Indian Computer Emergency Response Team (Cert-In) has made it mandatory for private and public-sector organisations that own or operate digital systems, processes, or infrastructure, to undergo a comprehensive third-party cybersecurity audit at least once a year.
This is the first such directive for the private sector.
The guidelines set an annual audit as the minimum; sectoral regulators may mandate more frequent audits if needed, Cert-In said.
In a set of guidelines issued for all public-sector and private companies, Cert-In has stated cybersecurity audits should adopt a risk-based and domain-specific approach, aligning with the business context, threat landscape and operational priorities.
These guidelines serve two purposes. Firstly, they assist organizations being audited (auditees) in preparing for audits, understanding requirements, and addressing deficiencies.
This helps ensure that their cyber security measures align with industry standards and regulations, enabling proactive improvement of security practices.
Secondly, the guidelines provide auditing organizations with a structured framework to conduct rigorous, fair, and transparent cyber security audits.
They outline the auditor’s responsibilities, methodologies, and best practices, enabling them to provide independent, impartial and constructive recommendations that strengthen the auditee’s cyber security.
The empaneled auditing organizations agree to provide cyber security auditing services in accordance with the commercial contract to be entered into with the auditee organizations and abide by all the conditions of empanelment as well as service delivery.