
Cert-In makes annual cybersecurity audit mandatory for companies | Current Affairs | Vision IAS



New Cybersecurity Audit Guidelines by Cert-In

The Indian Computer Emergency Response Team (Cert-In) has issued new mandatory guidelines for cybersecurity audits targeting both private and public-sector organizations.

Key Directives

  • Organizations owning or operating digital systems must undergo a third-party cybersecurity audit at least once a year.
  • Audits should be risk-based and domain-specific, aligning with the business context and threat landscape.
  • Sectoral regulators have the discretion to mandate more frequent audits if necessary.
  • The guidelines aim to enhance cyber hygiene amidst rising digital threats and infrastructure breaches.

Compliance and Security Measures

  • A cybersecurity audit is required for major changes to systems, including technology migration and configuration adjustments.
  • Organizations must conduct: 
    • Risk and vulnerability assessments
    • Penetration testing
    • Network infrastructure and operational audits
    • Information security testing, including source code review
  • The principle of “least privilege” must be implemented: employees are granted only the access their role requires, and nothing more.
  • For remote access, every connection must be tunnelled, encrypted, and logged, and Multi-Factor Authentication (MFA) is mandatory.

Guidelines for Cybersecurity Auditors

  • Auditors must conduct independent assessments of security practices and controls.
  • In cases where assets are unavailable for audit, a detailed reason must be reported.
  • To prevent staff from putting temporary security measures in place solely for the audit, advance notification of an audit should be limited to key personnel.

Statistics and Implementation

  • Cert-In has empanelled 200 companies to conduct these audits.
  • In the year 2024-25, 9,708 audits were conducted.