New Cybersecurity Audit Guidelines by CERT-In
The Indian Computer Emergency Response Team (CERT-In) has issued new mandatory guidelines for cybersecurity audits that apply to both private and public-sector organizations.
Key Directives
- Organizations owning or operating digital systems must undergo a third-party cybersecurity audit at least once a year.
- Audits should be risk-based and domain-specific, aligning with the business context and threat landscape.
- Sectoral regulators have the discretion to mandate more frequent audits if necessary.
- The guidelines aim to enhance cyber hygiene amidst rising digital threats and infrastructure breaches.
Compliance and Security Measures
- A cybersecurity audit is required for major changes to systems, including technology migration and configuration adjustments.
- Organizations must conduct:
  - Risk and vulnerability assessments
  - Penetration testing
  - Network infrastructure and operational audits
  - Information security testing, including source code review
- The principle of “least privilege” must be implemented to minimize access permissions for employees.
- For remote access, all connections must be tunnelled, encrypted, and logged, with Multi-Factor Authentication (MFA) being mandatory.
Guidelines for Cybersecurity Auditors
- Auditors must conduct independent assessments of security practices and controls.
- In cases where assets are unavailable for audit, a detailed reason must be reported.
- To prevent staff from putting temporary security measures in place only for the duration of the audit, notification of an upcoming audit should be limited to key personnel.
Statistics and Implementation
- CERT-In has empanelled 200 companies to conduct these audits.
- In the year 2024-25, 9,708 audits were conducted.