Strengthening Cybersecurity: CERT’s New Recommendations for Auditing Organizations

On October 1, 2024, the Computer Emergency Response Team (CERT) announced vital recommendations aimed at enhancing the cybersecurity audit ecosystem for empanelled auditing organizations. These guidelines are designed to ensure comprehensive, effective audits that not only assess technical compliance but also translate findings into actionable insights for businesses.

1. Executive Summaries for Management

To bridge the gap between technical findings and business risks, auditing organizations should include executive summaries in all audit reports. These summaries should clearly communicate the overall security posture of the audited application or infrastructure, making it easier for board members and top management to grasp the implications of the audit.

2. In-Person Awareness Sessions

Auditee organizations are encouraged to host in-person sessions focusing on audit awareness. These sessions should cover the fundamentals of information security audits, including scope, outcomes, and best practices in secure development, along with insights into CERT-In’s initiatives and guidelines.

3. Compliance Verification

Auditing organizations must include verification of compliance with the CERT-In direction “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”, dated April 28, 2022, in every audit assignment, and the findings, along with relevant evidence, should be included in the audit report. Organizations may refer to the method-of-verification document “Method of verifications to compliance with CERT-In Directions issued on April 28, 2022”, which was shared over email and is also available on the CERT-In website at

https://cert-in.org.in/PDF/Methods_of_Verification.pdf

4. Secure Application Guidelines

Auditing organizations are urged to check compliance with CERT-In’s “Guidelines for Secure Application Design, Development, Implementation & Operations” during application audits. Findings, along with relevant evidence, should be included in the audit report.

5. Comprehensive Audit Criteria

To avoid oversimplifying the audit process, organizations should refrain from using limited lists of vulnerabilities. Instead, audits should discover all known vulnerabilities based on comprehensive standards like ISO/IEC and OWASP guidelines.

6. Audit Artifacts

It’s recommended that auditors capture and include important audit artifacts—such as hash values, versions, and timestamps—in the audit certificate and reports, enhancing transparency and traceability.

7. Documentation of Evidence

Auditing organizations must document both compliance and non-compliance evidence within the audit report. This thorough approach provides a complete picture of the security landscape.

8. High-Quality Reporting

Audit reports should be of the highest standard, detailing every aspect of the audit process—scope, methodologies, findings, and limitations. A comprehensive report not only informs stakeholders but also serves as a valuable resource for future audits.

9. Authorized Risk Treatment

Any treatment plans for identified vulnerabilities must be authorized by the head of the auditee organization. This ensures accountability and a structured approach to risk management.

10. Certificate Issuance Protocol

Audit certificates should only be issued after all identified vulnerabilities have been closed and follow-up audits conducted. If an audit is limited to a staging environment, this must be explicitly stated in the certificate.

11. Incorporating CERT-In Updates

To remain relevant, auditing practices should integrate the latest CERT-In updates, advisories, and vulnerability notes, ensuring that audits reflect the most current security landscape.

12. Continuous Performance Assessment

CERT-In will conduct ongoing performance assessments of empanelled auditing organizations. Those that fail to meet the established criteria may face de-empanelment, promoting a culture of continuous improvement.

13. Capacity Building

It’s crucial for auditing organizations to invest in continuous training for both technical staff and senior management in emerging technologies and domains. This ongoing education is vital for maintaining expertise in a rapidly evolving cybersecurity landscape.

14. Timely Data Submission

Empanelled organizations must adhere to data submission requirements, ensuring that audit metadata and reports are submitted to CERT-In in a timely and accurate manner. This data plays a key role in enhancing the cybersecurity posture of entities within the Indian cyberspace.

15. Sharing Cybersecurity Initiatives

Finally, auditing organizations are encouraged to share their cybersecurity initiatives with CERT-In. This collaboration fosters a broader exchange of information that can benefit the entire community.

Conclusion

These recommendations from CERT are a significant step forward in bolstering the cybersecurity audit framework. By implementing these guidelines, auditing organizations can enhance their effectiveness, ensure compliance, and contribute to a more secure digital environment for all.