Page 58 - Banking Finance September 2025
FEATURES
Cert-In makes annual cybersecurity audit mandatory for firms
In a first, the Indian Computer Emergency Response Team (Cert-In) has made it mandatory for private and public-sector organisations that own or operate digital systems, processes, or infrastructure to undergo a comprehensive third-party cybersecurity audit at least once a year. This is the first such directive for the private sector.

The guidelines by Cert-In allow sectoral regulators to mandate audits more frequently if needed, Cert-In said.

In a set of guidelines issued for all public-sector and private companies, Cert-In has stated that cybersecurity audits should adopt a risk-based and domain-specific approach, aligning with the business context, threat landscape, and operational priorities of the company being audited.

The new guidelines, aimed at tightening cyber hygiene across sectors, come amid a surge in digital threats and a rising number of breaches targeting critical infrastructure.

Cert-In, the Ministry of Electronics and Information Technology's agency for digital-risk analysis, assessment, and prevention, has mandated "a cyber security audit to evaluate potential vulnerabilities, ensure compliance, and mitigate security risks before implementation" for any major change, such as a systems overhaul, technology migration, or configuration adjustment, that impacts sensitive data and critical infrastructure.

Both public-sector and private companies dealing in any form of digital infrastructure must conduct an independent third-party audit after every major change to the infrastructure and applications behind the company's offerings.

These organisations must also conduct a comprehensive risk and vulnerability assessment, penetration testing, a network infrastructure and operational audit, an information technology security policy review, information security testing, a source code review, and security testing of processes, communications, applications, and mobile applications, in accordance with the guidelines of Cert-In.

Organisations are also required to implement the principle of "least privilege", ensuring that any employee has the "minimum level of access permissions necessary to perform their specific roles or function". For a company offering remote access to its employees, all access to the organisation's cyber-infrastructure must be "tunnelled, encrypted and logged" to avoid misuse.

"Multi Factor Authentication (MFA) is mandatory for remote access of the cyber infrastructure," Cert-In said in its new guidelines.

The agency has also released comprehensive guidelines for cyber security auditors who are empanelled with it and can conduct these audits.

In these guidelines, Cert-In has stated that auditors will be required to conduct an independent assessment of various companies' security practices, systems, and controls.

If any asset within the scope of the digital products and services that need to be audited is not provided by a company, the auditors must state that in their report, with a reason as to why the asset was not given, and bring the report to Cert-In's notice.

To date, Cert-In has empanelled 200 companies for conducting these audits. In 2024-25, Cert-In conducted 9,708 audits, of which 1,579 were in the power and energy sectors, 582 in transport and 7,547 in banking, financial services and insurance, according to the government data. (Source: Business Standard)