The dependency on technology has increased to a level where cyber risk may cause severe financial and reputational damage to a company. In fact, the annual audit report to the Ministry of Corporate Affairs must cover a cybersecurity audit. However, the words “Cyber Security Audit” mean different things to different people, and the approach therefore varies accordingly.
There is an international standard, ISO/IEC 27001 - Information Security Management System (ISMS), for undertaking a formal audit. Then there are Information Security Auditors empanelled by CERT-IN. Standards and frameworks like NIST, PCI-DSS or c etc. are technically US standards, and in any case, if a company is compliant with one standard, it generally meets most of the requirements of the others. However, what matters is not the audit but the cybersecurity posture of the company. Before any decision is taken, it is necessary to understand the differences between these three approaches.
CERT-IN Empanelled Auditors
In 2004, after CERT-IN came into being, it was realised that the number of people and companies capable of undertaking technical risk assessment using tools was very limited, and a lot of snake oil was being sold to unsuspecting organisations. There was no information / cyber security auditing standard. Therefore, the charges for these services were also very arbitrary, and as there were few players in the market, there was no balancing force. Hence, to protect government organisations from such arbitrariness and to have a rate contract mechanism in force, CERT-IN was tasked to empanel information security vendors who would be authorised to undertake cybersecurity technical checks (erroneously called audits) at specified rates. (The author was a member of the first selection team and was also the guiding force, along with Dr KK Bajaj and IISc, in conceiving and implementing it.) At that point in time, there was no ISO/IEC 27001; BS 7799 and ISO 17799 were not auditable standards. Therefore, the term “CERT-IN empanelled auditor” is a misnomer in today’s environment. Technically, none of them can certify any organisation against ISO/IEC 27001, as none is a certifying body. Their primary task today is Vulnerability Analysis and Penetration Testing (VAPT) and, in some cases, technical risk analysis. Some of them have developed capabilities to undertake an “internal audit” or pre-audit preparation for ISO/IEC 27001.
Since October 2020, the office of the National Cyber Security Coordinator has issued the “Cyber Security Audit Baseline Document”, which covers all cyber hygiene requirements and is reasonably suitable for MSMEs. DSCI has also issued frameworks, which are technically good, but they are still not in widespread use.
ISO/IEC 27001
India is a member of the International Organization for Standardization (ISO). ISO/IEC 27001 is an auditable standard for information security management, just as ISO 9001 is for a Quality Management System. ISO/IEC 27001 is the only standard mentioned in the Regulations under the Information Technology Act. Only a Certifying Body under the control mechanism of ISO is authorised to certify an organisation. The process includes not only VAPT or technical risk assessment but also checks the status of people, policies and processes.
Cyber Secure Posturing
The ISO/IEC 27001 certificate has more value for a stakeholder seeking assurance and also automatically meets the financial annual compliance audit requirements. However, the Certifying Body is not authorised to provide consultancy for the same. Generally, going from zero to certification can take between 8 and 12 months. After assessing the cyber risks, the consultant will undertake to restructure the network design (if required), technical specifications and policy preparation, align procedures for cybersecurity, and run training and awareness programmes for employees and vendors. He would also advise on any tool, technology or human resources required for a better cybersecurity posture. More than the certification, it is this posture that will protect a company from cyber threats. For example, if some measures are taken to protect e-mail servers, a company may get the ISO/IEC 27001 certificate, but only a knowledgeable consultant can guide it as to which e-mail server will best suit the company's objective and which specific settings will meet the cybersecurity posture without adversely impacting the business. Similarly, there are many tools and technologies to secure networks, such as SIEM, SOC, UEBA, XDR, MDR, IRM and DRM (see details here), and the choice can make it hard for the company to arrive at the best and optimum solution.
Recommendations
Therefore, the best approach is to seek the guidance of a knowledgeable consultant who can guide and recast a company's technology, networks, people, policies, procedures and processes while also meeting the requirements of ISO/IEC 27001. After that, going for formal ISO/IEC 27001 certification is just half a step away.