
PANEL OF INFORMATION SECURITY AUDITING ORGANISATIONS

Background

The Indian Computer Emergency Response Team (CERT-In), under the Department of Information Technology, Government of India, has created a panel of ‘IT Security Auditors’ for auditing, including vulnerability assessment and penetration testing, of computer systems & networks of various organizations of the Government, critical infrastructure organizations and those in other sectors of the Indian economy. The panel was selected from among nearly 100 organizations that submitted their expression of interest in response to the Request for Response issued by CERT-In in leading newspapers and on the website.

In view of increased awareness among the users in critical sectors, as well as the foreseen need for IT security and auditing services on a wider scale, CERT-In intends to expand the existing panel and start the next round of empanelment. Accordingly, CERT-In has come out with a "Request for Response" for fresh empanelment of IT Security Auditors.

The empanelled auditors will assess the information security risks. They will determine the effectiveness of information security controls over information resources and assets that support operations in the auditee organizations on their request.

The empanelled auditors –

  1. possess the necessary tools, skills and capabilities to carry out tasks such as:
     
    • IT security policy review and assessment against security best practices
    • Information Security Testing
    • Process Security Testing
    • Internet Technology Security Testing
    • Communications Security Testing
    • Application security testing
    • Wireless Security Testing
    • Physical Security Testing

     to assess the security posture of IT systems and networks for protection against -

    • External threats, by way of remote infrastructure security assessment
    • Internal threats, by way of on-site infrastructure security assessment
    • Integrated system threats, by way of application security assessment

  2. agree to provide the IT Security auditing services in accordance with the commercial contract to be entered into with the auditee organisations and abide by all the conditions of empanelment as well as service delivery.

DURATION OF EMPANELMENT

The empanelment of an auditor is valid for an initial period of 24 months and is renewable every 12 months thereafter, based on the feedback from auditee organisations and review of auditor’s performance.

AUDIT ASSIGNMENTS

An Auditor will be contracted by a customer directly to perform IT security audits. CERT-In is not a party to such contracts. 

CERT-In may choose to associate its experts in audit assignments of an auditor to gain first-hand knowledge of the quality of audits being carried out by the auditor.

For all other details, please refer to the document ‘Empanelment of IT Security Auditing Organisations - Terms and Conditions for Empanelment, Version 2, December 10, 2005’.