Which Cyber Security Audit approach is right?
Cyber Security Audit
The dependency on technology has increased to a level where cyber risk may cause severe financial and reputational damage to a company. In fact, the annual audit report to the Ministry of Corporate Affairs must cover a cybersecurity audit. However, the words “Cyber Security Audit” mean different things to different people, and the approach varies accordingly.
There is an International Standard, ISO/IEC 27001 - Information Security Management System (ISMS), against which a formal audit can be undertaken. And then there are Information Security Auditors empanelled by CERT-IN. However, what matters is not the audit but the cyber security posture of the company. Before any decision is taken, it is necessary to understand the differences between these three approaches.
CERT-IN Empanelled Auditors
In 2004, after CERT-IN came into being, it was realised that the number of people and companies capable of undertaking technical risk assessment using tools was very limited, and a lot of snake oil was being sold to unsuspecting organisations. The charges for these services were also very arbitrary, and as there were few players in the market there was no balancing force. Therefore, to protect government organisations from such arbitrariness and to have a rate contract mechanism in force, CERT-IN was tasked with empanelling Information Security vendors who would be authorised to undertake cybersecurity technical checks (wrongly called audits) at specified rates. (The author was a member of the first selection team and was also the guiding force, along with Dr KK Bajaj, in conceiving and implementing it.) At that point in time, there was no ISO/IEC 27001; BS 7799 and ISO 17799 were not auditable standards. Therefore, "auditor empanelled by CERT-IN" is a misnomer in today's environment. Technically, none of them can certify any organisation against ISO/IEC 27001, as none is a certifying body. Their primary task today is thus Vulnerability Assessment and Penetration Testing (VAPT) and, in some cases, technical risk analysis. Some of them have developed capabilities to undertake an "Internal Audit" or pre-audit preparation for ISO/IEC 27001.
India is a member of the International Organisation for Standardisation. ISO/IEC 27001 is an auditable standard for Information Security Management, just as ISO 9001 is for a Quality Management System. Most other cyber security standards, such as HIPAA, SOX, NIST, FISMA and PCI-DSS, are US regulations or standards. ISO/IEC 27001 is the only standard mentioned in the Regulations under the Information Technology Act. Only a Certifying Body under the control mechanism of the International Organisation for Standardisation is authorised to certify an organisation. The certification process includes not only VAPT or technical risk assessment but also checks the status of People, Policies and Processes.
Cyber Secure Posturing
The ISO/IEC 27001 certificate gives stakeholders greater assurance and also automatically meets the annual financial compliance audit requirements. However, the Certifying Body is not authorised to provide consultancy for the same. Generally, going from zero to certification can take between 8 and 12 months. After assessing the cyber risks, the consultant will undertake to restructure the network design (if required), prepare technical specifications and policies, align procedures for cybersecurity, and run training and awareness programmes for employees and vendors. He would also advise on any tools, technology or human resources required for a better cybersecurity posture. More than the certification, it is this posture that will protect a company from cyber threats. For example, if some measures are taken to protect the e-mail server, a company may get the ISO/IEC 27001 certificate, but only a knowledgeable consultant can guide it as to which e-mail server is best suited to the company's objectives and which specific settings will meet the cybersecurity posture without adversely impacting the business.
Therefore, the best approach is to seek the guidance of a knowledgeable consultant who can recast the company's technology, networks, people, policies, procedures and processes while also meeting the requirements of ISO/IEC 27001. After that, going for formal ISO/IEC 27001 certification is just half a step away.