Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
Primary statement
The mandatory assurance regime operates as a coordinated set of recurring controls: (1) annual third-party cyber security audit by CERT-In empanelled auditor (CERT-In Directions 5 and 19), with audit findings tracked to closure; (2) VAPT after every major release plus periodic cadence per system criticality (SEBI PR.4 + RBI ITGRCA RM.3); (3) third-party / vendor cyber risk assessment pre-engagement + ongoing monitoring (SEBI ID.5); (4) operational IT audit logs covering administrative actions, configuration changes, privileged access (RBI ITGRCA RM.4); (5) periodic risk review at three levels — senior management quarterly, Audit Committee half-yearly, Board annually (RBI ITGRCA RM.16); (6) CERT-In incident reporting discipline (Direction 11). Together these constitute the auditable assurance cycle.
Audit-fatigue payoff
A single audit calendar — CERT-In empanelled annual audit + VAPT cycles + third-party assessments + three-level risk review + operational IT audit log review — satisfies the assurance requirements across all 14 contributing frameworks. The 8–10 distinct assurance questions an auditor typically raises across those frameworks collapse to one calendar-driven audit programme. The CERT-In empanelment alone provides the credentialing baseline for sectoral audits (SEBI, RBI, IRDAI). Without unification, each framework's assurance requirement is tested independently; with unification, the calendar and the artefact each calendar entry produces (report, minutes, re-test record) are the evidence.
Strictness matrix
Scope
Scope: ICT infrastructure of all in-scope organisations shall be audited annually by a CERT-In empanelled information security auditing organisation. Audit covers the full security posture — governance, technical controls, operational controls, compliance with applicable frameworks. The scope is comprehensive across the organisation's ICT estate, not limited to security-control domains.
Ceiling source: cert_in:CERTIN.19
Rationale: CERT-In Direction 19 specifies the broadest mandatory audit scope. Other frameworks address narrower assurance subsets (SEBI VAPT, RBI risk review, ISO 27001 internal audit). The CERT-In annual audit is the umbrella under which sectoral audits fit.
Threshold
Threshold: any "public or private enterprise" within scope (as specified in CERT-In Directions) shall undergo annual third-party cyber security audit. The threshold is binary — annual audit is mandatory regardless of organisational size, risk profile, or previous audit findings. CERT-In empanelment of the audit firm is a structural prerequisite.
Ceiling source: cert_in:CERTIN.5
Rationale: CERT-In Direction 5 articulates the strictest threshold: annual audit is mandatory regardless of organisational characteristics. The empanelment requirement for the audit firm is uniquely strict and cannot be met by an unempanelled firm, however qualified.
Method
Method (combined): (1) annual third-party cyber security audit by CERT-In empanelled auditor; (2) VAPT cycle per system criticality and after every major release (SEBI PR.4 + RBI ITGRCA RM.3); (3) periodic risk review at three levels — senior management quarterly, Audit Committee half-yearly, Board annually (RBI ITGRCA RM.16); (4) third-party cyber risk assessment pre-engagement + ongoing (SEBI ID.5); (5) operational IT audit logs (RBI ITGRCA RM.4) reviewed as part of the assurance cycle; (6) findings tracked to closure with re-test evidence, not self-attestation; (7) audit report submitted to the Board and to the applicable sectoral regulator (RBI / SEBI / IRDAI).
Ceiling source: rbi_itgrca:ITGRCA.RM.16
Rationale: RBI ITGRCA RM.16 specifies the most prescriptive risk-review cadence — three levels (senior mgmt / AC / Board) with explicit cadence per level. Combined with CERT-In Direction 5/19 annual audit discipline, this is the audit-defensible method.
Frequency
Cadence: senior management risk review quarterly minimum; Audit Committee half-yearly minimum; Board annually minimum. CERT-In empanelled audit annually. VAPT quarterly for critical systems, annually for important systems, and in every case after each major release. Third-party assessment: biennial deep review for critical vendors plus an annual lighter-touch review. Operational IT audit log review: continuous (SIEM) plus a periodic deep-dive (quarterly).
Ceiling source: rbi_itgrca:ITGRCA.RM.16
Rationale: RBI ITGRCA RM.16 specifies the most explicit periodic risk review cadence at three governance levels. The quarterly senior management cadence is the strictest tier and drives the minimum frequency of the calendar.
Evidence
Required evidence: (1) CERT-In empanelled auditor engagement letter + audit certificate; (2) annual cyber security audit report with findings register and closure tracking; (3) VAPT reports per cycle with manual-test evidence; (4) third-party assessment records per critical vendor; (5) three-level risk review minutes (senior management quarterly, AC half-yearly, Board annually); (6) operational IT audit log review reports; (7) CERT-In incident submissions for the past 12 months; (8) findings closure evidence with re-test where applicable; (9) Board / Audit Committee minutes evidencing audit-findings review.
Ceiling source: cert_in:CERTIN.5
Rationale: CERT-In Direction 5 evidence list combined with RBI ITGRCA RM.16 risk-review minutes produces the most comprehensive assurance evidence pack. The CERT-In empanelment certificate is uniquely strict — it cannot be substituted by self-attestation.
Auditor test pattern
Step 1: Inspect the CERT-In empanelment certificate of the audit firm; verify it was current on the audit date. Step 2: Inspect the most recent annual audit report; verify comprehensive scope and a findings register with closure tracking. Step 3: Sample 3 findings from the past 12 months; verify closure with re-test evidence where applicable, not self-attestation. Step 4: Inspect the three-level risk review records (senior mgmt quarterly, AC half-yearly, Board annually); verify the cadence is honoured and the discussion is substantive. Step 5: Sample 1 VAPT cycle and trace it through to findings and remediation; confirm the cycle followed the most recent major release. Step 6: Inspect third-party assessment records for 2 critical vendors; confirm the assessor is independent of the vendor's production engagement. Step 7: Verify CERT-In incident submissions are current (no missing submissions for the past 12 months).
Common findings
Common 2024–26 findings: (1) Audit firm is CERT-In empanelled but the specific audit team lacks sectoral specialism (banking, capital markets, insurance); (2) Audit findings closed by self-attestation without re-test; (3) Three-level risk review collapsed to one level (Board only, with senior management and AC review absent); (4) AC cybersecurity discussion is brief and informational, not substantive; (5) Audit certificate exists but follow-on findings tracker is absent; (6) VAPT performed but not after every major release — release pace exceeds VAPT cycle; (7) Third-party assessments outsourced to the same firm running the production engagement (independence concern).