The National Computer Emergency Response Team (NCERT) has invited eligible firms to apply for registration as approved Cyber Security Auditing Firms.
The initiative aims to enhance Pakistan’s cyber resilience by ensuring rigorous security audits of the country’s ICT infrastructure. The registration process mandates strict adherence to industry standards and best practices in information security.
Registered firms will be authorized to conduct security audits across various domains, including IT services, hosting, cloud solutions, and other critical infrastructures. These audits will play a crucial role in identifying vulnerabilities, ensuring compliance with established cybersecurity protocols, and strengthening the overall security posture of the nation’s digital ecosystem.
To qualify for registration, firms must meet the Mandatory Minimum Baseline Criteria, which include compliance with registration requirements from the Securities and Exchange Commission of Pakistan (SECP), tax registration with the Federal Board of Revenue (FBR), and certifications such as ISO 27001.
Additionally, firms must demonstrate prior experience in cybersecurity audits, possess a team of certified professionals, and maintain a robust organizational structure aligned with international security standards.
Individual auditors associated with the applying firms must also meet strict qualification criteria. They are required to have cybersecurity auditing experience, penetration testing expertise, and relevant industry certifications from recognized bodies such as ISACA, (ISC)2, SANS, and EC-Council. Furthermore, personnel should hold degrees in computer science, engineering, or information security, ensuring a high level of expertise in auditing critical ICT systems.
The registration process includes compliance with general rules set by NCERT. Firms must operate independently to prevent conflicts of interest, refrain from outsourcing audits to foreign third-party assessors, and ensure their cybersecurity assessments align with national policies, including the National Cyber Security Policy and Pakistan Cloud First Policy. Additionally, firms must maintain a strong market reputation, as those blacklisted in public or private sectors will be disqualified from the registration process.
NCERT has categorized audit firms into four tiers (CAT-I to CAT-IV) based on their expertise, resources, and the complexity of audits they are authorized to perform. Firms meeting the highest category (CAT-I) can conduct audits of critical infrastructure service providers, while lower-tier firms are restricted to less complex audits.
The final list of approved cybersecurity auditing firms will be published on nCERT’s website and updated regularly. The registration will be subject to periodic renewal to ensure compliance.