
Criteria for Cyber Security Auditing Firms' Registration

Registration criteria for cyber security auditing firms with nCERT for the conduct of comprehensive cyber security audits of ICT infrastructure and for ensuring compliance with established information security standards.
These criteria apply to firms seeking registration with nCERT as cyber security auditing firms. Registered firms will conduct a range of essential cyber security audit and assessment activities on ICT infrastructure in Pakistan. Service Providers offering services including but not limited to IT services, hosting, cloud and IT security, or managing/offering infrastructure to provide such services, will be able to have their services/infrastructure audited by the approved auditing firms.
To qualify for registration, firms must adopt methodologies and practices aligned with established information security standards and industry best practice. The registration process exists to ensure the competency of firms tasked with auditing ICT infrastructure. The criteria below set out the requirements and expectations for firms seeking registration to perform cyber security assessments, and emphasize adherence to established standards and protocols so that the integrity and effectiveness of ICT infrastructure within Pakistan's cyber landscape is maintained.
Section-A: Mandatory Minimum Baseline Criteria for Company
1 Registration: SECP or Registrar of Firms. In the case of a JV, the JV must be duly registered, and the partner(s) must have local presence and the necessary registrations.
2 Tax status: Active Taxpayer.
3 Company certification: valid ISO/IEC 27001 certification or equivalent; ISO/IEC 27017:2015 or equivalent (if applicable); ISO/IEC 17021 accreditation (mandatory for audit of cloud services only).
4 Registration/incorporation time: at least 3 years.
5 Audit experience: as defined in Section-D.
6 Number of technical resources: as defined in Section-D.
7 Number of certified resources: as defined in Section-D; employees must hold relevant and valid security certifications as outlined in Section-B.
8 Company profile and documentation: as defined in Section-C, rule 17.

Section-B: Mandatory Minimum Baseline Criteria for Individual Resource
1 Qualifying certification bodies (as applicable): ISACA, (ISC)2, EC-Council, CompTIA, Offensive Security, SANS, ISO/IEC, PCI Security Standards Council, CIA, CCA (HIPAA, PCI DSS, as applicable); information security specific certifications.
2 Cyber security auditing experience: at least 3 years, and as per the category-wise experience in Section-D.
3 Vulnerability assessment/penetration testing experience: at least 3 years.
4 Qualification for auditing personnel (cyber security sector): BS (Computer Science, Engineering or a relevant area) with at least two (02) relevant and valid certifications from the qualifying certification bodies ISACA, (ISC)2, SANS, EC-Council, CompTIA, Offensive Security, PCI Security Standards Council, ISO/IEC, and 4 years' experience;
OR
MS (Electronics/Electrical Engineering, Computer Science, or a relevant area) from an HEC-recognized university (or equivalence in the case of a foreign degree), or MS (Information Security/Cyber Security or a relevant area) from an HEC-recognized university (or equivalence in the case of a foreign degree), plus at least one (01) relevant and valid certification from the aforementioned qualifying certification bodies and 2 years' experience.
5 Association of resource with company: the resources proposed for an assignment must not be changed during the pendency of the assignment. If a change is necessitated, nCERT must be informed in advance.

Section-C: General Rules for Cyber Security Audit Firms
1 The cyber security audit firm must be registered with SECP or the Registrar of firms. Additionally, the company/firm should appear on the Active Taxpayer list (ATL) of income and sales tax issued by FBR.
2 To avoid conflicts of interest, the cyber security audit must not be conducted by a subsidiary, affiliate or associate firm of the auditee, nor by a cyber security solution provider firm. An affidavit declaring this must be submitted with the application and again before conducting the audit.
3 The cyber security audit firm must not outsource its cyber security audit, penetration testing, or red teaming engagements to any foreign third-party assessor, auditor, or audit firm.
4 Foreign companies with local branch offices in Pakistan are eligible to apply, provided they are registered with SECP, or the registrar of firms in Pakistan.
5 Firms must have a clear understanding of national policies, procedures and standards related to IT, IT security, cyber security and data protection that are published on Government websites, including those of MoITT, PTA, nCERT and NTISB. Such documents include the National Cyber Security Policy, the Pakistan Cloud First Policy, the Accreditation Criteria of Cloud Service Providers, the Pakistan Security Standard for Evaluation of Cryptographic and IT Security Devices, the Data Protection Bill (draft), and the Cyber Security Implementation Guidelines by nCERT.
6 Cyber security audit Firm should not be a blacklisted entity in the Public or Private sector within Pakistan or abroad, due to any factor including but not limited to unsatisfactory performance, breach of general/specific instructions or NDA, corrupt practices and/or any fraudulent activity.
7 Cyber security audit firms may perform audits within their own category or downward in the hierarchy outlined in Section-D. For example, firms qualifying for CAT-I may also audit Service Providers or organizations falling under CAT-II to CAT-IV, and firms qualifying for CAT-II may audit CAT-III and CAT-IV Service Providers. Firms qualifying for CAT-IV may not audit Service Providers higher in the hierarchy, i.e. CAT-III to CAT-I.
8 The cyber security audit firm must perform audits onsite, ensuring a detailed review of security measures, processes and compliance with standards, and identifying weaknesses.
9 When assessing the cyber security audit firm, nCERT may review several key areas of discipline, including but not limited to:
  1. Assessment methodology
  2. Profiles of certified individuals/resources
  3. Data storage and retention policies
  4. Information sharing policy and procedure
  5. Tools and reporting methodology
  6. Experience in conducting similar audits
  7. Sample Audit reports
10 nCERT reserves the right to conduct a full assessment at any given point in time. This assessment may require re-submission of all relevant documents submitted at the time of registration or any additional documents necessary for further scrutiny.
11 If an approved cyber security audit firm violates any clause of the NDA, the affected Service Provider (of IT, cloud, information security, communications, etc.) is mandated to report the violation, with the necessary details, to nCERT. In such cases nCERT reserves the right to terminate the firm's registration. If registration is terminated, all Service Providers will be informed in advance and the information will be updated on the nCERT website.
12 The list of approved cyber security audit firms will be published on the nCERT website and regularly updated.
13 nCERT reserves the right to revise the cyber security audit firm registration criteria as and when needed. Revised criteria will be communicated to registered firms and published on the nCERT website.
14 Registration may be revoked in the event of any legal or criminal offense.
15 The firm should implement a quality management system based on ISO 9001 or a relevant standard.
16 Based on the potential and/or performance of an audit firm, nCERT may grant a relaxation of up to 1 year in experience to the firm in each category during the selection assessment process or after selection (during the accreditation/licensing period).
17 The cyber security audit firm must demonstrate a proven track record, of the company and/or of the experts it offers, in conducting a comprehensive range of cyber security and security audits, as per the category-wise details below:
  1. CAT-I: at least 10 audits of organizations/ICT service providers with more than 150 nodes, or audits of 10 ISMS, with at least 5 reputed organizations
  2. CAT-II: at least 10 audits of organizations/ICT service providers with more than 100 nodes, or audits of 10 ISMS, with at least 3 reputed organizations
  3. CAT-III: at least 8 audits of organizations/ICT service providers with more than 50 nodes, or audits of 5 ISMS, with at least 3 reputed organizations
  4. CAT-IV: at least 5 audits of organizations/ICT service providers with more than 20 nodes, or audits of 5 ISMS, with at least 3 reputed organizations
18 Category-wise applicable standards. At every level, the firm must employ trained or certified professionals, or partner with experts, in the listed standards.
  a. Baseline (CAT-IV*):
    1. ISO/IEC 27001:2013 or 27001:2022, or equivalent
  b. Intermediate (CAT-III*):
    1. ISO/IEC 27001:2013 or 27001:2022, or equivalent
    2. ISO/IEC 27017:2015 or equivalent
  c. Enhanced (CAT-II*):
    1. ISO/IEC 27001:2013 or 27001:2022, or equivalent
    2. ISO/IEC 27017:2015 or equivalent
    3. ISO/IEC 27005:2022 or equivalent
  d. Highest (CAT-I*):
    1. ISO/IEC 27001:2013 or 27001:2022, or equivalent
    2. ISO/IEC 27017:2015 or equivalent
    3. ISO/IEC 27005:2022 or equivalent
    4. ISO/IEC 27070:2021 or equivalent
    5. Sector-specific standards, e.g. PCI DSS, HIPAA, or equivalent
    6. CSA STAR Certification or equivalent
    7. SOC 2 (managing customer data) or equivalent
    8. Other relevant sector-specific standards
*Category as per the Accreditation Criteria for Cloud Service Providers (CSP) under the Pakistan Cloud First Policy (PCFP) 2022.
19 The audit firm must have a good market reputation and must not have been involved in any legal or professional misconduct cases.
20 Accreditation of audit firms will be renewed every 2 years, or as required by the Pakistan Security Standard and the Pakistan Cloud First Policy.
21 The firm must provide project completion certificates clearly stating the client's name, project scope, and completion date.
22 The firm must provide at least three client references, or a list of previous clients, to validate its credibility.

Section-D: Cyber Security Auditing Firms' Auditing & HR Experience
For each category of auditing firm, the following lists the scope (type of firm with security in place), the level, the minimum cyber security and auditing experience in years, the minimum number of permanent technical resources, the minimum number of permanent certified resources (as in Section-B), the number of audits in different regions, the experience in international standards, and the audit count.
1 CAT-I
  Scope: IT + (Infra / ITSec + Services) and OT (all sectors)
  Level: Highest
  Cyber security & auditing experience (min): 8 years, in each category, i.e. IT/OT, Infra/ITSec, Services
  Permanent technical resources (min): 10
  Permanent certified resources as in Section-B (min): 6
  Audits in different region(s): 5
  Experience in international standard(s): 10
  Audit count: 20
2 CAT-II
  Scope: IT + (Infra / ITSec + Services) and OT (specified sectors)
  Level: Enhanced
  Cyber security & auditing experience (min): 5 years, in each category, i.e. IT/OT, Infra/ITSec, Services
  Permanent technical resources (min): 8
  Permanent certified resources as in Section-B (min): 4
  Audits in different region(s): 5
  Experience in international standard(s): 10
  Audit count: 15
3 CAT-III
  Scope: IT + (Infra / ITSec + Services)
  Level: Intermediate
  Cyber security & auditing experience (min): 5 years, in each category, i.e. IT, Infra/ITSec, Services
  Permanent technical resources (min): 6
  Permanent certified resources as in Section-B (min): 4
  Audits in different region(s): 2
  Experience in international standard(s): 5
  Audit count: 8
4 CAT-IV
  Scope: IT services only
  Level: Baseline
  Cyber security & auditing experience (min): 3 years
  Permanent technical resources (min): 4
  Permanent certified resources as in Section-B (min): 2
  Audits in different region(s): 2
  Experience in international standard(s): 3
  Audit count: 5

Note: All sectors/organizations designated as Critical fall into CAT-I and CAT-II, while those not designated as Critical are categorized as CAT-III and CAT-IV.

How to submit the form
A sealed hardcopy of the form must be submitted to Director GRC, nCERT, L –Block, Pak Secretariat F-5/1, Islamabad. Alternatively, a scanned copy can be emailed to dirgrc@pkcert.gov.pk
