The National Computer Emergency Response Team (nCERT) has introduced a formal registration framework for cybersecurity professionals who will provide consultancy and audit-related services under the Pakistan Information Security Framework (PISF).
The initiative aims to strengthen cybersecurity across public and private sector organizations by ensuring compliance with security standards and improving readiness for audits and risk assessments.
Under the new system, registered consultants will operate in three core areas: information technology (IT) security, operational technology (OT) security, and cloud security. Their services will include security gap analysis, development of implementation plans, and support during audits.
Consultants will be placed into four categories: Expert, Senior, Junior, and domain-specific specialists covering IT, OT, and cloud security.
Organizations have also been classified according to risk levels. High-risk entities, identified as CAT-I and CAT-II, will be required to hire Expert Consultants due to the complexity and sensitivity of their systems. These consultants will lead security assessments and ensure compliance with audit requirements.
For lower-risk categories, including CAT-III and CAT-IV, the requirements are less strict. Senior or Expert Consultants may be engaged depending on operational complexity, while Junior Consultants may assist in basic cybersecurity tasks such as vulnerability assessments and penetration testing under supervision.
Expert Consultants must have at least 12 years of professional experience in IT and cybersecurity, including six years in cybersecurity roles and at least three years in risk assessment, compliance, or audit work. They are also required to hold advanced certifications such as CISSP and CISM, along with relevant standards like ISO 27001 (IT), ISO/IEC 27017 (cloud), and ISA/IEC 62443 (OT).
Senior Consultants will need similar qualifications but with relatively lower experience thresholds.
Junior Consultants must have at least three years of cybersecurity experience and certifications such as ISO 27001 or CEH. Their responsibilities will primarily focus on entry-level tasks under supervision of senior experts.
nCERT is also planning to introduce a competency-based assessment test to evaluate professionals before registration, ensuring that only qualified individuals are authorized to provide cybersecurity consultancy under the new framework.
