Govt Tightens Cybersecurity Rules for IT, Cloud and OT Experts to Work in Pakistan

The National Computer Emergency Response Team (NCERT) has introduced a structured set of criteria for registering cybersecurity professionals who will provide consultancy and audit readiness services under the Pakistan Information Security Framework (PISF).
The move is aimed at strengthening the cybersecurity posture of organizations across Pakistan by ensuring compliance with security standards and improving preparedness for audits and assessments.
Under the new framework, registered consultants will operate across three major domains: IT security, Operational Technology (OT) security, and cloud security.
Their responsibilities will include conducting gap assessments, preparing implementation roadmaps, and assisting organizations during security audits.
Consultants will be categorized into four tiers: Expert, Senior, Junior, and domain-specific specialists in IT, OT, and cloud security.
Organizations have also been classified into different risk categories. High-risk entities, designated as CAT-I and CAT-II, will be required to engage Expert Consultants due to the complexity and sensitivity of their systems. These experts will lead security assessments and guide organizations through compliance and audit requirements.
For lower-risk categories, including CAT-III and CAT-IV, the requirements are more flexible. Senior or Expert Consultants may be assigned depending on the organization’s complexity, while Junior Consultants may assist with tasks such as vulnerability assessments and penetration testing under supervision.
Expert Consultants are required to have at least 12 years of experience in IT and information security, including a minimum of 6 years in cybersecurity and at least 3 years in areas such as risk assessments and compliance audits. They must also hold advanced certifications, including CISSP and CISM, along with domain-specific credentials such as ISO 27001 for IT, ISO/IEC 27017 for cloud security, and ISA/IEC 62443 for OT systems.
Senior Consultants must meet similar standards but with comparatively lower experience requirements and fewer audit-related engagements.
Junior Consultants must have at least three years of cybersecurity experience and hold certifications such as ISO 27001 or CEH. Their role will mainly involve foundational security tasks, including basic assessments and penetration testing under senior supervision.
NCERT also plans to introduce a competency-based evaluation test to further verify the technical skills of registered consultants, ensuring that all professionals meet the minimum standards required under the new framework.



