Are the following mount point options required, as identified by a CIS scan of Appliance Gateway 11,
/var/log - exec,suid
/var/log/audit - exec,suid
/dev/shm - exec

i.e. can the options of these mount points be changed to noexec, nosuid.

Virtual appliance gateway 11.0

Yes, the engineering team confirms that setting noexec, nosuid for /var/log, /var/log/audit, /dev/shm, have no impact to the gateway. 

The change should be done in /etc/fstab to be persistent.