In-depth framework guides
Full explainers for each standard — what it is, who needs it, key requirements, how to comply and FAQs.
Security frameworks
- A voluntary, outcome-based framework for managing and reducing cybersecurity risk.
- A comprehensive catalog of security and privacy controls for information systems.
- A governance and management framework for enterprise information and technology.
- A prioritised set of 18 safeguards that stop the most common attacks.
- A knowledge base of real-world adversary tactics and techniques.
- The most dangerous and common software weaknesses developers must avoid.
- The standard awareness document for the most critical web application risks.
- A business-driven framework and methodology for enterprise security architecture.
Certifications & attestations
- The international standard for an Information Security Management System (ISMS).
- An attestation report on controls relevant to security, availability and privacy.
- The security standard for organisations that handle payment card data.
- SWIFT’s Customer Security Controls Framework for institutions on the SWIFT network.
- Standards for secure PIN management and point-to-point encryption of card data.
Data privacy laws
India regulatory
- India’s data-protection law governing the personal data of data principals.
- Baseline cyber security and resilience controls mandated by RBI for banks.
- RBI’s master direction on securing internet, mobile and card digital payment channels.
- RBI’s master direction on IT governance, risk, controls and IS assurance practices.
- Authorisation and security requirements for payment aggregators and payment gateways.
- Rules for issuing and operating prepaid payment instruments (wallets, cards).
- Annual system audit and payment-data localisation assurance for payment system operators.
- Security audit requirements for UPI Third-Party Application Providers and PSP banks.
- System audit requirements for BBPS operating units in the bill-payment ecosystem.
- SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities.
- Information and cyber security guidelines for insurers and intermediaries.
- Security and audit requirements for entities in the Aadhaar authentication ecosystem.
- CERT-In’s directions on incident reporting, log retention and security practices.
Payments & cards
PCI DSS
The Payment Card Industry Data Security Standard (currently v4.0.1) — the global standard for organisations that store, process or transmit cardholder data.
PCI PIN & P2PE
Requirements for the secure management of PINs and the encryption of account data from point of interaction to decryption.
SWIFT CSP / CSCF
The Customer Security Programme and its Customer Security Controls Framework — mandatory and advisory controls for institutions on the SWIFT network.
Information security
ISO/IEC 27001 & 27002
ISO/IEC 27001:2022 specifies the requirements for an Information Security Management System (ISMS); ISO/IEC 27002:2022 provides the Annex A control guidance.
SOC 1 / SOC 2 / SOC 3
System and Organization Controls reports based on the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).
NIST CSF & SP 800-53
The NIST Cybersecurity Framework (CSF 2.0) and Special Publication 800-53 control catalog — widely used voluntary frameworks for managing cyber risk.
- NIST CSF 2.0 — full standard (PDF)
- NIST SP 800-53 Rev. 5 — control catalog (PDF)
- NIST Cybersecurity Framework portal
Data privacy
DPDP Act, 2023 (India)
India’s Digital Personal Data Protection Act, 2023 and its draft Rules — obligations for data fiduciaries handling the personal data of Indian data principals.
GDPR (EU)
The EU General Data Protection Regulation — the benchmark privacy regulation for processing the personal data of individuals in the EU/EEA.
HIPAA (US)
The Health Insurance Portability and Accountability Act — Security, Privacy and Breach Notification Rules for protected health information (PHI).
India regulatory
RBI Cyber Security Framework
RBI Master Directions and circulars on cyber security for banks, NBFCs, payment system operators and co-operative banks, plus data-localisation requirements.
SEBI CSCRF
SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities in the securities market.
IRDAI Cyber Security
IRDAI’s information and cyber security guidelines for insurers and insurance intermediaries.
UIDAI / Aadhaar (AUA-KUA)
Security and audit requirements for Authentication User Agencies and KYC User Agencies operating within the Aadhaar ecosystem.
CERT-In Directions
CERT-In’s directions on cyber-incident reporting, log retention and security practices — and the empanelment framework CyberSigma is authorised under.
- CERT-In Directions under 70B, Apr 2022 (PDF)
- CERT-In (official)
- CERT-In empanelled organizations (PDF)
Testing & assurance
VAPT & OWASP
Vulnerability Assessment & Penetration Testing aligned to OWASP (Top 10, Testing Guide, ASVS, MASVS) and CERT-In requirements — across web, API, mobile, cloud, thick-client, network, LLM and IoT.
Third-party risk & assurance
Vendor/third-party risk management, IT general controls (ITGC), security architecture review and firewall/configuration assurance.
Official document links point to the issuing bodies; CyberSigma is not affiliated with them.