Introduction to the IFSCA Cyber Resilience Audit
The International Financial Services Centres Authority (IFSCA) is the unified regulator for financial services in India's International Financial Services Centres (IFSCs), the flagship of which is the Gujarat International Finance Tec-City (GIFT City) IFSC in Gandhinagar, Gujarat. IFSCA was constituted under the International Financial Services Centres Authority Act, 2019 and consolidated the powers previously exercised in the IFSC by the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI) and the Pension Fund Regulatory and Development Authority (PFRDA). Because IFSCA regulates a diverse population of Regulated Entities (REs) - banking units, capital-market intermediaries, insurers and reinsurers, fund managers, aircraft and ship leasing entities, bullion market participants and FinTech firms - it has issued a horizontal, technology-neutral cyber resilience framework that applies across all of them.
The principal instrument is the IFSCA Circular on 'Cyber Security and Cyber Resilience Framework' (the CSCRF for IFSC), read together with the IFSCA (Information Technology and Cyber Security) directions and the outsourcing and business continuity requirements embedded in the various entity-specific IFSCA regulations. The framework deliberately harmonises with domestic Indian mandates - the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (7 November 2023), the SEBI Cyber Security and Cyber Resilience Framework (SEBI/HO/MIRSD/CSFT/CIR dated 20 August 2024, the consolidated CSCRF), the CERT-In Directions dated 28 April 2022 (six-hour incident reporting) and the CERT-In empanelment regime - so that entities operating both onshore and in the IFSC face a consistent control baseline. This guide is written for two audiences simultaneously: the auditor who must assess conformance and produce assurance, and the implementer (CISO, IT head, DPO) who must build and remediate the controls.
What is the IFSCA Cyber Resilience Audit
The IFSCA Cyber Resilience Audit is an independent, evidence-based assessment of a Regulated Entity's ability to anticipate, withstand, contain, recover from and adapt to cyber incidents affecting its critical systems and data, measured against the IFSCA Cyber Security and Cyber Resilience Framework and allied IT-governance directions. 'Cyber resilience' extends beyond preventive cyber security: it demands that an RE continue to deliver its critical financial services during and after a disruptive cyber event, with defined recovery time and recovery point objectives, tested continuity arrangements and board-level accountability.
IFSCA structures its expectations around the internationally recognised NIST Cybersecurity Framework functions - Identify, Protect, Detect, Respond and Recover - augmented by governance, third-party/outsourcing risk, data protection (including alignment to the Digital Personal Data Protection Act, 2023), and mandatory incident-reporting obligations to IFSCA and CERT-In. The audit tests both design effectiveness (are the right policies, standards and controls defined and approved) and operating effectiveness (are they consistently performed, monitored and evidenced over the review period). Depending on the RE category, the audit may be conducted as a self-assessment attested by the board, an independent audit by a CERT-In empanelled auditor, or a Vulnerability Assessment and Penetration Testing (VAPT) exercise, with periodic submission of findings and closure status to IFSCA.
Typical deliverables of the engagement are: a scoping and asset-criticality document; a control-by-control conformance assessment mapped to the NIST functions and IFSCA domains; a VAPT report for internet-facing and critical internal systems; a maturity rating; a prioritised remediation roadmap; and the regulatory submission pack (compliance certificate, cyber audit report, and where required a board-approved cyber crisis management plan).
A crucial distinction for the IFSC context is proportionality. Unlike a one-size-fits-all rulebook, IFSCA applies a risk-based, graded approach: the depth of controls, the frequency of testing, and the intensity of independent assurance scale with an entity's systemic importance, transaction volumes, customer footprint and data sensitivity. A Market Infrastructure Institution such as an IFSC stock exchange or clearing corporation must operate a dedicated or managed Security Operations Centre, undertake red-team exercises, compute a cyber-capability/resilience index and perform continuous monitoring, whereas a small Fund Management Entity may satisfy the baseline through a proportionate control set, an annual VAPT and a self-assessment attested by its governing body. The auditor's first task is therefore to correctly place the entity in its category and calibrate expectations accordingly, because assessing a small RE against MII-grade controls produces false negatives, while under-assessing a systemically important RE creates unacceptable residual risk to the IFSC ecosystem.
IFSCA also expects cyber resilience to be evidenced through the accountability chain. The board (or equivalent governing body) owns the cyber-risk appetite and must be demonstrably engaged: approving the policy suite and the Cyber Crisis Management Plan, receiving periodic posture reports, and being briefed on material incidents. A designated senior officer - typically the CISO - is accountable for the operating programme, while the audit provides independent challenge. Assessors should look for a golden thread running from board minutes, through the risk register and control catalogue, down to operational logs and test evidence. Where that thread is broken - for example, a well-written policy that no operational team follows, or a SOC generating alerts that no one triages - the control is judged ineffective regardless of its documented design.
Who must comply
The framework applies to entities registered with or licensed by IFSCA to operate in an IFSC. Applicability and audit intensity scale with the entity's systemic importance, client-facing footprint and data sensitivity. The table below summarises the principal categories.
| Regulated Entity category | Examples | Cyber resilience obligation |
|---|---|---|
| IFSC Banking Units (IBUs) | Foreign and Indian bank branches operating as IBUs | Full CSCRF; aligns to RBI IT Governance Master Direction; independent cyber audit and VAPT; incident reporting to IFSCA and CERT-In |
| Capital market intermediaries | Broker-dealers, clearing members, custodians, depository participants, investment advisers, portfolio managers on IFSC exchanges | CSCRF aligned to SEBI CSCRF; graded by criticality (MIIs vs qualified/mid/small-size REs); annual VAPT and cyber audit |
| Market Infrastructure Institutions (MIIs) | IFSC stock exchanges, clearing corporations, depositories | Highest tier; SOC/C-SOC, cyber capacity index, quarterly VAPT, red-teaming, continuous monitoring |
| Insurers and reinsurers | IFSC Insurance Offices (IIOs), reinsurers, brokers | CSCRF aligned to IRDAI information and cyber security guidelines; BCP-DR and outsourcing controls |
| Fund Management Entities (FMEs) | Registered/authorised/retail FMEs, AIFs administrators | CSCRF proportionate to scale; data protection and outsourcing focus |
| FinTech and IFSCA regulatory sandbox entities | Entities under the FinTech Incentive Scheme / sandbox | Proportionate cyber security baseline; secure SDLC, API and cloud controls |
| Ancillary and other REs | Aircraft/ship leasing, bullion, ITFS, credit rating, distributors | Baseline IT and cyber hygiene; outsourcing and BCP obligations |
- Systemically important REs and MIIs attract the most prescriptive controls (dedicated/managed SOC, red-teaming, cyber resilience testing).
- Smaller REs may follow a proportionality principle but must still meet the core Identify-Protect-Detect-Respond-Recover baseline and mandatory reporting.
- Group entities relying on head-office or parent infrastructure must still demonstrate IFSC-specific governance, data localisation/segregation and independent assurance.
A recurring theme across all categories is the treatment of inter-connectivity. IFSC entities rarely operate in isolation: broker-dealers connect to IFSC exchanges and clearing corporations; banking units interface with correspondent banks, SWIFT and domestic payment rails; and almost every RE depends on cloud service providers and parent-group infrastructure. Because a compromise can propagate across these links, IFSCA holds each RE responsible for the security of its own connectivity endpoints, APIs and shared services, and for ensuring that reliance on a parent or vendor does not dilute independent assurance. Auditors must therefore trace every trust relationship - human, machine and third-party - and confirm that controls hold at each boundary, not merely at the perimeter.
Structure of the IFSCA Cyber Resilience framework
The framework is organised around the five NIST CSF functions - Identify, Protect, Detect, Respond and Recover - with an over-arching Govern function and cross-cutting domains for third-party/outsourcing risk, data protection and regulatory reporting. This structure is deliberate: it lets an RE that already reports under RBI, SEBI or IRDAI regimes reuse the same control language and evidence, and it lets a single audit produce findings that map cleanly onto ISO/IEC 27001, the NIST CSF and CERT-In expectations. The table below maps the domains, their constituent control families and the anchor regulatory references an auditor should cite.
| Domain / NIST function | Representative control families | Anchor references |
|---|---|---|
| Governance (GV) | Board oversight, cyber security policy, CISO role, risk appetite, budget, third-party governance | IFSCA CSCRF; RBI IT Governance MD Ch. II; SEBI CSCRF Governance |
| Identify (ID) | Asset inventory, data classification, criticality/impact analysis, risk assessment, supply-chain mapping | NIST ID.AM/ID.RA; IFSCA CSCRF Identify |
| Protect (PR) | Access control, IAM/PAM, network segmentation, endpoint/data encryption, secure configuration, patch and vulnerability management, secure SDLC, awareness training | NIST PR.AC/PR.DS/PR.IP; CERT-In baseline; RBI MD Ch. IV |
| Detect (DE) | Security monitoring, SOC/SIEM, log management (ISO 8601/NTP time sync), anomaly detection, threat intelligence | NIST DE.CM/DE.AE; CERT-In Direction (logs 180 days); SEBI SOC/C-SOC |
| Respond (RS) | Incident response plan, cyber crisis management plan (CCMP), forensics, breach notification, communication | NIST RS.RP/RS.CO; CERT-In 6-hour reporting; IFSCA incident reporting |
| Recover (RC) | BCP/DR, RTO/RPO, backups (immutable/3-2-1), recovery testing, lessons learned | NIST RC.RP/RC.IM; RBI BCP; ISO 22301 principles |
| Third-party / Outsourcing | Due diligence, contracts, right-to-audit, cloud governance, concentration risk, exit strategy | IFSCA outsourcing directions; RBI outsourcing MD; SEBI cloud framework |
| Data protection & privacy | DPDP Act 2023 alignment, consent, data minimisation, cross-border transfer, retention | DPDP Act 2023; IFSCA data directions; sectoral privacy norms |
| Cyber resilience testing | VAPT, red-teaming, cyber drills, tabletop exercises, cyber capacity index | SEBI CSCRF resilience testing; CERT-In empanelled VAPT |
| Reporting & assurance | Incident reporting, periodic compliance certificate, cyber audit submission | IFSCA circulars; CERT-In Directions 2022; NCIIPC (if CII) |
Master assessment checklist
This is the operative section of the audit. It enumerates each domain and its control families with a h3 heading and a two-column table (What to verify / Typical evidence). No control area is omitted. Auditors should sample across the full review period; implementers should treat every 'What to verify' row as a build/remediation requirement.
How to use this checklist: for each row, the auditor should (a) confirm the control is defined and approved (design), (b) obtain and inspect the stated evidence, (c) sample instances across the review period to confirm consistent operation, and (d) record a conclusion - conformant, partially conformant with a finding, or non-conformant - with a severity rating. Sample sizes should be risk-based: a small population of critical assets may be tested in full, whereas high-volume events such as access changes or patch cycles warrant statistical sampling. Where a control is inherited from a parent or cloud provider, the RE must evidence the shared-responsibility split and its own monitoring of the provider's control. Implementers, conversely, should read each row as an acceptance criterion: the artefacts in the 'Typical evidence' column are precisely what a remediation project must produce and retain to withstand the next audit.
GV - Governance and board oversight
| What to verify | Typical evidence |
|---|---|
| Board-approved cyber security and cyber resilience policy exists and is reviewed at least annually | Signed policy, version history, board/committee minutes approving it |
| A designated CISO (or equivalent officer) with defined authority, reporting line and independence from IT operations | Appointment letter, org chart, job description, reporting to board/IT-Cyber committee |
| IT Strategy / Cyber Security committee constituted with defined charter and periodic meetings | Committee charter, attendance registers, minutes with cyber agenda items |
| Documented cyber risk appetite and cyber risk register maintained and reviewed | Risk appetite statement, risk register with owners, ratings, treatment |
| Cyber security budget and resourcing approved and tracked | Approved budget, spend vs plan, headcount plan |
| Roles, responsibilities and accountability (RACI) defined across cyber functions | RACI matrix, delegation of authority |
| Regulatory obligations tracked (IFSCA circulars, CERT-In, DPDP) with compliance calendar | Obligations register, compliance calendar, filing evidence |
ID - Asset, data and risk identification
| What to verify | Typical evidence |
|---|---|
| Complete inventory of hardware, software, cloud services and network assets with owners and criticality | CMDB/asset register, discovery scan output, owner tagging |
| Critical systems (Critical IT Assets / CIA) identified using documented impact criteria | Business impact analysis, critical-asset list, board sign-off |
| Data classification scheme applied (e.g., Public/Internal/Confidential/Restricted) with data inventory / RoPA | Classification policy, data inventory, Record of Processing Activities |
| Periodic cyber risk assessment covering threats, vulnerabilities and business impact | Risk assessment methodology, latest assessment report |
| Supply-chain and third-party dependencies mapped and risk-rated | Third-party inventory, criticality tiering, concentration analysis |
| End-of-life / unsupported technology identified with remediation plans | EOL register, upgrade/replacement roadmap |
PR.AC - Identity and access management
| What to verify | Typical evidence |
|---|---|
| Least-privilege and need-to-know enforced; role-based access control implemented | RBAC design, role definitions, access matrices |
| Multi-factor authentication for privileged, remote and internet-facing access | MFA configuration, coverage report, exception log |
| Privileged Access Management (PAM) with session recording and just-in-time access | PAM tool config, vaulted credentials, session logs |
| Joiner-Mover-Leaver process and periodic user access recertification (at least half-yearly) | JML workflow, recertification reports, revocation timestamps |
| Segregation of duties enforced for sensitive transactions and admin functions | SoD matrix, conflict analysis, compensating controls |
| Strong password/credential policy and disablement of default/vendor accounts | Password policy, hardening evidence, dormant-account report |
PR.DS - Data security and cryptography
| What to verify | Typical evidence |
|---|---|
| Encryption of data at rest for sensitive/critical data stores | Encryption inventory, key config, database/disk encryption evidence |
| Encryption of data in transit (TLS 1.2+/1.3) across public and internal sensitive channels | TLS scan results, certificate inventory, cipher configuration |
| Key management lifecycle (generation, rotation, storage, revocation) documented | KMS/HSM policy, rotation logs, custodianship records |
| Data Loss Prevention controls over email, endpoints and cloud | DLP policy, rule set, incident/alert reports |
| Secure data disposal and media sanitisation | Disposal policy, sanitisation certificates, e-waste records |
| Cross-border data transfer controls aligned to DPDP Act and IFSC data directions | Transfer impact assessments, contractual safeguards, localisation evidence |
PR.IP - Secure configuration, patch and vulnerability management
| What to verify | Typical evidence |
|---|---|
| Hardening baselines (CIS Benchmarks / vendor guides) defined and applied | Baseline standards, compliance scan results, deviation register |
| Timely patching with defined SLAs by severity; emergency patch process | Patch policy, patch cycle reports, CVSS-based SLA tracking |
| Vulnerability management programme with regular scanning and risk-based remediation | Scan schedule, VM reports, remediation tracker, ageing analysis |
| Change management with testing, approval and rollback | Change register, CAB minutes, emergency-change records |
| Secure SDLC / DevSecOps with code review, SAST/DAST and dependency scanning | SDLC policy, pipeline evidence, SAST/DAST/SCA reports |
| API security controls (authentication, rate limiting, schema validation) | API gateway config, threat model, test results |
PR.PT - Network and infrastructure protection
| What to verify | Typical evidence |
|---|---|
| Network segmentation isolating critical/production, DMZ and management zones | Network diagram, VLAN/firewall zoning, segmentation test |
| Perimeter and internal firewalls with reviewed rule bases (at least half-yearly) | Firewall rule review reports, rule cleanup evidence |
| Anti-DDoS and WAF for internet-facing services | WAF/DDoS config, mitigation reports, drill evidence |
| Endpoint protection (EDR/anti-malware) deployed and centrally managed | EDR console coverage, detection reports, update status |
| Secure remote access (VPN with MFA, zero-trust where applicable) | VPN/ZTNA config, access logs, split-tunnel policy |
| Email security (SPF, DKIM, DMARC, anti-phishing sandboxing) | DNS records, email gateway config, phishing-block reports |
PR.AT - Security awareness and training
| What to verify | Typical evidence |
|---|---|
| Annual security awareness training for all staff with completion tracking | Training content, LMS completion reports, attestation |
| Role-based training for developers, admins and privileged users | Curriculum, attendance, competency records |
| Simulated phishing campaigns with remediation for repeat clickers | Campaign reports, click/report rates, follow-up training |
| Board and senior-management cyber briefings | Briefing decks, minutes, tabletop participation |
DE - Security monitoring and detection
Detection capability is the difference between a contained incident and a headline breach. IFSCA and CERT-In expectations converge here on three non-negotiables: comprehensive log capture from critical systems, retention of logs for a rolling 180 days within Indian jurisdiction, and accurate time synchronisation so that events across systems can be correlated into a coherent timeline. For systemically important REs the audit tests whether the SOC is genuinely operational - staffed, alerting on tuned use-cases and demonstrably triaging - rather than a dormant tool licence. Detection coverage should be mapped against a recognised threat model such as MITRE ATT&CK so that gaps are visible and defensible.
| What to verify | Typical evidence |
|---|---|
| Centralised log collection from critical systems, security devices and cloud | SIEM onboarding list, log source coverage, retention config |
| Log retention of at least 180 days per CERT-In Direction; secure and tamper-evident | Retention policy, storage config, integrity controls |
| Time synchronisation to NTP (IST/NIC or NPL) across all logging systems | NTP config, time-source policy, drift monitoring |
| SOC / C-SOC (in-house or managed) with 24x7 monitoring for critical REs and MIIs | SOC SOP, staffing roster, MSSP contract, use-case catalogue |
| Correlation rules / detection use-cases mapped to threats (e.g., MITRE ATT&CK) | Use-case library, tuning records, coverage matrix |
| Threat intelligence ingestion and IOC operationalisation | TI feed config, IOC blocklists, advisories acted upon |
| Alert triage with defined severity and escalation timelines | Alert runbooks, SLA metrics, escalation logs |
RS - Incident response and reporting
Incident response is where cyber resilience is most visibly tested, and where regulatory exposure is highest. IFSC REs face concurrent reporting obligations: to CERT-In within six hours of noticing a reportable incident under the 28 April 2022 Direction, to IFSCA within its prescribed timelines, and - for personal-data breaches - under the DPDP Act to the Data Protection Board and affected data principals. The audit must confirm not only that plans exist but that reporting clocks, contacts and escalation paths are pre-wired so that the six-hour window is achievable in practice, including out of hours.
| What to verify | Typical evidence |
|---|---|
| Board-approved Incident Response Plan and Cyber Crisis Management Plan (CCMP) | IRP/CCMP documents, approval records, version control |
| Incident classification and severity model with defined RACI | Severity matrix, escalation tree, contact directory |
| Cyber incidents reported to CERT-In within 6 hours of noticing (per 28 Apr 2022 Direction) | Reporting SOP, sample CERT-In submissions, timestamps |
| Incident reporting to IFSCA within prescribed timelines | IFSCA report copies, acknowledgements, follow-up filings |
| Forensic readiness and evidence preservation procedures | Forensics playbook, chain-of-custody templates, tooling |
| Post-incident review with root-cause analysis and corrective actions | RCA reports, action tracker, lessons-learned register |
| Stakeholder and regulator communication plan (customers, media, partners) | Comms plan, holding statements, notification templates |
RC - Business continuity, disaster recovery and backup
| What to verify | Typical evidence |
|---|---|
| Board-approved BCP/DR aligned to defined RTO and RPO for critical services | BCP/DR plan, RTO/RPO register, board approval |
| Alternate/DR site with adequate geographic separation and capacity | DR architecture, site contracts, capacity assessment |
| Backup strategy (e.g., 3-2-1), immutable/air-gapped copies, encryption | Backup policy, job logs, immutability config |
| Periodic backup restoration testing with documented results | Restore test reports, success/failure logs |
| Annual (or more frequent for critical REs) DR/BCP drills including cyber scenarios | Drill plans, execution reports, RTO/RPO achieved vs target |
| Ransomware recovery playbook and isolated recovery environment | Playbook, IRE design, tabletop evidence |
Third-party and outsourcing risk
| What to verify | Typical evidence |
|---|---|
| Due diligence and security assessment before onboarding vendors/cloud providers | Due-diligence questionnaires, assessment reports, approvals |
| Contracts include security, confidentiality, right-to-audit, breach notification, exit and data-return clauses | Executed contracts, SLA schedules, security addenda |
| Cloud governance: shared-responsibility model documented, CSP certifications reviewed | Cloud policy, CSP SOC 2/ISO reports, config baselines |
| Concentration risk and material outsourcing register maintained; IFSCA notification where required | Outsourcing register, materiality assessment, IFSCA notifications |
| Continuous monitoring of critical vendors and periodic reassessment | Reassessment schedule, performance reviews, security scorecards |
| Documented exit / substitutability strategy for critical service providers | Exit plan, data-portability provisions, alternate-provider analysis |
Data protection and privacy (DPDP alignment)
| What to verify | Typical evidence |
|---|---|
| Lawful basis and consent management for personal data processing (DPDP Act 2023) | Consent notices, consent artefacts, purpose mapping |
| Data Protection Officer / grievance officer designated where required | Appointment records, published contact, grievance logs |
| Data minimisation, retention and purge schedules enforced | Retention schedule, deletion logs, minimisation controls |
| Data principal rights process (access, correction, erasure, grievance) | Rights-request workflow, SLA tracking, sample fulfilments |
| Personal data breach handling aligned to DPDP and sectoral norms | Breach playbook, notification templates, register |
| Privacy-by-design in new systems (DPIA for high-risk processing) | DPIA templates, completed DPIAs, sign-offs |
Cyber resilience testing (VAPT, red-team, drills)
| What to verify | Typical evidence |
|---|---|
| VAPT of internet-facing and critical internal systems at prescribed frequency by CERT-In empanelled auditor | VAPT scope, reports, empanelment proof, closure evidence |
| Application security testing before major releases and after significant changes | Pre-release test reports, change linkage |
| Red-team / adversary-simulation exercises for MIIs and systemically important REs | Red-team ROE, findings report, purple-team follow-up |
| Cyber tabletop exercises and crisis simulations with senior management | Exercise scenarios, participation, after-action reports |
| Remediation of findings within risk-based SLAs and retesting to closure | Remediation tracker, retest evidence, exception approvals |
| Cyber capacity index / resilience scoring where mandated for the RE category | Scoring methodology, computed index, submission |
Regulatory reporting and assurance
The reporting and assurance domain closes the loop between operational controls and the regulator. IFSCA relies on periodic attestations, cyber audit reports and incident filings to supervise the ecosystem, so accuracy and timeliness here are non-negotiable. The audit should confirm that submissions are complete, board-reviewed, filed on schedule and reconciled against the underlying evidence - a compliance certificate that overstates the control environment is a serious governance failure. Where the RE's systems qualify as Critical Information Infrastructure, coordination with NCIIPC is an additional obligation the assessor must confirm.
| What to verify | Typical evidence |
|---|---|
| Periodic compliance certificate/self-attestation submitted to IFSCA on schedule | Signed certificates, submission acknowledgements |
| Independent cyber audit conducted and report submitted with management responses | Audit report, board review, action plan |
| Material cyber incidents and near-misses reported to IFSCA and CERT-In | Incident filings, timelines, closure updates |
| Findings tracked to closure with board visibility | Findings register, dashboards, board minutes |
| Alignment/notification to NCIIPC where systems qualify as Critical Information Infrastructure | CII determination, NCIIPC correspondence |
Scoping the assessment
Accurate scoping determines audit validity. The scope must reflect the RE's IFSC-licensed activities and every system that stores, processes or transmits critical or customer data, including those hosted by the parent group or third parties.
- Define the legal entity and IFSC registration(s) in scope and the regulatory category driving control intensity.
- Enumerate critical business services and their supporting applications, infrastructure, cloud tenants and data flows.
- Include internet-facing assets, remote-access paths, APIs and integrations with exchanges/depositories/payment rails.
- Cover outsourced and group-shared infrastructure, clarifying the shared-responsibility boundary and right-to-audit reach.
- State the review period (typically 12 months for operating-effectiveness testing) and any carve-outs with justification.
- Identify data-protection scope: personal data categories, cross-border flows and DPDP applicability.
- Confirm testing scope: which systems undergo VAPT, red-teaming and DR/BCP drills.
Data-flow mapping deserves particular attention during scoping. The auditor should trace how customer, transaction and personal data enters, moves through and leaves the RE's environment, including flows to the parent group, exchanges, clearing corporations, payment networks and cloud services. Each flow reveals a control boundary that must be tested - encryption in transit, authentication of the interface, logging of the exchange and retention of the data at rest. Data-flow diagrams also underpin the DPDP assessment, since cross-border transfers and processing by parent entities located outside India trigger specific safeguard obligations. An RE that cannot produce accurate, current data-flow diagrams almost always has blind spots in its control coverage, and this alone frequently warrants a finding.
Finally, scoping must fix the assurance model. IFSCA accepts different levels of independent assurance depending on category: a board-attested self-assessment for smaller REs, an independent audit by a CERT-In empanelled organisation for most REs, and the most intensive combination of continuous monitoring, red-teaming and third-party audit for MIIs and banking units. The engagement letter should record which model applies, who signs the attestation, and the reporting timeline to IFSCA, so that the deliverables produced actually satisfy the regulatory obligation rather than merely informing management.
Implementation approach
A phased programme lets an RE reach conformance methodically without stalling the business. The sequencing below front-loads discovery and governance (which unblock every downstream control), overlaps technical remediation with policy work, and reserves resilience testing and independent assurance for the end when controls are stable enough to test meaningfully. Timelines are indicative for a mid-size RE; MIIs and banking units typically run longer, phased over two to three quarters with parallel workstreams, while small FMEs may compress to eight to twelve weeks. The phases deliberately overlap - for example, technical remediation begins before every policy is finalised - so that momentum is maintained and quick wins (MFA, EDR, patch SLAs) reduce risk early.
Phase 1 - Discovery and gap assessment (weeks 1-4)
- Activities: build asset and data inventory; classify data; map critical services and third parties; run a control-gap assessment against the CSCRF and NIST functions; baseline current maturity.
- Deliverables: asset/data inventory, criticality register, gap-assessment report, prioritised risk-ranked findings, indicative maturity rating.
Phase 2 - Governance and policy foundation (weeks 3-8)
- Activities: draft/refresh board-approved cyber policy, CCMP, IRP, outsourcing and data-protection policies; appoint/confirm CISO and DPO; constitute IT/cyber committee; define risk appetite and RACI.
- Deliverables: approved policy suite, committee charter, risk register, obligations and compliance calendar.
Phase 3 - Technical remediation (weeks 6-16)
- Activities: deploy/tune MFA, PAM, EDR, DLP; harden configurations; implement segmentation; stand up SIEM/SOC and 180-day logging with NTP sync; establish patch and vulnerability SLAs; embed secure SDLC.
- Deliverables: hardened baselines, IAM/PAM rollout, SOC use-case catalogue, VM programme, backup/immutability configuration.
Phase 4 - Resilience and testing (weeks 14-20)
- Activities: conduct VAPT via CERT-In empanelled auditor; run DR/BCP and ransomware-recovery drills; perform cyber tabletop; red-team for systemically important REs; remediate and retest.
- Deliverables: VAPT report and closure, drill after-action reports, RTO/RPO evidence, remediation tracker.
Phase 5 - Assurance, reporting and continual improvement (weeks 18-24)
- Activities: independent cyber audit; compile regulatory submission pack; board review; establish KPIs, dashboards and a continual-improvement cadence.
- Deliverables: cyber audit report, IFSCA compliance certificate/submission, KPI dashboard, continual-improvement plan.
Maturity and capability model
CyberSigma rates each domain on a five-level capability scale (aligned to NIST CSF Tiers and CMMI concepts). The rating drives the remediation roadmap and evidences trajectory to IFSCA over successive audits. Maturity is assessed per domain rather than as a single blended score, because an RE can be optimised in access control yet initial in third-party risk; a per-domain radar exposes exactly where investment is needed. IFSCA does not expect every RE to reach Level 5 - the appropriate target depends on category and risk appetite - but it does expect a realistic target state, a credible plan to reach it, and demonstrable progress between audit cycles. A declining or static maturity trend, especially in the Detect and Recover functions, is itself an audit red flag.
| Level | Name | Characteristics | Audit indication |
|---|---|---|---|
| 1 | Initial / Partial | Ad hoc controls, undocumented, reactive; no board oversight | Significant deficiencies; not conformant |
| 2 | Developing | Some policies exist but inconsistently applied; limited monitoring | Material gaps; conditional at best |
| 3 | Defined | Documented, board-approved policies; controls consistently applied; basic SOC and VAPT | Baseline conformance for most REs |
| 4 | Managed | Metrics-driven; risk-informed decisions; tested BCP/DR; threat-intel led detection | Strong conformance; suitable for critical REs |
| 5 | Optimised / Adaptive | Continuous improvement, red-teaming, automation, resilience-by-design | Leading practice; expected of MIIs |
Assessment and audit approach
The audit follows a structured, repeatable methodology that separates design-effectiveness testing (is the control properly defined and approved) from operating-effectiveness testing (did it work consistently across the review period). Evidence is gathered through four complementary techniques - inspection of documents and configurations, observation of processes in action, enquiry through interviews, and re-performance or independent testing such as VAPT. The auditor triangulates across these techniques so that no conclusion rests on a single, potentially self-serving, source. The ten steps below describe the end-to-end flow.
- Initiation and scoping: confirm entity, IFSC registrations, RE category, critical services, review period and testing scope; agree the engagement plan and RACI.
- Documentation review: examine policies, standards, procedures, registers, prior audit and VAPT reports, and regulatory correspondence for design adequacy.
- Control walkthroughs and interviews: with CISO, IT, SOC, DPO, business and vendor-management teams to understand as-implemented processes.
- Technical validation: configuration reviews, sampling of access, logs, patch and change records; independent VAPT of in-scope systems by a CERT-In empanelled tester.
- Operating-effectiveness testing: sample transactions/events across the review period to confirm controls operated consistently (e.g., access recertifications, incident handling, backup restores).
- Resilience testing review: evaluate DR/BCP drills, tabletop outcomes and RTO/RPO attainment against targets.
- Findings and risk rating: consolidate observations, assign severity and likelihood, and map to domains and NIST functions.
- Maturity scoring: rate each domain on the five-level scale and compute an overall posture.
- Reporting: issue the draft report with management responses, agree remediation owners and timelines, then finalise.
- Regulatory submission and follow-up: assist with IFSCA/CERT-In submissions and track remediation to closure with retesting.
Evidence request list
The following categorised evidence pack accelerates the audit and should be assembled during Phase 1.
- Governance: board-approved cyber policy, committee charter and minutes, CISO/DPO appointments, risk appetite, RACI, obligations register, compliance calendar.
- Asset and risk: CMDB/asset inventory, data classification and inventory/RoPA, critical-asset list, business impact analysis, cyber risk assessment reports.
- Access and identity: RBAC/role matrices, MFA and PAM configurations, JML records, access recertification reports, SoD matrix, dormant-account reports.
- Data security: encryption inventory and key-management policy, TLS scan results, DLP rules and reports, media-disposal certificates, cross-border transfer assessments.
- Configuration and vulnerability: hardening baselines and scan results, patch policy and cycle reports, VM scan reports and remediation trackers, change-management records.
- Network and endpoint: network diagrams, firewall rule-review reports, WAF/DDoS config, EDR coverage, VPN/ZTNA config, email-security (SPF/DKIM/DMARC) evidence.
- Detection and monitoring: SIEM source coverage, log-retention (180-day) and NTP config, SOC SOP/roster or MSSP contract, use-case catalogue, threat-intel evidence.
- Incident and reporting: IRP/CCMP, severity matrix, CERT-In and IFSCA incident filings with timestamps, RCA reports, lessons-learned register.
- Resilience: BCP/DR plans, RTO/RPO register, backup policy and restore-test logs, DR/ransomware drill after-action reports.
- Third party: outsourcing register, due-diligence assessments, executed contracts with security/right-to-audit clauses, CSP certifications, exit plans.
- Privacy: DPDP consent artefacts, DPIAs, retention/purge schedules, data-principal rights logs, breach register.
- Assurance: prior cyber audit and VAPT reports, remediation trackers, IFSCA compliance certificates and acknowledgements.
Roles and responsibilities
| Role | Key cyber resilience responsibilities |
|---|---|
| Board of Directors | Approve cyber policy, risk appetite and CCMP; oversee posture; ensure resourcing and accountability |
| IT / Cyber Security Committee | Review risks, incidents, audit findings and remediation; guide strategy and investment |
| Chief Information Security Officer (CISO) | Own the cyber programme, controls, SOC, VAPT, incident response and regulatory reporting |
| Chief Information Officer / IT Head | Deliver secure infrastructure, patching, change and configuration management |
| Data Protection Officer / Grievance Officer | DPDP compliance, DPIAs, data-principal rights, privacy breach handling |
| SOC / Security Operations | 24x7 monitoring, alert triage, threat intelligence, detection engineering |
| Business / Product Owners | Define criticality, RTO/RPO; participate in BCP/DR and tabletop exercises |
| Third-party / Vendor Management | Due diligence, contracts, ongoing vendor and cloud risk oversight |
| Internal Audit | Independent assurance over control effectiveness and remediation |
| All employees | Complete training, follow policy, report suspicious activity promptly |
KPIs to track
- Percentage of critical assets inventoried and classified.
- MFA and PAM coverage across privileged and remote access.
- Mean time to patch critical/high vulnerabilities against SLA; open vulnerability ageing.
- VAPT findings closed within SLA; retest closure rate.
- Mean time to detect (MTTD) and mean time to respond (MTTR) for incidents.
- Percentage of incidents reported to CERT-In within 6 hours and to IFSCA within prescribed timelines.
- Backup restoration test success rate; RTO/RPO achieved vs target in drills.
- Security awareness completion rate and phishing-simulation click/report rates.
- Percentage of critical vendors assessed and contracts with right-to-audit/breach clauses.
- Data-principal rights requests fulfilled within SLA.
- Overall and per-domain maturity trend across successive audits.
Readiness checklist
- Board-approved cyber security and cyber resilience policy is current and version-controlled.
- CISO and (where required) DPO are appointed with defined authority and reporting lines.
- Complete asset and data inventory with criticality and classification is maintained.
- MFA, PAM and least-privilege access controls are enforced and recertified.
- Hardening baselines, patch SLAs and a vulnerability-management programme are operational.
- SIEM/SOC with 180-day log retention and NTP time-sync is in place.
- IRP and CCMP are approved, tested and mapped to 6-hour CERT-In and IFSCA reporting.
- BCP/DR with defined RTO/RPO is documented and drills (including cyber/ransomware) are performed.
- Backups follow 3-2-1 with immutable copies and tested restoration.
- VAPT by a CERT-In empanelled auditor is completed and findings closed.
- Third-party/outsourcing register, contracts and cloud governance meet IFSCA requirements.
- DPDP alignment (consent, DPIAs, rights, retention) is implemented.
- Regulatory submissions (compliance certificate, cyber audit report) are prepared and on schedule.
Common gaps observed
Across IFSC engagements the same deficiencies recur, often because entities relocate mature onshore processes into the IFSC without re-establishing independent governance, or because a rapidly scaled FinTech has prioritised product velocity over controls. The list below flags the highest-frequency, highest-impact gaps; each maps directly to a checklist row above and should be treated as a priority remediation candidate.
- Cyber policy exists but is not board-approved or not reviewed within the last 12 months.
- CISO role lacks independence from IT operations or has no direct board reporting line.
- Asset and data inventories are incomplete, so criticality and classification are unreliable.
- MFA not extended to all privileged/remote access; PAM absent or without session recording.
- Log retention below 180 days, no NTP synchronisation, or SOC use-cases untuned and noisy.
- Incident-response plan not tested; teams unaware of the 6-hour CERT-In reporting obligation.
- Backups not immutable/air-gapped and restoration never tested; ransomware recovery unplanned.
- DR/BCP drills either not conducted or not covering cyber scenarios; RTO/RPO unmeasured.
- Outsourcing contracts lack right-to-audit, breach-notification and exit clauses; parent-hosted systems excluded from scope.
- DPDP obligations (consent records, DPIAs, data-principal rights) not operationalised.
- VAPT performed by a non-empanelled provider or findings left open without retesting.
- No tracking of IFSCA-specific reporting timelines and compliance-certificate submissions.
IFSCA Cyber Resilience mapped to other frameworks
The IFSCA CSCRF is designed to interoperate with domestic and international standards, letting an RE reuse evidence across audits and avoid duplicative control programmes. An entity already certified to ISO/IEC 27001 or complying with the RBI IT Governance Master Direction, the SEBI CSCRF or IRDAI cyber guidelines can cross-walk the bulk of its existing evidence into the IFSCA assessment, closing only the IFSC-specific delta (independent assurance over parent-hosted systems, IFSCA reporting timelines, DPDP alignment and cyber-resilience testing intensity). The mapping below is indicative and should be tailored to the entity's category; where a cell shows a dash, the obligation is either not directly addressed by that standard or is covered generically under its management-system clauses.
| IFSCA domain | NIST CSF | ISO/IEC 27001:2022 (Annex A) | RBI IT Governance MD / SEBI CSCRF | CERT-In / DPDP |
|---|---|---|---|---|
| Governance | Govern (GV) | A.5 Organisational controls | RBI MD Ch. II; SEBI Governance | - |
| Identify | Identify (ID) | A.5.9 Inventory; A.5.12 Classification | RBI MD Ch. III; SEBI Identify | - |
| Protect - Access | Protect (PR.AA) | A.5.15-A.5.18; A.8.2-A.8.5 | RBI MD Ch. IV; SEBI Protect | - |
| Protect - Data | Protect (PR.DS) | A.8.10-A.8.12; A.8.24 Cryptography | RBI MD; SEBI Data Protection | DPDP data-security safeguards |
| Detect | Detect (DE) | A.8.15 Logging; A.8.16 Monitoring | RBI MD monitoring; SEBI SOC/C-SOC | CERT-In logs 180 days; NTP sync |
| Respond | Respond (RS) | A.5.24-A.5.28 Incident management | RBI MD IR; SEBI Incident/CCMP | CERT-In 6-hour reporting; DPDP breach |
| Recover | Recover (RC) | A.5.29-A.5.30; A.8.13 Backup | RBI BCP; SEBI Recover | - |
| Third-party | Govern/Identify (GV.SC) | A.5.19-A.5.23 Supplier | RBI/SEBI outsourcing & cloud | - |
| Privacy | Protect (PR) | ISO/IEC 27701 PIMS | Sectoral privacy norms | DPDP Act 2023 |
| Resilience testing | Identify/Protect | A.8.8 Vulnerabilities; A.8.29 Testing | SEBI VAPT/red-team | CERT-In empanelled VAPT |
How CyberSigma helps
Frequently asked questions
Need help with IFSCA Cyber Resilience?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
