Introduction to the RBI IT Framework for NBFCs
The Reserve Bank of India (RBI) IT Framework for Non-Banking Financial Companies (NBFCs) is a supervisory baseline that codifies the minimum information technology, information security, cyber security, business continuity and IT governance expectations for the NBFC sector in India. It was first articulated through the RBI Master Direction on Information Technology Framework for the NBFC Sector (DNBS.PPD.No.04/66.15.001/2016-17, dated 8 June 2017), and its expectations have subsequently been strengthened, harmonised and extended by the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (Direction DoS.CO.CSITEG/SEC.7/31.01.015/2023-24, dated 7 November 2023, commonly referred to as the IT Governance Master Direction or 'ITGRCA'), which came into effect on 1 April 2024 and consolidated IT governance requirements across banks, NBFCs and other Regulated Entities.
For an NBFC, adherence is not an optional gloss on top of the business model; it is a licence-preserving expectation. The RBI examines IT and cyber resilience during its statutory inspection, expects the Board and Senior Management to own IT risk, and requires periodic assurance (Information Systems Audit) evidence to be produced on demand. This guide provides an auditor-grade, control-by-control walkthrough of what an NBFC must implement, how a CERT-In empanelled assessor or Information Systems (IS) auditor evaluates each area, and the exact evidence that satisfies a supervisory reviewer.
Copyright and source note
The RBI IT Framework for NBFCs and the associated Master Directions are published by the Reserve Bank of India and remain the copyright of the RBI. This guide is an original, independent interpretation written for educational and readiness purposes. It paraphrases requirements and does not reproduce the RBI's copyrighted text. Always refer to the current, authoritative RBI Master Directions on the RBI website (rbi.org.in) and any subsequent circulars, as the regulator periodically amends applicability thresholds and control expectations.
What is the NBFC IT Framework
The NBFC IT Framework is a principles-plus-controls regime. Rather than prescribing a single checklist of technical settings, it establishes governance obligations (who is accountable), risk-management obligations (how IT and cyber risk is identified and treated), and a set of concrete control domains that the RBI expects to see operating with evidence. The 2017 Master Direction organised these expectations into IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning, and IT Services Outsourcing. The 2023 IT Governance Master Direction refactored and elevated the same subject matter into four principal chapters: IT Governance; IT Infrastructure & Services Management; IT & Information Security Risk Management; and Business Continuity & Disaster Recovery Management, with a distinct chapter on Information Systems (IS) Audit.
A defining characteristic is proportionality. The framework recognises that a small, asset-light NBFC does not carry the same systemic risk as a large, deposit-taking or systemically important company. Historically the 2017 Direction distinguished NBFCs with asset size of Rs 500 crore and above (which had to meet the full framework) from smaller NBFCs (which followed a simplified, best-effort set). Since October 2022 the RBI's Scale Based Regulation (SBR) framework classifies NBFCs into Base Layer (NBFC-BL), Middle Layer (NBFC-ML), Upper Layer (NBFC-UL) and Top Layer (NBFC-TL), and IT/cyber expectations are calibrated to these layers, with obligations growing heavier at each higher layer.
- It is issued as a Master Direction (delegated legislation) under the powers of the RBI, making it binding on covered NBFCs, not merely advisory guidance.
- It is outcome-oriented: the RBI expects demonstrable control effectiveness, board oversight and independent assurance rather than mere policy existence.
- It is layered by Scale Based Regulation: obligations scale with the NBFC's size, complexity and systemic importance.
- It integrates with adjacent RBI directions on cyber security, digital lending, outsourcing of IT services, and storage of payment/system data within India.
Who must comply with the NBFC IT Framework
Applicability is defined by entity type and by the NBFC's regulatory layer under Scale Based Regulation. The IT Governance Master Direction (2023) applies to a broad set of Regulated Entities, and within the NBFC universe the practical rule is that Middle Layer and Upper Layer NBFCs must meet the full IT governance, risk, control and assurance requirements, while Base Layer NBFCs meet a proportionate subset. Certain entities (for example Core Investment Companies below thresholds, and specifically exempted categories) may have tailored applicability; the definitive position is stated in the applicability clause of the relevant Master Direction.
| NBFC category / layer | IT Framework applicability |
|---|---|
| NBFC - Upper Layer (NBFC-UL) | Full framework: comprehensive IT governance, IT & information security risk management, BCP/DR, and independent IS audit. Highest supervisory expectation, including board-level IT Strategy and IT Risk oversight. |
| NBFC - Middle Layer (NBFC-ML) | Full framework applies; expected to implement all control domains with board oversight, dedicated CISO/IT function and periodic IS audit. |
| NBFC - Base Layer (NBFC-BL) | Proportionate application; core hygiene controls, basic IT policy, access control, BCP and cyber-security baseline expected, calibrated to size and complexity. |
| Deposit-taking NBFCs (NBFC-D) | Full framework irrespective of size due to public-deposit risk; stringent BCP and IS audit expectations. |
| NBFC-HFC (Housing Finance Companies) | Regulated by RBI post-2019; IT framework and cyber-security expectations apply per applicable layer. |
| NBFC-Account Aggregators, NBFC-P2P, NBFC-Factors | Subject to the framework plus sector-specific technical and data-security conditions in their respective directions. |
| Digital lending NBFCs and their LSPs | IT framework plus the RBI Digital Lending Guidelines governing data, app security and outsourcing. |
- The Board of Directors and Senior Management carry ultimate accountability; compliance cannot be wholly delegated to a vendor.
- Group entities and outsourced service providers are brought in scope indirectly through the outsourcing and third-party risk provisions.
- Foreign-owned NBFCs operating in India are equally bound; there is no exemption on grounds of a global group policy.
Structure of the NBFC IT Framework
The following table maps the principal control domains as consolidated under the 2023 IT Governance Master Direction (which now governs NBFC obligations), cross-referenced to the seven areas of the original 2017 IT Framework. An assessor should treat these domains as the top-level scope of any readiness or IS-audit engagement.
| Domain / chapter | Scope and core control families |
|---|---|
| 1. IT Governance | Board and Board-level IT Strategy Committee; IT Governance framework; roles of MD/CEO, Head of IT, CISO; IT strategy aligned to business; IT policy and standards; enterprise IT risk appetite; management of IT projects and resources. |
| 2. IT Infrastructure & Services Management | IT service management (change, incident, problem, patch, capacity management); IT and network architecture; cryptographic and key management; data centre and infrastructure controls; API and integration security; project and change governance. |
| 3. IT & Information Security Risk Management | Information security policy; CISO office; identity and access management; vulnerability and patch management; secure configuration; application/software security (SDLC); network security; data security and DLP; cyber-security operations (SOC/CSOC); security testing (VAPT); cyber incident response and reporting; cyber-crisis management; security awareness. |
| 4. Business Continuity & Disaster Recovery Management | BCP/DR policy; Business Impact Analysis; Recovery Time and Recovery Point Objectives; DR site and periodic drills; resilience of critical systems; crisis communication. |
| 5. Information Systems (IS) Audit | Independent IS audit charter; risk-based IS audit plan; audit universe covering all IT domains; competency of auditors; reporting to Audit Committee of the Board; tracking of remediation. |
| Cross-cutting: Outsourcing of IT Services | Governance of IT and IT-enabled service outsourcing; due diligence; contractual controls; right to audit; concentration and exit strategy; cloud and managed-service risk (aligned to the 2023 Outsourcing of IT Services Master Direction). |
| Cross-cutting: Digital Channels & Data Localisation | Security of mobile/internet channels, digital lending apps; storage of payment and system data within India; customer data protection consistent with the DPDP Act. |
Master assessment checklist
This is the core of the guide. Each control group below is presented with an h3 heading and a table stating precisely what an assessor must verify and the evidence that a well-run NBFC should be able to produce. No control area is skipped. During an IS audit or CERT-In-style assessment, each row becomes a test of design and a test of operating effectiveness.
IT Governance and Board Oversight
| What to verify | Typical evidence |
|---|---|
| An IT governance framework is Board-approved and reviewed at least annually | Board-approved IT governance policy with version history and Board minute references |
| An IT Strategy Committee (ITSC) of the Board exists with the required composition (chaired by an independent director with IT domain competence) and meets at least quarterly | ITSC charter, member profiles, quarterly meeting minutes and attendance registers |
| An IT Steering Committee at executive level operates and reports upward | IT Steering Committee terms of reference and minutes |
| Clear roles for MD/CEO, Head of IT, and CISO are defined with segregation of duties | Organisation chart, role mandates, appointment letters, RACI matrix |
| IT strategy is aligned to business strategy and risk appetite | Approved IT strategy document, IT budget, alignment mapping to business plan |
| IT-related risks are integrated into enterprise risk management with a defined risk appetite | Risk appetite statement, IT risk register presented to the Board/RMC |
| MIS on IT performance and risk is presented to the Board periodically | Board/ITSC dashboards, KRI/KPI reports |
IT Policy, Standards and Documentation
| What to verify | Typical evidence |
|---|---|
| A hierarchy of IT and information security policies, standards and procedures exists and is Board/senior-management approved | Policy suite index, approval records, review dates |
| Policies are reviewed at defined intervals and after major changes | Version-controlled documents with change logs and review calendar |
| Policies are communicated to and acknowledged by staff | Acknowledgement records, intranet publication evidence |
| Exceptions to policy are formally approved and time-bound | Exception register with approvals and expiry dates |
Identity and Access Management
| What to verify | Typical evidence |
|---|---|
| Access is granted on least-privilege and need-to-know with formal approval | Access request/approval workflow records, role-based access matrix |
| Joiner-mover-leaver process revokes access promptly on exit or role change | JML tickets, HR-IT reconciliation, timely deprovisioning logs |
| Privileged access is controlled via a PAM solution with session logging | PAM configuration, privileged session recordings, break-glass procedure |
| Multi-factor authentication is enforced for remote, privileged and critical application access | MFA policy, authentication logs, coverage report |
| Periodic user access reviews (recertification) are performed for critical systems | Signed access recertification reports at least half-yearly |
| Default, shared and dormant accounts are disabled or controlled | Account inventory, dormant-account disabling evidence |
Information and Cyber Security (CISO Office)
| What to verify | Typical evidence |
|---|---|
| A CISO is appointed with sufficient seniority, independence from IT operations, and a direct reporting line | CISO appointment letter, reporting structure, role charter |
| A Board-approved information/cyber-security policy and a cyber-security framework exist | Approved policies, cyber-security framework document |
| Assets are classified and information is handled per its classification | Asset inventory, data classification policy, labelling evidence |
| A threat and vulnerability management programme operates continuously | VM tool reports, remediation SLA tracking |
| Security controls are calibrated to the RBI cyber-security baseline and to the NBFC's risk profile | Control mapping to RBI baseline, gap and treatment plan |
Secure Configuration and Patch Management
| What to verify | Typical evidence |
|---|---|
| Hardening baselines (e.g. CIS-aligned) exist for OS, databases, network devices and applications | Documented baselines, configuration-compliance scan results |
| Patches are risk-rated and applied within defined SLAs, with critical patches expedited | Patch policy, patch deployment reports, exception approvals |
| Unsupported/end-of-life software is inventoried and remediated or compensated | EOL register, mitigation plans |
| Configuration changes follow change management and are baselined | Change tickets, configuration management database extracts |
Network and Perimeter Security
| What to verify | Typical evidence |
|---|---|
| Network is segmented (DMZ, internal, management, PCI/sensitive zones) with documented architecture | Network diagrams, firewall zone policy, segmentation rules |
| Firewall and IPS/IDS rule bases are reviewed periodically and least-permissive | Firewall rule-review reports, IPS signatures/update logs |
| Secure remote access (VPN with MFA) and no unauthorised direct exposure of internal systems | VPN config, external attack-surface scan, exposed-service review |
| DDoS protection and anti-malware/EDR are deployed on endpoints and servers | EDR coverage report, DDoS service evidence, malware detection logs |
Application and Software Development Security (SDLC)
| What to verify | Typical evidence |
|---|---|
| A secure SDLC integrates security requirements, threat modelling and secure-coding standards | SDLC policy, secure-coding guidelines, threat-model artefacts |
| Application security testing (SAST/DAST) and code review occur before release | SAST/DAST reports, code-review records, release gate approvals |
| Segregation between development, test and production environments with controlled promotion | Environment access matrix, deployment approval records |
| No production data is used in test without masking; data minimisation applies | Data-masking procedure, test-data governance evidence |
| APIs are authenticated, rate-limited, logged and security-tested | API gateway config, API VAPT results |
Data Security, Encryption and DLP
| What to verify | Typical evidence |
|---|---|
| Data at rest and in transit is encrypted using strong, approved algorithms | Encryption standard, TLS configuration, database/disk encryption evidence |
| Cryptographic key management (generation, storage, rotation, destruction) is controlled, ideally via HSM | Key-management policy, HSM records, key-rotation logs |
| Data Loss Prevention controls monitor sensitive data egress channels | DLP policy, DLP incident reports |
| Customer, payment and 'system' data are stored within India per RBI localisation requirements | Data-residency attestation, hosting location evidence, storage architecture |
| Data retention and secure disposal follow policy and legal requirements | Retention schedule, media-sanitisation certificates |
IT Operations and Service Management
| What to verify | Typical evidence |
|---|---|
| Change management is formal, with risk assessment, approval, testing and rollback | Change tickets, CAB minutes, rollback plans |
| Incident and problem management with defined SLAs and root-cause analysis | Incident tickets, RCA reports, SLA performance |
| Capacity and performance are monitored to avoid resource exhaustion | Capacity plans, utilisation dashboards |
| Job scheduling, batch processing and reconciliation controls operate reliably | Batch schedules, reconciliation reports, failure-handling logs |
| Data centre physical and environmental controls (access, fire, power, cooling) are in place | DC access logs, environmental monitoring, UPS/genset test records |
Logging, Monitoring and Security Operations (SOC/CSOC)
| What to verify | Typical evidence |
|---|---|
| Centralised log collection (SIEM) covers critical systems with defined retention | SIEM architecture, log-source inventory, retention configuration |
| A Security Operations Centre / Cyber Security Operations Centre provides continuous monitoring and use-case-based detection | SOC/CSOC runbook, correlation use-cases, monitoring roster |
| Time synchronisation (NTP) and log integrity protection are enforced | NTP config, log tamper-protection evidence |
| Alerts are triaged and escalated within defined timelines | Alert triage records, escalation matrix |
Vulnerability Assessment and Penetration Testing (VAPT)
| What to verify | Typical evidence |
|---|---|
| Periodic VAPT is performed on internet-facing and critical internal assets, and after major changes | VAPT scope, reports and executive summaries |
| Findings are risk-rated and remediated within SLA; retesting confirms closure | Remediation tracker, retest/closure evidence |
| Independent/third-party (CERT-In empanelled) testing is used where required | Empanelment credentials, engagement letters |
| Red-team or scenario-based testing is considered for higher-layer NBFCs | Red-team reports (where applicable) |
Cyber Incident Response and Reporting
| What to verify | Typical evidence |
|---|---|
| A cyber-incident response plan defines roles, severity, containment and recovery | Approved CIRP, playbooks, contact tree |
| Significant cyber incidents are reported to the RBI within the prescribed timeline | Incident-report copies, RBI acknowledgement, reporting log |
| Incidents are reported to CERT-In within the mandated 6-hour window | CERT-In reporting records |
| Post-incident reviews capture lessons learned and drive control improvements | PIR reports, corrective-action tracking |
| Tabletop/simulation exercises test the response capability periodically | Exercise reports and participation records |
Business Continuity and Disaster Recovery (BCP/DR)
| What to verify | Typical evidence |
|---|---|
| A Board-approved BCP/DR policy with a Business Impact Analysis exists | Approved BCP/DR policy, BIA document |
| RTO and RPO are defined for critical systems and are technically achievable | RTO/RPO register, DR architecture, replication configuration |
| A geographically separate DR site (or resilient cloud region) is maintained | DR site details, distance/region evidence |
| DR drills are conducted at defined frequency with documented results and gaps | DR drill reports, switchover logs, gap remediation |
| Backups are taken, encrypted, tested for restorability and stored offsite/immutable | Backup schedule, restore-test logs, immutability/air-gap evidence |
| Crisis communication and dependency (vendor/utility) resilience are addressed | Crisis-comms plan, third-party continuity attestations |
Outsourcing and Third-Party / Cloud Risk Management
| What to verify | Typical evidence |
|---|---|
| Materiality assessment and due diligence precede outsourcing of IT/IT-enabled services | Due-diligence reports, materiality assessment records |
| Contracts include security, data-protection, right-to-audit, SLA, sub-contracting and exit clauses | Executed contracts / MSAs with the required clauses |
| The RBI's right to inspect the service provider is preserved in the contract | Contract clause reference, regulator-access provision |
| Concentration risk and viable exit/portability strategy are documented | Concentration analysis, exit plan, data-return provisions |
| Cloud deployments meet data-localisation, shared-responsibility and configuration-security requirements | Cloud security assessment, CSP compliance certificates, shared-responsibility matrix |
| Ongoing monitoring of provider performance and security posture occurs | Vendor performance reviews, SOC 2/ISO reports, periodic assessments |
Digital Channels, Payments and Customer Protection
| What to verify | Typical evidence |
|---|---|
| Mobile and internet channels enforce strong authentication and session security | App security assessment, authentication design, session-management evidence |
| Digital lending apps comply with RBI Digital Lending Guidelines (data access, consent, LSP governance) | DLG compliance mapping, consent-flow evidence, LSP agreements |
| Fraud-monitoring and transaction-risk controls are in place | Fraud-monitoring rules, alerting evidence |
| Customer grievance redressal for IT/digital issues is defined and tracked | Grievance policy, SLA, resolution MIS |
Information Systems (IS) Audit
| What to verify | Typical evidence |
|---|---|
| An independent IS audit function/charter approved by the Audit Committee exists | IS audit charter, ACB approval |
| A risk-based IS audit plan covers the full IT audit universe on a defined cycle | Audit universe, annual risk-based plan |
| IS auditors possess adequate competency and independence (CISA/DISA or empanelled firms) | Auditor credentials, engagement independence declarations |
| Findings are reported to the Audit Committee and remediation is tracked to closure | IS audit reports, ACB minutes, remediation tracker |
Security Awareness and Human Resources Security
| What to verify | Typical evidence |
|---|---|
| Periodic security-awareness training is delivered to all staff and role-based training to key staff | Training records, completion rates, content |
| Phishing simulations and awareness campaigns are run and measured | Simulation results, trend reports |
| Background verification and confidentiality/acceptable-use agreements apply to staff and contractors | BGV records, signed NDAs and AUPs |
Scoping the NBFC IT Framework assessment
Scoping determines which entities, systems, processes, locations and third parties are examined and to what depth. Because obligations scale with the NBFC's layer, the first scoping act is to confirm the regulatory layer (Base/Middle/Upper) and any special status (deposit-taking, digital-lending, AA/P2P/HFC). The scope should then be built around the systems that support critical or customer-facing functions.
- Confirm the NBFC layer under Scale Based Regulation and any sector-specific directions that add controls.
- Define the technology estate in scope: core lending/loan-management system, LOS/LMS, mobile and web channels, payment interfaces, data warehouse, and supporting infrastructure.
- Include hosting locations: on-premises data centre, colocation, and every cloud region and account.
- Bring material outsourced and cloud service providers into scope through their contracts and right-to-audit.
- Identify data flows for customer, payment and 'system' data to test data-localisation compliance.
- Determine the assessment depth per system based on criticality (design-only vs design plus operating effectiveness).
- State exclusions explicitly with rationale (e.g. decommissioned systems) so the scope is defensible.
Scoping pitfall
Shadow IT and unregistered SaaS tools are the most common cause of scope failure. Reconcile the asset inventory against network egress logs, expense/procurement records and identity-provider app catalogues before finalising scope, or the assessment will miss real risk.
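The reconciliation described above, written out as an added example (not part of the original guide or of any RBI text): it cross-checks a registered asset inventory against proxy egress logs, procurement records and the IdP application catalogue, and lists every service that at least one independent source sees but the inventory does not. All inventory entries, log lines, vendors and domains are constructed sample data.

```python
"""Shadow-IT reconciliation for assessment scoping.

Constructed sample data only: the asset inventory, egress log lines,
procurement records and IdP app catalogue below are made up for this
illustration and are not from any real NBFC.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Registered asset inventory (constructed): service name -> egress domain(s) it uses.
ASSET_INVENTORY: Dict[str, Set[str]] = {
    "Loan Management System": {"lms.example-nbfc.internal"},
    "Office Suite": {"office.example-saas.com"},
    "Core CRM": {"crm.example-crm.com"},
}

# Proxy/firewall egress log lines (constructed): "<ts> <user> <dest-host> <bytes>"
EGRESS_LOG = """\
2024-05-02T10:14:03Z a.sharma office.example-saas.com 18233
2024-05-02T10:15:41Z r.iyer filedrop.example-share.net 98122133
2024-05-02T11:02:19Z a.sharma crm.example-crm.com 2211
2024-05-02T11:30:55Z p.nair api.example-esign.io 4410
2024-05-02T12:01:07Z r.iyer filedrop.example-share.net 65100090
"""

# Procurement/expense records (constructed): vendor description -> egress domain.
PROCUREMENT: Dict[str, str] = {
    "FileDrop Pro annual plan": "filedrop.example-share.net",
    "E-Sign API credits": "api.example-esign.io",
    "Office Suite licences": "office.example-saas.com",
}

# Identity-provider SSO application catalogue (constructed): app name -> domain.
IDP_APPS: Dict[str, str] = {
    "Office Suite": "office.example-saas.com",
    "Core CRM": "crm.example-crm.com",
    "QuickBI Dashboards": "quickbi.example-analytics.com",
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")


def parse_egress(log: str) -> Dict[str, dict]:
    """Aggregate egress log lines per destination host: users seen and bytes out."""
    per_host: Dict[str, dict] = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the reconciliation
        rec = per_host[m["host"]]
        rec["users"].add(m["user"])
        rec["bytes"] += int(m["bytes"])
    return per_host


def inventory_domains(inventory: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the inventory into the set of domains the NBFC already knows about."""
    return set().union(*inventory.values()) if inventory else set()


def reconcile(inventory, egress_log, procurement, idp_apps) -> List[dict]:
    """Return candidate shadow-IT services: domains that appear in any
    independent source (egress, procurement, IdP) but not in the inventory.
    Each candidate lists the sources that corroborate it so the assessor can
    prioritise: a paid-for service that also carries data egress outranks a
    single hit in one source."""
    known = inventory_domains(inventory)
    egress = parse_egress(egress_log)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for host in egress:
        sources[host].add("egress")
    for host in procurement.values():
        sources[host].add("procurement")
    for host in idp_apps.values():
        sources[host].add("idp")
    findings = []
    for host, srcs in sources.items():
        if host in known:
            continue
        findings.append({
            "domain": host,
            "sources": sorted(srcs),
            "users": sorted(egress[host]["users"]) if host in egress else [],
            "bytes_out": egress[host]["bytes"] if host in egress else 0,
        })
    # Most corroborated and highest egress volume first.
    findings.sort(key=lambda f: (-len(f["sources"]), -f["bytes_out"], f["domain"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ASSET_INVENTORY, EGRESS_LOG, PROCUREMENT, IDP_APPS):
        print(finding)
```

Every candidate the script returns should be either added to the inventory (and therefore to the assessment scope) or formally recorded as an exclusion with rationale.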
Implementation approach
A phased approach converts the framework from a document into an operating control environment. The following four phases each list core activities and the deliverables an assessor will expect to see.
Phase 1 - Governance foundation and gap assessment
- Activities: confirm regulatory layer and applicability; constitute the IT Strategy Committee and IT Steering Committee; appoint/confirm CISO; run a baseline gap assessment against every framework domain; establish the IT risk register and risk appetite.
- Deliverables: applicability determination note; Board-approved IT governance charter; committee terms of reference; gap assessment report with prioritised findings; risk register.
Phase 2 - Policy, control design and quick wins
- Activities: author/refresh the policy and standard suite; define hardening baselines; design IAM, PAM and MFA controls; establish change/incident/patch processes; close high-risk quick wins (MFA on remote/privileged access, patch backlog, exposed services).
- Deliverables: approved policy suite; hardening standards; IAM/PAM design; change and incident management procedures; quick-win closure evidence.
Phase 3 - Control build-out and technology deployment
- Activities: deploy SIEM and establish SOC/CSOC monitoring use-cases; implement DLP and encryption/key management; stand up VAPT and vulnerability management cadence; build BCP/DR, backups and run a first DR drill; formalise outsourcing/cloud governance and contracts.
- Deliverables: SOC runbooks and monitoring evidence; VAPT and remediation reports; BCP/DR plan with BIA and drill results; backup restore-test logs; updated vendor contracts with right-to-audit.
Phase 4 - Assurance, IS audit and continuous improvement
- Activities: conduct the risk-based IS audit; report to the Audit Committee; remediate findings; institutionalise KPI/KRI reporting to the Board; prepare the RBI inspection evidence pack; embed a review cycle.
- Deliverables: IS audit report; ACB minutes; remediation tracker at closure; Board dashboards; inspection-ready evidence repository; annual review calendar.
Maturity and capability model
Although the RBI does not mandate a specific maturity scale, assessors commonly express readiness on a five-level capability model to communicate the state of each domain to the Board and to prioritise investment. The following levels are recommended for NBFC IT/cyber programmes.
| Maturity level | Characteristics for an NBFC |
|---|---|
| Level 1 - Initial / Ad hoc | Controls are informal and person-dependent; little documentation; reactive to incidents; no board oversight of IT risk. High supervisory concern. |
| Level 2 - Developing / Repeatable | Key policies exist and some processes are followed, but inconsistently; governance committees formed but not fully effective; gaps in evidence. |
| Level 3 - Defined | Policies, standards and processes are documented, approved and consistently applied; committees functioning; IS audit operating; the baseline expected of Middle Layer NBFCs. |
| Level 4 - Managed / Measured | Controls are measured with KRIs/KPIs; risk-based decisions; effective SOC, VAPT and DR drills; continuous monitoring; expected of Upper Layer NBFCs. |
| Level 5 - Optimised | Controls are continuously improved using metrics, threat intelligence and automation; resilience is demonstrated; leading practice beyond the minimum baseline. |
Assessment and audit approach
An IS audit or readiness assessment against the NBFC IT Framework follows a disciplined, evidence-driven sequence. The steps below describe a defensible engagement flow.
- Confirm scope and applicability: fix the NBFC layer, systems, locations, third parties and the audit universe, and agree the engagement charter with the Audit Committee.
- Plan on a risk basis: rank the audit universe by inherent risk and criticality, and allocate testing depth accordingly.
- Review control design: examine policies, standards, architecture and configurations to confirm controls are adequately designed for each domain.
- Test operating effectiveness: sample transactions, tickets, logs and configurations over the review period to confirm controls actually operate.
- Perform technical validation: run or review VAPT, configuration-compliance scans, access recertifications and DR drill results.
- Evaluate third-party and cloud controls: review due diligence, contracts, SOC 2/ISO reports and independent assessments.
- Rate and document findings: assign risk ratings, root causes and business impact; distinguish design vs operating deficiencies.
- Agree remediation: obtain management responses with owners and target dates; classify as immediate, short-term or strategic.
- Report to the Audit Committee of the Board and, where required, prepare inputs for the RBI inspection.
- Track to closure and retest: verify remediation and update the risk register; feed results into the next risk-based plan.
Evidence request list
The following categorised list is the standard evidence pack an NBFC should assemble ahead of an IS audit or RBI inspection. Having this repository current and version-controlled dramatically shortens assessment time.
- Governance: Board/ITSC/Steering committee charters and minutes; IT strategy; organisation chart; CISO appointment; risk appetite statement; IT and cyber risk registers.
- Policies and standards: full policy suite with approval and review records; hardening baselines; exception register.
- Access management: IAM/PAM configuration; access matrices; JML records; access recertification reports; MFA coverage.
- Security operations: SIEM log-source inventory and retention config; SOC/CSOC runbooks and monitoring evidence; alert and escalation records.
- Vulnerability and testing: VAPT reports and remediation trackers; configuration-compliance scans; patch reports; EOL register.
- Application security: SDLC policy; SAST/DAST reports; code-review records; environment segregation and change tickets; API security testing.
- Data protection: encryption and key-management evidence; DLP reports; data-classification and retention schedules; data-localisation attestations.
- Incident and continuity: cyber-incident response plan; incident logs; RBI/CERT-In reporting records; BCP/DR policy and BIA; DR drill and backup restore-test logs.
- Third party and cloud: due-diligence and materiality assessments; executed contracts with right-to-audit and exit clauses; CSP compliance reports; vendor monitoring records.
- Assurance and training: IS audit charter, plan and reports; ACB minutes; remediation trackers; awareness-training and phishing-simulation records.
- Digital channels: app security assessments; Digital Lending Guidelines compliance mapping; fraud-monitoring evidence; grievance MIS.
Roles and responsibilities
| Role | Key IT/cyber responsibilities under the framework |
|---|---|
| Board of Directors | Owns IT governance; approves IT strategy, policies and risk appetite; ensures adequate resourcing; reviews IT/cyber risk and IS audit outcomes. |
| IT Strategy Committee (of the Board) | Chaired by an independent director with IT competence; oversees IT strategy, major IT investments, IT risk and resilience; meets at least quarterly. |
| Audit Committee of the Board (ACB) | Oversees the IS audit function; approves the IS audit charter and plan; reviews findings and tracks remediation. |
| MD / CEO | Accountable for implementing Board-approved IT strategy and for the overall control environment. |
| Head of IT / CIO | Delivers and operates IT infrastructure, services and projects; owns IT operations, change, capacity and service management. |
| Chief Information Security Officer (CISO) | Independent of IT operations; owns information/cyber-security strategy, policy, monitoring, incident response and regulatory security reporting. |
| IT Steering Committee | Executive-level prioritisation of IT initiatives, budgets and project governance; reports to the ITSC. |
| Risk Management Committee / CRO | Integrates IT and cyber risk into enterprise risk management and monitors the risk appetite. |
| IS Auditors (internal/external) | Provide independent assurance over IT controls; report to the ACB; must be competent and independent. |
| Business/Data owners | Classify data, define access requirements, own control operation within their processes. |
| Third-party / cloud providers | Deliver contracted services within agreed security, SLA, audit and data-protection obligations. |
KPIs to track
- Percentage of critical and high vulnerabilities remediated within SLA.
- Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents.
- Patch compliance rate for critical patches across servers, endpoints and network devices.
- Percentage of privileged and remote access covered by MFA and PAM.
- Access recertification completion rate and count of overdue reviews.
- Number and severity of cyber incidents, and timeliness of RBI/CERT-In reporting.
- DR drill success rate and achievement of RTO/RPO targets.
- Backup restore-test success rate.
- IS audit findings by severity and percentage closed within target dates.
- Security-awareness training completion rate and phishing-simulation failure trend.
- Percentage of material third parties with current due diligence and contractual right-to-audit.
- System/service availability against SLA for critical applications.
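As an added illustration (not part of the RBI text or this page's own material), the following Python computes three of the KPIs above from a constructed remediation tracker and incident log: critical/high remediation within SLA, MTTD/MTTR, and whether CERT-In reporting fell inside the 6-hour window. The SLA day values, record fields and sample dates are assumptions; an NBFC would take them from its own policy and ticketing data.

```python
from datetime import datetime, timedelta
from statistics import mean

# Assumed SLA values (days) per severity; set from the NBFC's own policy.
SLA_DAYS = {"critical": 15, "high": 30}
CERT_IN_REPORTING_HOURS = 6  # reporting window cited in the framework text

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample tracker: closed=None means the finding is still open.
FINDINGS = [
    {"id": "V1", "severity": "critical", "opened": ts("2024-05-01 09:00"), "closed": ts("2024-05-10 17:00")},
    {"id": "V2", "severity": "critical", "opened": ts("2024-05-02 09:00"), "closed": None},
    {"id": "V3", "severity": "high", "opened": ts("2024-05-03 09:00"), "closed": ts("2024-06-20 12:00")},
    {"id": "V4", "severity": "high", "opened": ts("2024-06-01 09:00"), "closed": None},
    {"id": "V5", "severity": "medium", "opened": ts("2024-05-01 09:00"), "closed": None},
]

def sla_compliance(findings, now):
    """Percent of critical/high findings closed within SLA, plus ids that breached it.
    A finding still open but inside its SLA window counts as neither."""
    in_scope = [f for f in findings if f["severity"] in SLA_DAYS]
    within, breached = 0, []
    for f in in_scope:
        deadline = f["opened"] + timedelta(days=SLA_DAYS[f["severity"]])
        end = f["closed"] or now
        if f["closed"] is not None and end <= deadline:
            within += 1
        elif end > deadline:
            breached.append(f["id"])
    pct = round(100.0 * within / len(in_scope), 1) if in_scope else 100.0
    return pct, breached

# Constructed sample incident log with the four timestamps the KPIs need.
INCIDENTS = [
    {"id": "I1", "occurred": ts("2024-04-01 02:00"), "detected": ts("2024-04-01 08:00"),
     "reported": ts("2024-04-01 13:00"), "resolved": ts("2024-04-02 08:00")},
    {"id": "I2", "occurred": ts("2024-04-10 10:00"), "detected": ts("2024-04-10 12:00"),
     "reported": ts("2024-04-10 19:00"), "resolved": ts("2024-04-10 22:00")},
]

def incident_metrics(incidents):
    """MTTD and MTTR in hours, and incidents reported later than 6h after detection."""
    def hours(delta):
        return delta.total_seconds() / 3600
    mttd = mean(hours(i["detected"] - i["occurred"]) for i in incidents)
    mttr = mean(hours(i["resolved"] - i["detected"]) for i in incidents)
    late = [i["id"] for i in incidents
            if hours(i["reported"] - i["detected"]) > CERT_IN_REPORTING_HOURS]
    return round(mttd, 1), round(mttr, 1), late
```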
Readiness checklist
- Regulatory layer (Base/Middle/Upper) and applicable sector directions confirmed and documented.
- Board-approved IT governance framework and functioning IT Strategy Committee in place.
- CISO appointed with independence from IT operations and a direct reporting line.
- Complete, Board/senior-management-approved IT and information-security policy suite with review cycle.
- IAM, PAM and MFA implemented for privileged, remote and critical access; access recertification current.
- Hardening baselines applied and configuration compliance monitored; patch SLAs met.
- SIEM with SOC/CSOC monitoring, defined log retention and time synchronisation operational.
- Periodic VAPT completed with findings remediated and retested.
- Data at rest and in transit encrypted; key management and DLP operating; data-localisation confirmed.
- Cyber-incident response plan tested; RBI and CERT-In reporting timelines understood and rehearsed.
- BCP/DR with BIA, defined RTO/RPO, a functioning DR site and a completed DR drill.
- Backups encrypted, offsite/immutable and restore-tested.
- Material IT/cloud outsourcing governed by contracts with right-to-audit, SLA and exit clauses.
- Independent, risk-based IS audit completed and reported to the Audit Committee with remediation tracked.
- Security-awareness training and phishing simulations delivered and measured.
- Inspection-ready, version-controlled evidence repository maintained.
Common gaps
- IT Strategy Committee exists on paper but does not meet quarterly or lacks a director with genuine IT competence.
- CISO reports into the Head of IT, breaching the required independence from IT operations.
- MFA not enforced universally on remote and privileged access; long-lived shared/service accounts persist.
- Vulnerability findings identified but not remediated within SLA, with weak retest and closure evidence.
- BCP/DR documented but never drilled, or drills that do not actually achieve the stated RTO/RPO.
- Backups taken but restore-tests not performed, and no immutability/air-gap against ransomware.
- Outsourcing and cloud contracts missing the RBI right-to-audit, data-localisation or exit clauses.
- Data-localisation of payment/system data not evidenced, especially with global cloud regions.
- Digital lending apps not mapped to the RBI Digital Lending Guidelines (consent, LSP governance, data access).
- Cyber-incident reporting timelines (RBI and CERT-In 6-hour window) not rehearsed, risking late reporting.
- IS audit not risk-based, under-scoped, or performed by insufficiently independent/competent auditors.
- Shadow IT and unmanaged SaaS outside the asset inventory and monitoring perimeter.
NBFC IT Framework mapped to other frameworks
NBFCs frequently pursue complementary certifications and comply with adjacent regulations. The following mapping helps rationalise a single control set across multiple obligations, reducing duplicate effort.
| NBFC IT Framework domain | Corresponding controls in other frameworks |
|---|---|
| IT Governance | ISO/IEC 27001 Clauses 5-6 (leadership, planning); COBIT 2019 EDM and APO domains; NIST CSF Govern function |
| IT & Information Security Risk Management | ISO/IEC 27001 Clause 6 & Annex A; NIST CSF Identify/Protect/Detect; PCI DSS Requirements 1-8, 10-12 |
| Identity & Access Management | ISO 27001 A.5.15-A.5.18 / A.8.2-A.8.5; PCI DSS Req 7-8; NIST CSF PR.AA |
| Secure Configuration & Patch | ISO 27001 A.8.8-A.8.9; CIS Controls 4 & 7; PCI DSS Req 2, 6, 11 |
| Application Security / SDLC | ISO 27001 A.8.25-A.8.31; OWASP ASVS; PCI DSS Req 6; NIST SSDF |
| Data Security & Encryption | ISO 27001 A.8.10-A.8.12, A.8.24; PCI DSS Req 3-4; DPDP Act 2023 obligations |
| Security Operations & Monitoring | ISO 27001 A.8.15-A.8.16; NIST CSF Detect; PCI DSS Req 10-11 |
| Cyber Incident Response & Reporting | ISO 27001 A.5.24-A.5.28; NIST CSF Respond/Recover; CERT-In Directions (6-hour reporting) |
| Business Continuity & DR | ISO 22301; ISO 27001 A.5.29-A.5.30; NIST CSF Recover |
| Outsourcing / Third-Party & Cloud | ISO 27001 A.5.19-A.5.23; RBI Outsourcing of IT Services Master Direction; SOC 2; CSA CCM |
| IS Audit / Assurance | ISO 27001 Clause 9 (internal audit); COBIT MEA domain; ISACA IS audit standards |
| Digital Channels & Data Localisation | RBI Digital Lending Guidelines; RBI Payment Data Storage circular; DPDP Act 2023 |
How CyberSigma helps
Partner with CyberSigma for RBI NBFC IT Framework readiness
CyberSigma is a CERT-In empanelled cyber-security assessor with deep experience across the RBI IT Framework for NBFCs, the 2023 IT Governance, Risk, Controls and Assurance Master Direction and Scale Based Regulation. We take NBFCs end to end: layer-based applicability determination, board-level governance uplift, a full control-by-control gap assessment, policy and architecture design, VAPT and configuration hardening, SOC/CSOC and BCP/DR build-out, third-party and cloud risk governance, and independent Information Systems (IS) audit. Our assessors translate every requirement into evidence your Board and the RBI inspection team will accept, and we integrate readiness tracking into your GRC and CRM workflows so remediation is owned, measured and closed. Engage CyberSigma to move from ad hoc compliance to a demonstrably resilient, inspection-ready IT and cyber programme.