Reserve Bank of India · India

RBI IT Framework for NBFCs

RBI’s IT governance, security and audit expectations for NBFCs.

Introduction to the RBI IT Framework for NBFCs

The Reserve Bank of India (RBI) IT Framework for Non-Banking Financial Companies (NBFCs) is a supervisory baseline that codifies the minimum information technology, information security, cyber security, business continuity and IT governance expectations for the NBFC sector in India. It was first articulated through the RBI Master Direction on Information Technology Framework for the NBFC Sector (DNBS.PPD.No.04/66.15.001/2016-17, dated 8 June 2017), and its expectations have subsequently been strengthened, harmonised and extended by the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (Direction DoS.CO.CSITEG/SEC.7/31.01.015/2023-24, dated 7 November 2023, commonly referred to as the IT Governance Master Direction or 'ITGRCA'), which came into effect on 1 April 2024 and consolidated IT governance requirements across banks, NBFCs and other Regulated Entities.

For an NBFC, adherence is not optional gloss on top of the business model; it is a licence-preserving expectation. The RBI examines IT and cyber resilience during its statutory inspection, expects the Board and Senior Management to own IT risk, and requires periodic assurance (Information Systems Audit) evidence to be produced on demand. This guide provides an auditor-grade, control-by-control walkthrough of what an NBFC must implement, how a CERT-In empanelled assessor or Information Systems (IS) auditor evaluates each area, and the exact evidence that satisfies a supervisory reviewer.

Copyright and source note
The RBI IT Framework for NBFCs and the associated Master Directions are published by the Reserve Bank of India and remain the copyright of the RBI. This guide is an original, independent interpretation written for educational and readiness purposes. It paraphrases requirements and does not reproduce the RBI's copyrighted text. Always refer to the current, authoritative RBI Master Directions on the RBI website (rbi.org.in) and any subsequent circulars, as the regulator periodically amends applicability thresholds and control expectations.

What is the NBFC IT Framework

The NBFC IT Framework is a principles-plus-controls regime. Rather than prescribing a single checklist of technical settings, it establishes governance obligations (who is accountable), risk-management obligations (how IT and cyber risk is identified and treated), and a set of concrete control domains that the RBI expects to see operating with evidence. The 2017 Master Direction organised these expectations into IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning, and IT Services Outsourcing. The 2023 IT Governance Master Direction refactored and elevated the same subject matter into four principal chapters: IT Governance; IT Infrastructure & Services Management; IT & Information Security Risk Management; and Business Continuity & Disaster Recovery Management, with a distinct chapter on Information Systems (IS) Audit.

A defining characteristic is proportionality. The framework recognises that a small, asset-light NBFC does not carry the same systemic risk as a large, deposit-taking or systemically important company. Historically the 2017 Direction distinguished NBFCs with asset size of Rs 500 crore and above (Section A, the full framework) from smaller NBFCs (Section B, a simplified set). Since the RBI's Scale Based Regulation (SBR) framework took effect on 1 October 2022, NBFCs are classified into Base Layer (NBFC-BL), Middle Layer (NBFC-ML), Upper Layer (NBFC-UL) and Top Layer (NBFC-TL), and IT/cyber expectations are calibrated to these layers, with obligations increasing up the layers.

  • It is issued as a Master Direction under the RBI's statutory powers, making it binding on covered NBFCs, not merely advisory guidance.
  • It is outcome-oriented: the RBI expects demonstrable control effectiveness, board oversight and independent assurance rather than mere policy existence.
  • It is layered by Scale Based Regulation: obligations scale with the NBFC's size, complexity and systemic importance.
  • It integrates with adjacent RBI directions on cyber security, digital lending, outsourcing of IT services, and storage of payment system data within India.

Who must comply with the NBFC IT Framework

Applicability is defined by entity type and by the NBFC's regulatory layer under Scale Based Regulation. The IT Governance Master Direction (2023) applies to a broad set of Regulated Entities; within the NBFC universe its applicability clause covers NBFCs in the Middle, Upper and Top Layers (excluding Core Investment Companies), which must meet the full IT governance, risk, control and assurance requirements, and does not extend to Base Layer NBFCs, which are held only to proportionate, hygiene-level expectations. The definitive position is always the applicability clause of the relevant Master Direction, which the RBI amends from time to time.

NBFC category / layer | IT Framework applicability
NBFC - Upper Layer (NBFC-UL) | Full framework: comprehensive IT governance, IT & information security risk management, BCP/DR, and independent IS audit. Highest supervisory expectation, including board-level IT Strategy and IT Risk oversight.
NBFC - Middle Layer (NBFC-ML) | Full framework applies; expected to implement all control domains with board oversight, dedicated CISO/IT function and periodic IS audit.
NBFC - Base Layer (NBFC-BL) | Outside the applicability clause of the 2023 Direction; proportionate expectations only: core hygiene controls, a basic IT policy, access control, BCP and a cyber-security baseline, calibrated to size and complexity.
Deposit-taking NBFCs (NBFC-D) | Full framework irrespective of asset size: SBR places every deposit-taking NBFC in the Middle Layer, and public-deposit risk brings stringent BCP and IS audit expectations.
NBFC-HFC (Housing Finance Companies) | Regulated by the RBI since August 2019 and placed in the Middle Layer under SBR, so the full framework and cyber-security expectations apply.
NBFC-Account Aggregators, NBFC-P2P, NBFC-Factors | NBFC-AA and NBFC-P2P sit in the Base Layer under SBR but carry sector-specific technical and data-security conditions in their own directions; NBFC-Factors follow the obligations of whichever layer their asset size places them in.
Digital lending NBFCs and their LSPs | IT framework plus the RBI Digital Lending Guidelines governing data, app security and outsourcing.
  • The Board of Directors and Senior Management carry ultimate accountability; compliance cannot be wholly delegated to a vendor.
  • Group entities and outsourced service providers are brought in scope indirectly through the outsourcing and third-party risk provisions.
  • Foreign-owned NBFCs operating in India are equally bound; there is no exemption on grounds of a global group policy.

Structure of the NBFC IT Framework

The following table maps the principal control domains as consolidated under the 2023 IT Governance Master Direction (which now governs NBFC obligations), cross-referenced to the seven areas of the original 2017 IT Framework. An assessor should treat these domains as the top-level scope of any readiness or IS-audit engagement.

Domain / chapter | Scope and core control families
1. IT Governance | Board and Board-level IT Strategy Committee; IT Governance framework; roles of MD/CEO, Head of IT, CISO; IT strategy aligned to business; IT policy and standards; enterprise IT risk appetite; management of IT projects and resources.
2. IT Infrastructure & Services Management | IT service management (change, incident, problem, patch, capacity management); IT and network architecture; cryptographic and key management; data centre and infrastructure controls; API and integration security; project and change governance.
3. IT & Information Security Risk Management | Information security policy; CISO office; identity and access management; vulnerability and patch management; secure configuration; application/software security (SDLC); network security; data security and DLP; cyber-security operations (SOC/CSOC); security testing (VAPT); cyber incident response and reporting; cyber-crisis management; security awareness.
4. Business Continuity & Disaster Recovery Management | BCP/DR policy; Business Impact Analysis; Recovery Time and Recovery Point Objectives; DR site and periodic drills; resilience of critical systems; crisis communication.
5. Information Systems (IS) Audit | Independent IS audit charter; risk-based IS audit plan; audit universe covering all IT domains; competency of auditors; reporting to Audit Committee of the Board; tracking of remediation.
Cross-cutting: Outsourcing of IT Services | Governance of IT and IT-enabled service outsourcing; due diligence; contractual controls; right to audit; concentration and exit strategy; cloud and managed-service risk (aligned to the 2023 Outsourcing of IT Services Master Direction).
Cross-cutting: Digital Channels & Data Localisation | Security of mobile/internet channels and digital lending apps; storage of payment system data within India; customer data protection consistent with the DPDP Act, 2023.

Master assessment checklist

This is the core of the guide. Each control group below is presented under its own heading with a table stating precisely what an assessor must verify and the evidence that a well-run NBFC should be able to produce. No control area is skipped. During an IS audit or CERT-In style assessment, each row becomes a test of design and a test of operating effectiveness.

IT Governance and Board Oversight

What to verify | Typical evidence
An IT governance framework is Board-approved and reviewed at least annually | Board-approved IT governance policy with version history and Board minute references
An IT Strategy Committee (ITSC) of the Board exists with the required composition (chaired by an independent director with IT domain competence) and meets at least quarterly | ITSC charter, member profiles, quarterly meeting minutes and attendance registers
An IT Steering Committee at executive level operates and reports upward | IT Steering Committee terms of reference and minutes
Clear roles for MD/CEO, Head of IT, and CISO are defined with segregation of duties | Organisation chart, role mandates, appointment letters, RACI matrix
IT strategy is aligned to business strategy and risk appetite | Approved IT strategy document, IT budget, alignment mapping to business plan
IT-related risks are integrated into enterprise risk management with a defined risk appetite | Risk appetite statement, IT risk register presented to the Board/RMC
MIS on IT performance and risk is presented to the Board periodically | Board/ITSC dashboards, KRI/KPI reports

IT Policy, Standards and Documentation

What to verify | Typical evidence
A hierarchy of IT and information security policies, standards and procedures exists and is Board/senior-management approved | Policy suite index, approval records, review dates
Policies are reviewed at defined intervals and after major changes | Version-controlled documents with change logs and review calendar
Policies are communicated to and acknowledged by staff | Acknowledgement records, intranet publication evidence
Exceptions to policy are formally approved and time-bound | Exception register with approvals and expiry dates

Identity and Access Management

What to verify | Typical evidence
Access is granted on least-privilege and need-to-know with formal approval | Access request/approval workflow records, role-based access matrix
Joiner-mover-leaver process revokes access promptly on exit or role change | JML tickets, HR-IT reconciliation, timely deprovisioning logs
Privileged access is controlled via a PAM solution with session logging | PAM configuration, privileged session recordings, break-glass procedure
Multi-factor authentication is enforced for remote, privileged and critical application access | MFA policy, authentication logs, coverage report
Periodic user access reviews (recertification) are performed for critical systems | Signed access recertification reports at least half-yearly
Default, shared and dormant accounts are disabled or controlled | Account inventory, dormant-account disabling evidence
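The joiner-mover-leaver, dormant-account and default-account rows above are tested by reconciling the HR roster against an account export from the identity provider. The Python script below is an added illustration of that reconciliation; it is not RBI text, not the page's own tooling and not any vendor's product. The CSV column names, the 90-day dormancy threshold, the one-day deprovisioning SLA, the review date and every roster entry are assumptions constructed for the example.

```python
"""Reconcile an HR roster against an identity-provider account export.

Added illustration for the JML / dormant / default account checks; not an
RBI artefact. Column names, thresholds, dates and people are assumptions.
"""
import csv
import io
from datetime import date, datetime

AS_OF = date(2024, 6, 30)    # review date (assumed)
DORMANT_DAYS = 90            # dormancy threshold (assumed policy value)
LEAVER_SLA_DAYS = 1          # deprovisioning expected within one day of exit (assumed)

# Constructed sample data, not a real NBFC's records.
HR_ROSTER = """employee_id,name,status,exit_date
E001,Asha Rao,active,
E002,Vikram Shah,exited,2024-05-15
E003,Neha Iyer,active,
E004,Rohan Das,exited,2024-06-29
"""

IDP_ACCOUNTS = """username,employee_id,enabled,last_login,account_type
asha.rao,E001,true,2024-06-28,user
vikram.shah,E002,true,2024-05-10,user
neha.iyer,E003,true,2024-02-01,user
rohan.das,E004,false,2024-06-27,user
svc_backup,,true,2024-06-30,service
admin,,true,,default
"""


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None for an empty cell."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def reconcile(hr_csv, idp_csv, as_of=AS_OF):
    """Return a list of (username, reason) findings for the access review."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(idp_csv)):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = parse_date(acct["last_login"])

        # Vendor default and service accounts are not tied to an HR record;
        # an enabled default account is a finding, service accounts go to PAM review.
        if acct["account_type"] != "user":
            if acct["account_type"] == "default" and enabled:
                findings.append((user, "vendor default account still enabled"))
            continue

        emp = hr.get(acct["employee_id"])
        if emp is None:
            if enabled:
                findings.append((user, "enabled account with no matching HR record (orphan)"))
            continue

        # Leaver check: enabled account for an exited employee beyond the SLA.
        if emp["status"] == "exited" and enabled:
            days_past = (as_of - parse_date(emp["exit_date"])).days - LEAVER_SLA_DAYS
            if days_past > 0:
                findings.append((user, f"leaver still enabled {days_past} day(s) past SLA"))

        # Dormancy check: enabled account with no login inside the threshold.
        if enabled and (last_login is None or (as_of - last_login).days > DORMANT_DAYS):
            findings.append((user, f"dormant: no login in {DORMANT_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, reason in reconcile(HR_ROSTER, IDP_ACCOUNTS):
        print(f"{user}: {reason}")
```

Each finding carries the username and the reason, which is what the recertification sign-off and the JML evidence need to show. A leaver whose account was disabled inside the SLA (rohan.das) and a service account (reviewed separately under PAM) correctly produce nothing, so the output is a defect list rather than a restatement of the inventory.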

Information and Cyber Security (CISO Office)

What to verify | Typical evidence
A CISO is appointed with sufficient seniority, independence from IT operations, and a direct reporting line | CISO appointment letter, reporting structure, role charter
A Board-approved information/cyber-security policy and a cyber-security framework exist | Approved policies, cyber-security framework document
Assets are classified and information is handled per its classification | Asset inventory, data classification policy, labelling evidence
A threat and vulnerability management programme operates continuously | VM tool reports, remediation SLA tracking
Security controls are calibrated to the RBI cyber-security baseline and to the NBFC's risk profile | Control mapping to RBI baseline, gap and treatment plan

Secure Configuration and Patch Management

What to verify | Typical evidence
Hardening baselines (e.g. CIS-aligned) exist for OS, databases, network devices and applications | Documented baselines, configuration-compliance scan results
Patches are risk-rated and applied within defined SLAs, with critical patches expedited | Patch policy, patch deployment reports, exception approvals
Unsupported/end-of-life software is inventoried and remediated or compensated | EOL register, mitigation plans
Configuration changes follow change management and are baselined | Change tickets, configuration management database extracts

Network and Perimeter Security

What to verify | Typical evidence
Network is segmented (DMZ, internal, management, PCI/sensitive zones) with documented architecture | Network diagrams, firewall zone policy, segmentation rules
Firewall and IPS/IDS rule bases are reviewed periodically and least-permissive | Firewall rule-review reports, IPS signatures/update logs
Secure remote access (VPN with MFA) and no unauthorised direct exposure of internal systems | VPN config, external attack-surface scan, exposed-service review
DDoS protection covers internet-facing services, and anti-malware/EDR is deployed on endpoints and servers | EDR coverage report, DDoS service evidence, malware detection logs

Application and Software Development Security (SDLC)

What to verify | Typical evidence
A secure SDLC integrates security requirements, threat modelling and secure-coding standards | SDLC policy, secure-coding guidelines, threat-model artefacts
Application security testing (SAST/DAST) and code review occur before release | SAST/DAST reports, code-review records, release gate approvals
Segregation between development, test and production environments with controlled promotion | Environment access matrix, deployment approval records
No production data is used in test without masking; data minimisation applies | Data-masking procedure, test-data governance evidence
APIs are authenticated, rate-limited, logged and security-tested | API gateway config, API VAPT results

Data Security, Encryption and DLP

What to verify | Typical evidence
Data at rest and in transit is encrypted using strong, approved algorithms | Encryption standard, TLS configuration, database/disk encryption evidence
Cryptographic key management (generation, storage, rotation, destruction) is controlled, ideally via HSM | Key-management policy, HSM records, key-rotation logs
Data Loss Prevention controls monitor sensitive data egress channels | DLP policy, DLP incident reports
Customer data and payment system data are stored within India per RBI localisation requirements | Data-residency attestation, hosting location evidence, storage architecture
Data retention and secure disposal follow policy and legal requirements | Retention schedule, media-sanitisation certificates

IT Operations and Service Management

What to verify | Typical evidence
Change management is formal, with risk assessment, approval, testing and rollback | Change tickets, CAB minutes, rollback plans
Incident and problem management with defined SLAs and root-cause analysis | Incident tickets, RCA reports, SLA performance
Capacity and performance are monitored to avoid resource exhaustion | Capacity plans, utilisation dashboards
Job scheduling, batch processing and reconciliation controls operate reliably | Batch schedules, reconciliation reports, failure-handling logs
Data centre physical and environmental controls (access, fire, power, cooling) are in place | DC access logs, environmental monitoring, UPS/genset test records

Logging, Monitoring and Security Operations (SOC/CSOC)

What to verify | Typical evidence
Centralised log collection (SIEM) covers critical systems with defined retention | SIEM architecture, log-source inventory, retention configuration
A Security Operations Centre / Cyber Security Operations Centre provides continuous monitoring and use-case-based detection | SOC/CSOC runbook, correlation use-cases, monitoring roster
Time synchronisation (NTP) and log integrity protection are enforced | NTP config, log tamper-protection evidence
Alerts are triaged and escalated within defined timelines | Alert triage records, escalation matrix

Vulnerability Assessment and Penetration Testing (VAPT)

What to verify | Typical evidence
Periodic VAPT is performed on internet-facing and critical internal assets, and after major changes | VAPT scope, reports and executive summaries
Findings are risk-rated and remediated within SLA; retesting confirms closure | Remediation tracker, retest/closure evidence
Independent/third-party (CERT-In empanelled) testing is used where required | Empanelment credentials, engagement letters
Red-team or scenario-based testing is considered for higher-layer NBFCs | Red-team reports (where applicable)

Cyber Incident Response and Reporting

What to verify | Typical evidence
A cyber-incident response plan defines roles, severity, containment and recovery | Approved CIRP, playbooks, contact tree
Significant cyber incidents are reported to the RBI within the prescribed timeline | Incident-report copies, RBI acknowledgement, reporting log
Incidents are reported to CERT-In within the mandated 6-hour window (CERT-In directions of 28 April 2022) | CERT-In reporting records
Post-incident reviews capture lessons learned and drive control improvements | PIR reports, corrective-action tracking
Tabletop/simulation exercises test the response capability periodically | Exercise reports and participation records

Business Continuity and Disaster Recovery (BCP/DR)

What to verify | Typical evidence
A Board-approved BCP/DR policy with a Business Impact Analysis exists | Approved BCP/DR policy, BIA document
RTO and RPO are defined for critical systems and are technically achievable | RTO/RPO register, DR architecture, replication configuration
A geographically separate DR site (or resilient cloud region) is maintained | DR site details, distance/region evidence
DR drills are conducted at defined frequency with documented results and gaps | DR drill reports, switchover logs, gap remediation
Backups are taken, encrypted, tested for restorability and stored offsite/immutable | Backup schedule, restore-test logs, immutability/air-gap evidence
Crisis communication and dependency (vendor/utility) resilience are addressed | Crisis-comms plan, third-party continuity attestations

Outsourcing and Third-Party / Cloud Risk Management

What to verify | Typical evidence
Materiality assessment and due diligence precede outsourcing of IT/IT-enabled services | Due-diligence reports, materiality assessment records
Contracts include security, data-protection, right-to-audit, SLA, sub-contracting and exit clauses | Executed contracts / MSAs with the required clauses
The RBI's right to inspect the service provider is preserved in the contract | Contract clause reference, regulator-access provision
Concentration risk and viable exit/portability strategy are documented | Concentration analysis, exit plan, data-return provisions
Cloud deployments meet data-localisation, shared-responsibility and configuration-security requirements | Cloud security assessment, CSP compliance certificates, shared-responsibility matrix
Ongoing monitoring of provider performance and security posture occurs | Vendor performance reviews, SOC 2/ISO reports, periodic assessments

Digital Channels, Payments and Customer Protection

What to verify | Typical evidence
Mobile and internet channels enforce strong authentication and session security | App security assessment, authentication design, session-management evidence
Digital lending apps comply with RBI Digital Lending Guidelines (data access, consent, LSP governance) | DLG compliance mapping, consent-flow evidence, LSP agreements
Fraud-monitoring and transaction-risk controls are in place | Fraud-monitoring rules, alerting evidence
Customer grievance redressal for IT/digital issues is defined and tracked | Grievance policy, SLA, resolution MIS

Information Systems (IS) Audit

What to verify | Typical evidence
An independent IS audit function/charter approved by the Audit Committee exists | IS audit charter, ACB approval
A risk-based IS audit plan covers the full IT audit universe on a defined cycle | Audit universe, annual risk-based plan
IS auditors possess adequate competency and independence (CISA/DISA or empanelled firms) | Auditor credentials, engagement independence declarations
Findings are reported to the Audit Committee and remediation is tracked to closure | IS audit reports, ACB minutes, remediation tracker

Security Awareness and Human Resources Security

What to verify | Typical evidence
Periodic security-awareness training is delivered to all staff and role-based training to key staff | Training records, completion rates, content
Phishing simulations and awareness campaigns are run and measured | Simulation results, trend reports
Background verification and confidentiality/acceptable-use agreements apply to staff and contractors | BGV records, signed NDAs and AUPs

Scoping the NBFC IT Framework assessment

Scoping determines which entities, systems, processes, locations and third parties are examined and to what depth. Because obligations scale with the NBFC's layer, the first scoping act is to confirm the regulatory layer (Base/Middle/Upper) and any special status (deposit-taking, digital-lending, AA/P2P/HFC). The scope should then be built around the systems that support critical or customer-facing functions.

  • Confirm the NBFC layer under Scale Based Regulation and any sector-specific directions that add controls.
  • Define the technology estate in scope: core lending/loan-management system, LOS/LMS, mobile and web channels, payment interfaces, data warehouse, and supporting infrastructure.
  • Include hosting locations: on-premises data centre, colocation, and every cloud region and account.
  • Bring material outsourced and cloud service providers into scope through their contracts and right-to-audit.
  • Identify data flows for customer data and payment system data to test data-localisation compliance.
  • Determine the assessment depth per system based on criticality (design-only vs design plus operating effectiveness).
  • State exclusions explicitly with rationale (e.g. decommissioned systems) so the scope is defensible.
Scoping pitfall
Shadow IT and unregistered SaaS tools are the most common cause of scope failure. Reconcile the asset inventory against network egress logs, expense/procurement records and identity-provider app catalogues before finalising scope, or the assessment will miss real risk.
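As an added example of the reconciliation this pitfall calls for (not part of the original page and not an RBI-prescribed method), the Python script below collapses proxy egress destinations to their registrable domain, counts distinct users per domain, and reports the domains that neither the asset inventory nor the identity-provider app catalogue knows about, together with SSO-governed apps that are missing from the inventory. The log line format, the two-label public-suffix shortlist, the infrastructure allowlist, the two-user reporting threshold and every domain and username are constructed assumptions.

```python
"""Shadow-IT reconciliation for scoping: egress logs vs inventory vs IdP catalogue.

Added illustration, not RBI text or a product. Log format, suffix shortlist,
allowlist, threshold and all names are assumptions constructed for the example.
"""
import re
from collections import defaultdict

# Constructed inputs (registrable domains; a real run would export these from
# the CMDB/asset register and the identity provider's application list).
ASSET_INVENTORY = {"loanhub.example", "salesforce.com", "microsoft.com"}
IDP_APP_CATALOGUE = {"salesforce.com", "slack.com"}
INFRA_ALLOWLIST = {"windowsupdate.com", "akamaihd.net"}   # update/CDN noise (assumed)

# Constructed proxy egress lines in an assumed "key=value" format.
EGRESS_LOGS = """\
2024-06-01T09:12:03Z user=asha.rao dst=login.salesforce.com bytes=8812
2024-06-01T09:15:44Z user=asha.rao dst=files.notion.so bytes=120033
2024-06-01T10:02:10Z user=neha.iyer dst=app.notion.so bytes=40012
2024-06-01T10:20:55Z user=rohan.das dst=www.notion.so bytes=9000
2024-06-01T11:01:01Z user=neha.iyer dst=loanhub.example bytes=2300
2024-06-01T11:30:00Z user=vikram.shah dst=api.slack.com bytes=600
2024-06-01T12:00:00Z user=asha.rao dst=dl.windowsupdate.com bytes=99999
2024-06-01T12:10:00Z user=neha.iyer dst=cdn.pdf-tool.co.in bytes=31000
2024-06-01T12:11:00Z user=neha.iyer dst=www.pdf-tool.co.in bytes=1000
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")

# Shortlist of two-label public suffixes; a production version would use the
# full Public Suffix List (this shortlist is an assumption for the example).
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}


def registrable_domain(host):
    """Collapse a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_shadow_it(logs, inventory, idp_catalogue, allowlist, min_users=2):
    """Return (unregistered domains -> sorted users, SSO apps absent from inventory)."""
    users_by_domain = defaultdict(set)
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # tolerate malformed lines
        users_by_domain[registrable_domain(m["dst"])].add(m["user"])

    known = inventory | idp_catalogue | allowlist
    # Domains nobody registered, used by enough distinct staff to matter.
    unregistered = {d: sorted(u) for d, u in users_by_domain.items()
                    if d not in known and len(u) >= min_users}
    # Apps the IdP already federates but the asset register never recorded.
    inventory_gaps = sorted(idp_catalogue - inventory)
    return unregistered, inventory_gaps


if __name__ == "__main__":
    unreg, gaps = find_shadow_it(EGRESS_LOGS, ASSET_INVENTORY,
                                 IDP_APP_CATALOGUE, INFRA_ALLOWLIST)
    for domain, users in unreg.items():
        print(f"unregistered SaaS: {domain} used by {', '.join(users)}")
    for domain in gaps:
        print(f"in SSO catalogue but not in asset inventory: {domain}")
```

The user-count threshold keeps one-off browsing (pdf-tool.co.in, a single user) out of the report while a tool three staff use (notion.so) is surfaced for scoping; both lists are what should be fed back into the asset inventory before scope is frozen.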

Implementation approach

A phased approach converts the framework from a document into an operating control environment. The following four phases each list core activities and the deliverables an assessor will expect to see.

Phase 1 - Governance foundation and gap assessment

  • Activities: confirm regulatory layer and applicability; constitute the IT Strategy Committee and IT Steering Committee; appoint/confirm CISO; run a baseline gap assessment against every framework domain; establish the IT risk register and risk appetite.
  • Deliverables: applicability determination note; Board-approved IT governance charter; committee terms of reference; gap assessment report with prioritised findings; risk register.

Phase 2 - Policy, control design and quick wins

  • Activities: author/refresh the policy and standard suite; define hardening baselines; design IAM, PAM and MFA controls; establish change/incident/patch processes; close high-risk quick wins (MFA on remote/privileged access, patch backlog, exposed services).
  • Deliverables: approved policy suite; hardening standards; IAM/PAM design; change and incident management procedures; quick-win closure evidence.

Phase 3 - Control build-out and technology deployment

  • Activities: deploy SIEM and establish SOC/CSOC monitoring use-cases; implement DLP and encryption/key management; stand up VAPT and vulnerability management cadence; build BCP/DR, backups and run a first DR drill; formalise outsourcing/cloud governance and contracts.
  • Deliverables: SOC runbooks and monitoring evidence; VAPT and remediation reports; BCP/DR plan with BIA and drill results; backup restore-test logs; updated vendor contracts with right-to-audit.

Phase 4 - Assurance, IS audit and continuous improvement

  • Activities: conduct the risk-based IS audit; report to the Audit Committee; remediate findings; institutionalise KPI/KRI reporting to the Board; prepare the RBI inspection evidence pack; embed a review cycle.
  • Deliverables: IS audit report; ACB minutes; remediation tracker at closure; Board dashboards; inspection-ready evidence repository; annual review calendar.

Maturity and capability model

Although the RBI does not mandate a specific maturity scale, assessors commonly express readiness on a five-level capability model to communicate the state of each domain to the Board and to prioritise investment. The following levels are recommended for NBFC IT/cyber programmes.

Maturity level | Characteristics for an NBFC
Level 1 - Initial / Ad hoc | Controls are informal and person-dependent; little documentation; reactive to incidents; no board oversight of IT risk. High supervisory concern.
Level 2 - Developing / Repeatable | Key policies exist and some processes are followed, but inconsistently; governance committees formed but not fully effective; gaps in evidence.
Level 3 - Defined | Policies, standards and processes are documented, approved and consistently applied; committees functioning; IS audit operating; the baseline expected of Middle Layer NBFCs.
Level 4 - Managed / Measured | Controls are measured with KRIs/KPIs; risk-based decisions; effective SOC, VAPT and DR drills; continuous monitoring; expected of Upper Layer NBFCs.
Level 5 - Optimised | Controls are continuously improved using metrics, threat intelligence and automation; resilience is demonstrated; leading practice beyond the minimum baseline.

Assessment and audit approach

An IS audit or readiness assessment against the NBFC IT Framework follows a disciplined, evidence-driven sequence. The steps below describe a defensible engagement flow.

  1. Confirm scope and applicability: fix the NBFC layer, systems, locations, third parties and the audit universe, and agree the engagement charter with the Audit Committee.
  2. Plan on a risk basis: rank the audit universe by inherent risk and criticality, and allocate testing depth accordingly.
  3. Review control design: examine policies, standards, architecture and configurations to confirm controls are adequately designed for each domain.
  4. Test operating effectiveness: sample transactions, tickets, logs and configurations over the review period to confirm controls actually operate.
  5. Perform technical validation: run or review VAPT, configuration-compliance scans, access recertifications and DR drill results.
  6. Evaluate third-party and cloud controls: review due diligence, contracts, SOC 2/ISO reports and independent assessments.
  7. Rate and document findings: assign risk ratings, root causes and business impact; distinguish design vs operating deficiencies.
  8. Agree remediation: obtain management responses with owners and target dates; classify as immediate, short-term or strategic.
  9. Report to the Audit Committee of the Board and, where required, prepare inputs for the RBI inspection.
  10. Track to closure and retest: verify remediation and update the risk register; feed results into the next risk-based plan.

Evidence request list

The following categorised list is the standard evidence pack an NBFC should assemble ahead of an IS audit or RBI inspection. Having this repository current and version-controlled dramatically shortens assessment time.

  • Governance: Board/ITSC/Steering committee charters and minutes; IT strategy; organisation chart; CISO appointment; risk appetite statement; IT and cyber risk registers.
  • Policies and standards: full policy suite with approval and review records; hardening baselines; exception register.
  • Access management: IAM/PAM configuration; access matrices; JML records; access recertification reports; MFA coverage.
  • Security operations: SIEM log-source inventory and retention config; SOC/CSOC runbooks and monitoring evidence; alert and escalation records.
  • Vulnerability and testing: VAPT reports and remediation trackers; configuration-compliance scans; patch reports; EOL register.
  • Application security: SDLC policy; SAST/DAST reports; code-review records; environment segregation and change tickets; API security testing.
  • Data protection: encryption and key-management evidence; DLP reports; data-classification and retention schedules; data-localisation attestations.
  • Incident and continuity: cyber-incident response plan; incident logs; RBI/CERT-In reporting records; BCP/DR policy and BIA; DR drill and backup restore-test logs.
  • Third party and cloud: due-diligence and materiality assessments; executed contracts with right-to-audit and exit clauses; CSP compliance reports; vendor monitoring records.
  • Assurance and training: IS audit charter, plan and reports; ACB minutes; remediation trackers; awareness-training and phishing-simulation records.
  • Digital channels: app security assessments; Digital Lending Guidelines compliance mapping; fraud-monitoring evidence; grievance MIS.

Roles and responsibilities

Role | Key IT/cyber responsibilities under the framework
Board of Directors | Owns IT governance; approves IT strategy, policies and risk appetite; ensures adequate resourcing; reviews IT/cyber risk and IS audit outcomes.
IT Strategy Committee (of the Board) | Chaired by an independent director with IT competence; oversees IT strategy, major IT investments, IT risk and resilience; meets at least quarterly.
Audit Committee of the Board (ACB) | Oversees the IS audit function; approves the IS audit charter and plan; reviews findings and tracks remediation.
MD / CEO | Accountable for implementing Board-approved IT strategy and for the overall control environment.
Head of IT / CIO | Delivers and operates IT infrastructure, services and projects; owns IT operations, change, capacity and service management.
Chief Information Security Officer (CISO) | Independent of IT operations; owns information/cyber-security strategy, policy, monitoring, incident response and regulatory security reporting.
IT Steering Committee | Executive-level prioritisation of IT initiatives, budgets and project governance; reports to the ITSC.
Risk Management Committee / CRO | Integrates IT and cyber risk into enterprise risk management and monitors the risk appetite.
IS Auditors (internal/external) | Provide independent assurance over IT controls; report to the ACB; must be competent and independent.
Business/Data owners | Classify data, define access requirements, own control operation within their processes.
Third-party / cloud providers | Deliver contracted services within agreed security, SLA, audit and data-protection obligations.

KPIs to track

  • Percentage of critical and high vulnerabilities remediated within SLA.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents.
  • Patch compliance rate for critical patches across servers, endpoints and network devices.
  • Percentage of privileged and remote access covered by MFA and PAM.
  • Access recertification completion rate and count of overdue reviews.
  • Number and severity of cyber incidents, and timeliness of RBI/CERT-In reporting.
  • DR drill success rate and achievement of RTO/RPO targets.
  • Backup restore-test success rate.
  • IS audit findings by severity and percentage closed within target dates.
  • Security-awareness training completion rate and phishing-simulation failure trend.
  • Percentage of material third parties with current due diligence and contractual right-to-audit.
  • System/service availability against SLA for critical applications.
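The KPIs above are only useful if they are computed the same way every quarter and if "closed" means what the auditor means (fix applied and retest evidence on file, not merely a ticket marked done). The following is an added illustration, not part of the RBI text or any CyberSigma tooling: it computes three of the listed metrics (vulnerability remediation within SLA, MTTD/MTTR, and timeliness of CERT-In reporting against the 6-hour window) from a small constructed dataset. The SLA days per severity and all findings and incidents are assumed sample values.

```python
"""Constructed KPI calculations for an NBFC IT/cyber dashboard (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation SLAs in days per severity; the framework sets no numbers,
# these are placeholders an NBFC would replace with its Board-approved SLAs.
SLA_DAYS = {"critical": 15, "high": 30}
CERT_IN_WINDOW = timedelta(hours=6)  # reporting window stated in the CERT-In Directions


@dataclass
class Finding:
    ref: str
    severity: str
    found: datetime
    remediated: Optional[datetime] = None  # date the fix was applied, if any
    retested: bool = False                 # retest evidence on file (required for closure)


@dataclass
class Incident:
    ref: str
    occurred: datetime   # best estimate of when the event started
    detected: datetime   # when the SOC noticed it
    contained: datetime  # when it was contained/responded to
    reported: datetime   # when it was reported to CERT-In


def is_closed(f: Finding) -> bool:
    """A finding is closed only when remediated AND retested; otherwise it stays open."""
    return f.remediated is not None and f.retested


def sla_deadline(f: Finding) -> datetime:
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def vuln_sla_kpi(findings: list, as_of: datetime) -> dict:
    """Percentage of critical/high findings closed within SLA, plus the overdue list.
    Denominator: critical/high findings that are closed or whose deadline has passed by as_of.
    Findings still inside their SLA window are not counted either way."""
    due = [f for f in findings
           if f.severity in SLA_DAYS and (is_closed(f) or sla_deadline(f) <= as_of)]
    within = {f.ref for f in due if is_closed(f) and f.remediated <= sla_deadline(f)}
    overdue = sorted(f.ref for f in due if f.ref not in within)
    pct = round(100 * len(within) / len(due), 1) if due else 100.0
    return {"pct_within_sla": pct, "overdue": overdue, "in_scope": len(due)}


def incident_kpis(incidents: list) -> dict:
    """MTTD, MTTR (hours) and share of incidents reported to CERT-In within 6 hours of detection."""
    hours = lambda td: td.total_seconds() / 3600
    mttd = mean(hours(i.detected - i.occurred) for i in incidents)
    mttr = mean(hours(i.contained - i.detected) for i in incidents)
    on_time = sum(1 for i in incidents if i.reported - i.detected <= CERT_IN_WINDOW)
    return {
        "mttd_hours": round(mttd, 1),
        "mttr_hours": round(mttr, 1),
        "pct_reported_within_6h": round(100 * on_time / len(incidents), 1),
    }


# Constructed sample evidence (not real findings or incidents).
AS_OF = datetime(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("V-1", "critical", datetime(2024, 5, 1), datetime(2024, 5, 10), True),   # within SLA
    Finding("V-2", "critical", datetime(2024, 5, 20), datetime(2024, 6, 20), True),  # closed late
    Finding("V-3", "high", datetime(2024, 5, 1), datetime(2024, 5, 25), False),      # no retest: still open
    Finding("V-4", "high", datetime(2024, 6, 20)),                                   # deadline not yet reached
    Finding("V-5", "medium", datetime(2024, 4, 1)),                                  # outside critical/high scope
    Finding("V-6", "high", datetime(2024, 4, 1), datetime(2024, 4, 20), True),       # within SLA
]
SAMPLE_INCIDENTS = [
    Incident("I-1", datetime(2024, 5, 2, 8), datetime(2024, 5, 2, 10),
             datetime(2024, 5, 2, 16), datetime(2024, 5, 2, 14)),   # reported 4h after detection
    Incident("I-2", datetime(2024, 6, 10, 0), datetime(2024, 6, 10, 6),
             datetime(2024, 6, 10, 12), datetime(2024, 6, 10, 13)),  # reported 7h after detection: late
]

if __name__ == "__main__":
    print(vuln_sla_kpi(SAMPLE_FINDINGS, AS_OF))
    print(incident_kpis(SAMPLE_INCIDENTS))
```

Two design points matter for inspection: V-3 stays on the overdue list even though a fix date exists, because no retest evidence is on file, which is exactly the weak closure evidence the "Common gaps" list calls out; and V-4 is excluded from the denominator rather than counted as compliant, so the percentage cannot be inflated by recently raised findings.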

Readiness checklist

  • Regulatory layer (Base/Middle/Upper) and applicable sector directions confirmed and documented.
  • Board-approved IT governance framework and functioning IT Strategy Committee in place.
  • CISO appointed with independence from IT operations and a direct reporting line.
  • Complete, Board/senior-management-approved IT and information-security policy suite with review cycle.
  • IAM, PAM and MFA implemented for privileged, remote and critical access; access recertification current.
  • Hardening baselines applied and configuration compliance monitored; patch SLAs met.
  • SIEM with SOC/CSOC monitoring, defined log retention and time synchronisation operational.
  • Periodic VAPT completed with findings remediated and retested.
  • Data at rest and in transit encrypted; key management and DLP operating; data-localisation confirmed.
  • Cyber-incident response plan tested; RBI and CERT-In reporting timelines understood and rehearsed.
  • BCP/DR with BIA, defined RTO/RPO, a functioning DR site and a completed DR drill.
  • Backups encrypted, offsite/immutable and restore-tested.
  • Material IT/cloud outsourcing governed by contracts with right-to-audit, SLA and exit clauses.
  • Independent, risk-based IS audit completed and reported to the Audit Committee with remediation tracked.
  • Security-awareness training and phishing simulations delivered and measured.
  • Inspection-ready, version-controlled evidence repository maintained.

Common gaps

  • IT Strategy Committee exists on paper but does not meet quarterly or lacks a director with genuine IT competence.
  • CISO reports into the Head of IT, breaching the required independence from IT operations.
  • MFA not enforced universally on remote and privileged access; long-lived shared/service accounts persist.
  • Vulnerability findings identified but not remediated within SLA, with weak retest and closure evidence.
  • BCP/DR documented but never drilled, or drills that do not actually achieve the stated RTO/RPO.
  • Backups taken but restore-tests not performed, and no immutability/air-gap against ransomware.
  • Outsourcing and cloud contracts missing the RBI right-to-audit, data-localisation or exit clauses.
  • Data-localisation of payment/system data not evidenced, especially with global cloud regions.
  • Digital lending apps not mapped to the RBI Digital Lending Guidelines (consent, LSP governance, data access).
  • Cyber-incident reporting timelines (RBI and CERT-In 6-hour window) not rehearsed, risking late reporting.
  • IS audit not risk-based, under-scoped, or performed by insufficiently independent/competent auditors.
  • Shadow IT and unmanaged SaaS outside the asset inventory and monitoring perimeter.

NBFC IT Framework mapped to other frameworks

NBFCs frequently pursue complementary certifications and comply with adjacent regulations. The following mapping helps rationalise a single control set across multiple obligations, reducing duplicate effort.

Corresponding controls in other frameworks, by NBFC IT Framework domain:

  • IT Governance: ISO/IEC 27001 Clauses 5-6 (leadership, planning); COBIT 2019 EDM and APO domains; NIST CSF Govern function.
  • IT & Information Security Risk Management: ISO/IEC 27001 Clause 6 & Annex A; NIST CSF Identify/Protect/Detect; PCI DSS Requirements 1-8, 10-12.
  • Identity & Access Management: ISO 27001 A.5.15-A.5.18 / A.8.2-A.8.5; PCI DSS Req 7-8; NIST CSF PR.AA.
  • Secure Configuration & Patch: ISO 27001 A.8.8-A.8.9; CIS Controls 4 & 7; PCI DSS Req 2, 6, 11.
  • Application Security / SDLC: ISO 27001 A.8.25-A.8.31; OWASP ASVS; PCI DSS Req 6; NIST SSDF.
  • Data Security & Encryption: ISO 27001 A.8.10-A.8.12, A.8.24; PCI DSS Req 3-4; DPDP Act 2023 obligations.
  • Security Operations & Monitoring: ISO 27001 A.8.15-A.8.16; NIST CSF Detect; PCI DSS Req 10-11.
  • Cyber Incident Response & Reporting: ISO 27001 A.5.24-A.5.28; NIST CSF Respond/Recover; CERT-In Directions (6-hour reporting).
  • Business Continuity & DR: ISO 22301; ISO 27001 A.5.29-A.5.30; NIST CSF Recover.
  • Outsourcing / Third-Party & Cloud: ISO 27001 A.5.19-A.5.23; RBI Outsourcing of IT Services Master Direction; SOC 2; CSA CCM.
  • IS Audit / Assurance: ISO 27001 Clause 9 (internal audit); COBIT MEA domain; ISACA IS audit standards.
  • Digital Channels & Data Localisation: RBI Digital Lending Guidelines; RBI Payment Data Storage circular; DPDP Act 2023.

How CyberSigma helps

Partner with CyberSigma for RBI NBFC IT Framework readiness
CyberSigma is a CERT-In empanelled cyber-security assessor with deep experience across the RBI IT Framework for NBFCs, the 2023 IT Governance, Risk, Controls and Assurance Master Direction and Scale Based Regulation. We take NBFCs end to end: layer-based applicability determination, board-level governance uplift, a full control-by-control gap assessment, policy and architecture design, VAPT and configuration hardening, SOC/CSOC and BCP/DR build-out, third-party and cloud risk governance, and independent Information Systems (IS) audit. Our assessors translate every requirement into evidence your Board and the RBI inspection team will accept, and we integrate readiness tracking into your GRC and CRM workflows so remediation is owned, measured and closed. Engage CyberSigma to move from ad hoc compliance to a demonstrably resilient, inspection-ready IT and cyber programme.

Frequently asked questions

Do all NBFCs have the same IT requirements?
No — requirements are graded by the NBFC’s layer under scale-based regulation, with larger and systemically important NBFCs facing fuller IT governance and IS audit obligations.
