Introduction to the PFRDA Cyber Security & IS Audit Framework
The Pension Fund Regulatory and Development Authority (PFRDA) is the statutory regulator constituted under the PFRDA Act, 2013, charged with promoting old-age income security and regulating the National Pension System (NPS) and the Atal Pension Yojana (APY). As the pension ecosystem has digitised, PFRDA has progressively hardened its expectations around information security, cyber resilience and technology governance for every intermediary that touches subscriber data or contributions. This guide is an auditor-grade deep-dive into the PFRDA Cyber Security & IS Audit framework as expressed through PFRDA's cyber security guidelines, the Central Recordkeeping Agency (CRA) technology standards, and the periodic Information Systems (IS) Audit and Cyber Security Audit obligations imposed on intermediaries such as Points of Presence (PoP), Pension Funds (PFs), Custodians, the Trustee Bank, Annuity Service Providers (ASPs) and the CRAs.
Unlike a single monolithic standard, PFRDA's cyber posture is a layered construct: it draws on RBI's cyber security frameworks (given many intermediaries are banks or NBFCs), SEBI's cyber security and cyber resilience framework (given overlaps with market intermediaries), CERT-In directions of 28 April 2022 on incident reporting and log retention, the DPDP Act 2023 for personal data, and PFRDA's own circulars mandating annual IS audits and vulnerability assessments. This page treats the framework as a consolidated control set that a CERT-In empanelled auditor would test in the field, and gives implementers a concrete build-and-remediate roadmap.
Copyright & source note
This guide is original CyberSigma content. It paraphrases publicly stated regulatory obligations and does not reproduce PFRDA, RBI, SEBI, CERT-In or NPCI copyrighted circular text. Intermediaries must always read the operative PFRDA circulars, the CRA/NPS Trust technology guidelines and their empanelment terms in full; where this guide and an official circular differ, the circular prevails.
What is PFRDA Cyber Security & IS Audit?
PFRDA Cyber Security & IS Audit is the composite set of information-security, cyber-resilience and technology-governance requirements that PFRDA imposes on NPS/APY intermediaries, verified through an independent, periodic audit conducted by a CERT-In empanelled auditor or a qualified IS audit firm. The audit tests whether the intermediary's systems that store, process or transmit subscriber data, PRAN (Permanent Retirement Account Number) records, contribution flows and scheme information are governed, protected, monitored and recoverable to the standard PFRDA expects.
The framework has three intertwined objectives. First, confidentiality and integrity of subscriber and scheme data, including PRAN, nominee, KYC, bank and contribution records. Second, availability and resilience of NPS transaction processing, so that contributions, withdrawals, exits and annuity issuance are not disrupted. Third, accountability and auditability, so that PFRDA and the NPS Trust can obtain assurance that intermediaries meet their technology and cyber obligations on a continuing basis.
In practice the framework manifests as: (a) a board/senior-management approved information security and cyber security policy; (b) technical controls across network, application, endpoint, data and identity layers; (c) continuous monitoring including a SOC and log retention; (d) periodic Vulnerability Assessment and Penetration Testing (VAPT); (e) an annual IS Audit and a Cyber Security Audit; and (f) incident response and reporting aligned to CERT-In and PFRDA timelines. The IS Audit component specifically evaluates IT general controls (ITGC), application controls, change management, data centre operations and business continuity.
Who must comply?
The obligation attaches to every regulated intermediary within the NPS/APY architecture, scaled by the criticality and volume of subscriber data and transactions each handles. The following entities are typically in scope.
| Intermediary | Role in NPS/APY | Cyber & IS audit expectation |
|---|---|---|
| Central Recordkeeping Agency (CRA) | Maintains PRAN records, processes contributions and exits | Highest tier: full IS audit, VAPT, SOC, DR, and continuous PFRDA/NPS Trust oversight |
| Pension Fund (PF) | Manages and invests subscriber corpus | Annual IS audit, cyber security policy, VAPT, data protection controls |
| Point of Presence (PoP) / PoP-SP | Subscriber onboarding, contribution collection, servicing | Cyber security policy, VAPT, secure onboarding and KYC data protection |
| Custodian | Safekeeping of scheme securities and assets | IS audit aligned to SEBI custodian norms plus PFRDA expectations |
| Trustee Bank | Fund flow and settlement for NPS | RBI cyber framework plus PFRDA settlement-integrity controls |
| Annuity Service Provider (ASP) | Provides annuities on exit | IRDAI cyber controls plus PFRDA data-sharing security |
| Aggregators / APY service providers | APY enrolment and servicing | Proportionate cyber controls and secure data exchange with CRA |
| NPS Trust | Oversight of NPS funds and intermediaries | Governance oversight, receives audit assurance from intermediaries |
| Retirement Adviser / eNPS platforms | Digital advisory and self-onboarding | Web/app security, secure authentication, data protection |
- Entities registered or empanelled with PFRDA under NPS/APY regulations, irrespective of whether they are also RBI-, SEBI- or IRDAI-regulated.
- Material outsourced/technology service providers and cloud vendors supporting in-scope systems (via contractual flow-down and right-to-audit).
- Any subsidiary, branch or gateway that processes PRAN, contribution, nominee, KYC or bank-mandate data on behalf of an intermediary.
Structure of the PFRDA Cyber Security & IS Audit framework
The framework can be decomposed into governance, technical and assurance control domains. The table below sets out the domains an auditor tests, the indicative control families within each, and the primary regulatory anchor. Identifiers (e.g. GOV-1) are CyberSigma working references used consistently across this guide's checklist; they are not official PFRDA control numbers.
| Domain | Control families | Primary regulatory anchor |
|---|---|---|
| Governance & Policy (GOV) | Cyber security policy, board oversight, roles, risk assessment, cyber crisis management plan | PFRDA cyber guidelines; RBI/SEBI cyber frameworks |
| Identity & Access Management (IAM) | Authentication, authorisation, privileged access, MFA, joiner-mover-leaver | PFRDA; RBI IT framework; SEBI CSCRF |
| Network Security (NET) | Segmentation, firewalls, IDS/IPS, DDoS, secure gateways | RBI/SEBI; CERT-In |
| Application & Secure Development (APP) | Secure SDLC, application controls, API security, source-code review | PFRDA CRA tech standards; OWASP-aligned |
| Data Protection & Privacy (DAT) | Encryption, classification, DLP, PRAN/KYC handling, data localisation | DPDP Act 2023; RBI data localisation; PFRDA |
| Endpoint & Server Security (END) | Hardening, EDR/AV, patch management, configuration baselines | RBI baseline; CIS benchmarks |
| Vulnerability & Threat Management (VTM) | VAPT, patch SLAs, threat intelligence, red teaming | PFRDA VAPT mandate; CERT-In |
| Security Monitoring & SOC (MON) | SIEM, log management, log retention, correlation, alerting | CERT-In 28-Apr-2022; SEBI CSCRF |
| Incident Response & Reporting (IR) | IR plan, CERT-In reporting, PFRDA reporting, forensics | CERT-In directions; PFRDA incident circulars |
| Business Continuity & DR (BCP) | BCP, DR site, RTO/RPO, drills, resilience | RBI BCP; PFRDA availability expectations |
| Third-Party & Cloud Risk (TPR) | Vendor due diligence, cloud security, outsourcing governance | RBI/SEBI outsourcing; MeitY cloud |
| IS Audit & Assurance (AUD) | ITGC, change management, IS audit, board reporting | PFRDA IS audit mandate; ISACA IS audit standards |
Master assessment checklist
This is the operative section for both auditors and implementers. Each control family below has its own heading and a table mapping what an auditor verifies against the typical evidence an intermediary must produce. No domain is skipped. Implementers should read the 'What to verify' column as a build requirement and the 'Typical evidence' column as the artefact to maintain.
GOV — Governance & Policy
| What to verify | Typical evidence |
|---|---|
| A board/senior-management approved information & cyber security policy exists and is reviewed at least annually | Signed policy, board/IT committee minutes, version history and review date |
| A defined governance structure with a CISO/designated security officer and clear roles | Org chart, CISO appointment letter, RACI matrix |
| Documented cyber risk assessment covering NPS/APY systems and data | Risk register, risk-assessment methodology, residual-risk sign-off |
| A Cyber Crisis Management Plan (CCMP) aligned to CERT-In guidance | CCMP document, escalation matrix, invocation records |
| Security objectives cascaded into measurable KPIs reported to the board | Board dashboards, quarterly cyber MIS packs |
| Budget and resourcing allocated to cyber security | Approved budget lines, headcount plan, tooling inventory |
IAM — Identity & Access Management
| What to verify | Typical evidence |
|---|---|
| Unique user IDs; no shared/generic accounts for privileged actions | User inventory, IAM export, shared-account exception register |
| Role-based access control enforcing least privilege on PRAN/contribution systems | Role-permission matrix, access-provisioning tickets |
| Multi-factor authentication for admin, remote and privileged access | MFA policy, IdP/PAM configuration screenshots, auth logs |
| Joiner-mover-leaver process with timely revocation on exit | JML SOP, HR-triggered de-provisioning tickets, revocation timestamps |
| Privileged Access Management with session recording and just-in-time access | PAM tool config, session logs, break-glass procedure |
| Periodic (at least half-yearly) user access recertification | Access-review reports signed by data owners |
| Password policy meeting complexity, rotation and lockout standards | Password/GPO policy, sample configuration |
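The joiner-mover-leaver and recertification rows above are tested by reconciling the IAM export against the HR roster, not by reading the SOP. The script below is an added example written for this guide (it is not PFRDA or CyberSigma tooling) showing the reconciliation an auditor or the access-review owner runs: it flags accounts whose owner has left but remain active, accounts whose recorded owner does not exist in HR, shared or generic IDs that hold privileged roles, and stale accounts. The role names, the 90-day staleness threshold and the sample records are constructed assumptions; a real review would feed it the IdP/PAM export and the HR feed.

```python
"""Added example: reconcile an IAM export with the HR roster for an access
recertification. Role names, the 90-day threshold and all sample data are
constructed assumptions, not values from any PFRDA or CRA system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

PRIVILEGED_ROLES = {"db_admin", "pran_ops_admin", "sysadmin"}  # assumed role names
STALE_AFTER_DAYS = 90                                           # assumed threshold


@dataclass
class Account:
    user_id: str
    owner_emp_id: Optional[str]   # None when no individual owner is recorded
    roles: Set[str]
    last_login: Optional[date]    # None when the account has never logged in


@dataclass
class Employee:
    emp_id: str
    exit_date: Optional[date]     # None while still employed


def review_accounts(accounts: List[Account], roster: List[Employee],
                    as_of: date) -> Dict[str, List[str]]:
    """Return finding category -> sorted user_ids needing action.

    leaver_active      owner has an HR exit date on/before as_of, account still exists
    orphaned           recorded owner is not in the HR roster at all
    shared_privileged  no individual owner, yet holds a privileged role
    stale              no login within STALE_AFTER_DAYS (or never)
    """
    by_emp = {e.emp_id: e for e in roster}
    findings: Dict[str, List[str]] = {
        "leaver_active": [], "orphaned": [], "shared_privileged": [], "stale": []}
    for a in accounts:
        if a.owner_emp_id is None:
            # Shared/generic IDs are tolerated only without privileged roles.
            if a.roles & PRIVILEGED_ROLES:
                findings["shared_privileged"].append(a.user_id)
        else:
            emp = by_emp.get(a.owner_emp_id)
            if emp is None:
                findings["orphaned"].append(a.user_id)
            elif emp.exit_date is not None and emp.exit_date <= as_of:
                findings["leaver_active"].append(a.user_id)
        if a.last_login is None or (as_of - a.last_login).days > STALE_AFTER_DAYS:
            findings["stale"].append(a.user_id)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data standing in for the HR feed and the IAM export.
AS_OF = date(2024, 3, 31)
ROSTER = [
    Employee("E100", None),
    Employee("E101", date(2024, 2, 15)),   # left the organisation
    Employee("E102", None),
]
ACCOUNTS = [
    Account("asharma",    "E100", {"pran_ops"},       date(2024, 3, 28)),
    Account("rkumar",     "E101", {"pran_ops_admin"}, date(2024, 2, 10)),  # leaver, still active
    Account("svc_backup", None,   {"sysadmin"},       date(2024, 3, 30)),  # shared, privileged
    Account("pmehta",     "E999", {"pran_ops"},       date(2023, 11, 1)),  # unknown owner, stale
    Account("dbadmin2",   "E102", {"db_admin"},       None),               # never logged in
]


def run_review() -> Dict[str, List[str]]:
    return review_accounts(ACCOUNTS, ROSTER, AS_OF)


if __name__ == "__main__":
    for category, ids in run_review().items():
        print(f"{category:18s} {', '.join(ids) or '-'}")
```

The leaver check uses the HR exit date rather than the IAM "disabled" flag, because the audit question is whether revocation followed the HR trigger; the gap between exit date and the de-provisioning ticket is the revocation timestamp evidence the IAM table asks for.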
NET — Network Security
| What to verify | Typical evidence |
|---|---|
| Network segmentation isolating NPS production, DMZ, and corporate zones | Network architecture diagram, VLAN/firewall zone map |
| Next-generation firewalls with reviewed rule bases and default-deny | Firewall config, rule-review reports, change tickets |
| IDS/IPS deployed and tuned at perimeter and critical segments | IDS/IPS policy, alert samples, tuning records |
| Anti-DDoS protection for internet-facing NPS/eNPS services | DDoS service contract, mitigation reports, drill evidence |
| Secure remote access via VPN with MFA and no split tunnelling | VPN config, MFA enforcement, connection logs |
| Egress filtering and outbound traffic control to prevent exfiltration | Proxy/egress policy, blocked-destination logs |
APP — Application & Secure Development
| What to verify | Typical evidence |
|---|---|
| Secure SDLC with security requirements in design and code review | SDLC policy, design review notes, secure-coding standard |
| Application security testing (SAST/DAST) before release | Scan reports, defect-tracking tickets, sign-off gates |
| Input validation, output encoding and session management (OWASP-aligned) | Pen-test findings, code-review evidence, remediation log |
| API security: authentication, rate limiting, schema validation for CRA/eNPS APIs | API gateway config, token policy, API pen-test report |
| Application controls ensuring contribution/PRAN transaction integrity | Control matrix, maker-checker config, reconciliation logs |
| Segregation of dev/test/prod with no production data in lower environments | Environment diagram, data-masking evidence, access controls |
DAT — Data Protection & Privacy
| What to verify | Typical evidence |
|---|---|
| Data classification identifying PRAN, KYC, nominee, bank and contribution data as sensitive | Data classification policy, data inventory/flow map |
| Encryption at rest for databases holding subscriber data | Encryption config, key-management (KMS/HSM) records |
| Encryption in transit (TLS 1.2+) for all subscriber-data channels | TLS scan results, cipher policy, certificate inventory |
| Data Loss Prevention on endpoints, email and web egress | DLP policy, incident/alert samples, coverage report |
| DPDP Act 2023 alignment: consent, purpose limitation, data-principal rights | Consent records, privacy notice, DPO/grievance process |
| RBI data-localisation compliance for payment/bank data where applicable | Data-residency attestation, storage-location evidence |
| Secure data disposal and media sanitisation | Disposal SOP, destruction certificates, wipe logs |
END — Endpoint & Server Security
| What to verify | Typical evidence |
|---|---|
| Hardened server/endpoint baselines aligned to CIS/vendor benchmarks | Hardening standard, baseline scan, deviation register |
| EDR/anti-malware deployed with central management and up-to-date signatures | EDR console coverage report, definition-currency evidence |
| Patch management with defined SLAs for critical/high vulnerabilities | Patch policy, patch-compliance dashboard, exception log |
| Removable-media and USB controls on sensitive systems | Device-control policy, blocked-device logs |
| Time synchronisation (NTP) across servers for reliable logging | NTP configuration evidence |
| Golden-image and configuration management for consistent builds | Build documentation, config-management tool records |
VTM — Vulnerability & Threat Management
| What to verify | Typical evidence |
|---|---|
| Periodic VAPT (at least annually, and on major change) by a CERT-In empanelled firm | VAPT reports, empanelment proof, scope document |
| Closure of findings within risk-based SLAs with re-testing | Remediation tracker, re-test reports, closure sign-off |
| Regular authenticated vulnerability scanning of internal and external assets | Scan schedules, scan reports, asset coverage |
| Threat intelligence feeds informing detection and patch prioritisation | TI subscription, advisories actioned, CERT-In advisory tracking |
| Application and infrastructure pen testing including eNPS/mobile apps | Pen-test reports for web, API and mobile |
| Asset inventory completeness underpinning vulnerability coverage | CMDB/asset register reconciled to scan results |
MON — Security Monitoring & SOC
| What to verify | Typical evidence |
|---|---|
| SIEM aggregating logs from critical NPS systems, network and security tools | SIEM architecture, log-source inventory, coverage report |
| Log retention meeting CERT-In 180-day (rolling, in India) requirement | Retention policy, storage evidence, sample log queries |
| 24x7 monitoring/SOC with defined use cases and correlation rules | SOC runbook, use-case library, staffing roster |
| Alert triage, severity classification and escalation within SLA | Alert tickets, MTTA/MTTR metrics, escalation records |
| Integrity and tamper-protection of logs | Log-forwarding/WORM config, access controls on log store |
| Clock synchronisation to the NTP servers of NIC or NPL (or servers traceable to them), as the CERT-In direction requires, so log timestamps are consistent and defensible | NTP source configuration per CERT-In direction, sample offset checks |
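Two rows in the MON table are routinely evidenced with a policy document when the auditor actually needs a measurement: the 180-day rolling retention per log source, and tamper-protection of the log store. The script below is an added example for this guide (not a PFRDA, CERT-In or CyberSigma artefact) that shows both checks on constructed data. `retention_gaps` walks a log-source inventory and reports any source that covers fewer than 180 days, has stopped ingesting, or is stored outside India. `chain_records`/`verify_chain` build and verify a SHA-256 hash chain over archived records, the pattern behind WORM-style forwarding, and the example also shows its known blind spot: truncating the tail of the chain is only detected when the latest digest has been anchored somewhere the log administrator cannot rewrite. Source names, record formats and the one-day ingestion tolerance are assumptions.

```python
"""Added example: log-retention coverage and hash-chained log integrity checks
for SIEM evidence. Source names, record formats, the one-day ingestion
tolerance and all sample data are constructed assumptions."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 180          # CERT-In direction of 28 Apr 2022: rolling 180 days, in India
INGEST_TOLERANCE = timedelta(days=1)   # assumed: a source is 'stale' if nothing newer than this
GENESIS = "0" * 64            # starting 'previous digest' for the chain


def retention_gaps(sources: List[Dict], as_of: date) -> List[Tuple[str, str]]:
    """Each source: name, oldest (date), newest (date), region (ISO country code).
    Returns (source, reason) for every way a source fails the requirement."""
    gaps = []
    for s in sources:
        covered = (s["newest"] - s["oldest"]).days
        if s["newest"] < as_of - INGEST_TOLERANCE:
            gaps.append((s["name"], "ingestion stale"))
        if covered < RETENTION_DAYS:
            gaps.append((s["name"], f"only {covered} days retained"))
        if s["region"] != "IN":
            gaps.append((s["name"], f"stored outside India ({s['region']})"))
    return gaps


def chain_records(records: List[str]) -> List[Dict[str, str]]:
    """Tamper-evident archive: digest_i = SHA-256(digest_{i-1} || record_i)."""
    prev, chain = GENESIS, []
    for rec in records:
        digest = hashlib.sha256((prev + rec).encode()).hexdigest()
        chain.append({"record": rec, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain: List[Dict[str, str]]) -> int:
    """Index of the first entry whose digest does not recompute, or -1 if intact.
    Any edit or deletion before the last entry breaks every later digest."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if hashlib.sha256((prev + entry["record"]).encode()).hexdigest() != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1


# Constructed sample inventory and records (not from any real CRA system).
AS_OF = date(2024, 3, 31)
SOURCES = [
    {"name": "cra-core-db-audit", "oldest": date(2023, 9, 1),  "newest": date(2024, 3, 31), "region": "IN"},
    {"name": "enps-waf",          "oldest": date(2024, 1, 15), "newest": date(2024, 3, 31), "region": "IN"},
    {"name": "pop-vpn-gw",        "oldest": date(2023, 8, 1),  "newest": date(2024, 3, 20), "region": "IN"},
    {"name": "cloud-iam",         "oldest": date(2023, 6, 1),  "newest": date(2024, 3, 31), "region": "SG"},
]
RECORDS = [
    "2024-03-31T09:12:03+05:30 host=cra-core-db user=dbadmin2 action=GRANT role=pran_ops_admin",
    "2024-03-31T09:15:44+05:30 host=cra-core-db user=rkumar action=SELECT table=subscriber_bank",
    "2024-03-31T09:16:01+05:30 host=cra-core-db user=rkumar action=EXPORT rows=48211",
]


def run_checks() -> Dict:
    chain = chain_records(RECORDS)
    head = chain[-1]["digest"]      # anchor this in a store the log admins cannot rewrite
    tampered = [dict(e) for e in chain]
    tampered[2]["record"] = tampered[2]["record"].replace("EXPORT", "SELECT")  # hide the export
    truncated = chain[:-1]          # drop the last record entirely
    return {
        "gaps": retention_gaps(SOURCES, AS_OF),
        "intact": verify_chain(chain) == -1 and chain[-1]["digest"] == head,
        "tamper_index": verify_chain(tampered),
        "truncation_by_chain": verify_chain(truncated),   # -1: the chain alone cannot see it
        "truncation_by_head": truncated[-1]["digest"] != head,  # the anchored head can
    }


if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k}: {v}")
```

The retention check deliberately reports three separate failure modes, because each maps to a different remediation: short coverage is a storage-sizing problem, stale ingestion is a forwarder or agent outage, and an out-of-India region is a contractual and architecture problem with the cloud vendor.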
IR — Incident Response & Reporting
| What to verify | Typical evidence |
|---|---|
| Documented incident response plan with roles, phases and playbooks | IR plan, ransomware/phishing/data-breach playbooks |
| Reporting of cyber incidents to CERT-In within 6 hours of detection | Incident register, CERT-In submission acknowledgements |
| Prompt notification of material incidents to PFRDA/NPS Trust | PFRDA notification records, timelines evidenced |
| DPDP breach notification to the Data Protection Board and affected principals | Breach-assessment records, notification templates |
| Forensic readiness and evidence preservation procedures | Forensic SOP, chain-of-custody templates, retained artefacts |
| Post-incident reviews with root-cause and corrective actions | PIR reports, lessons-learned, CAPA tracker |
BCP — Business Continuity & Disaster Recovery
| What to verify | Typical evidence |
|---|---|
| Business Impact Analysis identifying critical NPS processes and RTO/RPO | BIA document, criticality ratings, RTO/RPO targets |
| Geographically separate DR site with tested failover for NPS systems | DR architecture, DC-DR distance evidence, replication config |
| Periodic (at least half-yearly) DR drills including near-live failover | DR drill reports, success/gap analysis, sign-off |
| Backup strategy with encryption, offsite copies and restoration testing | Backup policy, backup logs, restore-test evidence |
| Documented and communicated business continuity plan | BCP document, call trees, alternate-site arrangements |
| Resilience of third-party/cloud dependencies | Vendor DR attestations, contractual continuity clauses |
TPR — Third-Party & Cloud Risk
| What to verify | Typical evidence |
|---|---|
| Security due diligence before onboarding vendors handling NPS data | Due-diligence questionnaires, risk-rating records |
| Contracts with security, confidentiality, audit-rights and breach-notification clauses | Executed contracts/SLAs, right-to-audit clauses |
| Cloud security configuration and shared-responsibility understanding | Cloud config review, CSPM report, responsibility matrix |
| Ongoing vendor monitoring and periodic reassessment | Vendor review reports, SOC 2/ISO 27001 certificates on file |
| Data-processing agreements aligned to DPDP for processors | DPAs, sub-processor register |
| Outsourcing governance aligned to RBI/SEBI norms where applicable | Outsourcing policy, board-approved material-outsourcing list |
AUD — IS Audit & Assurance
| What to verify | Typical evidence |
|---|---|
| Annual IS Audit covering ITGC, application and data-centre controls | IS audit report, scope, auditor credentials |
| Change management with authorisation, testing and segregation of duties | Change tickets, CAB minutes, emergency-change log |
| Findings tracked to closure with management action plans | Audit-issue tracker, remediation status, board reporting |
| Cyber security audit distinct from IS audit, testing technical controls | Cyber audit report, VAPT integration |
| Independence and competence of the auditor (CERT-In empanelled) | Empanelment certificate, engagement letter, independence declaration |
| Audit results and remediation reported to board and to PFRDA on request | Board minutes, PFRDA submission records |
Scoping the assessment
Scoping determines which systems, data, locations, people and third parties fall within the PFRDA cyber and IS audit. A defensible scope starts from the data: every system that stores, processes or transmits PRAN, KYC, nominee, bank-mandate or contribution data is in scope, together with the systems that secure or administer them.
- In scope: NPS/APY production applications, CRA-interfacing systems, eNPS web/mobile platforms, subscriber and contribution databases, payment and settlement interfaces, and the identity, logging and security infrastructure that supports them.
- In scope: data centres and DR sites, cloud tenancies hosting in-scope workloads, and the network paths connecting subscribers, PoPs and the CRA.
- In scope: privileged administrators, developers with production access, and outsourced/managed service providers touching in-scope systems.
- Scope reduction: strong segmentation, tokenisation of identifiers and isolation of non-NPS corporate systems can legitimately reduce scope, provided the isolation is evidenced and tested.
- Out of scope only where demonstrably isolated: general corporate IT with no path to NPS data. This must be justified in writing and validated by the auditor.
- Time boundary: define the audit period (typically the preceding financial year) and the point-in-time configuration review date.
Implementation approach
A phased programme moves an intermediary from an unstructured state to a defensible, audit-ready posture. Each phase below lists the core activities and the deliverables an auditor will later expect to see.
Phase 1 — Discover & Baseline (Weeks 1-4)
- Activities: establish governance sponsorship; inventory in-scope systems, data flows and third parties; map applicable circulars (PFRDA, RBI, SEBI, CERT-In, DPDP); perform a gap assessment against the domains in this guide.
- Deliverables: asset and data-flow inventory, applicability/regulatory-mapping matrix, gap-assessment report with prioritised findings, project charter.
Phase 2 — Design & Policy (Weeks 4-8)
- Activities: draft/refresh the cyber security policy, standards and procedures; define RACI and the CISO mandate; design target-state architecture for segmentation, IAM, logging and encryption; establish the CCMP and IR plan.
- Deliverables: board-approved policy suite, RACI matrix, target-state architecture, CCMP, incident response plan and playbooks.
Phase 3 — Build & Remediate (Weeks 8-20)
- Activities: implement MFA and PAM; deploy/tune SIEM and EDR; enforce encryption and DLP; harden systems; remediate open VAPT findings; segment networks; operationalise change management and JML.
- Deliverables: hardened baselines, deployed control tooling with coverage evidence, remediated VAPT report, updated network architecture, change-management records.
Phase 4 — Operate & Monitor (Weeks 16-24, ongoing)
- Activities: run the SOC with defined use cases; perform access recertification; execute DR drills; conduct threat intelligence and patch cycles; track KPIs to the board.
- Deliverables: SOC runbooks and metrics, access-review records, DR drill reports, patch-compliance dashboards, board MIS.
Phase 5 — Assure & Certify (Weeks 24-28)
- Activities: engage a CERT-In empanelled auditor; conduct the IS Audit and Cyber Security Audit; validate remediation; prepare PFRDA-facing assurance.
- Deliverables: IS audit report, cyber audit report, closed-findings tracker, board sign-off, PFRDA submission pack.
Maturity / capability model
CyberSigma scores each domain against a five-level capability model so that the intermediary and PFRDA can see trajectory, not just a pass/fail snapshot. The target for a regulated NPS intermediary is Level 4 (Managed) or higher on all critical domains.
| Level | Name | Characteristics | Illustrative evidence |
|---|---|---|---|
| 0 | Non-existent | Control absent; ad hoc or reactive only | No policy, no records |
| 1 | Initial | Control performed informally by individuals | Isolated emails, undocumented actions |
| 2 | Repeatable | Documented but inconsistently applied | Draft policy, partial coverage |
| 3 | Defined | Standardised, approved and applied across scope | Approved policy, consistent tickets |
| 4 | Managed | Measured with KPIs and periodic independent review | Dashboards, audit reports, recertification |
| 5 | Optimised | Continuously improved, automated and threat-informed | Automation, red-team feedback loops, trend metrics |
Assessment and audit approach
The audit follows a structured methodology so findings are repeatable and defensible before PFRDA.
- Engagement setup: agree scope, audit period, criteria (this domain set plus applicable circulars), and access; confirm auditor independence and CERT-In empanelment.
- Documentation review: examine policies, network diagrams, prior VAPT/IS audit reports, incident logs and risk registers.
- Interviews and walkthroughs: interview the CISO, IT operations, application, DR and vendor-management owners to understand design intent.
- Configuration and technical testing: sample-review firewall, IAM, encryption, logging and hardening configurations against baselines.
- Vulnerability assessment and penetration testing: conduct or validate VAPT across external, internal, application, API and mobile surfaces.
- Control operating-effectiveness testing: sample transactions, access provisioning, change tickets, backups and DR drills across the period.
- Evidence evaluation and gap analysis: rate each control by design and operating effectiveness; classify gaps by risk.
- Reporting: issue a draft report with findings, risk ratings and recommendations; obtain management responses and target dates.
- Remediation and re-test: validate closure of high/critical findings; update the tracker.
- Final report and board/PFRDA reporting: issue signed IS and cyber audit reports and support PFRDA submission.
Evidence request list
Assemble the following categorised artefacts before fieldwork to compress the audit timeline.
- Governance: cyber security policy, risk assessment, board/IT-committee minutes, CISO appointment, CCMP.
- Identity: user access lists, role matrices, PAM configuration, JML records, access-review reports, MFA policy.
- Network: architecture diagrams, firewall rule bases and reviews, IDS/IPS and DDoS configurations, VPN policy.
- Application: SDLC standard, SAST/DAST reports, code-review evidence, API security configuration, application-control matrices.
- Data: data classification and inventory, encryption and key-management config, DLP policy, DPDP consent and privacy records.
- Endpoint/Server: hardening baselines, EDR coverage, patch-compliance dashboards, configuration-management records.
- Vulnerability: VAPT reports and scope, scan schedules, remediation trackers, empanelment proof.
- Monitoring: SIEM log-source inventory, retention configuration, SOC runbooks, alert samples and metrics.
- Incident: IR plan and playbooks, incident register, CERT-In and PFRDA reporting records, PIR reports.
- Continuity: BIA, DR architecture, DR drill reports, backup and restore-test logs, BCP document.
- Third party: vendor due-diligence, contracts with audit rights, DPAs, SOC 2/ISO certificates, outsourcing register.
- Assurance: prior IS and cyber audit reports, change-management records, findings trackers, board reporting.
Roles and responsibilities
| Role | Primary responsibilities | Cyber/IS audit involvement |
|---|---|---|
| Board / IT Committee | Approve policy, oversee cyber risk, allocate budget | Receive and act on audit results; approve remediation |
| CISO / Security Officer | Own cyber programme, policies, monitoring and incidents | Primary audit interface; drives remediation |
| Chief Technology / IT Head | Deliver secure infrastructure and applications | Provides technical evidence and implements fixes |
| Data Protection Officer | DPDP compliance, consent, breach notification | Evidence for privacy and data-protection controls |
| IT Operations | Patching, hardening, backups, DR, monitoring | Operating-effectiveness evidence |
| Application / Dev Teams | Secure SDLC, application controls, API security | Code-review, testing and control evidence |
| Vendor / Outsourcing Manager | Third-party due diligence and monitoring | Vendor and cloud evidence, right-to-audit |
| Internal Audit | Independent assurance and follow-up | Coordinates external audit, tracks findings |
| External CERT-In Auditor | Independent IS and cyber audit and VAPT | Conducts assessment, issues signed reports |
KPIs to track
- Percentage of critical/high VAPT findings closed within SLA.
- Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
- Patch-compliance rate for critical vulnerabilities across servers and endpoints.
- MFA and PAM coverage across privileged and remote accounts.
- Access-review completion rate and orphaned/stale account count.
- Percentage of critical log sources onboarded to SIEM with retention meeting 180 days.
- DR drill success rate and achieved RTO/RPO versus target.
- Number of overdue audit findings and average age of open findings.
- CERT-In and PFRDA incident-reporting timeliness (within mandated windows).
- Percentage of material vendors with current security due diligence and DPAs.
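Several of these KPIs are only as good as the definitions behind them. The script below is an added example for this guide (not PFRDA's or CyberSigma's reporting code) that computes two of them from the trackers an auditor samples, with the definitions made explicit: a VAPT finding counts as closed only when a re-test date evidences it (a status flag alone is not closure, which is the gap the VTM table calls out), closure is within SLA only when the re-test date falls inside the severity SLA, and an incident is timely only when the CERT-In submission is within 6 hours of detection. The SLA days per severity, the field names and the records are constructed assumptions; the 6-hour window is the CERT-In direction.

```python
"""Added example: compute the VAPT SLA-closure KPI and the CERT-In reporting
timeliness KPI from tracker records. SLA days, field names and all sample
records are constructed assumptions."""
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed risk-based SLAs
CERT_IN_WINDOW = timedelta(hours=6)                                 # CERT-In direction, 28 Apr 2022
IST = timezone(timedelta(hours=5, minutes=30))


def vapt_kpis(findings: List[Dict], as_of: date) -> Dict:
    """findings: id, severity, reported (date), status, retest (date or None).
    KPI scope is critical/high. A finding is 'closed' only with a re-test date."""
    crit_high = [f for f in findings if f["severity"] in ("critical", "high")]
    closed_in_sla, overdue, open_ages = 0, [], []
    for f in crit_high:
        due = f["reported"] + timedelta(days=SLA_DAYS[f["severity"]])
        evidenced_closed = f["status"] == "closed" and f["retest"] is not None
        if evidenced_closed:
            if f["retest"] <= due:
                closed_in_sla += 1
        else:
            open_ages.append((as_of - f["reported"]).days)
            if as_of > due:
                overdue.append(f["id"])
    pct = round(100 * closed_in_sla / len(crit_high), 1) if crit_high else 100.0
    avg_age = round(sum(open_ages) / len(open_ages), 1) if open_ages else 0.0
    return {"pct_closed_in_sla": pct, "overdue": overdue, "avg_open_age_days": avg_age}


def reporting_timeliness(incidents: List[Dict]) -> Dict:
    """incidents: id, detected (aware datetime), cert_in_reported (aware datetime or None).
    Unreported incidents count as late, not as 'not applicable'."""
    late = [inc["id"] for inc in incidents
            if inc["cert_in_reported"] is None
            or inc["cert_in_reported"] - inc["detected"] > CERT_IN_WINDOW]
    timely = len(incidents) - len(late)
    pct = round(100 * timely / len(incidents), 1) if incidents else 100.0
    return {"pct_timely": pct, "late": late}


# Constructed sample trackers.
AS_OF = date(2024, 3, 31)
FINDINGS = [
    {"id": "V-01", "severity": "critical", "reported": date(2024, 2, 1),  "status": "closed", "retest": date(2024, 2, 6)},  # within SLA
    {"id": "V-02", "severity": "high",     "reported": date(2024, 1, 10), "status": "closed", "retest": date(2024, 3, 1)},  # closed late
    {"id": "V-03", "severity": "high",     "reported": date(2024, 3, 20), "status": "closed", "retest": None},             # no re-test: still open
    {"id": "V-04", "severity": "critical", "reported": date(2024, 3, 1),  "status": "open",   "retest": None},             # overdue
    {"id": "V-05", "severity": "medium",   "reported": date(2024, 1, 1),  "status": "open",   "retest": None},             # outside KPI scope
]
INCIDENTS = [
    {"id": "INC-1", "detected": datetime(2024, 3, 2, 22, 10, tzinfo=IST),
     "cert_in_reported": datetime(2024, 3, 3, 3, 40, tzinfo=IST)},    # 5h30: timely
    {"id": "INC-2", "detected": datetime(2024, 3, 10, 9, 0, tzinfo=IST),
     "cert_in_reported": datetime(2024, 3, 10, 15, 1, tzinfo=IST)},   # 6h01: late
    {"id": "INC-3", "detected": datetime(2024, 3, 15, 11, 0, tzinfo=IST),
     "cert_in_reported": None},                                       # never reported: late
]


def run_kpis() -> Dict:
    return {"vapt": vapt_kpis(FINDINGS, AS_OF), "reporting": reporting_timeliness(INCIDENTS)}


if __name__ == "__main__":
    print(run_kpis())
```

Note what the sample shows: the tracker says four of five findings are closed or in progress, yet only 25% of critical/high findings were closed within SLA once closure is defined by re-test evidence. That gap between a status column and evidenced closure is exactly what the auditor's remediation-tracker sampling is meant to expose.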
Readiness checklist
- Board-approved cyber security policy in force and reviewed within 12 months.
- CISO/security officer appointed with a defined mandate and RACI.
- Complete asset and data-flow inventory covering all NPS/APY systems.
- MFA enforced on all privileged, remote and administrative access.
- Privileged Access Management with session recording operational.
- Network segmentation isolating NPS production from corporate zones.
- Encryption at rest and in transit for all subscriber data.
- SIEM with 180-day log retention and 24x7 monitoring.
- Annual VAPT completed by a CERT-In empanelled firm with findings closed.
- Incident response plan with CERT-In 6-hour reporting capability tested.
- DR site with a successful half-yearly failover drill.
- DPDP consent, privacy notice and breach-notification process in place.
- Vendor contracts include security, audit-rights and breach clauses.
- Annual IS Audit and Cyber Security Audit reports available with remediation tracked.
Common gaps
- Policies exist on paper but are outdated, unapproved or not operationalised across all in-scope systems.
- MFA and PAM gaps on legacy or vendor-managed systems, and shared administrator accounts.
- Incomplete SIEM log-source coverage and log retention shorter than the CERT-In 180-day requirement.
- VAPT performed but critical findings left open beyond SLA, or no re-testing evidence.
- DR site present but drills are tabletop-only, with no near-live failover of NPS transaction systems.
- Weak third-party governance: missing due diligence, absent audit-rights clauses, no DPDP data-processing agreements.
- Production data present in test/dev environments without masking.
- CERT-In and PFRDA incident-reporting timelines not evidenced, and no forensic-readiness procedures.
- DPDP Act obligations (consent, purpose limitation, breach notification) not yet mapped to controls.
- Change management without segregation of duties or proper authorisation trails.
PFRDA Cyber Security mapped to other frameworks
Because most NPS intermediaries carry overlapping regulatory obligations, mapping PFRDA domains to adjacent frameworks lets a single control set satisfy multiple regulators. The mapping below is indicative and should be confirmed against each framework's current version.
| PFRDA domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | RBI / SEBI CSCRF | CERT-In / DPDP |
|---|---|---|---|---|
| Governance & Policy | A.5 Organisational controls | GV (Govern) | Board oversight; cyber policy | CCMP guidance |
| Identity & Access | A.5.15-A.5.18, A.8.2-A.8.5 | PR.AA | MFA, privileged access controls | - |
| Network Security | A.8.20-A.8.22 | PR.IR | Segmentation, perimeter controls | - |
| Application & SDLC | A.8.25-A.8.29 | PR.PS | Secure SDLC; application security | - |
| Data Protection & Privacy | A.5.34, A.8.10-A.8.12, A.8.24 | PR.DS | Encryption; data localisation | DPDP Act 2023 |
| Endpoint & Server | A.8.7-A.8.9, A.8.19 | PR.PS | Baseline hardening; patching | - |
| Vulnerability & Threat Mgmt | A.8.8 | ID.RA, DE.CM | VAPT mandate; patch SLAs | Advisory tracking |
| Security Monitoring & SOC | A.8.15-A.8.16 | DE.CM, DE.AE | SOC; log correlation | 180-day log retention |
| Incident Response | A.5.24-A.5.28 | RS, RC | Incident management | 6-hour CERT-In reporting |
| Business Continuity & DR | A.5.29-A.5.30, A.8.13-A.8.14 | RC.RP | BCP; RTO/RPO drills | - |
| Third-Party & Cloud | A.5.19-A.5.23 | GV.SC | Outsourcing governance | DPA/processor obligations |
| IS Audit & Assurance | A.5.35-A.5.36 | GV.OV, ID.IM | Annual IS audit | - |
How CyberSigma helps
CyberSigma is a CERT-In empanelled cyber security auditor and PCI QSA firm that runs end-to-end PFRDA Cyber Security & IS Audit engagements for CRAs, Pension Funds, PoPs, Custodians, Trustee Banks and ASPs. We deliver a structured gap assessment against every domain in this guide, remediation support across IAM, SOC, encryption, DR and DPDP alignment, full-scope VAPT (external, internal, application, API and mobile), and the independent IS Audit and Cyber Security Audit reports PFRDA expects, with board-ready and regulator-ready assurance. Talk to CyberSigma to move from gap assessment to a defensible, continuously audit-ready NPS cyber posture.