PFRDA · India

PFRDA Cyber Security & IS Audit

Information and cyber security audit for the pension (NPS) ecosystem.

Introduction to the PFRDA Cyber Security & IS Audit Framework

The Pension Fund Regulatory and Development Authority (PFRDA) is the statutory regulator constituted under the PFRDA Act, 2013, charged with promoting old-age income security and regulating the National Pension System (NPS) and the Atal Pension Yojana (APY). As the pension ecosystem has digitised, PFRDA has progressively hardened its expectations around information security, cyber resilience and technology governance for every intermediary that touches subscriber data or contributions. This guide is an auditor-grade deep-dive into the PFRDA Cyber Security & IS Audit framework as expressed through PFRDA's cyber security guidelines, the Central Recordkeeping Agency (CRA) technology standards, and the periodic Information Systems (IS) Audit and Cyber Security Audit obligations imposed on intermediaries such as Points of Presence (PoP), Pension Funds (PFs), Custodians, the Trustee Bank, Annuity Service Providers (ASPs) and the CRAs.

Unlike a single monolithic standard, PFRDA's cyber posture is a layered construct: it draws on RBI's cyber security frameworks (given many intermediaries are banks or NBFCs), SEBI's cyber security and cyber resilience framework (given overlaps with market intermediaries), CERT-In directions of 28 April 2022 on incident reporting and log retention, the DPDP Act 2023 for personal data, and PFRDA's own circulars mandating annual IS audits and vulnerability assessments. This page treats the framework as a consolidated control set that a CERT-In empanelled auditor would test in the field, and gives implementers a concrete build-and-remediate roadmap.

Copyright & source note
This guide is original CyberSigma content. It paraphrases publicly stated regulatory obligations and does not reproduce PFRDA, RBI, SEBI, CERT-In or NPCI copyrighted circular text. Intermediaries must always read the operative PFRDA circulars, the CRA/NPS Trust technology guidelines and their empanelment terms in full; where this guide and an official circular differ, the circular prevails.

What is PFRDA Cyber Security & IS Audit?

PFRDA Cyber Security & IS Audit is the composite set of information-security, cyber-resilience and technology-governance requirements that PFRDA imposes on NPS/APY intermediaries, verified through an independent, periodic audit conducted by a CERT-In empanelled auditor or a qualified IS audit firm. The audit tests whether the intermediary's systems that store, process or transmit subscriber data, PRAN (Permanent Retirement Account Number) records, contribution flows and scheme information are governed, protected, monitored and recoverable to the standard PFRDA expects.

The framework has three intertwined objectives. First, confidentiality and integrity of subscriber and scheme data, including PRAN, nominee, KYC, bank and contribution records. Second, availability and resilience of NPS transaction processing, so that contributions, withdrawals, exits and annuity issuance are not disrupted. Third, accountability and auditability, so that PFRDA and the NPS Trust can obtain assurance that intermediaries meet their technology and cyber obligations on a continuing basis.

In practice the framework manifests as: (a) a board/senior-management approved information security and cyber security policy; (b) technical controls across network, application, endpoint, data and identity layers; (c) continuous monitoring including a SOC and log retention; (d) periodic Vulnerability Assessment and Penetration Testing (VAPT); (e) an annual IS Audit and a Cyber Security Audit; and (f) incident response and reporting aligned to CERT-In and PFRDA timelines. The IS Audit component specifically evaluates IT general controls (ITGC), application controls, change management, data centre operations and business continuity.

Who must comply?

The obligation attaches to every regulated intermediary within the NPS/APY architecture, scaled by the criticality and volume of subscriber data and transactions each handles. The following entities are typically in scope.

Intermediary | Role in NPS/APY | Cyber & IS audit expectation
--- | --- | ---
Central Recordkeeping Agency (CRA) | Maintains PRAN records, processes contributions and exits | Highest tier: full IS audit, VAPT, SOC, DR, and continuous PFRDA/NPS Trust oversight
Pension Fund (PF) | Manages and invests subscriber corpus | Annual IS audit, cyber security policy, VAPT, data protection controls
Point of Presence (PoP) / PoP-SP | Subscriber onboarding, contribution collection, servicing | Cyber security policy, VAPT, secure onboarding and KYC data protection
Custodian | Safekeeping of scheme securities and assets | IS audit aligned to SEBI custodian norms plus PFRDA expectations
Trustee Bank | Fund flow and settlement for NPS | RBI cyber framework plus PFRDA settlement-integrity controls
Annuity Service Provider (ASP) | Provides annuities on exit | IRDAI cyber controls plus PFRDA data-sharing security
Aggregators / APY service providers | APY enrolment and servicing | Proportionate cyber controls and secure data exchange with CRA
NPS Trust | Oversight of NPS funds and intermediaries | Governance oversight, receives audit assurance from intermediaries
Retirement Adviser / eNPS platforms | Digital advisory and self-onboarding | Web/app security, secure authentication, data protection
  • Entities registered or empanelled with PFRDA under NPS/APY regulations, irrespective of whether they are also RBI-, SEBI- or IRDAI-regulated.
  • Material outsourced/technology service providers and cloud vendors supporting in-scope systems (via contractual flow-down and right-to-audit).
  • Any subsidiary, branch or gateway that processes PRAN, contribution, nominee, KYC or bank-mandate data on behalf of an intermediary.

Structure of the PFRDA Cyber Security & IS Audit framework

The framework can be decomposed into governance, technical and assurance control domains. The table below sets out the domains an auditor tests, the indicative control families within each, and the primary regulatory anchor. The short identifiers (GOV, IAM and so on) are CyberSigma working references used consistently across this guide's checklist; they are not official PFRDA control numbers.

Domain | Control families | Primary regulatory anchor
--- | --- | ---
Governance & Policy (GOV) | Cyber security policy, board oversight, roles, risk assessment, cyber crisis management plan | PFRDA cyber guidelines; RBI/SEBI cyber frameworks
Identity & Access Management (IAM) | Authentication, authorisation, privileged access, MFA, joiner-mover-leaver | PFRDA; RBI IT framework; SEBI CSCRF
Network Security (NET) | Segmentation, firewalls, IDS/IPS, DDoS, secure gateways | RBI/SEBI; CERT-In
Application & Secure Development (APP) | Secure SDLC, application controls, API security, source-code review | PFRDA CRA tech standards; OWASP-aligned
Data Protection & Privacy (DAT) | Encryption, classification, DLP, PRAN/KYC handling, data localisation | DPDP Act 2023; RBI data localisation; PFRDA
Endpoint & Server Security (END) | Hardening, EDR/AV, patch management, configuration baselines | RBI baseline; CIS benchmarks
Vulnerability & Threat Management (VTM) | VAPT, patch SLAs, threat intelligence, red teaming | PFRDA VAPT mandate; CERT-In
Security Monitoring & SOC (MON) | SIEM, log management, log retention, correlation, alerting | CERT-In directions of 28 April 2022; SEBI CSCRF
Incident Response & Reporting (IR) | IR plan, CERT-In reporting, PFRDA reporting, forensics | CERT-In directions; PFRDA incident circulars
Business Continuity & DR (BCP) | BCP, DR site, RTO/RPO, drills, resilience | RBI BCP; PFRDA availability expectations
Third-Party & Cloud Risk (TPR) | Vendor due diligence, cloud security, outsourcing governance | RBI/SEBI outsourcing; MeitY cloud
IS Audit & Assurance (AUD) | ITGC, change management, IS audit, board reporting | PFRDA IS audit mandate; ISACA IS audit standards

Master assessment checklist

This is the operative section for both auditors and implementers. Each control family below has its own heading and a two-column table mapping what an auditor verifies to the typical evidence an intermediary must produce. No domain is skipped. Implementers should read the 'What to verify' column as a build requirement and the 'Typical evidence' column as the artefact to maintain.

GOV — Governance & Policy

What to verify | Typical evidence
--- | ---
A board/senior-management approved information & cyber security policy exists and is reviewed at least annually | Signed policy, board/IT committee minutes, version history and review date
A defined governance structure with a CISO/designated security officer and clear roles | Org chart, CISO appointment letter, RACI matrix
Documented cyber risk assessment covering NPS/APY systems and data | Risk register, risk-assessment methodology, residual-risk sign-off
A Cyber Crisis Management Plan (CCMP) aligned to CERT-In guidance | CCMP document, escalation matrix, invocation records
Security objectives cascaded into measurable KPIs reported to the board | Board dashboards, quarterly cyber MIS packs
Budget and resourcing allocated to cyber security | Approved budget lines, headcount plan, tooling inventory

IAM — Identity & Access Management

What to verify | Typical evidence
--- | ---
Unique user IDs; no shared/generic accounts for privileged actions | User inventory, IAM export, shared-account exception register
Role-based access control enforcing least privilege on PRAN/contribution systems | Role-permission matrix, access-provisioning tickets
Multi-factor authentication for admin, remote and privileged access | MFA policy, IdP/PAM configuration screenshots, auth logs
Joiner-mover-leaver process with timely revocation on exit | JML SOP, HR-triggered de-provisioning tickets, revocation timestamps
Privileged Access Management with session recording and just-in-time access | PAM tool config, session logs, break-glass procedure
Periodic (at least half-yearly) user access recertification | Access-review reports signed by data owners
Password policy meeting complexity, rotation and lockout standards | Password/GPO policy, sample configuration
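The IAM rows above are tested in the field by reconciling the IAM export against the HR roster rather than by reading policy. The script below is an added example written for this guide (it is not CyberSigma tooling or code from any PFRDA document): it finds leavers whose accounts are still enabled or were revoked late, enabled accounts with no HR owner, stale accounts, and privileged accounts that are shared or generic. The account records, the roster, the 90-day staleness threshold and the 24-hour revocation SLA are constructed assumptions; substitute the intermediary's own exports and policy values.

```python
"""IAM audit test: reconcile an IAM export against the HR roster.

Added example for this guide, not code from the original page. The account
records, the HR roster, the 90-day staleness threshold and the 24-hour
revocation SLA are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy parameters: assumptions for this example, not PFRDA-mandated values.
STALE_AFTER = timedelta(days=90)
REVOCATION_SLA = timedelta(hours=24)
# Generic names that must never hold privileged access directly.
GENERIC_NAMES = {"admin", "root", "dbadmin", "operator", "svc_shared"}


@dataclass(frozen=True)
class Account:
    user_id: str
    owner_emp_id: str | None      # None for service/generic accounts
    privileged: bool
    last_login: datetime | None
    disabled_at: datetime | None  # None while the account is still enabled


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                   # "active" or "exited"
    exit_time: datetime | None


def review_access(accounts: list[Account], roster: list[HrRecord],
                  as_of: datetime) -> dict[str, list[str]]:
    """Return account IDs grouped by the control failure they evidence."""
    hr = {r.emp_id: r for r in roster}
    findings: dict[str, list[str]] = {
        "orphaned": [],           # enabled, owner unknown to HR
        "leaver_active": [],      # owner has exited, account still enabled
        "revocation_late": [],    # disabled, but later than exit + SLA
        "stale": [],              # enabled, no login within STALE_AFTER
        "shared_privileged": [],  # privileged with no owner or a generic name
    }
    for a in accounts:
        enabled = a.disabled_at is None or a.disabled_at > as_of
        if a.privileged and (a.owner_emp_id is None or a.user_id.lower() in GENERIC_NAMES):
            findings["shared_privileged"].append(a.user_id)
        owner = hr.get(a.owner_emp_id) if a.owner_emp_id else None
        if enabled and a.owner_emp_id and owner is None:
            findings["orphaned"].append(a.user_id)
        if owner and owner.status == "exited" and owner.exit_time:
            if enabled:
                findings["leaver_active"].append(a.user_id)
            elif a.disabled_at - owner.exit_time > REVOCATION_SLA:
                findings["revocation_late"].append(a.user_id)
        if enabled and (a.last_login is None or as_of - a.last_login > STALE_AFTER):
            findings["stale"].append(a.user_id)
    return findings


def run_example() -> dict[str, list[str]]:
    """Run the review over a constructed IAM export and HR roster."""
    as_of = datetime(2025, 6, 30, 12, 0)
    roster = [
        HrRecord("E001", "active", None),
        HrRecord("E002", "exited", datetime(2025, 6, 1, 18, 0)),
        HrRecord("E003", "exited", datetime(2025, 5, 10, 9, 0)),
        HrRecord("E004", "active", None),
    ]
    accounts = [
        Account("r.sharma", "E001", False, datetime(2025, 6, 29, 8, 5), None),
        Account("p.iyer", "E002", True, datetime(2025, 5, 30, 17, 0), None),   # leaver, still enabled
        Account("a.khan", "E003", False, datetime(2025, 5, 9, 10, 0),
                datetime(2025, 5, 14, 10, 0)),                                  # revoked 4 days after exit
        Account("m.das", "E009", False, datetime(2025, 6, 20, 9, 0), None),    # no such employee in HR
        Account("dbadmin", None, True, datetime(2025, 6, 30, 1, 0), None),     # shared privileged account
        Account("s.verma", "E004", False, datetime(2025, 2, 1, 9, 0), None),   # 149 days without a login
    ]
    return review_access(accounts, roster, as_of)


if __name__ == "__main__":
    for failure, ids in run_example().items():
        print(f"{failure:18} {ids}")
```

Each list maps directly to an evidence row above: `leaver_active` and `revocation_late` test the JML revocation timestamps, `stale` and `orphaned` feed the access-recertification report, and `shared_privileged` is the shared-account exception register the auditor will ask for. A real run replaces `run_example()` with the IAM and HR exports and keeps the same checks.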

NET — Network Security

What to verify | Typical evidence
--- | ---
Network segmentation isolating NPS production, DMZ, and corporate zones | Network architecture diagram, VLAN/firewall zone map
Next-generation firewalls with reviewed rule bases and default-deny | Firewall config, rule-review reports, change tickets
IDS/IPS deployed and tuned at perimeter and critical segments | IDS/IPS policy, alert samples, tuning records
Anti-DDoS protection for internet-facing NPS/eNPS services | DDoS service contract, mitigation reports, drill evidence
Secure remote access via VPN with MFA and no split tunnelling | VPN config, MFA enforcement, connection logs
Egress filtering and outbound traffic control to prevent exfiltration | Proxy/egress policy, blocked-destination logs

APP — Application & Secure Development

What to verify | Typical evidence
--- | ---
Secure SDLC with security requirements in design and code review | SDLC policy, design review notes, secure-coding standard
Application security testing (SAST/DAST) before release | Scan reports, defect-tracking tickets, sign-off gates
Input validation, output encoding and session management (OWASP-aligned) | Pen-test findings, code-review evidence, remediation log
API security: authentication, rate limiting, schema validation for CRA/eNPS APIs | API gateway config, token policy, API pen-test report
Application controls ensuring contribution/PRAN transaction integrity | Control matrix, maker-checker config, reconciliation logs
Segregation of dev/test/prod with no production data in lower environments | Environment diagram, data-masking evidence, access controls

DAT — Data Protection & Privacy

What to verify | Typical evidence
--- | ---
Data classification identifying PRAN, KYC, nominee, bank and contribution data as sensitive | Data classification policy, data inventory/flow map
Encryption at rest for databases holding subscriber data | Encryption config, key-management (KMS/HSM) records
Encryption in transit (TLS 1.2+) for all subscriber-data channels | TLS scan results, cipher policy, certificate inventory
Data Loss Prevention on endpoints, email and web egress | DLP policy, incident/alert samples, coverage report
DPDP Act 2023 alignment: consent, purpose limitation, data-principal rights | Consent records, privacy notice, DPO/grievance process
RBI data-localisation compliance for payment/bank data where applicable | Data-residency attestation, storage-location evidence
Secure data disposal and media sanitisation | Disposal SOP, destruction certificates, wipe logs

END — Endpoint & Server Security

What to verify | Typical evidence
--- | ---
Hardened server/endpoint baselines aligned to CIS/vendor benchmarks | Hardening standard, baseline scan, deviation register
EDR/anti-malware deployed with central management and up-to-date signatures | EDR console coverage report, definition-currency evidence
Patch management with defined SLAs for critical/high vulnerabilities | Patch policy, patch-compliance dashboard, exception log
Removable-media and USB controls on sensitive systems | Device-control policy, blocked-device logs
Time synchronisation (NTP) across servers for reliable logging | NTP configuration evidence
Golden-image and configuration management for consistent builds | Build documentation, config-management tool records

VTM — Vulnerability & Threat Management

What to verify | Typical evidence
--- | ---
Periodic VAPT (at least annually, and on major change) by a CERT-In empanelled firm | VAPT reports, empanelment proof, scope document
Closure of findings within risk-based SLAs with re-testing | Remediation tracker, re-test reports, closure sign-off
Regular authenticated vulnerability scanning of internal and external assets | Scan schedules, scan reports, asset coverage
Threat intelligence feeds informing detection and patch prioritisation | TI subscription, advisories actioned, CERT-In advisory tracking
Application and infrastructure pen testing including eNPS/mobile apps | Pen-test reports for web, API and mobile
Asset inventory completeness underpinning vulnerability coverage | CMDB/asset register reconciled to scan results

MON — Security Monitoring & SOC

What to verify | Typical evidence
--- | ---
SIEM aggregating logs from critical NPS systems, network and security tools | SIEM architecture, log-source inventory, coverage report
Logs retained for a rolling 180 days and stored within India, as the CERT-In directions of 28 April 2022 require | Retention policy, storage-location evidence, sample log queries
24x7 monitoring/SOC with defined use cases and correlation rules | SOC runbook, use-case library, staffing roster
Alert triage, severity classification and escalation within SLA | Alert tickets, MTTA/MTTR metrics, escalation records
Integrity and tamper-protection of logs | Log-forwarding/WORM config, access controls on log store
System clocks synchronised to the NTP servers of NPL or NIC (or servers traceable to them) so that log timestamps are accurate, as the CERT-In directions require | NTP source configuration evidence

IR — Incident Response & Reporting

What to verify | Typical evidence
--- | ---
Documented incident response plan with roles, phases and playbooks | IR plan, ransomware/phishing/data-breach playbooks
Cyber incidents reported to CERT-In within 6 hours of being noticed or brought to the intermediary's notice | Incident register, CERT-In submission acknowledgements
Prompt notification of material incidents to PFRDA/NPS Trust | PFRDA notification records, timelines evidenced
DPDP breach notification to the Data Protection Board and affected data principals | Breach-assessment records, notification templates
Forensic readiness and evidence preservation procedures | Forensic SOP, chain-of-custody templates, retained artefacts
Post-incident reviews with root-cause and corrective actions | PIR reports, lessons-learned, CAPA tracker

BCP — Business Continuity & Disaster Recovery

What to verify | Typical evidence
--- | ---
Business Impact Analysis identifying critical NPS processes and RTO/RPO | BIA document, criticality ratings, RTO/RPO targets
Geographically separate DR site with tested failover for NPS systems | DR architecture, DC-DR distance evidence, replication config
Periodic (at least half-yearly) DR drills including near-live failover | DR drill reports, success/gap analysis, sign-off
Backup strategy with encryption, offsite copies and restoration testing | Backup policy, backup logs, restore-test evidence
Documented and communicated business continuity plan | BCP document, call trees, alternate-site arrangements
Resilience of third-party/cloud dependencies | Vendor DR attestations, contractual continuity clauses

TPR — Third-Party & Cloud Risk

What to verify | Typical evidence
--- | ---
Security due diligence before onboarding vendors handling NPS data | Due-diligence questionnaires, risk-rating records
Contracts with security, confidentiality, audit-rights and breach-notification clauses | Executed contracts/SLAs, right-to-audit clauses
Cloud security configuration and shared-responsibility understanding | Cloud config review, CSPM report, responsibility matrix
Ongoing vendor monitoring and periodic reassessment | Vendor review reports, SOC 2/ISO 27001 certificates on file
Data-processing agreements aligned to DPDP for processors | DPAs, sub-processor register
Outsourcing governance aligned to RBI/SEBI norms where applicable | Outsourcing policy, board-approved material-outsourcing list

AUD — IS Audit & Assurance

What to verify | Typical evidence
--- | ---
Annual IS Audit covering ITGC, application and data-centre controls | IS audit report, scope, auditor credentials
Change management with authorisation, testing and segregation of duties | Change tickets, CAB minutes, emergency-change log
Findings tracked to closure with management action plans | Audit-issue tracker, remediation status, board reporting
Cyber security audit distinct from IS audit, testing technical controls | Cyber audit report, VAPT integration
Independence and competence of the auditor (CERT-In empanelled) | Empanelment certificate, engagement letter, independence declaration
Audit results and remediation reported to board and to PFRDA on request | Board minutes, PFRDA submission records

Scoping the assessment

Scoping determines which systems, data, locations, people and third parties fall within the PFRDA cyber and IS audit. A defensible scope starts from the data: every system that stores, processes or transmits PRAN, KYC, nominee, bank-mandate or contribution data is in scope, together with the systems that secure or administer them.

  • In scope: NPS/APY production applications, CRA-interfacing systems, eNPS web/mobile platforms, subscriber and contribution databases, payment and settlement interfaces, and the identity, logging and security infrastructure that supports them.
  • In scope: data centres and DR sites, cloud tenancies hosting in-scope workloads, and the network paths connecting subscribers, PoPs and the CRA.
  • In scope: privileged administrators, developers with production access, and outsourced/managed service providers touching in-scope systems.
  • Scope reduction: strong segmentation, tokenisation of identifiers and isolation of non-NPS corporate systems can legitimately reduce scope, provided the isolation is evidenced and tested.
  • Out of scope only where demonstrably isolated: general corporate IT with no path to NPS data. This must be justified in writing and validated by the auditor.
  • Time boundary: define the audit period (typically the preceding financial year) and the point-in-time configuration review date.
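Scoping is only defensible when it is derived from data flows rather than asserted. The script below is an added example written for this guide (not CyberSigma tooling or code from any PFRDA document) that applies the rules above mechanically: it seeds the scope with every system that handles PRAN, KYC, nominee, bank-mandate or contribution data, grows it to every system that administers or secures an in-scope system or has a permitted network path into one, and then reports any system the intermediary claimed was out of scope but which still reaches NPS data. The system inventory, the flow list (as it would be read from a firewall rule base) and the tokenised-identifier class "PRAN_TOKEN" are constructed assumptions.

```python
"""Data-driven scope determination for the PFRDA cyber/IS audit.

Added example for this guide, not code from the original page. The system
inventory, the permitted flows and the "PRAN_TOKEN" data class are
constructed assumptions.
"""
from collections import deque

# Data classes this guide treats as sensitive subscriber data.
SENSITIVE = {"PRAN", "KYC", "NOMINEE", "BANK_MANDATE", "CONTRIBUTION"}


def determine_scope(systems, flows, claimed_out_of_scope):
    """Compute the audit scope from data handled plus reachability.

    systems: {name: set of data classes the system stores/processes}
    flows:   (src, dst, kind) triples; kind "data" means src has a permitted
             network path to dst, kind "admin" means src administers or
             secures dst (jump host, directory, SIEM, backup server).
    Returns (in_scope, reasons, violations): reasons maps each in-scope
    system to why it is in scope; violations is the subset of
    claimed_out_of_scope that turns out to be in scope.
    """
    reasons = {}
    for name, data in systems.items():
        hit = SENSITIVE & data
        if hit:
            reasons[name] = "handles " + ",".join(sorted(hit))
    # Reverse adjacency: which systems can reach or administer each system.
    reverse = {}
    for src, dst, kind in flows:
        reverse.setdefault(dst, []).append((src, kind))
    # Breadth-first walk backwards from the data: anything that can reach
    # an in-scope system is itself in scope.
    queue = deque(reasons)
    while queue:
        node = queue.popleft()
        for src, kind in reverse.get(node, []):
            if src not in reasons:
                verb = "administers" if kind == "admin" else "has a network path to"
                reasons[src] = f"{verb} {node}"
                queue.append(src)
    in_scope = set(reasons)
    return in_scope, reasons, in_scope & set(claimed_out_of_scope)


def run_example():
    """Apply the scoping rule to a constructed NPS intermediary estate."""
    systems = {
        "cra-gateway": {"PRAN", "CONTRIBUTION"},
        "enps-web": {"PRAN", "KYC"},
        "subscriber-db": {"PRAN", "KYC", "NOMINEE", "BANK_MANDATE"},
        "analytics": {"PRAN_TOKEN"},      # tokenised only: legitimate scope reduction
        "jump-host": set(),
        "siem": set(),
        "hr-portal": {"EMPLOYEE"},
        "corp-wiki": set(),
        "corp-laptop-vlan": set(),
    }
    flows = [
        ("enps-web", "cra-gateway", "data"),
        ("cra-gateway", "subscriber-db", "data"),
        ("jump-host", "subscriber-db", "admin"),
        ("siem", "cra-gateway", "admin"),
        ("corp-laptop-vlan", "jump-host", "data"),   # the undocumented path into NPS
        ("corp-laptop-vlan", "corp-wiki", "data"),
        ("hr-portal", "corp-wiki", "data"),
        ("analytics", "corp-wiki", "data"),
    ]
    claimed_out = {"analytics", "hr-portal", "corp-wiki", "corp-laptop-vlan"}
    return determine_scope(systems, flows, claimed_out)


if __name__ == "__main__":
    in_scope, reasons, violations = run_example()
    for name in sorted(in_scope):
        print(f"{name:18} {reasons[name]}")
    print("claimed out of scope but reachable:", sorted(violations))
```

The `reasons` map is the written justification the auditor wants for each inclusion, and the `violations` set is exactly the 'out of scope only where demonstrably isolated' test: in the constructed estate the corporate laptop VLAN is pulled in because a firewall rule lets it reach the jump host, while the tokenised analytics platform and the HR portal stay out because no path from them leads to subscriber data.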

Implementation approach

A phased programme moves an intermediary from an unstructured state to a defensible, audit-ready posture. Each phase below lists the core activities and the deliverables an auditor will later expect to see.

Phase 1 — Discover & Baseline (Weeks 1-4)

  • Activities: establish governance sponsorship; inventory in-scope systems, data flows and third parties; map applicable circulars (PFRDA, RBI, SEBI, CERT-In, DPDP); perform a gap assessment against the domains in this guide.
  • Deliverables: asset and data-flow inventory, applicability/regulatory-mapping matrix, gap-assessment report with prioritised findings, project charter.

Phase 2 — Design & Policy (Weeks 4-8)

  • Activities: draft/refresh the cyber security policy, standards and procedures; define RACI and the CISO mandate; design target-state architecture for segmentation, IAM, logging and encryption; establish the CCMP and IR plan.
  • Deliverables: board-approved policy suite, RACI matrix, target-state architecture, CCMP, incident response plan and playbooks.

Phase 3 — Build & Remediate (Weeks 8-20)

  • Activities: implement MFA and PAM; deploy/tune SIEM and EDR; enforce encryption and DLP; harden systems; remediate open VAPT findings; segment networks; operationalise change management and JML.
  • Deliverables: hardened baselines, deployed control tooling with coverage evidence, remediated VAPT report, updated network architecture, change-management records.

Phase 4 — Operate & Monitor (Weeks 16-24, ongoing)

  • Activities: run the SOC with defined use cases; perform access recertification; execute DR drills; conduct threat intelligence and patch cycles; track KPIs to the board.
  • Deliverables: SOC runbooks and metrics, access-review records, DR drill reports, patch-compliance dashboards, board MIS.

Phase 5 — Assure & Certify (Weeks 24-28)

  • Activities: engage a CERT-In empanelled auditor; conduct the IS Audit and Cyber Security Audit; validate remediation; prepare PFRDA-facing assurance.
  • Deliverables: IS audit report, cyber audit report, closed-findings tracker, board sign-off, PFRDA submission pack.

Maturity / capability model

CyberSigma scores each domain on a six-level (0 to 5) capability model so that the intermediary and PFRDA can see trajectory, not just a pass/fail snapshot. The target for a regulated NPS intermediary is Level 4 (Managed) or higher on all critical domains.

Level | Name | Characteristics | Illustrative evidence
--- | --- | --- | ---
0 | Non-existent | Control absent; ad hoc or reactive only | No policy, no records
1 | Initial | Control performed informally by individuals | Isolated emails, undocumented actions
2 | Repeatable | Documented but inconsistently applied | Draft policy, partial coverage
3 | Defined | Standardised, approved and applied across scope | Approved policy, consistent tickets
4 | Managed | Measured with KPIs and periodic independent review | Dashboards, audit reports, recertification
5 | Optimised | Continuously improved, automated and threat-informed | Automation, red-team feedback loops, trend metrics

Assessment and audit approach

The audit follows a structured methodology so findings are repeatable and defensible before PFRDA.

  1. Engagement setup: agree scope, audit period, criteria (this domain set plus applicable circulars), and access; confirm auditor independence and CERT-In empanelment.
  2. Documentation review: examine policies, network diagrams, prior VAPT/IS audit reports, incident logs and risk registers.
  3. Interviews and walkthroughs: interview the CISO, IT operations, application, DR and vendor-management owners to understand design intent.
  4. Configuration and technical testing: sample-review firewall, IAM, encryption, logging and hardening configurations against baselines.
  5. Vulnerability assessment and penetration testing: conduct or validate VAPT across external, internal, application, API and mobile surfaces.
  6. Control operating-effectiveness testing: sample transactions, access provisioning, change tickets, backups and DR drills across the period.
  7. Evidence evaluation and gap analysis: rate each control by design and operating effectiveness; classify gaps by risk.
  8. Reporting: issue a draft report with findings, risk ratings and recommendations; obtain management responses and target dates.
  9. Remediation and re-test: validate closure of high/critical findings; update the tracker.
  10. Final report and board/PFRDA reporting: issue signed IS and cyber audit reports and support PFRDA submission.

Evidence request list

Assemble the following categorised artefacts before fieldwork to compress the audit timeline.

  • Governance: cyber security policy, risk assessment, board/IT-committee minutes, CISO appointment, CCMP.
  • Identity: user access lists, role matrices, PAM configuration, JML records, access-review reports, MFA policy.
  • Network: architecture diagrams, firewall rule bases and reviews, IDS/IPS and DDoS configurations, VPN policy.
  • Application: SDLC standard, SAST/DAST reports, code-review evidence, API security configuration, application-control matrices.
  • Data: data classification and inventory, encryption and key-management config, DLP policy, DPDP consent and privacy records.
  • Endpoint/Server: hardening baselines, EDR coverage, patch-compliance dashboards, configuration-management records.
  • Vulnerability: VAPT reports and scope, scan schedules, remediation trackers, empanelment proof.
  • Monitoring: SIEM log-source inventory, retention configuration, SOC runbooks, alert samples and metrics.
  • Incident: IR plan and playbooks, incident register, CERT-In and PFRDA reporting records, PIR reports.
  • Continuity: BIA, DR architecture, DR drill reports, backup and restore-test logs, BCP document.
  • Third party: vendor due-diligence, contracts with audit rights, DPAs, SOC 2/ISO certificates, outsourcing register.
  • Assurance: prior IS and cyber audit reports, change-management records, findings trackers, board reporting.

Roles and responsibilities

Role | Primary responsibilities | Cyber/IS audit involvement
--- | --- | ---
Board / IT Committee | Approve policy, oversee cyber risk, allocate budget | Receive and act on audit results; approve remediation
CISO / Security Officer | Own cyber programme, policies, monitoring and incidents | Primary audit interface; drives remediation
Chief Technology / IT Head | Deliver secure infrastructure and applications | Provides technical evidence and implements fixes
Data Protection Officer | DPDP compliance, consent, breach notification | Evidence for privacy and data-protection controls
IT Operations | Patching, hardening, backups, DR, monitoring | Operating-effectiveness evidence
Application / Dev Teams | Secure SDLC, application controls, API security | Code-review, testing and control evidence
Vendor / Outsourcing Manager | Third-party due diligence and monitoring | Vendor and cloud evidence, right-to-audit
Internal Audit | Independent assurance and follow-up | Coordinates external audit, tracks findings
External CERT-In Auditor | Independent IS and cyber audit and VAPT | Conducts assessment, issues signed reports

KPIs to track

  • Percentage of critical/high VAPT findings closed within SLA.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
  • Patch-compliance rate for critical vulnerabilities across servers and endpoints.
  • MFA and PAM coverage across privileged and remote accounts.
  • Access-review completion rate and orphaned/stale account count.
  • Percentage of critical log sources onboarded to SIEM with retention meeting 180 days.
  • DR drill success rate and achieved RTO/RPO versus target.
  • Number of overdue audit findings and average age of open findings.
  • CERT-In and PFRDA incident-reporting timeliness (within mandated windows).
  • Percentage of material vendors with current security due diligence and DPAs.
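Three of these KPIs are easy to get wrong when computed from the tracker as-is: a VAPT finding marked 'closed' without a re-test report is still open for audit purposes, an open finding is only overdue once its severity-specific SLA has elapsed, and the CERT-In clock runs from detection, not from the internal ticket. The script below is an added example written for this guide (not CyberSigma tooling or code from any PFRDA or CERT-In document) that computes the critical/high SLA-closure rate, the overdue open findings with their average age, and the share of incidents reported to CERT-In within 6 hours. The severity SLA table, the findings and the incidents are constructed assumptions; only the 6-hour window is the CERT-In direction's figure.

```python
"""KPI computation from a VAPT findings tracker and an incident register.

Added example for this guide, not code from the original page. The SLA table,
the findings and the incidents are constructed assumptions; the 6-hour window
is the CERT-In direction's figure.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Closure SLAs in days by severity: an assumed policy, not PFRDA-mandated.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
CERT_IN_WINDOW = timedelta(hours=6)


@dataclass(frozen=True)
class Finding:
    ref: str
    severity: str
    reported: datetime          # date the VAPT report raised it
    closed: datetime | None     # when marked closed in the tracker
    retested: bool              # closure backed by a re-test report


@dataclass(frozen=True)
class Incident:
    ref: str
    detected: datetime
    reported_to_cert_in: datetime | None


def vapt_kpis(findings: list[Finding], as_of: datetime) -> dict:
    """SLA-closure rate, overdue open findings and their average age."""
    tracked = [f for f in findings if f.severity in ("critical", "high")]
    within_sla = 0
    overdue_open: list[str] = []
    open_ages: list[int] = []
    for f in tracked:
        deadline = f.reported + timedelta(days=SLA_DAYS[f.severity])
        # "Closed" without a re-test is not closed for audit purposes.
        if f.closed is not None and f.retested:
            if f.closed <= deadline:
                within_sla += 1
        else:
            open_ages.append((as_of - f.reported).days)
            if as_of > deadline:
                overdue_open.append(f.ref)
    return {
        "crit_high_total": len(tracked),
        "pct_closed_within_sla": round(100 * within_sla / len(tracked), 1) if tracked else 100.0,
        "overdue_open": overdue_open,
        "avg_open_age_days": round(sum(open_ages) / len(open_ages), 1) if open_ages else 0.0,
    }


def cert_in_timeliness(incidents: list[Incident]) -> dict:
    """Share of incidents reported to CERT-In within 6 hours of detection."""
    late = [i.ref for i in incidents
            if i.reported_to_cert_in is None
            or i.reported_to_cert_in > i.detected + CERT_IN_WINDOW]
    on_time = len(incidents) - len(late)
    return {
        "pct_within_6h": round(100 * on_time / len(incidents), 1) if incidents else 100.0,
        "late_or_unreported": late,
    }


def run_example() -> tuple[dict, dict]:
    """Compute both KPI sets over constructed tracker and register extracts."""
    as_of = datetime(2025, 6, 30)
    findings = [
        Finding("V1", "critical", datetime(2025, 5, 1), datetime(2025, 5, 5), True),
        Finding("V2", "critical", datetime(2025, 5, 1), datetime(2025, 5, 20), True),  # closed after SLA
        Finding("V3", "high", datetime(2025, 4, 1), datetime(2025, 4, 20), False),     # no re-test evidence
        Finding("V4", "high", datetime(2025, 6, 15), None, False),                     # open, still within SLA
        Finding("V5", "medium", datetime(2025, 3, 1), None, False),                    # not a critical/high KPI
        Finding("V6", "high", datetime(2025, 3, 1), datetime(2025, 3, 25), True),
    ]
    incidents = [
        Incident("I1", datetime(2025, 6, 2, 9, 10), datetime(2025, 6, 2, 13, 40)),
        Incident("I2", datetime(2025, 6, 10, 22, 0), datetime(2025, 6, 11, 6, 30)),   # 8.5 hours
        Incident("I3", datetime(2025, 6, 20, 11, 0), None),                            # never reported
        Incident("I4", datetime(2025, 6, 25, 15, 5), datetime(2025, 6, 25, 21, 5)),   # exactly 6 hours
    ]
    return vapt_kpis(findings, as_of), cert_in_timeliness(incidents)


if __name__ == "__main__":
    vapt, cert_in = run_example()
    print(vapt)
    print(cert_in)
```

On the constructed data the tracker would show five of six findings 'closed', but only two of the five critical/high findings count as closed within SLA once the re-test rule is applied, and V3 is carried as overdue and open. The incident register likewise shows a 50% CERT-In timeliness rate: one report 2.5 hours late and one never filed.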

Readiness checklist

  • Board-approved cyber security policy in force and reviewed within 12 months.
  • CISO/security officer appointed with a defined mandate and RACI.
  • Complete asset and data-flow inventory covering all NPS/APY systems.
  • MFA enforced on all privileged, remote and administrative access.
  • Privileged Access Management with session recording operational.
  • Network segmentation isolating NPS production from corporate zones.
  • Encryption at rest and in transit for all subscriber data.
  • SIEM with 180-day log retention and 24x7 monitoring.
  • Annual VAPT completed by a CERT-In empanelled firm with findings closed.
  • Incident response plan with CERT-In 6-hour reporting capability tested.
  • DR site with a successful half-yearly failover drill.
  • DPDP consent, privacy notice and breach-notification process in place.
  • Vendor contracts include security, audit-rights and breach clauses.
  • Annual IS Audit and Cyber Security Audit reports available with remediation tracked.

Common gaps

  • Policies exist on paper but are outdated, unapproved or not operationalised across all in-scope systems.
  • MFA and PAM gaps on legacy or vendor-managed systems, and shared administrator accounts.
  • Incomplete SIEM log-source coverage and log retention shorter than the CERT-In 180-day requirement.
  • VAPT performed but critical findings left open beyond SLA, or no re-testing evidence.
  • DR site present but drills are tabletop-only, with no near-live failover of NPS transaction systems.
  • Weak third-party governance: missing due diligence, absent audit-rights clauses, no DPDP data-processing agreements.
  • Production data present in test/dev environments without masking.
  • CERT-In and PFRDA incident-reporting timelines not evidenced, and no forensic-readiness procedures.
  • DPDP Act obligations (consent, purpose limitation, breach notification) not yet mapped to controls.
  • Change management without segregation of duties or proper authorisation trails.

PFRDA Cyber Security mapped to other frameworks

Because most NPS intermediaries carry overlapping regulatory obligations, mapping PFRDA domains to adjacent frameworks lets a single control set satisfy multiple regulators. The mapping below is indicative and should be confirmed against each framework's current version.

PFRDA domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | RBI / SEBI CSCRF | CERT-In / DPDP
--- | --- | --- | --- | ---
Governance & Policy | A.5 Organisational controls | GV (Govern) | Board oversight; cyber policy | CCMP guidance
Identity & Access | A.5.15-A.5.18, A.8.2-A.8.5 | PR.AA | MFA, privileged access controls | -
Network Security | A.8.20-A.8.22 | PR.IR | Segmentation, perimeter controls | -
Application & SDLC | A.8.25-A.8.29 | PR.PS | Secure SDLC; application security | -
Data Protection & Privacy | A.5.34, A.8.10-A.8.12 | PR.DS | Encryption; data localisation | DPDP Act 2023
Endpoint & Server | A.8.7-A.8.9, A.8.19 | PR.PS | Baseline hardening; patching | -
Vulnerability & Threat Mgmt | A.8.8 | ID.RA, DE.CM | VAPT mandate; patch SLAs | Advisory tracking
Security Monitoring & SOC | A.8.15-A.8.16 | DE.CM, DE.AE | SOC; log correlation | 180-day log retention
Incident Response | A.5.24-A.5.28 | RS, RC | Incident management | 6-hour CERT-In reporting
Business Continuity & DR | A.5.29-A.5.30, A.8.13-A.8.14 | RC.RP | BCP; RTO/RPO drills | -
Third-Party & Cloud | A.5.19-A.5.23 | GV.SC | Outsourcing governance | DPA/processor obligations
IS Audit & Assurance | A.5.35-A.5.36 | GV.OV, ID.IM | Annual IS audit | -

How CyberSigma helps
CyberSigma is a CERT-In empanelled cyber security auditor and PCI QSA firm that runs end-to-end PFRDA Cyber Security & IS Audit engagements for CRAs, Pension Funds, PoPs, Custodians, Trustee Banks and ASPs. We deliver a structured gap assessment against every domain in this guide, remediation support across IAM, SOC, encryption, DR and DPDP alignment, full-scope VAPT (external, internal, application, API and mobile), and the independent IS Audit and Cyber Security Audit reports PFRDA expects, with board-ready and regulator-ready assurance. Talk to CyberSigma to move from gap assessment to a defensible, continuously audit-ready NPS cyber posture.

Frequently asked questions

Who needs a PFRDA cyber security certificate?
Points of Presence must obtain an annual cyber security compliance certificate; CRAs, pension funds and other NPS entities undergo information and cyber security audits.