Reserve Bank of India · India

RBI IT Governance, Risk, Controls & Assurance

RBI’s master direction on IT governance, risk, controls and IS assurance practices.

The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023, effective April 2024) consolidates and strengthens RBI’s expectations on how regulated entities govern technology, manage IT and information-security risk, and assure controls through IS audit. It formalises board and senior-management responsibilities for IT.

Who must comply

  • Scheduled commercial banks (excluding regional rural banks).
  • Certain co-operative banks (as specified).
  • NBFCs in specified layers (per the scale-based regulation).
  • Credit information companies and All-India Financial Institutions (EXIM, NABARD, NaBFID, NHB, SIDBI).

The four pillars

Pillar | Key requirements
IT Governance | Board-level IT Strategy Committee, IT governance framework, roles and accountability, strategy alignment
IT Infrastructure & Services | IT operations, project management, change and access management, capacity, third-party/outsourcing management
IT & Information Security Risk | IT/IS risk management, cyber security, data governance, business continuity and disaster recovery
Assurance (IS Audit) | An independent, competent Information Systems (IS) audit function with defined scope and periodicity

The IS audit function

  • Independent of IT operations, with competent resources (internal and/or external).
  • A risk-based IS audit plan covering critical systems, applications and processes.
  • Reporting to the Audit Committee of the Board, with tracked remediation.
  • Often supported by CERT-In empanelled external auditors.

Implementation roadmap

  1. Establish/refresh the IT governance structure (IT Strategy Committee, roles).
  2. Perform a gap assessment against the four pillars.
  3. Strengthen IT operations, change/access controls and outsourcing management.
  4. Mature IT/IS risk management, cyber security and data governance.
  5. Test business continuity and DR.
  6. Stand up/strengthen the IS audit function and run the first IS audit.
  7. Remediate, report to the Audit Committee and maintain annual assurance.

Evidence checklist

  • IT Strategy Committee charter and minutes; IT governance framework.
  • IT/IS risk register and treatment plans.
  • Change, access and outsourcing management records.
  • Business continuity and DR plans with test evidence.
  • Risk-based IS audit plan, reports and Audit Committee minutes.
  • Remediation tracker for audit findings.

How CyberSigma helps

We perform the IS audit and gap assessment against the RBI IT Governance master direction, help establish the governance structure and IT/IS risk controls, and support your Audit Committee reporting — as a CERT-In empanelled auditor.

Frequently asked questions

Does the IT Governance Master Direction replace earlier RBI IT guidance?
It consolidates and supersedes several earlier circulars/guidance on IT governance and IS audit, providing a single, strengthened reference for covered entities.
Who performs the IS audit?
An independent, competent IS audit function — often supported by CERT-In empanelled external auditors like CyberSigma.

Need help with RBI IT Governance MD?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.