Reserve Bank of India · India

RBI IT Outsourcing Directions Audit

Audit of IT outsourcing, cloud and supply-chain risk for RBI-regulated entities.

Introduction: The RBI IT Outsourcing Directions Audit

On 10 April 2023, the Reserve Bank of India (RBI) issued the Master Direction on Outsourcing of Information Technology Services (RBI/2023-24/102, DoS.CO.CSITEG/SEC.1/31.01.015/2023-24). These Directions, which became effective from 01 October 2023, fundamentally reshaped how regulated entities (REs) govern, contract, monitor and audit their reliance on third parties for information technology and IT-enabled services. The Directions apply to a broad universe of REs including scheduled commercial banks, small finance banks, payments banks, co-operative banks, NBFCs, credit information companies, All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI) and, on a comply-or-explain basis, to their group entities and service providers operating within the financial ecosystem.

The RBI IT Outsourcing Directions sit alongside, and must be read with, the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (IT Governance Direction, November 2023), the earlier 2006 Outsourcing of Financial Services Guidelines, the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services, the Cyber Security Framework in Banks (June 2016), and sector-specific instructions from NPCI, UIDAI, SEBI, IRDAI, PFRDA and CERT-In. A CyberSigma RBI IT Outsourcing Audit provides an independent, auditor-grade assessment of an RE's outsourcing governance, its due-diligence and contracting discipline, its ongoing monitoring, its concentration and country risk posture, its business continuity and exit arrangements, and its ability to demonstrate all of this to RBI Senior Supervisory Managers (SSMs) and inspecting officers.

Copyright and source note
The RBI Master Direction on Outsourcing of Information Technology Services and all associated RBI/NPCI/UIDAI/SEBI/CERT-In circulars are the copyrighted intellectual property of their respective issuers. This guide is an original CyberSigma work that paraphrases and interprets the regulatory obligations for assessment purposes. It does not reproduce the official text. Always obtain the authoritative circulars from the RBI website (rbi.org.in) and the relevant regulator, and treat those documents as the binding source. Regulatory positions evolve; verify the current version before relying on any control mapping herein.

What is the RBI IT Outsourcing Direction?

The RBI IT Outsourcing Direction is a principle-and-rule-based regulatory instrument that requires regulated entities to retain full accountability and control over outsourced IT activities even when the underlying work is performed by a third party, a group company, or a chain of sub-contractors. The core supervisory expectation is that outsourcing does not diminish the RE's obligations to its customers or to the RBI, nor does it impair the RBI's right and ability to supervise the RE. The RE's board and senior management remain ultimately responsible; outsourcing may transfer activity, but never accountability.

The Direction covers outsourcing of IT services, including but not limited to IT infrastructure management, network and security management, application development and maintenance, hosting, cloud computing, managed security services, data centre operations, IT-enabled services (ITeS) such as business process outsourcing that has an underlying IT component, and the use of financial technology (FinTech) and cloud service providers. It draws a distinction from the outsourcing of pure business/financial processes (governed by the 2006 financial-services outsourcing guidelines), though in practice the two regimes overlap and CyberSigma assesses both where relevant.

Structurally, the Direction is organised around a governance framework (board-approved policy, role of the board and senior management, and a designated senior official/committee), a comprehensive risk-management framework (due diligence, agreements/SLAs, confidentiality and security, business continuity, monitoring and control, right to audit), and specific chapters on cloud services, security, and cross-border/offshore outsourcing. It explicitly requires that the RE be able to demonstrate that outsourced IT activities are subject to the same standards of security, governance and audit as if they were performed in-house.

Who must comply?

The Direction applies to a wide set of RBI-regulated entities. The following table summarises the in-scope population and the practical triggers that bring an entity or an arrangement into scope.

Category of regulated entity | In-scope? / Notes
Scheduled Commercial Banks (excluding RRBs) | Yes — full applicability, including foreign bank branches operating in India
Local Area Banks, Small Finance Banks, Payments Banks | Yes — full applicability
Primary (Urban) Co-operative Banks | Yes, subject to proportionality based on tier/size as specified by RBI
State and Central Co-operative Banks | Yes, where notified; proportionality applies
Non-Banking Financial Companies (NBFCs) and HFCs | Yes — Middle and Upper Layer NBFCs in particular; proportionate application to Base Layer
Credit Information Companies (CICs) | Yes — full applicability
All India Financial Institutions (EXIM, NABARD, NaBFID, NHB, SIDBI) | Yes — full applicability
Group and associate entities providing IT services to the RE | In scope via the RE's responsibility for the whole outsourcing chain
Third-party service providers, cloud providers, sub-contractors | Bound indirectly through the RE's contract, due diligence and right-to-audit clauses
  • An arrangement is 'outsourcing' when the RE relies on a third party (including a group entity) to perform, on a continuing basis, an IT activity that the RE would otherwise undertake itself and which is integral to the provision of banking/financial services.
  • One-off purchases of hardware/software, or standalone licences without ongoing managed services, are generally not treated as outsourcing — but SaaS, PaaS and managed services almost always are.
  • Sub-contracting and multi-tiered chains remain the RE's responsibility end-to-end; the RE must approve and control material sub-contracting.
  • Intra-group and offshore/cross-border arrangements attract additional country-risk, data-localisation and confidentiality obligations.

Structure of the RBI IT Outsourcing Direction

The Direction can be decomposed into the following control domains. CyberSigma uses this domain map as the backbone of the audit programme; each domain is decomposed further into testable requirements in the master assessment checklist.

Domain / chapter | Scope of control area
D1 Governance framework | Board-approved IT outsourcing policy; role of board and senior management; designated senior official; committee oversight
D2 Comprehensive assessment of need & risk | Materiality determination; risk assessment before outsourcing; approval workflow
D3 Evaluation & due diligence of service provider | Financial, technical, reputational, security and operational due diligence; periodic re-assessment
D4 Outsourcing agreement / SLA | Contract content, service levels, confidentiality, IP, liability, termination, sub-contracting controls
D5 Confidentiality & security | Data protection, access control, segregation, security controls at provider, incident handling
D6 Business continuity & disaster recovery | BCP/DR at provider, RTO/RPO, portability, contingency plans
D7 Monitoring & control of outsourced activities | Ongoing performance monitoring, MIS, SLA governance, service management
D8 Right to audit & inspection | RE's, its auditors' and RBI's access rights; audit rights over sub-contractors
D9 Concentration risk & vendor lock-in | Portfolio-level concentration, single-point-of-failure, exit strategy
D10 Cloud computing services | Cloud-specific governance, shared responsibility, data location, cloud exit
D11 Cross-border / offshore outsourcing | Country risk, data sovereignty/localisation, jurisdiction, RBI access
D12 Outsourcing to group entities | Arm's-length terms, conflict of interest, ring-fencing
D13 Exit strategy & termination management | Exit plan, step-in rights, data return/deletion, transition
D14 Reporting & regulatory notification | Reporting to board, incident/adverse-event reporting to RBI, register of arrangements

Master assessment checklist

This is the core of the audit. Each control domain is enumerated below under its own heading, with a table of specific verification points and the typical evidence an assessor should collect. Every domain is covered; no control area is skipped. Auditors should sample outsourcing arrangements across materiality tiers (all material arrangements, plus a risk-based sample of non-material ones) and test each requirement against them.

D1 — Governance framework

What to verify | Typical evidence
A board-approved IT outsourcing policy exists, is current, and covers all elements required by the Direction | Signed policy document with board approval minute, version history, annual review record
The board and a designated committee (e.g. IT Strategy Committee / Risk Management Committee) exercise oversight of material outsourcing | Committee terms of reference, meeting minutes, outsourcing risk dashboards tabled to the board
A senior management official / function is designated as accountable for the outsourcing framework | Role description, appointment note, RACI, delegation of authority matrix
Roles, responsibilities and escalation paths for outsourcing decisions are defined | Governance charter, approval workflow, segregation-of-duties matrix
The policy defines materiality criteria and the approval authority commensurate with risk | Materiality assessment methodology, approval thresholds table
Board is periodically apprised of the outsourcing portfolio, risks and adverse events | Board pack extracts, periodic MIS, adverse-event escalation records

D2 — Assessment of need and pre-outsourcing risk assessment

What to verify | Typical evidence
A documented business case and need assessment precedes each outsourcing decision | Business case, cost-benefit analysis, make-vs-buy note
A structured risk assessment is performed before outsourcing (strategic, reputational, operational, legal, compliance, concentration, country, exit risks) | Pre-outsourcing risk assessment template, completed risk register per arrangement
Materiality of each arrangement is formally classified | Materiality scorecard with rationale and sign-off
Regulatory permissibility of the activity being outsourced is checked (some activities cannot be outsourced) | Permissibility check-list, legal/compliance opinion
Data classification of information the provider will handle is determined up front | Data classification note, PII/SPDI/UIDAI-data flagging

D3 — Evaluation and due diligence of the service provider

What to verify | Typical evidence
Financial soundness of the provider is assessed (and periodically re-assessed) | Audited financials, credit checks, financial due-diligence report
Technical capability, capacity, and track record are evaluated | Technical evaluation, reference checks, past-performance review
Security posture of the provider is assessed (certifications, VAPT, control attestations) | ISO 27001 certificate, SOC 2 Type II report, PCI DSS AOC, VAPT summary
Reputational, legal and regulatory standing (sanctions, litigation, adverse media) is checked | Sanctions/PEP screening, adverse-media search, legal search results
Sub-contractor and supply-chain due diligence is performed for material sub-contracting | Sub-contractor disclosure, fourth-party assessment
Due diligence is refreshed periodically and on trigger events | Periodic re-assessment schedule and completed reviews
Business continuity capability of the provider is evaluated | Provider BCP/DR documentation, DR test evidence

D4 — Outsourcing agreement and service levels

What to verify | Typical evidence
A written, legally binding agreement exists for every arrangement before go-live | Executed contract, master services agreement, statement of work
The contract defines scope, service levels, performance metrics, and penalties | SLA schedule, KPI/KRI definitions, service-credit regime
Confidentiality, data protection, and information-security obligations are contractual | Confidentiality clause, DPA/security schedule, data-handling annex
Ownership of data and intellectual property, and data-return obligations, are clear | IP clause, data-ownership clause, data return/deletion clause
The contract restricts and controls sub-contracting (prior consent, flow-down of obligations) | Sub-contracting clause with consent and flow-down provisions
Right-to-audit and RBI/regulatory access clauses are included and enforceable | Audit-rights clause, regulator-access clause, cooperation clause
Business continuity, exit assistance and termination provisions are contractual | BCP clause, exit-management schedule, termination and transition clauses
Liability, indemnity, breach notification timelines and dispute resolution/governing law are defined | Liability/indemnity clauses, breach-notification SLA, governing-law clause
For cross-border contracts, jurisdiction and RBI access despite foreign location are secured | Jurisdiction clause, data-access-in-India provisions

D5 — Confidentiality and security of information

What to verify | Typical evidence
Customer and RE data is protected to standards at least equal to the RE's own | Provider security policy, control mapping to RE standards
Logical and physical access controls, least-privilege and segregation of the RE's data are enforced | Access control matrix, IAM records, tenancy/segregation design
Encryption of data in transit and at rest is implemented for sensitive data | Encryption standards, key-management design, cipher configuration evidence
Data location, and any data localisation requirements (e.g. payment data storage in India), are met | Data-residency attestation, storage-location evidence, NPCI/RBI localisation compliance
Security incident detection, notification to the RE, and joint response are defined and tested | Incident-response runbook, breach-notification records, tabletop/test evidence
Logging, monitoring and forensic-readiness at the provider are adequate | Log-retention policy, SIEM integration, forensic-support clause
Vulnerability management and periodic VAPT of provider systems occur | VAPT reports, patch-compliance evidence, remediation tracker
Segregation and secure handling where the provider serves multiple clients (multi-tenancy) | Multi-tenant isolation design, penetration test of isolation

D6 — Business continuity and disaster recovery

What to verify | Typical evidence
The provider maintains a documented, tested BCP/DR aligned to the RE's requirements | Provider BCP/DR plan, alignment note with RE RTO/RPO
Agreed RTO and RPO are defined contractually and demonstrably achievable | SLA RTO/RPO figures, DR drill reports meeting targets
The RE participates in or witnesses periodic DR drills | Joint DR test invitation, RE observation report
Data and processing can be recovered or repatriated if the provider fails | Data backup/portability evidence, recovery test
Contingency plans exist for provider failure, insolvency or exit | Contingency plan, alternate-provider readiness note
Dependencies on the provider's own sub-providers are continuity-tested | Fourth-party continuity assessment

D7 — Monitoring and control of outsourced activities

What to verify | Typical evidence
Ongoing performance and SLA compliance are actively monitored | SLA dashboards, monthly service reviews, KPI trend reports
A structured governance forum (service review) meets regularly with the provider | Governance meeting minutes, action logs
MIS on outsourced activities is produced and reviewed by RE management | Operational MIS, exception reports, escalation logs
Deviations, breaches and service failures are tracked to closure with penalties applied where due | Breach register, service-credit application records, RCA reports
Retained in-house capability exists to oversee, and if needed resume, the activity | Retained-team org chart, knowledge-transfer records, runbooks
Changes by the provider (systems, locations, sub-contractors) are notified and controlled | Change-notification log, change-approval evidence

D8 — Right to audit and inspection

What to verify | Typical evidence
The RE, its internal/external auditors and RBI have contractual right to audit the provider | Audit-rights clause, regulator-access clause
Audit rights extend to material sub-contractors | Flow-down audit clause in sub-contracts
Periodic assurance is obtained (audit reports, control attestations, certifications) | SOC 2 reports, ISO/PCI certificates, independent audit reports, pooled audits
The RE reviews assurance reports and tracks control gaps to remediation | Report-review notes, gap tracker, remediation confirmations
Provider cooperation with regulatory inspections is demonstrated | Inspection-support records, information-access logs

D9 — Concentration risk and vendor lock-in

What to verify | Typical evidence
Portfolio-level concentration on any single provider/technology is measured and limited | Concentration analysis, exposure limits, board reporting
Single points of failure and systemic dependencies are identified | Dependency map, SPOF analysis
Vendor lock-in is mitigated through portability, open standards and multi-sourcing where feasible | Portability assessment, interoperability requirements in contracts
Concentration is reported to the board and factored into risk appetite | Board MIS, risk-appetite statement references

D10 — Cloud computing services

What to verify | Typical evidence
Cloud adoption follows a board-approved cloud strategy and governance model | Cloud policy, cloud governance framework
The shared-responsibility model is documented and control ownership is clear (RE vs CSP) | Shared-responsibility matrix per service (IaaS/PaaS/SaaS)
Data location, residency and localisation in cloud are controlled and evidenced | Region configuration, data-residency attestation, localisation proof
Cloud security controls (IAM, encryption, network segmentation, logging, CSPM) are implemented | Cloud config baselines, CSPM findings, IAM policies, encryption/KMS evidence
Cloud exit and portability strategy exists (data export, re-platforming plan) | Cloud exit plan, data-export test, portability design
Continuous monitoring of cloud posture and misconfiguration is in place | CSPM/CNAPP dashboards, drift-detection reports
Provider certifications and RBI/CERT-In empanelment where applicable are validated | CSP certifications, empanelment evidence, MeitY-empanelment where relevant

D11 — Cross-border and offshore outsourcing

What to verify | Typical evidence
Country risk of the offshore location is assessed and monitored | Country-risk assessment, political/legal-risk review
Data sovereignty and Indian localisation requirements are met (e.g. payment system data) | Data-flow diagram, localisation attestation, NPCI/RBI compliance evidence
RBI and the RE retain effective access to data, records and premises despite offshore location | Contractual access rights, in-India copy of data/records
Applicable foreign laws do not impair the RE's or RBI's rights | Legal opinion on jurisdiction and enforceability
Cross-border data transfer complies with DPDP Act and sectoral rules | DPDP compliance note, transfer-impact assessment

D12 — Outsourcing to group / associate entities

What to verify | Typical evidence
Intra-group arrangements are on arm's-length terms and formally documented | Group MSA, transfer-pricing/arm's-length documentation
Conflicts of interest are identified and managed | Conflict-of-interest register, mitigation controls
The same due-diligence, security and audit standards apply to group entities as to third parties | Group-entity due-diligence file, audit evidence
Ring-fencing of the RE's data and operations within the group is enforced | Segregation design, access-control evidence

D13 — Exit strategy and termination management

What to verify | Typical evidence
A documented exit strategy exists for every material arrangement before go-live | Exit plan per arrangement, exit-trigger definitions
Termination rights (for cause, convenience, regulatory direction) are contractual | Termination clauses, step-in rights
Data return and secure deletion at exit are guaranteed and verifiable | Data-return/deletion clause, certificate-of-destruction template
Transition assistance and knowledge transfer obligations bind the provider | Transition-services clause, reverse-transition plan
Alternate provider or in-sourcing readiness is assessed | Alternate-sourcing analysis, insourcing feasibility note

D14 — Reporting and regulatory notification

What to verify | Typical evidence
A central register/inventory of all IT outsourcing arrangements is maintained and current | Outsourcing register with materiality, provider, data-class, review dates
Material adverse events, breaches and provider failures are reported to RBI as required | Incident-notification records, CERT-In reporting (6-hour rule), RBI intimation
The board receives periodic reporting on the outsourcing portfolio and risks | Board MIS, periodic outsourcing risk report
Regulatory changes are tracked and reflected in policy and contracts | Regulatory-change log, policy update records

Scoping the assessment

Correct scoping ensures the audit is proportionate and complete. CyberSigma establishes the assessment boundary by first building or validating the RE's outsourcing inventory, then stratifying arrangements by materiality and data sensitivity.

  • Enumerate all IT and IT-enabled outsourcing arrangements, including cloud, managed services, application development/maintenance, hosting, MSSP, and intra-group IT services.
  • Classify each by materiality using the RE's board-approved criteria (criticality to core banking/payments, volume/value of data, customer impact, substitutability).
  • Flag arrangements handling PII, SPDI, Aadhaar/UIDAI data, payment/card data (PCI DSS), and any data subject to localisation.
  • Include the full outsourcing chain — sub-contractors and fourth parties — for material arrangements.
  • Identify cross-border and group-entity arrangements for enhanced testing.
  • Confirm which activities are non-outsourceable or require prior regulatory approval and exclude/flag them appropriately.
  • Agree the sampling approach: 100% of material arrangements plus a risk-based sample of non-material ones.
Scoping tip
The single most common scoping failure is an incomplete outsourcing register. Shadow SaaS, departmental cloud subscriptions, and 'pilot' engagements that quietly became production are routinely missed. Begin the audit by reconciling the register against accounts-payable vendor data, cloud billing, and network egress/DNS logs to surface undeclared providers.
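The reconciliation described in the scoping tip can be scripted. The following is an added illustration, not CyberSigma's tooling or the RE's own data: it takes a constructed outsourcing register, an accounts-payable vendor extract, a cloud-billing account list and a few constructed DNS egress log lines, normalises vendor names (legal suffixes such as "Pvt Ltd" are stripped so "ACME CLOUD SERVICES PVT LTD" matches "Acme Cloud Services"), and reports providers that appear in spend or network data but not in the register. It also computes the register-completeness figure listed under KPIs (share of IT-services spend covered by registered providers). The field names, the log line format and the legal-suffix list are assumptions for this example.

```python
import re
from collections import defaultdict

# ---- Constructed sample inputs (illustrative only, not real RE or vendor data) ----
REGISTER = [
    {"provider": "Acme Cloud Services", "domains": ["acmecloud.example"], "material": True},
    {"provider": "Beta Managed Security", "domains": ["betamssp.example"], "material": True},
]
AP_VENDORS = [  # accounts-payable vendor master extract, category assigned by finance
    {"vendor": "ACME CLOUD SERVICES PVT LTD", "category": "IT services", "spend_inr": 42_000_000},
    {"vendor": "Beta Managed Security Ltd", "category": "IT services", "spend_inr": 9_500_000},
    {"vendor": "Gamma SaaS Inc", "category": "IT services", "spend_inr": 3_200_000},  # departmental SaaS
    {"vendor": "Office Furniture Co", "category": "Facilities", "spend_inr": 800_000},
]
CLOUD_BILLING = [  # one row per billing account, from the cloud cost reports
    {"account": "prod-core-banking", "provider": "Acme Cloud Services", "owner": "IT Infrastructure"},
    {"account": "analytics-pilot", "provider": "Delta Cloud", "owner": "Marketing"},  # pilot now in production
]
DNS_EGRESS = """\
2024-03-01T09:12:44Z src=10.20.1.15 query=api.acmecloud.example type=A
2024-03-01T09:13:01Z src=10.20.4.77 query=sync.gammasaas.example type=A
2024-03-01T09:13:09Z src=10.20.4.77 query=sync.gammasaas.example type=A
2024-03-01T09:14:30Z src=10.20.9.3 query=ingest.epsilon-data.example type=A
2024-03-01T09:15:02Z src=10.20.1.16 query=portal.betamssp.example type=A
"""

# Assumed list of corporate suffixes to ignore when matching vendor names.
LEGAL_SUFFIXES = {"pvt", "ltd", "limited", "inc", "llc", "co", "corp", "private"}
DNS_RE = re.compile(r"src=(?P<src>\S+) query=(?P<q>\S+)")


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes so AP and register names compare equal."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def parse_dns_egress(log_text: str) -> dict:
    """Map each queried apex domain (last two labels) to the set of internal hosts that resolved it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        labels = m.group("q").lower().split(".")
        seen[".".join(labels[-2:])].add(m.group("src"))
    return seen


def reconcile(register, ap_vendors, cloud_billing, dns_log_text) -> dict:
    """Return providers visible in spend, cloud billing or egress traffic that the register omits."""
    registered_names = {normalise(r["provider"]) for r in register}
    registered_domains = {d.lower() for r in register for d in r["domains"]}
    undeclared_ap = sorted(
        v["vendor"] for v in ap_vendors
        if v["category"] == "IT services" and normalise(v["vendor"]) not in registered_names
    )
    undeclared_cloud = sorted(
        a["account"] for a in cloud_billing if normalise(a["provider"]) not in registered_names
    )
    egress = parse_dns_egress(dns_log_text)
    undeclared_dns = sorted(d for d in egress if d not in registered_domains)
    return {
        "undeclared_ap_vendors": undeclared_ap,
        "undeclared_cloud_accounts": undeclared_cloud,
        "undeclared_egress_domains": undeclared_dns,
    }


def register_coverage(register, ap_vendors) -> float:
    """KPI: fraction of IT-services spend attributable to providers present in the register."""
    registered_names = {normalise(r["provider"]) for r in register}
    it_rows = [v for v in ap_vendors if v["category"] == "IT services"]
    total = sum(v["spend_inr"] for v in it_rows)
    covered = sum(v["spend_inr"] for v in it_rows if normalise(v["vendor"]) in registered_names)
    return covered / total if total else 1.0


if __name__ == "__main__":
    result = reconcile(REGISTER, AP_VENDORS, CLOUD_BILLING, DNS_EGRESS)
    for key, items in result.items():
        print(f"{key}: {items}")
    print(f"register coverage of IT spend: {register_coverage(REGISTER, AP_VENDORS):.1%}")
```

Each undeclared item is a lead for the auditor to run down, not a finding in itself: a domain seen in egress logs may be a sub-processor of a registered provider (which still needs to appear as a fourth party under D3) or a one-off licence that falls outside the definition of outsourcing. The point of the three independent sources is that a provider has to be absent from all of them before it can be safely assumed not to exist.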

Implementation approach

Whether the RE is building the outsourcing governance framework for the first time or remediating gaps, CyberSigma recommends a phased approach. Each phase below lists indicative activities and deliverables.

Phase 1 — Discovery and gap assessment

  • Activities: build/validate the outsourcing inventory; classify materiality; assess current policy, contracts and monitoring against the Direction; identify gaps and quick wins.
  • Deliverables: outsourcing register; current-state gap assessment report; prioritised remediation roadmap; RACI.

Phase 2 — Policy and governance design

  • Activities: draft/update the board-approved IT outsourcing policy; define materiality methodology, approval workflows, committee mandates and reporting cadence.
  • Deliverables: board-approved policy; governance charter; materiality scorecard; standard operating procedures.

Phase 3 — Due diligence and contract remediation

  • Activities: run/refresh provider due diligence; remediate contracts to include audit rights, RBI access, security, BCP, exit and sub-contracting clauses; prioritise material and cross-border arrangements.
  • Deliverables: due-diligence dossiers; remediated contracts/addenda; standard contract clause library.

Phase 4 — Monitoring, security and continuity uplift

  • Activities: stand up SLA and risk monitoring; integrate provider security assurance (SOC 2/ISO/VAPT); align BCP/DR RTO-RPO; run joint DR drills; implement cloud posture monitoring.
  • Deliverables: SLA dashboards; assurance-review process; DR drill reports; cloud governance controls.

Phase 5 — Exit readiness and regulatory reporting

  • Activities: build exit strategies for material arrangements; establish adverse-event and CERT-In/RBI reporting; finalise board reporting.
  • Deliverables: exit plans; incident-reporting playbook; board reporting pack template.

Phase 6 — Assurance, testing and continuous improvement

  • Activities: independent audit against the Direction; remediate residual gaps; embed periodic re-assessment and continuous monitoring.
  • Deliverables: audit report with maturity rating; remediation tracker; annual review calendar.

Maturity and capability model

CyberSigma rates each control domain on a five-level capability scale. The rating drives the remediation roadmap and provides the board with a defensible, trendable measure of outsourcing risk maturity.

Level | Descriptor and characteristics
Level 1 — Initial | Ad hoc outsourcing; no board policy; contracts lack audit/RBI-access clauses; no register; monitoring is reactive
Level 2 — Developing | Policy drafted; partial register; some due diligence; inconsistent contract clauses; monitoring informal
Level 3 — Defined | Board-approved policy; complete register; standard due-diligence and contract templates; SLA monitoring established
Level 4 — Managed | Risk-based, metric-driven monitoring; assurance reports reviewed; DR drills with providers; exit plans for material arrangements; concentration tracked
Level 5 — Optimised | Continuous monitoring and automation; predictive concentration/country-risk analytics; mature exit and portability; fully embedded in enterprise risk and board reporting

Assessment and audit approach

CyberSigma follows a structured, evidence-led methodology so that findings are defensible before internal audit, statutory auditors and RBI inspecting officers.

  1. Initiate: agree scope, materiality basis, sampling and timelines; obtain the outsourcing register and reconcile it against vendor/cloud billing data.
  2. Plan: map in-scope arrangements to the 14 control domains; design test procedures and evidence requests per domain.
  3. Assess governance: review the board-approved policy, committee minutes and designated-official arrangements against the Direction.
  4. Test arrangements: for each sampled arrangement, walk through due diligence, contract clauses, security, BCP/DR, monitoring, audit rights and exit.
  5. Deep-dive high risk: apply enhanced testing to material, cloud, cross-border and group-entity arrangements.
  6. Validate evidence: corroborate control operation with artefacts (contracts, SOC 2/ISO reports, DR drill results, SLA MIS, incident records), not just interviews.
  7. Rate maturity: score each domain on the five-level model and quantify residual risk.
  8. Report: produce findings with severity, root cause, regulatory reference, and prioritised, costed remediation.
  9. Remediate and re-test: track closure of gaps and re-verify high-severity items.
  10. Sustain: establish periodic re-assessment, continuous monitoring and regulatory-change tracking.

Evidence request list

The following categorised evidence list is issued at the start of fieldwork. Complete, well-organised evidence dramatically shortens the audit and strengthens the RE's inspection readiness.

  • Governance: board-approved IT outsourcing policy; committee terms of reference and minutes; designated-official appointment; delegation-of-authority matrix; board MIS on outsourcing.
  • Inventory: complete outsourcing register with materiality classification, data sensitivity, provider, location, sub-contractors, and review dates.
  • Due diligence: provider financials and credit checks; technical and security evaluations; sanctions/adverse-media screening; periodic re-assessment records.
  • Contracts: executed agreements/MSAs/SOWs; SLA schedules; DPAs/security schedules; audit-rights and RBI-access clauses; sub-contracting, exit and termination clauses.
  • Security: provider ISO 27001 / SOC 2 Type II / PCI DSS AOC; VAPT reports; encryption and key-management design; access-control matrices; data-residency attestations.
  • Continuity: provider BCP/DR plans; RTO/RPO definitions; DR drill reports; contingency plans; backup/portability evidence.
  • Monitoring: SLA dashboards; service-review minutes; breach/exception registers; service-credit records; change-notification logs.
  • Assurance: independent audit reports; pooled/third-party assurance; gap trackers and remediation confirmations.
  • Cloud: cloud policy; shared-responsibility matrices; CSPM/CNAPP reports; region/residency configuration; cloud exit plans.
  • Regulatory: incident-notification and CERT-In/RBI reporting records; concentration analysis; regulatory-change log.

Roles and responsibilities

Role | Key responsibilities
Board of Directors | Approve the outsourcing policy and risk appetite; retain ultimate accountability; review portfolio risk and adverse events
IT Strategy / Risk Management Committee | Oversee the outsourcing framework; review material arrangements, concentration and assurance reports
Senior Management / Designated Official | Own the framework; ensure due diligence, contracting, monitoring and reporting are executed
Business/Service Owner | Define requirements; manage the provider relationship and SLAs day to day
Risk & Compliance | Assess risk and permissibility; ensure regulatory alignment; track adverse events and reporting
Information Security (CISO) | Set security requirements; validate provider security; oversee incident response and VAPT
Procurement / Vendor Management | Run due diligence and contracting; maintain the register; manage exits
Internal Audit | Provide independent assurance over the outsourcing framework and its operation
Service Provider | Deliver to SLA; maintain security and BCP; support audit and regulatory access; notify incidents and changes

KPIs to track

  • Percentage of outsourcing arrangements with a complete, board-compliant contract (target 100% for material).
  • Percentage of material arrangements with a documented, tested exit strategy.
  • Percentage of providers with current security assurance (SOC 2/ISO/PCI/VAPT) on file.
  • SLA compliance rate per material provider and count of SLA breaches with service credits applied.
  • Time to detect and notify (RE and CERT-In/RBI) provider security incidents.
  • DR drill success rate against contracted RTO/RPO for material arrangements.
  • Concentration exposure: share of critical services on the top provider(s) and single points of failure.
  • Due-diligence currency: percentage of providers within their re-assessment cycle.
  • Open outsourcing audit findings by severity and mean time to remediate.
  • Register completeness: reconciled outsourcing register vs vendor/cloud spend coverage.
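The concentration-exposure KPI above, and the D9 requirement that portfolio-level concentration be measured against an exposure limit, can be computed directly from the register. The example below is added here and is not CyberSigma's method or a prescribed RBI calculation: it takes a constructed list of critical services with the provider each runs on and whether a tested alternate exists, then returns each provider's share of critical services, a Herfindahl-Hirschman index (the sum of squared shares, a standard concentration measure that approaches 1.0 as one provider dominates), the providers breaching a board-set limit, and the single points of failure weighted by how many critical services share the same provider. The service list, the `alternate_tested` flag and the 50% limit are assumptions for illustration.

```python
from collections import Counter

# Constructed sample: critical services mapped to the provider that runs them (not real data).
CRITICAL_SERVICES = [
    {"service": "core banking hosting", "provider": "Acme Cloud Services", "alternate_tested": False},
    {"service": "payments switch hosting", "provider": "Acme Cloud Services", "alternate_tested": False},
    {"service": "internet banking", "provider": "Acme Cloud Services", "alternate_tested": True},
    {"service": "SOC monitoring", "provider": "Beta Managed Security", "alternate_tested": False},
    {"service": "email / collaboration", "provider": "Gamma SaaS", "alternate_tested": True},
]


def provider_shares(services) -> dict:
    """Share of critical services carried by each provider (0.0 to 1.0)."""
    counts = Counter(s["provider"] for s in services)
    total = len(services)
    return {p: n / total for p, n in counts.items()}


def hhi(services) -> float:
    """Herfindahl-Hirschman index of provider concentration: sum of squared shares."""
    return sum(share ** 2 for share in provider_shares(services).values())


def exposure_breaches(services, limit: float) -> list:
    """Providers whose share of critical services exceeds the board-approved exposure limit."""
    return sorted(p for p, share in provider_shares(services).items() if share > limit)


def single_points_of_failure(services) -> list:
    """Services with no tested alternate, with the count of critical services sharing that provider.

    A high count means one provider outage takes several critical services down together."""
    counts = Counter(s["provider"] for s in services)
    return sorted(
        (s["service"], s["provider"], counts[s["provider"]])
        for s in services if not s["alternate_tested"]
    )


def concentration_report(services, limit: float = 0.5) -> dict:
    """Bundle the figures a board pack would carry for the concentration KPI."""
    shares = provider_shares(services)
    top_provider, top_share = max(shares.items(), key=lambda kv: kv[1])
    return {
        "top_provider": top_provider,
        "top_share": top_share,
        "hhi": hhi(services),
        "breaches": exposure_breaches(services, limit),
        "spof": single_points_of_failure(services),
    }


if __name__ == "__main__":
    report = concentration_report(CRITICAL_SERVICES, limit=0.5)
    print(f"top provider: {report['top_provider']} ({report['top_share']:.0%} of critical services)")
    print(f"HHI: {report['hhi']:.2f}; limit breaches: {report['breaches']}")
    for service, provider, shared in report["spof"]:
        print(f"SPOF: {service} on {provider} (shares provider with {shared - 1} other critical service(s))")
```

Counting services treats each as equally critical; a refinement that fits the D9 evidence list is to weight each service by its materiality score so the shares reflect exposure rather than count. Either way, the output is only meaningful if the register behind it is complete, which is why the scoping reconciliation comes first.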

Readiness checklist

  • Board-approved IT outsourcing policy in place, current, and covering all elements of the Direction.
  • Designated senior official and oversight committee formally mandated.
  • Complete, materiality-classified outsourcing register maintained and reconciled to spend.
  • Documented pre-outsourcing risk and permissibility assessment for each arrangement.
  • Due diligence completed and periodically refreshed for all material providers.
  • Contracts include audit rights, RBI/regulator access, security, BCP, exit and sub-contracting controls.
  • Provider security assurance (SOC 2/ISO/PCI/VAPT) obtained and reviewed.
  • Data localisation and residency requirements met and evidenced (payments/UIDAI/SPDI).
  • SLA and risk monitoring operational with regular service governance forums.
  • BCP/DR aligned to RTO/RPO with joint DR drills conducted.
  • Exit strategies documented and tested for material arrangements.
  • Concentration and country risk measured and reported to the board.
  • Incident and adverse-event reporting to RBI/CERT-In defined and rehearsed.
  • Retained in-house capability to oversee and, if needed, resume outsourced activities.

Common gaps

  • Incomplete outsourcing register — shadow SaaS and cloud subscriptions absent, so material arrangements go ungoverned.
  • Contracts missing RBI/regulator right-to-audit and access clauses, or lacking flow-down to sub-contractors.
  • No documented, tested exit strategy — the RE cannot leave without severe disruption (vendor lock-in).
  • Weak or stale provider due diligence; security assurance (SOC 2/VAPT) not obtained or never reviewed.
  • Data localisation breaches — payment or Aadhaar-linked data stored or replicated outside India.
  • BCP/DR RTO/RPO defined on paper but never jointly drill-tested with the provider.
  • Sub-contracting (fourth parties) not disclosed, assessed or controlled.
  • Concentration risk unmeasured; single provider underpins multiple critical services.
  • Cloud shared-responsibility model undocumented, leaving control gaps between RE and CSP.
  • Adverse-event and CERT-In 6-hour incident reporting obligations not operationalised.
  • Governance on paper only — committee does not actually review material arrangements or assurance reports.
  • Intra-group IT services treated informally without arm's-length terms, due diligence or audit rights.
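The register-completeness and concentration KPIs above, and the shadow-SaaS, concentration and stale-due-diligence gaps in this list, all come out of one reconciliation an auditor runs over the outsourcing register and the accounts-payable/cloud-billing ledger. The script below is an added example, not CyberSigma tooling and not anything prescribed by the Direction: it normalises vendor names so invoice and register spellings match, flags spend with no register entry, computes each provider's share of critical services, and checks due-diligence currency. The register rows, spend ledger, the 100,000 flagging threshold and the 12-month (material) / 24-month (other) re-assessment cycles are all constructed assumptions chosen for illustration.

```python
"""Reconcile an IT outsourcing register against vendor/cloud spend and compute
register coverage, concentration exposure and due-diligence currency.
Added example with constructed data; nothing here comes from the RBI text."""
from collections import Counter
from datetime import date, timedelta
import re

# Constructed register extract. One row per (provider, service).
REGISTER = [
    {"provider": "Acme Cloud Pvt Ltd", "service": "core banking hosting",
     "critical": True, "material": True, "last_dd": date(2023, 2, 1)},
    {"provider": "Acme Cloud Pvt Ltd", "service": "payments switch",
     "critical": True, "material": True, "last_dd": date(2023, 2, 1)},
    {"provider": "Acme Cloud Pvt Ltd", "service": "data warehouse",
     "critical": False, "material": True, "last_dd": date(2023, 2, 1)},
    {"provider": "Beta Managed Services", "service": "SOC monitoring",
     "critical": True, "material": True, "last_dd": date(2024, 3, 15)},
    {"provider": "Gamma Software", "service": "HR portal",
     "critical": False, "material": False, "last_dd": date(2022, 6, 1)},
]

# Constructed spend ledger. Vendor names are as printed on invoices, which
# rarely match the register spelling exactly.
SPEND = [
    {"vendor": "ACME CLOUD PRIVATE LIMITED", "amount": 4_200_000},
    {"vendor": "Beta Managed Services LLP", "amount": 900_000},
    {"vendor": "Gamma Software", "amount": 120_000},
    {"vendor": "QuickSign SaaS Inc", "amount": 350_000},   # absent from register
    {"vendor": "Delta Analytics", "amount": 15_000},        # absent, below threshold
]

LEGAL_SUFFIXES = {"pvt", "private", "ltd", "limited", "llp", "inc", "plc", "corp"}


def normalise(name: str) -> str:
    """Canonical key for a vendor: lower-case alphanumeric tokens with
    legal-form suffixes dropped, so 'Acme Cloud Pvt Ltd' and
    'ACME CLOUD PRIVATE LIMITED' map to the same key."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def reconcile_spend(register, spend, threshold):
    """Return (coverage, unregistered). coverage is the share of total spend
    that maps to a registered provider; unregistered lists vendors at or
    above threshold with no register entry, largest first."""
    registered = {normalise(e["provider"]) for e in register}
    total = sum(s["amount"] for s in spend)
    covered = sum(s["amount"] for s in spend if normalise(s["vendor"]) in registered)
    unregistered = sorted(
        ((s["vendor"], s["amount"]) for s in spend
         if normalise(s["vendor"]) not in registered and s["amount"] >= threshold),
        key=lambda v: v[1], reverse=True)
    return (covered / total if total else 1.0), unregistered


def concentration(register):
    """Share of critical services carried by each provider, highest first."""
    counts = Counter(normalise(e["provider"]) for e in register if e["critical"])
    total = sum(counts.values())
    return [(p, n / total) for p, n in counts.most_common()] if total else []


def due_diligence_currency(register, as_of, material_days=365, other_days=730):
    """Percentage of providers whose last due diligence is inside its cycle
    (cycle lengths are an assumed policy), plus the overdue providers. A
    provider with several rows is judged on its latest review and the
    strictest cycle among its rows."""
    latest = {}
    for e in register:
        key = normalise(e["provider"])
        cycle = material_days if e["material"] else other_days
        prev = latest.get(key)
        latest[key] = (e["last_dd"], cycle) if prev is None else (
            max(prev[0], e["last_dd"]), min(prev[1], cycle))
    overdue = sorted(p for p, (dd, cyc) in latest.items()
                     if dd + timedelta(days=cyc) < as_of)
    current_pct = 100.0 * (len(latest) - len(overdue)) / len(latest) if latest else 100.0
    return current_pct, overdue


def audit_report(register=REGISTER, spend=SPEND, as_of=date(2024, 9, 30),
                 threshold=100_000):
    """Bundle the three checks into one dict for reporting or assertion."""
    coverage, unregistered = reconcile_spend(register, spend, threshold)
    pct, overdue = due_diligence_currency(register, as_of)
    return {"coverage": coverage, "unregistered": unregistered,
            "concentration": concentration(register),
            "dd_current_pct": pct, "dd_overdue": overdue}


if __name__ == "__main__":
    for k, v in audit_report().items():
        print(f"{k}: {v}")
```

On the constructed data the report shows about 93% of spend reconciling to the register, one unregistered vendor above threshold (the SaaS e-signature subscription), a single provider carrying two of three critical services, and only one of three providers inside its due-diligence cycle: the same findings that appear as gaps in the list above, produced from data the RE already holds.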

RBI IT Outsourcing mapped to other frameworks

Outsourcing controls rarely exist in isolation. The following mapping helps REs reuse existing control evidence and demonstrate coherent, non-duplicative compliance across regulators and standards.

RBI IT Outsourcing domain | Related framework / control area
D1 Governance | RBI IT Governance Direction (2023) board/committee roles; ISO 27001:2022 Annex A.5 organisational controls; ISO 27036 supplier governance
D3 Due diligence | ISO 27036 supplier relationships; NIST CSF 2.0 GV.SC (Supply Chain Risk Management); SOC 2 vendor management
D4 Agreements / SLA | ISO 27001:2022 A.5.19 to A.5.22 supplier relationships and agreements; DPDP Act 2023 data-processor obligations; EBA/APRA outsourcing analogues
D5 Security & confidentiality | ISO 27001 Annex A; PCI DSS (payment card data); RBI Cyber Security Framework; UIDAI Aadhaar security requirements
D6 BCP/DR | ISO 22301 business continuity; RBI IT Governance Direction BCP chapter; NIST CSF RC (Recover)
D8 Right to audit | SOC 2 / ISAE 3402 assurance reporting; ISO 27001:2022 A.5.35 independent review of information security
D10 Cloud | MeitY cloud empanelment; CSA CCM; ISO 27017/27018; RBI cloud expectations; CERT-In cloud advisories
D11 Cross-border | DPDP Act 2023 cross-border transfer provisions; RBI/NPCI payment data localisation; data-sovereignty requirements
D14 Reporting | CERT-In incident reporting directions (April 2022, six-hour window); RBI cyber-incident reporting; SEBI/IRDAI/PFRDA sectoral reporting

How CyberSigma helps

As a CERT-In empanelled auditor and PCI QSA firm, CyberSigma delivers end-to-end RBI IT Outsourcing readiness — from building your outsourcing register and materiality model, through contract and due-diligence remediation, cloud and cross-border risk assessment, joint DR validation and exit-strategy design, to an independent, inspection-ready audit rated against a five-level maturity model. Our assessors combine hands-on knowledge of RBI, NPCI, UIDAI, SEBI and CERT-In expectations with ISO 27001, ISO 22301, PCI DSS and SOC 2 assurance, so you demonstrate coherent, defensible compliance to your board and to RBI Senior Supervisory Managers. Engage CyberSigma to close gaps before your next RBI inspection — not after.

Frequently asked questions

Does the RBI outsourcing direction cover cloud?
Yes — cloud services are treated as IT outsourcing; the Directions require governance, audit and regulator access rights, data protection (including localisation where payment or Aadhaar data is involved), a documented shared-responsibility split and exit controls over cloud service providers.

Need help with RBI IT Outsourcing?

CERT-In empanelled, PCI QSA senior auditors can take you from initial gap assessment to demonstrable compliance with a scoped, guided programme.