Introduction: The RBI IT Outsourcing Directions Audit
On 10 April 2023, the Reserve Bank of India (RBI) issued the Master Direction on Outsourcing of Information Technology Services (RBI/2023-24/102, DoS.CO.CSITEG/SEC.1/31.01.015/2023-24). These Directions, which became effective from 01 October 2023, fundamentally reshaped how regulated entities (REs) govern, contract, monitor and audit their reliance on third parties for information technology and IT-enabled services. The Directions apply to a broad universe of REs including scheduled commercial banks, small finance banks, payments banks, co-operative banks, NBFCs, credit information companies, All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI) and, on a comply-or-explain basis, to their group entities and service providers operating within the financial ecosystem.
The RBI IT Outsourcing Directions sit alongside, and must be read with, the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (IT Governance Direction, November 2023), the earlier 2006 Outsourcing of Financial Services Guidelines, the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services, the Cyber Security Framework in Banks (June 2016), and sector-specific instructions from NPCI, UIDAI, SEBI, IRDAI, PFRDA and CERT-In. A CyberSigma RBI IT Outsourcing Audit provides an independent, auditor-grade assessment of an RE's outsourcing governance, its due-diligence and contracting discipline, its ongoing monitoring, its concentration and country risk posture, its business continuity and exit arrangements, and its ability to demonstrate all of this to RBI Senior Supervisory Managers (SSMs) and inspecting officers.
Copyright and source note
The RBI Master Direction on Outsourcing of Information Technology Services and all associated RBI/NPCI/UIDAI/SEBI/CERT-In circulars are the copyrighted intellectual property of their respective issuers. This guide is an original CyberSigma work that paraphrases and interprets the regulatory obligations for assessment purposes. It does not reproduce the official text. Always obtain the authoritative circulars from the RBI website (rbi.org.in) and the relevant regulator, and treat those documents as the binding source. Regulatory positions evolve; verify the current version before relying on any control mapping herein.
What is the RBI IT Outsourcing Direction?
The RBI IT Outsourcing Direction is a principle-and-rule-based regulatory instrument that requires regulated entities to retain full accountability and control over outsourced IT activities even when the underlying work is performed by a third party, a group company, or a chain of sub-contractors. The core supervisory expectation is that outsourcing does not diminish the RE's obligations to its customers or to the RBI, nor does it impair the RBI's right and ability to supervise the RE. The RE's board and senior management remain ultimately responsible; outsourcing may transfer activity, but never accountability.
The Direction covers outsourcing of IT services, including but not limited to IT infrastructure management, network and security management, application development and maintenance, hosting, cloud computing, managed security services, data centre operations, IT-enabled services (ITeS) such as business process outsourcing that has an underlying IT component, and the use of financial technology (FinTech) and cloud service providers. It draws a distinction from the outsourcing of pure business/financial processes (governed by the 2006 financial-services outsourcing guidelines), though in practice the two regimes overlap and CyberSigma assesses both where relevant.
Structurally, the Direction is organised around a governance framework (board-approved policy, role of the board and senior management, and a designated senior official/committee), a comprehensive risk-management framework (due diligence, agreements/SLAs, confidentiality and security, business continuity, monitoring and control, right to audit), and specific chapters on cloud services, security, and cross-border/offshore outsourcing. It explicitly requires that the RE be able to demonstrate that outsourced IT activities are subject to the same standards of security, governance and audit as if they were performed in-house.
Who must comply?
The Direction applies to a wide set of RBI-regulated entities. The following table summarises the in-scope population and the practical triggers that bring an entity or an arrangement into scope.
| Category of regulated entity | In-scope? / Notes |
|---|---|
| Scheduled Commercial Banks (excluding RRBs) | Yes — full applicability, including foreign bank branches operating in India |
| Local Area Banks, Small Finance Banks, Payments Banks | Yes — full applicability |
| Primary (Urban) Co-operative Banks | Yes, subject to proportionality based on tier/size as specified by RBI |
| State and Central Co-operative Banks | Yes, where notified; proportionality applies |
| Non-Banking Financial Companies (NBFCs) and HFCs | Yes — Middle and Upper Layer NBFCs in particular; proportionate application to Base Layer |
| Credit Information Companies (CICs) | Yes — full applicability |
| All India Financial Institutions (EXIM, NABARD, NaBFID, NHB, SIDBI) | Yes — full applicability |
| Group and associate entities providing IT services to the RE | In scope via the RE's responsibility for the whole outsourcing chain |
| Third-party service providers, cloud providers, sub-contractors | Bound indirectly through the RE's contract, due diligence and right-to-audit clauses |
- An arrangement is 'outsourcing' when the RE relies on a third party (including a group entity) to perform, on a continuing basis, an IT activity that the RE would otherwise undertake itself and which is integral to the provision of banking/financial services.
- One-off purchases of hardware/software, or standalone licences without ongoing managed services, are generally not treated as outsourcing — but SaaS, PaaS and managed services almost always are.
- Sub-contracting and multi-tiered chains remain the RE's responsibility end-to-end; the RE must approve and control material sub-contracting.
- Intra-group and offshore/cross-border arrangements attract additional country-risk, data-localisation and confidentiality obligations.
Structure of the RBI IT Outsourcing Direction
The Direction can be decomposed into the following control domains. CyberSigma uses this domain map as the backbone of the audit programme; each domain is decomposed further into testable requirements in the master assessment checklist.
| Domain / chapter | Scope of control area |
|---|---|
| D1 Governance framework | Board-approved IT outsourcing policy; role of board and senior management; designated senior official; committee oversight |
| D2 Comprehensive assessment of need & risk | Materiality determination; risk assessment before outsourcing; approval workflow |
| D3 Evaluation & due diligence of service provider | Financial, technical, reputational, security and operational due diligence; periodic re-assessment |
| D4 Outsourcing agreement / SLA | Contract content, service levels, confidentiality, IP, liability, termination, sub-contracting controls |
| D5 Confidentiality & security | Data protection, access control, segregation, security controls at provider, incident handling |
| D6 Business continuity & disaster recovery | BCP/DR at provider, RTO/RPO, portability, contingency plans |
| D7 Monitoring & control of outsourced activities | Ongoing performance monitoring, MIS, SLA governance, service management |
| D8 Right to audit & inspection | RE's, its auditors' and RBI's access rights; audit rights over sub-contractors |
| D9 Concentration risk & vendor lock-in | Portfolio-level concentration, single-point-of-failure, exit strategy |
| D10 Cloud computing services | Cloud-specific governance, shared responsibility, data location, cloud exit |
| D11 Cross-border / offshore outsourcing | Country risk, data sovereignty/localisation, jurisdiction, RBI access |
| D12 Outsourcing to group entities | Arm's-length terms, conflict of interest, ring-fencing |
| D13 Exit strategy & termination management | Exit plan, step-in rights, data return/deletion, transition |
| D14 Reporting & regulatory notification | Reporting to board, incident/adverse-event reporting to RBI, register of arrangements |
Master assessment checklist
This is the core of the audit. Each control domain is enumerated below under its own heading with a table of specific verification points and the typical evidence an assessor should collect. Every domain is covered; no control area is skipped. Auditors should sample outsourcing arrangements across materiality tiers (all material arrangements, plus a risk-based sample of non-material ones) and test each requirement against them.
D1 — Governance framework
| What to verify | Typical evidence |
|---|---|
| A board-approved IT outsourcing policy exists, is current, and covers all elements required by the Direction | Signed policy document with board approval minute, version history, annual review record |
| The board and a designated committee (e.g. IT Strategy Committee / Risk Management Committee) exercise oversight of material outsourcing | Committee terms of reference, meeting minutes, outsourcing risk dashboards tabled to the board |
| A senior management official / function is designated as accountable for the outsourcing framework | Role description, appointment note, RACI, delegation of authority matrix |
| Roles, responsibilities and escalation paths for outsourcing decisions are defined | Governance charter, approval workflow, segregation-of-duties matrix |
| The policy defines materiality criteria and the approval authority commensurate with risk | Materiality assessment methodology, approval thresholds table |
| Board is periodically apprised of the outsourcing portfolio, risks and adverse events | Board pack extracts, periodic MIS, adverse-event escalation records |
D2 — Assessment of need and pre-outsourcing risk assessment
| What to verify | Typical evidence |
|---|---|
| A documented business case and need assessment precedes each outsourcing decision | Business case, cost-benefit analysis, make-vs-buy note |
| A structured risk assessment is performed before outsourcing (strategic, reputational, operational, legal, compliance, concentration, country, exit risks) | Pre-outsourcing risk assessment template, completed risk register per arrangement |
| Materiality of each arrangement is formally classified | Materiality scorecard with rationale and sign-off |
| Regulatory permissibility of the activity being outsourced is checked (some activities cannot be outsourced) | Permissibility check-list, legal/compliance opinion |
| Data classification of information the provider will handle is determined up front | Data classification note, PII/SPDI/UIDAI-data flagging |
D3 — Evaluation and due diligence of the service provider
| What to verify | Typical evidence |
|---|---|
| Financial soundness of the provider is assessed (and periodically re-assessed) | Audited financials, credit checks, financial due-diligence report |
| Technical capability, capacity, and track record are evaluated | Technical evaluation, reference checks, past-performance review |
| Security posture of the provider is assessed (certifications, VAPT, control attestations) | ISO 27001 certificate, SOC 2 Type II report, PCI DSS AOC, VAPT summary |
| Reputational, legal and regulatory standing (sanctions, litigation, adverse media) is checked | Sanctions/PEP screening, adverse-media search, legal search results |
| Sub-contractor and supply-chain due diligence is performed for material sub-contracting | Sub-contractor disclosure, fourth-party assessment |
| Due diligence is refreshed periodically and on trigger events | Periodic re-assessment schedule and completed reviews |
| Business continuity capability of the provider is evaluated | Provider BCP/DR documentation, DR test evidence |
D4 — Outsourcing agreement and service levels
| What to verify | Typical evidence |
|---|---|
| A written, legally binding agreement exists for every arrangement before go-live | Executed contract, master services agreement, statement of work |
| The contract defines scope, service levels, performance metrics, and penalties | SLA schedule, KPI/KRI definitions, service-credit regime |
| Confidentiality, data protection, and information-security obligations are contractual | Confidentiality clause, DPA/security schedule, data-handling annex |
| Ownership of data and intellectual property, and data-return obligations, are clear | IP clause, data-ownership clause, data return/deletion clause |
| The contract restricts and controls sub-contracting (prior consent, flow-down of obligations) | Sub-contracting clause with consent and flow-down provisions |
| Right-to-audit and RBI/regulatory access clauses are included and enforceable | Audit-rights clause, regulator-access clause, cooperation clause |
| Business continuity, exit assistance and termination provisions are contractual | BCP clause, exit-management schedule, termination and transition clauses |
| Liability, indemnity, breach notification timelines and dispute resolution/governing law are defined | Liability/indemnity clauses, breach-notification SLA, governing-law clause |
| For cross-border contracts, jurisdiction and RBI access despite foreign location are secured | Jurisdiction clause, data-access-in-India provisions |
D5 — Confidentiality and security of information
| What to verify | Typical evidence |
|---|---|
| Customer and RE data is protected to standards at least equal to the RE's own | Provider security policy, control mapping to RE standards |
| Logical and physical access controls, least-privilege and segregation of the RE's data are enforced | Access control matrix, IAM records, tenancy/segregation design |
| Encryption of data in transit and at rest is implemented for sensitive data | Encryption standards, key-management design, cipher configuration evidence |
| Data location, and any data localisation requirements (e.g. payment data storage in India), are met | Data-residency attestation, storage-location evidence, NPCI/RBI localisation compliance |
| Security incident detection, notification to the RE, and joint response are defined and tested | Incident-response runbook, breach-notification records, tabletop/test evidence |
| Logging, monitoring and forensic-readiness at the provider are adequate | Log-retention policy, SIEM integration, forensic-support clause |
| Vulnerability management and periodic VAPT of provider systems occur | VAPT reports, patch-compliance evidence, remediation tracker |
| Segregation and secure handling where the provider serves multiple clients (multi-tenancy) | Multi-tenant isolation design, penetration test of isolation |
D6 — Business continuity and disaster recovery
| What to verify | Typical evidence |
|---|---|
| The provider maintains a documented, tested BCP/DR aligned to the RE's requirements | Provider BCP/DR plan, alignment note with RE RTO/RPO |
| Agreed RTO and RPO are defined contractually and demonstrably achievable | SLA RTO/RPO figures, DR drill reports meeting targets |
| The RE participates in or witnesses periodic DR drills | Joint DR test invitation, RE observation report |
| Data and processing can be recovered or repatriated if the provider fails | Data backup/portability evidence, recovery test |
| Contingency plans exist for provider failure, insolvency or exit | Contingency plan, alternate-provider readiness note |
| Dependencies on the provider's own sub-providers are continuity-tested | Fourth-party continuity assessment |
D7 — Monitoring and control of outsourced activities
| What to verify | Typical evidence |
|---|---|
| Ongoing performance and SLA compliance are actively monitored | SLA dashboards, monthly service reviews, KPI trend reports |
| A structured governance forum (service review) meets regularly with the provider | Governance meeting minutes, action logs |
| MIS on outsourced activities is produced and reviewed by RE management | Operational MIS, exception reports, escalation logs |
| Deviations, breaches and service failures are tracked to closure with penalties applied where due | Breach register, service-credit application records, RCA reports |
| Retained in-house capability exists to oversee, and if needed resume, the activity | Retained-team org chart, knowledge-transfer records, runbooks |
| Changes by the provider (systems, locations, sub-contractors) are notified and controlled | Change-notification log, change-approval evidence |
D8 — Right to audit and inspection
| What to verify | Typical evidence |
|---|---|
| The RE, its internal/external auditors and RBI have contractual right to audit the provider | Audit-rights clause, regulator-access clause |
| Audit rights extend to material sub-contractors | Flow-down audit clause in sub-contracts |
| Periodic assurance is obtained (audit reports, control attestations, certifications) | SOC 2 reports, ISO/PCI certificates, independent audit reports, pooled audits |
| The RE reviews assurance reports and tracks control gaps to remediation | Report-review notes, gap tracker, remediation confirmations |
| Provider cooperation with regulatory inspections is demonstrated | Inspection-support records, information-access logs |
D9 — Concentration risk and vendor lock-in
| What to verify | Typical evidence |
|---|---|
| Portfolio-level concentration on any single provider/technology is measured and limited | Concentration analysis, exposure limits, board reporting |
| Single points of failure and systemic dependencies are identified | Dependency map, SPOF analysis |
| Vendor lock-in is mitigated through portability, open standards and multi-sourcing where feasible | Portability assessment, interoperability requirements in contracts |
| Concentration is reported to the board and factored into risk appetite | Board MIS, risk-appetite statement references |
D10 — Cloud computing services
| What to verify | Typical evidence |
|---|---|
| Cloud adoption follows a board-approved cloud strategy and governance model | Cloud policy, cloud governance framework |
| The shared-responsibility model is documented and control ownership is clear (RE vs CSP) | Shared-responsibility matrix per service (IaaS/PaaS/SaaS) |
| Data location, residency and localisation in cloud are controlled and evidenced | Region configuration, data-residency attestation, localisation proof |
| Cloud security controls (IAM, encryption, network segmentation, logging, CSPM) are implemented | Cloud config baselines, CSPM findings, IAM policies, encryption/KMS evidence |
| Cloud exit and portability strategy exists (data export, re-platforming plan) | Cloud exit plan, data-export test, portability design |
| Continuous monitoring of cloud posture and misconfiguration is in place | CSPM/CNAPP dashboards, drift-detection reports |
| Provider certifications and RBI/CERT-In empanelment where applicable are validated | CSP certifications, empanelment evidence, MeitY-empanelment where relevant |
D11 — Cross-border and offshore outsourcing
| What to verify | Typical evidence |
|---|---|
| Country risk of the offshore location is assessed and monitored | Country-risk assessment, political/legal-risk review |
| Data sovereignty and Indian localisation requirements are met (e.g. payment system data) | Data-flow diagram, localisation attestation, NPCI/RBI compliance evidence |
| RBI and the RE retain effective access to data, records and premises despite offshore location | Contractual access rights, in-India copy of data/records |
| Applicable foreign laws do not impair the RE's or RBI's rights | Legal opinion on jurisdiction and enforceability |
| Cross-border data transfer complies with DPDP Act and sectoral rules | DPDP compliance note, transfer-impact assessment |
D12 — Outsourcing to group / associate entities
| What to verify | Typical evidence |
|---|---|
| Intra-group arrangements are on arm's-length terms and formally documented | Group MSA, transfer-pricing/arm's-length documentation |
| Conflicts of interest are identified and managed | Conflict-of-interest register, mitigation controls |
| The same due-diligence, security and audit standards apply to group entities as to third parties | Group-entity due-diligence file, audit evidence |
| Ring-fencing of the RE's data and operations within the group is enforced | Segregation design, access-control evidence |
D13 — Exit strategy and termination management
| What to verify | Typical evidence |
|---|---|
| A documented exit strategy exists for every material arrangement before go-live | Exit plan per arrangement, exit-trigger definitions |
| Termination rights (for cause, convenience, regulatory direction) are contractual | Termination clauses, step-in rights |
| Data return and secure deletion at exit are guaranteed and verifiable | Data-return/deletion clause, certificate-of-destruction template |
| Transition assistance and knowledge transfer obligations bind the provider | Transition-services clause, reverse-transition plan |
| Alternate provider or in-sourcing readiness is assessed | Alternate-sourcing analysis, insourcing feasibility note |
D14 — Reporting and regulatory notification
| What to verify | Typical evidence |
|---|---|
| A central register/inventory of all IT outsourcing arrangements is maintained and current | Outsourcing register with materiality, provider, data-class, review dates |
| Material adverse events, breaches and provider failures are reported to RBI as required | Incident-notification records, CERT-In reporting (6-hour rule), RBI intimation |
| The board receives periodic reporting on the outsourcing portfolio and risks | Board MIS, periodic outsourcing risk report |
| Regulatory changes are tracked and reflected in policy and contracts | Regulatory-change log, policy update records |
Scoping the assessment
Correct scoping ensures the audit is proportionate and complete. CyberSigma establishes the assessment boundary by first building or validating the RE's outsourcing inventory, then stratifying arrangements by materiality and data sensitivity.
- Enumerate all IT and IT-enabled outsourcing arrangements, including cloud, managed services, application development/maintenance, hosting, MSSP, and intra-group IT services.
- Classify each by materiality using the RE's board-approved criteria (criticality to core banking/payments, volume/value of data, customer impact, substitutability).
- Flag arrangements handling PII, SPDI, Aadhaar/UIDAI data, payment/card data (PCI DSS), and any data subject to localisation.
- Include the full outsourcing chain — sub-contractors and fourth parties — for material arrangements.
- Identify cross-border and group-entity arrangements for enhanced testing.
- Confirm which activities are non-outsourceable or require prior regulatory approval and exclude/flag them appropriately.
- Agree the sampling approach: 100% of material arrangements plus a risk-based sample of non-material ones.
Scoping tip
The single most common scoping failure is an incomplete outsourcing register. Shadow SaaS, departmental cloud subscriptions, and 'pilot' engagements that quietly became production are routinely missed. Begin the audit by reconciling the register against accounts-payable vendor data, cloud billing, and network egress/DNS logs to surface undeclared providers.
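The register reconciliation described in the scoping tip (and repeated as the "Initiate" step of the assessment approach) can be automated. The script below is an added illustration, not CyberSigma tooling or anything from the Direction: it takes a declared register, an accounts-payable vendor extract and resolver log lines, all constructed sample data, and lists vendors that are paid but unregistered and external domains queried by several internal hosts that match no declared provider. The log format, the two-label domain collapsing and the distinct-client threshold are simplifying assumptions.

```python
"""Reconcile an IT outsourcing register against accounts-payable / cloud-billing
vendor data and DNS query logs to surface undeclared (shadow) providers.
All inputs below are constructed sample data, not real vendors or hosts."""
from collections import Counter
import re

# Constructed register: the arrangements the RE has actually declared.
REGISTER = [
    {"provider": "Example Core Banking Ltd", "domains": ["corebank-example.com"], "material": True},
    {"provider": "Example Cloud Inc", "domains": ["cloud-example.net"], "material": True},
]

# Constructed accounts-payable / cloud-billing vendor extract.
AP_VENDORS = [
    "Example Core Banking Ltd",
    "Example Cloud Inc",
    "Quick Analytics SaaS Pvt Ltd",  # being paid, never entered in the register
]

# Constructed resolver log lines, assumed format: "<timestamp> <client_ip> <query_name>"
DNS_LOG = """\
2024-03-01T09:00:01Z 10.20.1.15 api.corebank-example.com
2024-03-01T09:00:02Z 10.20.1.15 api.corebank-example.com
2024-03-01T09:01:10Z 10.20.2.40 app.quickanalytics-example.io
2024-03-01T09:01:11Z 10.20.2.41 app.quickanalytics-example.io
2024-03-01T09:01:12Z 10.20.2.42 upload.quickanalytics-example.io
2024-03-01T09:02:00Z 10.20.3.7 intranet.re-example.in
2024-03-01T09:02:30Z 10.20.4.9 cdn.cloud-example.net
2024-03-01T09:03:00Z 10.20.5.1 one-off.random-example.org
"""

INTERNAL_DOMAINS = {"re-example.in"}  # the RE's own domains, excluded from review
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(name: str) -> str:
    """Collapse a hostname to its last two labels. This is a simplification;
    a production tool should use the Public Suffix List (e.g. tldextract)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def declared_domains(register):
    """Registrable domains belonging to declared providers."""
    return {registrable_domain(d) for entry in register for d in entry["domains"]}


def parse_dns_log(text):
    """Return {registrable_domain: (query count, distinct client count)}."""
    queries = Counter()
    clients = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the reconciliation
        _ts, client, qname = m.groups()
        dom = registrable_domain(qname)
        queries[dom] += 1
        clients.setdefault(dom, set()).add(client)
    return {d: (queries[d], len(clients[d])) for d in queries}


def undeclared_from_dns(text, register, internal=INTERNAL_DOMAINS, min_clients=2):
    """External domains queried by at least min_clients distinct hosts that match
    no declared provider: candidate shadow SaaS. The threshold drops one-off lookups."""
    known = declared_domains(register) | {d.lower() for d in internal}
    stats = parse_dns_log(text)
    return sorted(d for d, (_n, c) in stats.items() if d not in known and c >= min_clients)


def undeclared_from_ap(ap_vendors, register):
    """Vendors being paid that have no register entry (case-insensitive name match)."""
    declared = {e["provider"].strip().lower() for e in register}
    return sorted(v for v in ap_vendors if v.strip().lower() not in declared)


def reconcile(text=DNS_LOG, ap_vendors=AP_VENDORS, register=REGISTER):
    """Both views of the gap, for the scoping working paper."""
    return {
        "dns_undeclared": undeclared_from_dns(text, register),
        "ap_undeclared": undeclared_from_ap(ap_vendors, register),
    }


if __name__ == "__main__":
    for source, items in reconcile().items():
        print(source, items)
```

Each flagged domain or vendor is a lead to investigate with the business owner, not a finding in itself; matching AP vendor names to domains still needs a manual mapping step in practice.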
Implementation approach
Whether the RE is building the outsourcing governance framework for the first time or remediating gaps, CyberSigma recommends a phased approach. Each phase below lists indicative activities and deliverables.
Phase 1 — Discovery and gap assessment
- Activities: build/validate the outsourcing inventory; classify materiality; assess current policy, contracts and monitoring against the Direction; identify gaps and quick wins.
- Deliverables: outsourcing register; current-state gap assessment report; prioritised remediation roadmap; RACI.
Phase 2 — Policy and governance design
- Activities: draft/update the board-approved IT outsourcing policy; define materiality methodology, approval workflows, committee mandates and reporting cadence.
- Deliverables: board-approved policy; governance charter; materiality scorecard; standard operating procedures.
Phase 3 — Due diligence and contract remediation
- Activities: run/refresh provider due diligence; remediate contracts to include audit rights, RBI access, security, BCP, exit and sub-contracting clauses; prioritise material and cross-border arrangements.
- Deliverables: due-diligence dossiers; remediated contracts/addenda; standard contract clause library.
Phase 4 — Monitoring, security and continuity uplift
- Activities: stand up SLA and risk monitoring; integrate provider security assurance (SOC 2/ISO/VAPT); align BCP/DR RTO-RPO; run joint DR drills; implement cloud posture monitoring.
- Deliverables: SLA dashboards; assurance-review process; DR drill reports; cloud governance controls.
Phase 5 — Exit readiness and regulatory reporting
- Activities: build exit strategies for material arrangements; establish adverse-event and CERT-In/RBI reporting; finalise board reporting.
- Deliverables: exit plans; incident-reporting playbook; board reporting pack template.
Phase 6 — Assurance, testing and continuous improvement
- Activities: independent audit against the Direction; remediate residual gaps; embed periodic re-assessment and continuous monitoring.
- Deliverables: audit report with maturity rating; remediation tracker; annual review calendar.
Maturity and capability model
CyberSigma rates each control domain on a five-level capability scale. The rating drives the remediation roadmap and provides the board with a defensible, trendable measure of outsourcing risk maturity.
| Level | Descriptor and characteristics |
|---|---|
| Level 1 — Initial | Ad hoc outsourcing; no board policy; contracts lack audit/RBI-access clauses; no register; monitoring is reactive |
| Level 2 — Developing | Policy drafted; partial register; some due diligence; inconsistent contract clauses; monitoring informal |
| Level 3 — Defined | Board-approved policy; complete register; standard due-diligence and contract templates; SLA monitoring established |
| Level 4 — Managed | Risk-based, metric-driven monitoring; assurance reports reviewed; DR drills with providers; exit plans for material arrangements; concentration tracked |
| Level 5 — Optimised | Continuous monitoring and automation; predictive concentration/country-risk analytics; mature exit and portability; fully embedded in enterprise risk and board reporting |
Assessment and audit approach
CyberSigma follows a structured, evidence-led methodology so that findings are defensible before internal audit, statutory auditors and RBI inspecting officers.
- Initiate: agree scope, materiality basis, sampling and timelines; obtain the outsourcing register and reconcile it against vendor/cloud billing data.
- Plan: map in-scope arrangements to the 14 control domains; design test procedures and evidence requests per domain.
- Assess governance: review the board-approved policy, committee minutes and designated-official arrangements against the Direction.
- Test arrangements: for each sampled arrangement, walk through due diligence, contract clauses, security, BCP/DR, monitoring, audit rights and exit.
- Deep-dive high risk: apply enhanced testing to material, cloud, cross-border and group-entity arrangements.
- Validate evidence: corroborate control operation with artefacts (contracts, SOC 2/ISO reports, DR drill results, SLA MIS, incident records), not just interviews.
- Rate maturity: score each domain on the five-level model and quantify residual risk.
- Report: produce findings with severity, root cause, regulatory reference, and prioritised, costed remediation.
- Remediate and re-test: track closure of gaps and re-verify high-severity items.
- Sustain: establish periodic re-assessment, continuous monitoring and regulatory-change tracking.
Evidence request list
The following categorised evidence list is issued at the start of fieldwork. Complete, well-organised evidence dramatically shortens the audit and strengthens the RE's inspection readiness.
- Governance: board-approved IT outsourcing policy; committee terms of reference and minutes; designated-official appointment; delegation-of-authority matrix; board MIS on outsourcing.
- Inventory: complete outsourcing register with materiality classification, data sensitivity, provider, location, sub-contractors, and review dates.
- Due diligence: provider financials and credit checks; technical and security evaluations; sanctions/adverse-media screening; periodic re-assessment records.
- Contracts: executed agreements/MSAs/SOWs; SLA schedules; DPAs/security schedules; audit-rights and RBI-access clauses; sub-contracting, exit and termination clauses.
- Security: provider ISO 27001 / SOC 2 Type II / PCI DSS AOC; VAPT reports; encryption and key-management design; access-control matrices; data-residency attestations.
- Continuity: provider BCP/DR plans; RTO/RPO definitions; DR drill reports; contingency plans; backup/portability evidence.
- Monitoring: SLA dashboards; service-review minutes; breach/exception registers; service-credit records; change-notification logs.
- Assurance: independent audit reports; pooled/third-party assurance; gap trackers and remediation confirmations.
- Cloud: cloud policy; shared-responsibility matrices; CSPM/CNAPP reports; region/residency configuration; cloud exit plans.
- Regulatory: incident-notification and CERT-In/RBI reporting records; concentration analysis; regulatory-change log.
Roles and responsibilities
| Role | Key responsibilities |
|---|---|
| Board of Directors | Approve the outsourcing policy and risk appetite; retain ultimate accountability; review portfolio risk and adverse events |
| IT Strategy / Risk Management Committee | Oversee the outsourcing framework; review material arrangements, concentration and assurance reports |
| Senior Management / Designated Official | Own the framework; ensure due diligence, contracting, monitoring and reporting are executed |
| Business/Service Owner | Define requirements; manage the provider relationship and SLAs day to day |
| Risk & Compliance | Assess risk and permissibility; ensure regulatory alignment; track adverse events and reporting |
| Information Security (CISO) | Set security requirements; validate provider security; oversee incident response and VAPT |
| Procurement / Vendor Management | Run due diligence and contracting; maintain the register; manage exits |
| Internal Audit | Provide independent assurance over the outsourcing framework and its operation |
| Service Provider | Deliver to SLA; maintain security and BCP; support audit and regulatory access; notify incidents and changes |
KPIs to track
- Percentage of outsourcing arrangements with a complete, board-compliant contract (target 100% for material).
- Percentage of material arrangements with a documented, tested exit strategy.
- Percentage of providers with current security assurance (SOC 2/ISO/PCI/VAPT) on file.
- SLA compliance rate per material provider and count of SLA breaches with service credits applied.
- Time to detect and notify (RE and CERT-In/RBI) provider security incidents.
- DR drill success rate against contracted RTO/RPO for material arrangements.
- Concentration exposure: share of critical services on the top provider(s) and single points of failure.
- Due-diligence currency: percentage of providers within their re-assessment cycle.
- Open outsourcing audit findings by severity and mean time to remediate.
- Register completeness: reconciled outsourcing register vs vendor/cloud spend coverage.
Readiness checklist
- Board-approved IT outsourcing policy in place, current, and covering all elements of the Direction.
- Designated senior official and oversight committee formally mandated.
- Complete, materiality-classified outsourcing register maintained and reconciled to spend.
- Documented pre-outsourcing risk and permissibility assessment for each arrangement.
- Due diligence completed and periodically refreshed for all material providers.
- Contracts include audit rights, RBI/regulator access, security, BCP, exit and sub-contracting controls.
- Provider security assurance (SOC 2/ISO/PCI/VAPT) obtained and reviewed.
- Data localisation and residency requirements met and evidenced (payments/UIDAI/SPDI).
- SLA and risk monitoring operational with regular service governance forums.
- BCP/DR aligned to RTO/RPO with joint DR drills conducted.
- Exit strategies documented and tested for material arrangements.
- Concentration and country risk measured and reported to the board.
- Incident and adverse-event reporting to RBI/CERT-In defined and rehearsed.
- Retained in-house capability to oversee and, if needed, resume outsourced activities.
Common gaps
- Incomplete outsourcing register — shadow SaaS and cloud subscriptions absent, so material arrangements go ungoverned.
- Contracts missing RBI/regulator right-to-audit and access clauses, or lacking flow-down to sub-contractors.
- No documented, tested exit strategy — the RE cannot leave without severe disruption (vendor lock-in).
- Weak or stale provider due diligence; security assurance (SOC 2/VAPT) not obtained or never reviewed.
- Data localisation breaches — payment or Aadhaar-linked data stored or replicated outside India.
- BCP/DR RTO/RPO defined on paper but never jointly drill-tested with the provider.
- Sub-contracting (fourth parties) not disclosed, assessed or controlled.
- Concentration risk unmeasured; single provider underpins multiple critical services.
- Cloud shared-responsibility model undocumented, leaving control gaps between RE and CSP.
- Adverse-event and CERT-In 6-hour incident reporting obligations not operationalised: the provider contract sets no notification deadline, or sets one longer than the RE's own reporting window, so the RE learns of an incident only after its regulatory clock has already run.
- Governance on paper only — committee does not actually review material arrangements or assurance reports.
- Intra-group IT services treated informally without arm's-length terms, due diligence or audit rights.
RBI IT Outsourcing mapped to other frameworks
Outsourcing controls rarely exist in isolation. The following mapping helps REs reuse existing control evidence and demonstrate coherent, non-duplicative compliance across regulators and standards.
| RBI IT Outsourcing domain | Related framework / control area |
|---|---|
| D1 Governance | RBI IT Governance Direction (2023) board/committee roles; ISO 27001 A.5 org controls; ISO 27036 supplier governance |
| D3 Due diligence | ISO 27036 supplier relationships; NIST CSF GV.SC (Supply Chain); SOC 2 vendor management |
| D4 Agreements / SLA | ISO 27001 A.5.19-A.5.22 supplier agreements; DPDP Act data-processor obligations; EBA/APRA outsourcing analogues |
| D5 Security & confidentiality | ISO 27001 Annex A; PCI DSS (payment data); RBI Cyber Security Framework; UIDAI Aadhaar security requirements |
| D6 BCP/DR | ISO 22301 business continuity; RBI IT Governance Direction BCP chapter; NIST CSF RC (Recover) |
| D8 Right to audit | SOC 2 / ISAE 3402 assurance reporting; ISO 27001 A.5.35 independent review |
| D10 Cloud | MeitY empanelment; CSA CCM; ISO 27017/27018; RBI cloud expectations; CERT-In cloud advisories |
| D11 Cross-border | DPDP Act cross-border transfer; RBI/NPCI payment data localisation; data-sovereignty requirements |
| D14 Reporting | CERT-In 6-hour incident reporting directions (2022); RBI cyber-incident reporting (2 to 6 hours under the 2016 Cyber Security Framework); SEBI/IRDAI/PFRDA sectoral reporting |
How CyberSigma helps
As a CERT-In empanelled auditor and PCI QSA firm, CyberSigma delivers end-to-end RBI IT Outsourcing readiness — from building your outsourcing register and materiality model, through contract and due-diligence remediation, cloud and cross-border risk assessment, joint DR validation and exit-strategy design, to an independent, inspection-ready audit rated against a five-level maturity model. Our assessors combine hands-on knowledge of RBI, NPCI, UIDAI, SEBI and CERT-In expectations with ISO 27001, ISO 22301, PCI DSS and SOC 2 assurance, so you demonstrate coherent, defensible compliance to your board and to RBI Senior Supervisory Managers. Engage CyberSigma to close gaps before your next RBI inspection — not after.