Cybersigma Consulting Services LLP is listed in the CERT-In empanelled-auditor directory with capabilities across network, web, API, mobile, thick-client and wireless audits; compliance audits; finance-sector audits covering SWIFT, NPCI, ATMs, APIs and payment gateways; ICS/OT; and cloud-security audits — with CISA and PCI QSA-qualified personnel.

Master list of audits CyberSigma can offer

| Regulator / ecosystem | Organisations covered | Audits CyberSigma can offer |
|---|---|---|
| RBI — Banks | Commercial banks, SFBs, payment banks, foreign bank branches, applicable AIFIs | IT governance & risk-based IS audit; cybersecurity audit; VA/PT; internet/mobile-banking & API audit; CBS review; SWIFT CSCF; ATM/switch & card-system audit; SOC/SIEM; IAM/PAM; source-code review; cloud; BCP/DR; data-centre; third-party IT audit |
| RBI — Co-operative banks | UCBs, scheduled UCBs | Basic & Comprehensive (graded) cyber-framework audit; internet-banking CISA audit; mobile-banking VAPT; CBS/ATM/network; BCP/DR; vendor & SOC review |
| RBI — NBFCs | NBFC Base/Middle/Upper/Top layers; MFI, Factor, IFC, IDF, P2P, AA | NBFC cyber & IS audit; IT governance; DLA/LSP audit; outsourcing; privacy & data-security; KYC/V-CIP; fraud-monitoring; cloud; VAPT; BCP/DR; API & application review |
| RBI — Housing finance | HFCs & housing-loan platforms | HFC IS/CISA audit; LOS/LMS audit; digital-lending review; KYC/V-CIP; vendor & cloud; BCP/DR; VAPT; access/logging/data-integrity audit |
| RBI — Payment systems | PSOs, PAs, PGs, PPIs, card networks, remittance, TReDS | Pre-authorization & annual SAR; data-localisation SAR; PA/PG audit; PPI system audit; cyber-resilience & payment-security audit; merchant platform; escrow/reconciliation controls; API/mobile/cloud/VAPT/DR |
| NPCI ecosystem | Sponsor/PSP banks, TPAPs, issuers, acquirers, switch & technical providers | UPI, IMPS, RuPay, AePS, APB, NACH, BBPS, NFS/ATM, NETC FASTag, CTS security audits; application/API/VAPT; switch review; reconciliation & settlement; DR; source code; cloud & vendor |
| UIDAI / Aadhaar | AUA, KUA, Sub-AUA, Sub-KUA, ASA & Aadhaar tech providers | Pre-onboarding & annual AUA/KUA audit; Sub-AUA/KUA & ASA audit; authentication app/SDK audit; Aadhaar Data Vault; consent/privacy/logging; cloud ADV; VAPT; encryption/HSM |
| SEBI | Exchanges, CCs, depositories, brokers, DPs, AMCs, MFs, RTAs, KRAs, CRAs, PMs, AIFs | CSCRF cyber audit; VAPT; stock-broker & PCM system audit; MII audit; cloud-framework audit; SOC/M-SOC; BCP/DR; application/API/source-code & vendor audit |
| IRDAI | Insurers, reinsurers, brokers, web aggregators, TPAs, corporate agents, InsurTechs | Information & cybersecurity audit; ISNP audit; cyber-incident preparedness; VAPT; application/API/mobile; SOC; cloud; data protection; vendor & BCP/DR |
| PFRDA | CRA, NPS Trust, pension funds, custodian, trustee bank, PoPs, retirement advisers | Information & cybersecurity audit; annual cyber-security certificate support; cloud audit; CRA/PoP technology audit; VAPT; BCP/DR; incident-response & data-security review |
| IFSCA | Banks, finance cos, funds, insurers, broker-dealers, clearing members, MIIs in GIFT IFSC | Cyber-resilience audit; MII cyber audit; cloud & third-party audit; VAPT; SOC; BCP/DR; incident management; application & infrastructure review |
| CERT-In / MeitY | Government, PSU, critical-sector & private organisations | Comprehensive cybersecurity audit; VAPT; configuration audit; network/web/mobile/API/thick-client/wireless; source-code review; cloud; incident-readiness & log-compliance review |
| Cross-industry | BFSI, fintech, SaaS, government, enterprises | PCI DSS; PCI PIN readiness; SWIFT CSCF; ISO 27001 internal/readiness; SOC readiness; DPDP privacy audit; ITGC; TPRA; red teaming; architecture & configuration review |

Core regulatory circular register

Restricted to instruments that directly create or influence cybersecurity, IS/system audit, data, outsourcing, resilience, VAPT or technology-control obligations. Every proposal attaches the applicable circular title, reference, date, amendment status, client applicability, required auditor qualification, audit frequency, submission authority and report format.

RBI, NBFC, HFC & payment systems

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| RBI IT Governance, Risk, Controls & Assurance Practices Directions, 2023 | 7 Nov 2023; eff. 1 Apr 2024 | Main IT governance, IS audit, cyber, VAPT, BCP/DR & assurance framework |
| RBI Outsourcing of IT Services Directions, 2023 | 10 Apr 2023 | IT outsourcing, cloud, audit rights, concentration & supply-chain risk |
| Cyber Security Framework in Banks | 2 Jun 2016 | Bank cybersecurity baseline, SOC & incident preparedness |
| Digital Payment Security Controls Directions, 2021 | 18 Feb 2021 | Internet, mobile, card & digital-payment security |
| Cyber Resilience & Digital Payment Security Controls for non-bank PSOs | 30 Jul 2024 | Non-bank PSO governance, detection, response, testing & resilience |
| Storage of Payment System Data | 6 Apr 2018 | India-only payment-data storage & localisation audit |
| Scope & Coverage of System Audit of Payment Systems | 10 Jan 2020 | SAR scope & coverage |
| Guidelines on Regulation of Payment Aggregators & Payment Gateways | 17 Mar 2020 | PA authorization, security, merchant, data & audit controls |
| Master Directions on Prepaid Payment Instruments | 27 Aug 2021 (amended) | PPI technology, KYC, interoperability & system controls |
| RBI Digital Lending Directions | 2025 | DLA/LSP, consent, data, privacy, disbursement & customer protection |
| Master Direction — KYC | 2016; updated Aug 2025 | KYC, V-CIP, records & technology controls |
| Master Directions on Fraud Risk Management in REs | 15 Jul 2024 | Fraud governance, monitoring, classification & reporting |
| NBFC Scale-Based Regulation Directions | 2025 | NBFC category & layer applicability |
| RBI Housing Finance Companies Directions | 2025 | Current HFC regulatory & IS-audit baseline |
| Basic / Comprehensive Cyber Security Framework for UCBs | Current | Baseline & graded co-operative-bank cyber controls & VA/PT |

UIDAI / Aadhaar

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| AUA/KUA Compliance Checklist | v2.0, May 2025 | Current AUA/KUA compliance criteria |
| Sub-AUA/Sub-KUA Compliance Checklist | v2.0, May 2025 | Current Sub-AUA/Sub-KUA audit criteria |
| ASA Audit Compliance Checklist | v3.0, Nov 2022 | ASA infrastructure & network audit (CERT-In auditor required) |
| Circular 2 of 2025 — Sub-AUA/KUA app & undertaking | Feb 2025 | Annual entity & app/SDK audit by CERT-In auditor |
| Circular 14 of 2025 | 4 Nov 2025 | GCC/ADV/cloud & annual SOC 2 Type II audit |
| Aadhaar Authentication & Offline Verification Regulations, 2021 | Current | Authentication, consent, e-KYC & data controls |

SEBI

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| CSCRF for SEBI REs | SEBI/HO/ITD-1/…/2024/113; 20 Aug 2024 | Principal CSCRF audit standard |
| CSCRF implementation extensions & clarifications | 2024–2025 | Timelines, categorisation, controls & audit clarifications |
| Framework for Adoption of Cloud Services by SEBI REs | 6 Mar 2023 | Cloud governance, contracts, audit & exit controls |
| Monitoring & Supervision of System Audit of Stock Brokers | SEBI/…/2025/10; 31 Jan 2025 | Technology-based stock-broker system audit |
| System Audit of Professional Clearing Members | 20 Jun 2024 | PCM system-audit scope |
| Annual System Audit of MIIs | 7 Jan 2020 | Annual exchange, CC & depository audit |

IRDAI

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| IRDAI Information & Cybersecurity Guidelines, 2026 | Apr 2026 | Primary insurance-sector cyber & information-security framework |
| Circular on Cyber Incident or Crisis Preparedness | 26 Mar 2025 | Incident & crisis exercises |
| Insurance e-commerce / ISNP requirements | Current | Annual security review of digital insurance platforms |

PFRDA

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| Information & Cyber Security Policy Guidelines — 2024 | PFRDA/2024/14/ICS/01 | Main cyber framework |
| Policy on Adoption of Cloud Services | PFRDA/2023/33/ICS/01; 23 Nov 2023 | Cloud governance, risk & audit |
| CERT-In Cyber Security Directions adoption | PFRDA/2022/14/I&CS/02 | Incident reporting, logs & time sync |
| PoP operational guidelines (NPS/APY/NPS-Lite) | 27 Feb 2026 | Annual cybersecurity certificate |
| Audit of PoPs (NPS/APY/NPS-Lite) | PFRDA/2026/36-38/SUP-POP; 17 Jun 2026 | PoP operational audits |

IFSCA

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| Guidelines on Cyber Security & Cyber Resilience for REs in IFSCs | 10 Mar 2025 | Principal IFSC cyber framework |
| Guidelines on Cyber Security & Cyber Resilience for MIIs in IFSC | IFSCA-CSD/MSC/2/2026-DCS; 20 Apr 2026 | Prescriptive MII audit framework |

CERT-In

| Instrument | Date / reference | Audit relevance |
|---|---|---|
| CERT-In Directions under section 70B of the IT Act | 28 Apr 2022 | 6-hour incident reporting, logs, time sync & point of contact |
| Comprehensive Cyber Security Audit Policy Guidelines | v1.0; 25 Jul 2025 | Audit planning, execution, reporting, evidence & auditor conduct |
| Current CERT-In empanelled-auditor list | Current | Auditor eligibility validation |

Audits we position with the correct qualification

Some engagements require a specific professional or accredited body to sign. CyberSigma performs the technical/cyber testing; the reserved sign-off is by the prescribed authority.

| Audit | Correct positioning |
|---|---|
| RBI/NBFC/HFC statutory financial audit | Separate from cyber/IS audit — requires an eligible ICAI statutory auditor |
| SEBI compliance audits reserved for CA/CS/CMA | CyberSigma performs cyber & technology testing; regulated sign-off by the prescribed professional |
| PFRDA PoP operational audit | Verify the 2026 circular’s prescribed auditor qualification before accepting the signing engagement |
| ISO 27001 certification | CyberSigma provides readiness, implementation & internal audit; the certificate is issued by an accredited certification body |
| SOC 1 / SOC 2 attestation | CyberSigma provides readiness & technical testing; the formal AICPA report is issued by an eligible CPA firm |
| DPDP “certification” | CyberSigma offers DPDP gap assessment, privacy audit & implementation — not a government DPDP certificate |
| NPCI certification | Audit against the current product circular; not an automatic NPCI approval |

Regulatory audit service menu

Need a regulatory audit scoped to your entity?

Our CERT-In empanelled, PCI QSA senior auditors map the exact circulars, auditor qualification and report format to your registration category — then deliver.
