CERT-In empanelled · PCI QSA

Regulatory Audit Catalogue & Circular Register

The regulatory cybersecurity and information-systems audits CyberSigma delivers across RBI, NBFC, HFC, payment systems, NPCI, UIDAI, SEBI, IRDAI, PFRDA, IFSCA and CERT-In — mapped to the governing circulars.

Cybersigma Consulting Services LLP is listed in the CERT-In empanelled-auditor directory with capabilities across network, web, API, mobile, thick-client and wireless audits; compliance audits; finance-sector audits covering SWIFT, NPCI, ATMs, APIs and payment gateways; ICS/OT; and cloud-security audits — with CISA and PCI QSA-qualified personnel.

Scope of authority
This supports a broad regulatory cybersecurity and IS-audit portfolio. It does not automatically authorise CyberSigma to sign statutory financial audits, secretarial audits or attestations reserved for CA, CS, CMA, CPA or accredited certification bodies. Every proposal contains an applicability determination and the required auditor qualification.

Master list of audits CyberSigma can offer

| Regulator / ecosystem | Organisations covered | Audits CyberSigma can offer |
| --- | --- | --- |
| RBI — Banks | Commercial banks, SFBs, payment banks, foreign bank branches, applicable AIFIs | IT governance & risk-based IS audit; cybersecurity audit; VA/PT; internet/mobile-banking & API audit; CBS review; SWIFT CSCF; ATM/switch & card-system audit; SOC/SIEM; IAM/PAM; source-code review; cloud; BCP/DR; data-centre; third-party IT audit |
| RBI — Co-operative banks | UCBs, scheduled UCBs | Basic & Comprehensive (graded) cyber-framework audit; internet-banking CISA audit; mobile-banking VAPT; CBS/ATM/network; BCP/DR; vendor & SOC review |
| RBI — NBFCs | NBFC Base/Middle/Upper/Top layers; MFI, Factor, IFC, IDF, P2P, AA | NBFC cyber & IS audit; IT governance; DLA/LSP audit; outsourcing; privacy & data-security; KYC/V-CIP; fraud-monitoring; cloud; VAPT; BCP/DR; API & application review |
| RBI — Housing finance | HFCs & housing-loan platforms | HFC IS/CISA audit; LOS/LMS audit; digital-lending review; KYC/V-CIP; vendor & cloud; BCP/DR; VAPT; access/logging/data-integrity audit |
| RBI — Payment systems | PSOs, PAs, PGs, PPIs, card networks, remittance, TReDS | Pre-authorization & annual SAR; data-localisation SAR; PA/PG audit; PPI system audit; cyber-resilience & payment-security audit; merchant platform; escrow/reconciliation controls; API/mobile/cloud/VAPT/DR |
| NPCI ecosystem | Sponsor/PSP banks, TPAPs, issuers, acquirers, switch & technical providers | UPI, IMPS, RuPay, AePS, APB, NACH, BBPS, NFS/ATM, NETC FASTag, CTS security audits; application/API/VAPT; switch review; reconciliation & settlement; DR; source code; cloud & vendor |
| UIDAI / Aadhaar | AUA, KUA, Sub-AUA, Sub-KUA, ASA & Aadhaar tech providers | Pre-onboarding & annual AUA/KUA audit; Sub-AUA/KUA & ASA audit; authentication app/SDK audit; Aadhaar Data Vault; consent/privacy/logging; cloud ADV; VAPT; encryption/HSM |
| SEBI | Exchanges, CCs, depositories, brokers, DPs, AMCs, MFs, RTAs, KRAs, CRAs, PMs, AIFs | CSCRF cyber audit; VAPT; stock-broker & PCM system audit; MII audit; cloud-framework audit; SOC/M-SOC; BCP/DR; application/API/source-code & vendor audit |
| IRDAI | Insurers, reinsurers, brokers, web aggregators, TPAs, corporate agents, InsurTechs | Information & cybersecurity audit; ISNP audit; cyber-incident preparedness; VAPT; application/API/mobile; SOC; cloud; data protection; vendor & BCP/DR |
| PFRDA | CRA, NPS Trust, pension funds, custodian, trustee bank, PoPs, retirement advisers | Information & cybersecurity audit; annual cyber-security certificate support; cloud audit; CRA/PoP technology audit; VAPT; BCP/DR; incident-response & data-security review |
| IFSCA | Banks, finance cos, funds, insurers, broker-dealers, clearing members, MIIs in GIFT IFSC | Cyber-resilience audit; MII cyber audit; cloud & third-party audit; VAPT; SOC; BCP/DR; incident management; application & infrastructure review |
| CERT-In / MeitY | Government, PSU, critical-sector & private organisations | Comprehensive cybersecurity audit; VAPT; configuration audit; network/web/mobile/API/thick-client/wireless; source-code review; cloud; incident-readiness & log-compliance review |
| Cross-industry | BFSI, fintech, SaaS, government, enterprises | PCI DSS; PCI PIN readiness; SWIFT CSCF; ISO 27001 internal/readiness; SOC readiness; DPDP privacy audit; ITGC; TPRA; red teaming; architecture & configuration review |

Core regulatory circular register

Restricted to instruments that directly create or influence cybersecurity, IS/system audit, data, outsourcing, resilience, VAPT or technology-control obligations. Every proposal attaches the applicable circular title, reference, date, amendment status, client applicability, required auditor qualification, audit frequency, submission authority and report format.

RBI, NBFC, HFC & payment systems

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| RBI IT Governance, Risk, Controls & Assurance Practices Directions, 2023 | 7 Nov 2023; eff. 1 Apr 2024 | Main IT governance, IS audit, cyber, VAPT, BCP/DR & assurance framework |
| RBI Outsourcing of IT Services Directions, 2023 | 10 Apr 2023 | IT outsourcing, cloud, audit rights, concentration & supply-chain risk |
| Cyber Security Framework in Banks | 2 Jun 2016 | Bank cybersecurity baseline, SOC & incident preparedness |
| Digital Payment Security Controls Directions, 2021 | 18 Feb 2021 | Internet, mobile, card & digital-payment security |
| Cyber Resilience & Digital Payment Security Controls for non-bank PSOs | 30 Jul 2024 | Non-bank PSO governance, detection, response, testing & resilience |
| Storage of Payment System Data | 6 Apr 2018 | India-only payment-data storage & localisation audit |
| Scope & Coverage of System Audit of Payment Systems | 10 Jan 2020 | SAR scope & coverage |
| Guidelines on Regulation of Payment Aggregators & Payment Gateways | 17 Mar 2020 | PA authorization, security, merchant, data & audit controls |
| Master Directions on Prepaid Payment Instruments | 27 Aug 2021 (amended) | PPI technology, KYC, interoperability & system controls |
| RBI Digital Lending Directions | 2025 | DLA/LSP, consent, data, privacy, disbursement & customer protection |
| Master Direction — KYC | 2016; updated Aug 2025 | KYC, V-CIP, records & technology controls |
| Master Directions on Fraud Risk Management in REs | 15 Jul 2024 | Fraud governance, monitoring, classification & reporting |
| NBFC Scale-Based Regulation Directions | 2025 | NBFC category & layer applicability |
| RBI Housing Finance Companies Directions | 2025 | Current HFC regulatory & IS-audit baseline |
| Basic / Comprehensive Cyber Security Framework for UCBs | Current | Baseline & graded co-operative-bank cyber controls & VA/PT |

UIDAI / Aadhaar

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| AUA/KUA Compliance Checklist | v2.0, May 2025 | Current AUA/KUA compliance criteria |
| Sub-AUA/Sub-KUA Compliance Checklist | v2.0, May 2025 | Current Sub-AUA/Sub-KUA audit criteria |
| ASA Audit Compliance Checklist | v3.0, Nov 2022 | ASA infrastructure & network audit (CERT-In auditor required) |
| Circular 2 of 2025 — Sub-AUA/KUA app & undertaking | Feb 2025 | Annual entity & app/SDK audit by CERT-In auditor |
| Circular 14 of 2025 | 4 Nov 2025 | GCC/ADV/cloud & annual SOC 2 Type II audit |
| Aadhaar Authentication & Offline Verification Regulations, 2021 | Current | Authentication, consent, e-KYC & data controls |

SEBI

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| CSCRF for SEBI REs | SEBI/HO/ITD-1/…/2024/113; 20 Aug 2024 | Principal CSCRF audit standard |
| CSCRF implementation extensions & clarifications | 2024–2025 | Timelines, categorisation, controls & audit clarifications |
| Framework for Adoption of Cloud Services by SEBI REs | 6 Mar 2023 | Cloud governance, contracts, audit & exit controls |
| Monitoring & Supervision of System Audit of Stock Brokers | SEBI/…/2025/10; 31 Jan 2025 | Technology-based stock-broker system audit |
| System Audit of Professional Clearing Members | 20 Jun 2024 | PCM system-audit scope |
| Annual System Audit of MIIs | 7 Jan 2020 | Annual exchange, CC & depository audit |

IRDAI

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| IRDAI Information & Cybersecurity Guidelines, 2026 | Apr 2026 | Primary insurance-sector cyber & information-security framework |
| Circular on Cyber Incident or Crisis Preparedness | 26 Mar 2025 | Incident & crisis exercises |
| Insurance e-commerce / ISNP requirements | Current | Annual security review of digital insurance platforms |

PFRDA

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| Information & Cyber Security Policy Guidelines — 2024 | PFRDA/2024/14/ICS/01 | Main cyber framework |
| Policy on Adoption of Cloud Services | PFRDA/2023/33/ICS/01; 23 Nov 2023 | Cloud governance, risk & audit |
| CERT-In Cyber Security Directions adoption | PFRDA/2022/14/I&CS/02 | Incident reporting, logs & time sync |
| PoP operational guidelines (NPS/APY/NPS-Lite) | 27 Feb 2026 | Annual cybersecurity certificate |
| Audit of PoPs (NPS/APY/NPS-Lite) | PFRDA/2026/36-38/SUP-POP; 17 Jun 2026 | PoP operational audits |

IFSCA

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| Guidelines on Cyber Security & Cyber Resilience for REs in IFSCs | 10 Mar 2025 | Principal IFSC cyber framework |
| Guidelines on Cyber Security & Cyber Resilience for MIIs in IFSC | IFSCA-CSD/MSC/2/2026-DCS; 20 Apr 2026 | Prescriptive MII audit framework |

CERT-In

| Instrument | Date / reference | Audit relevance |
| --- | --- | --- |
| CERT-In Directions under section 70B of the IT Act | 28 Apr 2022 | 6-hour incident reporting, logs, time sync & point of contact |
| Comprehensive Cyber Security Audit Policy Guidelines | v1.0; 25 Jul 2025 | Audit planning, execution, reporting, evidence & auditor conduct |
| Current CERT-In empanelled-auditor list | Current | Auditor eligibility validation |

Audits we position with the correct qualification

Some engagements require a specific professional or accredited body to sign. CyberSigma performs the technical/cyber testing; the reserved sign-off is by the prescribed authority.

| Audit | Correct positioning |
| --- | --- |
| RBI/NBFC/HFC statutory financial audit | Separate from cyber/IS audit — requires an eligible ICAI statutory auditor |
| SEBI compliance audits reserved for CA/CS/CMA | CyberSigma performs cyber & technology testing; regulated sign-off by the prescribed professional |
| PFRDA PoP operational audit | Verify the 2026 circular’s prescribed auditor qualification before accepting the signing engagement |
| ISO 27001 certification | CyberSigma provides readiness, implementation & internal audit; the certificate is issued by an accredited certification body |
| SOC 1 / SOC 2 attestation | CyberSigma provides readiness & technical testing; the formal AICPA report is issued by an eligible CPA firm |
| DPDP “certification” | CyberSigma offers DPDP gap assessment, privacy audit & implementation — not a government DPDP certificate |
| NPCI certification | Audit against the current product circular; not an automatic NPCI approval |

Live circular monitoring
CyberSigma monitors RBI, SEBI, UIDAI, NPCI, IRDAI, PFRDA and IFSCA and flags audit-relevant circular changes — so your audit criteria always reflect the current instruments as of the audit cut-off date.

Need a regulatory audit scoped to your entity?

Our CERT-In empanelled, PCI QSA senior auditors map the exact circulars, auditor qualification and report format to your registration category — then deliver.