
RBI Master Direction on IT Governance: The CISO's Definitive Compliance Implementation Guide for Banks and NBFCs
The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI/2023-24/101) is now a live regulatory obligation for every CISO at a Scheduled Commercial Bank, NBFC, or All India Financial Institution. Here are the 10 mission-critical mandates — and why most regulated entities are still failing supervisory review.
The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (RBI/2023-24/101) came into force on April 1, 2024 — and it remains the most operationally demanding cybersecurity mandate the Reserve Bank of India has ever issued to regulated entities. It consolidates and supersedes five earlier RBI IT and cybersecurity circulars, establishing a unified, board-governed framework that goes far beyond policy documentation and demands demonstrable, auditable implementation across every critical technology domain.
Two years on, the direction is not a past obligation — it is an active, continuously assessed regulatory standard. The RBI's supervisory examinations now routinely probe IT governance controls, SOC effectiveness, VAPT remediation records, and board reporting cadence. Institutions that achieved initial compliance in FY 2024–25 must now demonstrate sustained compliance through updated policies, renewed audits, tested incident response plans, and refreshed vendor risk assessments. New entrants into the upper NBFC layer under Scale-Based Regulation face the same full framework from day one. This guide is for every CISO who needs to ensure their institution is not merely compliant on paper — but defensible under supervisory scrutiny.
Why This Master Direction Remains Critical in 2026
Regulatory Status: The RBI Master Direction on IT Governance (RBI/2023-24/101, notified November 7, 2023) is in full force from April 1, 2024 for Scheduled Commercial Banks, Small Finance Banks, Payment Banks, Upper Layer NBFCs, and All India Financial Institutions. Regulatory non-compliance is not theoretical — the RBI has escalated enforcement actions and directed remediation plans following supervisory reviews where IT governance gaps were identified.
1 CISO Appointment, Authority & Board Reporting Line
What the Master Direction requires: The direction mandates that every regulated entity appoint a designated Chief Information Security Officer (CISO) — a dedicated role, not a dual-hat function held by the CTO or Head of IT. The CISO must have a direct reporting line to the Board or its designated committee (typically the IT Strategy Committee or Risk Management Committee), and must not report through the IT function to avoid conflicts of interest.
| Requirement | What the RBI Expects | Common Gap |
|---|---|---|
| CISO Designation | Full-time CISO with documented appointment letter and role charter | CISO role shared with IT head, no formal charter |
| Reporting Line | Direct access to the Board/Risk Committee — not routed via IT/CTO | CISO reports to CTO who reports to Board |
| Board Reporting | Quarterly cybersecurity status reports to the Board with defined content | Annual or ad hoc reporting, no defined format |
| CISO Credentials | RBI expects relevant certifications (CISSP, CISM) and banking security experience | No certification requirement enforced internally |
Implementation action: Issue a formal Board resolution appointing the CISO, documenting their authority, reporting line, and chartered responsibilities. This document must be produced on demand during RBI supervisory reviews.
2 Information Security Policy — Board Approved & Annually Reviewed
What the Master Direction requires: A comprehensive Information Security Policy (ISP) approved by the Board — not the IT committee alone. The policy must cover access controls, cryptography, physical security, network security, application security, vendor/third-party security, and incident management. It must be reviewed and reapproved by the Board at least annually, and any material changes must trigger an interim review.
- Policy scope: Must cover all 12 security domains including physical and environmental security, access management, cryptographic controls, network and endpoint security, cloud security, and supplier/third-party security
- Board approval evidence: Board resolution with date of approval — not just CISO or IT Committee sign-off — must be produced during supervisory review
- Employee awareness: Policy must be communicated to all staff, with documented acknowledgement — the RBI expects evidence that employees have read and accepted the policy
- Cyber risk appetite: The ISP must include or reference a Board-approved Cyber Risk Appetite Statement — defining acceptable thresholds for cyber risk exposure across the institution's operations
3 Security Operations Center (SOC) — 24/7 Monitoring Mandate
What the Master Direction requires: Regulated entities must establish or contract a Security Operations Center operating 24 hours a day, 7 days a week, 365 days a year. The SOC must be capable of real-time event monitoring, threat detection, alert triage, incident escalation, and correlated analysis across all critical IT systems. The direction requires documented SOC operating procedures and defined SLAs for alert response and escalation.
✓ Minimum SOC Capabilities (RBI Compliant)
- 24/7 staffed monitoring — no unmanned periods
- SIEM with centralized log aggregation
- Documented use cases mapped to threat scenarios
- Defined alert escalation matrix and contact tree
- Mean Time to Detect (MTTD) SLA ≤ 15 minutes for critical alerts
- Documented SOC runbooks and incident playbooks
✗ What Will Fail Supervisory Review
- Business-hours-only monitoring (9 AM – 6 PM)
- SIEM deployed but no active detection use cases
- No documented escalation procedures
- Alert response measured in days, not minutes
- Outsourced SOC with no governance oversight or SLA
- Core banking systems not connected to SIEM
4 Cyber Incident Response Plan & RBI Reporting Timelines
What the Master Direction requires: A Board-approved Cyber Incident Response Plan (CIRP) must be documented, tested, and ready to execute. The plan must cover detection, containment, eradication, recovery, and post-incident review phases. Critically, the direction establishes mandatory reporting timelines that CISOs must operationalize:
| Incident Type | Report To | Timeline | What to Report |
|---|---|---|---|
| Major cyber incident (banking ops) | RBI (CSITE) | 2–6 hours | Nature of incident, systems impacted, containment status |
| All cyber incidents | CERT-In | 6 hours | Per CERT-In Directions (Apr 2022) — mandatory for all regulated entities |
| Customer data breach | RBI + MEITY | 6 hours (DPDP alignment) | Data categories exposed, estimated individuals impacted, remediation steps |
| Payment system disruption | RBI + NPCI | Immediate | Transaction systems affected, outage duration, customer impact |
| Board notification | Board/Risk Committee | 24 hours | Executive summary of material incidents + board-level risk assessment |
"Most Indian banks have a documented CIRP — but fewer than 40% have tested it with a tabletop exercise in the past 12 months. The RBI's supervisory review process now specifically asks for evidence of CIRP testing dates and lessons-learned documentation."
5 Vulnerability Assessment & Penetration Testing (VAPT) — Ongoing, Not Periodic
What the Master Direction requires: The direction mandates continuous VAPT across all critical and internet-facing systems — not a once-a-year compliance exercise. Key requirements that most CISOs underestimate:
- Internet-facing systems: Must undergo VAPT before every major release and at minimum quarterly. This includes internet banking, mobile banking apps, payment APIs, and all customer-facing portals.
- Internal networks and core banking: Annual comprehensive VAPT of internal infrastructure — including CBS (Core Banking System), data centre networks, and privileged access systems.
- CERT-In empanelment mandatory: Third-party VAPT providers must be empanelled with CERT-In. Using a non-empanelled vendor for regulatory VAPT will not satisfy the RBI's supervisory requirements. Verify any prospective vendor against CERT-In's published empanelment list before engagement.
- Remediation closure evidence: The direction expects documented remediation of all critical and high findings within defined SLAs (typically 30 days for critical, 90 days for high). Open findings from prior assessments are a red flag during supervisory review.
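As an added example (not taken from the Master Direction or from this guide's own tooling), the following Python script produces the two pieces of evidence that sections 3 and 5 above say supervisors ask for: mean time to detect for critical SOC alerts measured against the 15-minute SLA, and VAPT findings that have exceeded the 30-day (critical) / 90-day (high) remediation window. The alert records and the findings register are constructed sample data; the SLA constants are the thresholds this guide states, and `as_of` stands in for the date of the supervisory review.

```python
from datetime import datetime, timedelta

# SLA thresholds as stated in this guide (assumed to be the institution's policy values)
MTTD_SLA_CRITICAL = timedelta(minutes=15)
REMEDIATION_SLA_DAYS = {"critical": 30, "high": 90}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed SIEM alert records: (alert id, severity, event time, analyst acknowledgement time)
ALERTS = [
    ("A-001", "critical", "2025-03-01 02:10:00", "2025-03-01 02:18:00"),
    ("A-002", "critical", "2025-03-01 14:00:00", "2025-03-01 14:42:00"),
    ("A-003", "high",     "2025-03-02 09:05:00", "2025-03-02 10:05:00"),
]

def mttd_report(alerts, sla=MTTD_SLA_CRITICAL):
    """Return (mean detection delay in minutes for critical alerts, ids of alerts that breached the SLA)."""
    delays, breaches = [], []
    for alert_id, severity, event_ts, ack_ts in alerts:
        if severity != "critical":
            continue  # the 15-minute SLA applies to critical alerts only
        delay = parse_ts(ack_ts) - parse_ts(event_ts)
        delays.append(delay)
        if delay > sla:
            breaches.append(alert_id)
    mean_minutes = sum(d.total_seconds() for d in delays) / len(delays) / 60 if delays else 0.0
    return mean_minutes, breaches

# Constructed VAPT finding register: (finding id, severity, reported date, closed date or None if still open)
FINDINGS = [
    ("F-101", "critical", "2025-01-10", "2025-02-01"),
    ("F-102", "critical", "2025-01-10", None),
    ("F-103", "high",     "2024-11-01", None),
    ("F-104", "high",     "2025-02-15", None),
]

def overdue_findings(findings, as_of):
    """Return ids of findings that were still open past their remediation SLA as of `as_of` (YYYY-MM-DD)."""
    as_of_d = datetime.strptime(as_of, "%Y-%m-%d")
    late = []
    for fid, severity, reported, closed in findings:
        deadline = datetime.strptime(reported, "%Y-%m-%d") + timedelta(days=REMEDIATION_SLA_DAYS[severity])
        end = datetime.strptime(closed, "%Y-%m-%d") if closed else as_of_d
        if end > deadline:
            late.append(fid)  # open finding past deadline, or closed only after it
    return late

if __name__ == "__main__":
    print("MTTD (critical), breaches:", mttd_report(ALERTS))
    print("Findings past remediation SLA:", overdue_findings(FINDINGS, "2025-03-01"))
```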
6 Third-Party & Vendor Risk Management
What the Master Direction requires: All material IT outsourcing arrangements must be governed by a Board-approved Outsourcing Policy. This is particularly relevant for financial institutions that have outsourced SOC operations, cloud infrastructure, core banking hosting, or payment processing. The direction creates specific obligations that many CISOs treat as a procurement issue — it is not. It is a cybersecurity governance requirement.
- Due diligence on vendor's security posture
- Security requirements in contract (SLA, audit rights, data controls)
- Board/senior management approval for material arrangements
- RBI approval for offshore outsourcing of sensitive data
- Annual vendor security assessment
- Review of vendor SOC 2 / ISO 27001 certification
- Incident notification obligations (vendor to bank)
- Concentration risk monitoring (single vendor dependency)
- Documented exit/transition plan for all material vendors
- Data recovery and deletion obligations on contract exit
- Business continuity plan for vendor failure scenarios
- Annual testing of exit plan feasibility
7 Data Classification, Protection & Customer Data Security
What the Master Direction requires: Financial institutions must implement a formal Data Classification Policy with at minimum three tiers: Public, Internal, and Confidential/Sensitive. Customer financial data, Aadhaar-linked data, PAN data, and payment instrument data must be classified at the highest level and protected accordingly. Key technical requirements:
Encryption Requirements
- Data at rest: AES-256 encryption for all sensitive customer data
- Data in transit: TLS 1.2 minimum (TLS 1.3 recommended) for all inter-system communication
- Database encryption: Transparent Data Encryption (TDE) for core banking and customer databases
- Key management: Hardware Security Module (HSM) for cryptographic key storage
Access Control Requirements
- Privileged Access Management (PAM): All privileged accounts must use PAM solutions with session recording
- Least privilege: Role-Based Access Control (RBAC) with quarterly access reviews
- Multi-Factor Authentication: MFA mandatory for all privileged access and remote access
- Separation of duties: Production and non-production environment access must be separated
8 IT Risk Management & Cyber Risk Appetite Framework
What the Master Direction requires: The direction requires a structured IT Risk Management Framework integrated with the institution's Enterprise Risk Management (ERM) framework. Cyber risk must be quantified, reported to the Board, and managed against a defined Cyber Risk Appetite Statement (CRAS). This is one of the least implemented requirements across mid-size banks and NBFCs.
What a Compliant Cyber Risk Appetite Statement Must Include:
9 Business Continuity & IT Disaster Recovery
What the Master Direction requires: A tested IT Business Continuity Plan (BCP) and Disaster Recovery (DR) arrangement for all critical systems. The direction goes significantly beyond older RBI BC/DR guidance — it requires DR site capability to be tested in actual failover mode (not just documentation review) and the RTO/RPO to be validated annually.
| System Category | Required RTO | Required RPO | DR Test Frequency |
|---|---|---|---|
| Core Banking System (CBS) | ≤ 4 hours | ≤ 30 minutes | Bi-annual full failover test |
| Internet Banking / Mobile Banking | ≤ 2 hours | ≤ 15 minutes | Quarterly testing |
| Payment Gateways / UPI | ≤ 30 minutes | Near-zero (real-time replication) | Monthly DR drill |
| SIEM / SOC Infrastructure | ≤ 4 hours | ≤ 24 hours of logs | Annual full failover test |
10 IT Audit, Assurance & Independent Review
What the Master Direction requires: The direction mandates an independent IT audit function — reporting to the Audit Committee of the Board — that conducts annual comprehensive IT audits covering all domains of the Master Direction. The audit cannot be conducted by the same team responsible for IT operations or information security. Additionally, the direction requires independent assurance through:
- Annual IT Audit: Comprehensive review covering IT governance, access controls, change management, SDLC, network security, data protection, incident management, and BCP/DR. Report must be presented to the Audit Committee of the Board.
- IS Audit (Information Systems Audit): Dedicated cybersecurity audit covering SIEM effectiveness, access control governance, VAPT remediation status, and security policy compliance. Must be conducted by CISA-certified auditors or equivalent qualified professionals.
- Cyber Risk Self-Assessment: Annual self-assessment against the RBI's Cybersecurity Framework — submitted to the RBI as part of the supervisory reporting cycle. The format is prescribed by the RBI and must be submitted through the DAKSH supervisory portal.
Adayptus Consulting
RBI Master Direction Gap Assessment for CISOs
Adayptus conducts structured gap assessments against the RBI Master Direction on IT Governance for banks and NBFCs. We assess your current posture against all 10 control domains, produce a Board-ready gap report, and deliver a prioritized remediation roadmap to achieve compliance before your next RBI supervisory review.
- RBI Master Direction compliance gap report
- Board-ready executive summary
- Prioritized 90-day remediation roadmap
- CISO policy templates and documentation support
- CERT-In empanelled VAPT services
- Managed SOC aligned to RBI monitoring requirements
Official References & Source Documents
- RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 7, 2023). RBI/2023-24/101 | Effective April 1, 2024 | rbi.org.in
- RBI Guidelines on Outsourcing of IT Services — Applicable Provisions for Banks and NBFCs. FIDC India | RBI IT Outsourcing Framework | April 2023 | fidcindia.org.in
Adayptus Consulting
Strategic Intelligence Division
Adayptus Consulting is a premier provider of enterprise cybersecurity solutions, specializing in Managed SOC, Penetration Testing, and GRC strategy. Our intelligence division regularly publishes research to help CISOs navigate the evolving threat landscape.


