RBI Master Direction on IT Governance: The CISO's Definitive Compliance Implementation Guide for Banks and NBFCs

Adayptus Consulting
Mar 09, 2026
12 min read

The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI/2023-24/101) is now a live regulatory obligation for every CISO at a Scheduled Commercial Bank, NBFC, or All India Financial Institution. Here are the 10 mission-critical mandates — and why most regulated entities are still failing supervisory review.

The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (RBI/2023-24/101) came into force on April 1, 2024 — and it remains the most operationally demanding cybersecurity mandate the Reserve Bank of India has ever issued to regulated entities. It consolidates and supersedes five earlier RBI IT and cybersecurity circulars, establishing a unified, board-governed framework that goes far beyond policy documentation and demands demonstrable, auditable implementation across every critical technology domain.

Two years on, the direction is not a past obligation — it is an active, continuously assessed regulatory standard. The RBI's supervisory examinations now routinely probe IT governance controls, SOC effectiveness, VAPT remediation records, and board reporting cadence. Institutions that achieved initial compliance in FY 2024–25 must now demonstrate sustained compliance through updated policies, renewed audits, tested incident response plans, and refreshed vendor risk assessments. New entrants into the upper NBFC layer under Scale-Based Regulation face the same full framework from day one. This guide is for every CISO who needs to ensure their institution is not merely compliant on paper — but defensible under supervisory scrutiny.

Why This Master Direction Remains Critical in 2026

01. Ongoing Supervisory Audits: RBI DISA and IS audits are now actively checking SOC coverage, SIEM use case maturity, and VAPT remediation closure — not just policy existence.
02. Annual Renewal Obligations: Board-approved policies, the Cyber Risk Appetite Statement, IS audits, and BCP/DR tests must all be renewed each financial year — compliance is not a one-time event.
03. Expanding NBFC Applicability: NBFCs reclassified to the upper layer under RBI's Scale-Based Regulation must achieve full framework compliance immediately upon classification — regardless of when the direction was originally issued.

Regulatory Status: The RBI Master Direction on IT Governance (RBI/2023-24/101, notified November 7, 2023) is in full force from April 1, 2024 for Scheduled Commercial Banks, Small Finance Banks, Payment Banks, Upper Layer NBFCs, and All India Financial Institutions. Regulatory non-compliance is not theoretical — the RBI has escalated enforcement actions and directed remediation plans following supervisory reviews where IT governance gaps were identified.

1 CISO Appointment, Authority & Board Reporting Line

What the Master Direction requires: The direction mandates that every regulated entity appoint a designated Chief Information Security Officer (CISO) — a dedicated role, not a dual-hat function held by the CTO or Head of IT. The CISO must have a direct reporting line to the Board or its designated committee (typically the IT Strategy Committee or Risk Management Committee), and must not report through the IT function to avoid conflicts of interest.

Requirement | What the RBI Expects | Common Gap
CISO Designation | Full-time CISO with documented appointment letter and role charter | CISO role shared with IT head, no formal charter
Reporting Line | Direct access to the Board/Risk Committee — not routed via IT/CTO | CISO reports to CTO who reports to Board
Board Reporting | Quarterly cybersecurity status reports to the Board with defined content | Annual or ad hoc reporting, no defined format
CISO Credentials | RBI expects relevant certifications (CISSP, CISM) and banking security experience | No certification requirement enforced internally

Implementation action: Issue a formal Board resolution appointing the CISO, documenting their authority, reporting line, and chartered responsibilities. This document must be produced on demand during RBI supervisory reviews.

2 Information Security Policy — Board Approved & Annually Reviewed

What the Master Direction requires: A comprehensive Information Security Policy (ISP) approved by the Board — not the IT committee alone. The policy must cover access controls, cryptography, physical security, network security, application security, vendor/third-party security, and incident management. It must be reviewed and reapproved by the Board at least annually, and any material changes must trigger an interim review.

  • Policy scope: Must cover all 12 security domains including physical and environmental security, access management, cryptographic controls, network and endpoint security, cloud security, and supplier/third-party security
  • Board approval evidence: Board resolution with date of approval — not just CISO or IT Committee sign-off — must be produced during supervisory review
  • Employee awareness: Policy must be communicated to all staff, with documented acknowledgement — the RBI expects evidence that employees have read and accepted the policy
  • Cyber risk appetite: The ISP must include or reference a Board-approved Cyber Risk Appetite Statement — defining acceptable thresholds for cyber risk exposure across the institution's operations

3 Security Operations Center (SOC) — 24/7 Monitoring Mandate

What the Master Direction requires: Regulated entities must establish or contract a Security Operations Center operating 24 hours a day, 7 days a week, 365 days a year. The SOC must be capable of real-time event monitoring, threat detection, alert triage, incident escalation, and correlated analysis across all critical IT systems. The direction requires documented SOC operating procedures and defined SLAs for alert response and escalation.

Minimum SOC Capabilities (RBI Compliant)

  • 24/7 staffed monitoring — no unmanned periods
  • SIEM with centralized log aggregation
  • Documented use cases mapped to threat scenarios
  • Defined alert escalation matrix and contact tree
  • Mean Time to Detect (MTTD) SLA ≤ 15 minutes for critical alerts
  • Documented SOC runbooks and incident playbooks

What Will Fail Supervisory Review

  • Business-hours-only monitoring (9 AM – 6 PM)
  • SIEM deployed but no active detection use cases
  • No documented escalation procedures
  • Alert response measured in days, not minutes
  • Outsourced SOC with no governance oversight or SLA
  • Core banking systems not connected to SIEM
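The two lists above describe what a supervisor checks for: a measurable detection latency against the 15-minute MTTD SLA, and critical systems actually feeding the SIEM. The following is an added example (it is not code from the Adayptus article) showing how a SOC lead could produce that evidence from SIEM alert records. The alert records, system labels in CRITICAL_LOG_SOURCES, and function names are all constructed for illustration; the timestamps are interpreted as event time (activity first visible in the logs) and detection time (alert acknowledged by an analyst).

```python
"""Added example: MTTD SLA measurement and SIEM source-coverage check.
All alert records and system names are constructed, not real data."""
from datetime import datetime, timedelta
from statistics import mean

# SLA from the article: critical alerts detected within 15 minutes.
CRITICAL_MTTD_SLA = timedelta(minutes=15)

# Critical systems that the article expects to be connected to the SIEM
# (constructed source labels; a real deployment would use its own asset inventory).
CRITICAL_LOG_SOURCES = {"cbs-core", "internet-banking", "payment-gateway", "endpoint-edr"}

# Constructed SIEM alert records: event time, analyst detection time, severity, source.
ALERTS = [
    {"id": "A-1001", "source": "cbs-core", "severity": "critical",
     "event": "2025-06-01T02:10:00", "detected": "2025-06-01T02:18:00"},
    {"id": "A-1002", "source": "internet-banking", "severity": "critical",
     "event": "2025-06-01T03:00:00", "detected": "2025-06-01T03:42:00"},
    {"id": "A-1003", "source": "payment-gateway", "severity": "high",
     "event": "2025-06-01T04:05:00", "detected": "2025-06-01T04:20:00"},
    {"id": "A-1004", "source": "cbs-core", "severity": "critical",
     "event": "2025-06-02T22:30:00", "detected": "2025-06-02T22:35:00"},
]


def detection_latency(alert):
    """Time between the logged activity and the analyst acknowledging the alert."""
    return datetime.fromisoformat(alert["detected"]) - datetime.fromisoformat(alert["event"])


def mttd_report(alerts, sla=CRITICAL_MTTD_SLA):
    """Mean time to detect (minutes) for critical alerts, plus the alerts that breached the SLA."""
    critical = [a for a in alerts if a["severity"] == "critical"]
    latencies = [detection_latency(a) for a in critical]
    breaches = [a["id"] for a, lat in zip(critical, latencies) if lat > sla]
    mttd_minutes = mean(lat.total_seconds() for lat in latencies) / 60 if latencies else 0.0
    return {
        "critical_alerts": len(critical),
        "mttd_minutes": round(mttd_minutes, 1),
        "sla_breaches": breaches,
    }


def source_coverage(alerts, required=CRITICAL_LOG_SOURCES):
    """Which required log sources produced at least one alert in the period, and which are silent."""
    seen = {a["source"] for a in alerts}
    return {"covered": sorted(required & seen), "missing": sorted(required - seen)}


if __name__ == "__main__":
    print(mttd_report(ALERTS))        # MTTD 18.3 min, A-1002 breached the 15-minute SLA
    print(source_coverage(ALERTS))    # endpoint-edr sent nothing: a coverage gap to explain
```

A silent source in `source_coverage` is not proof that the system is disconnected, but it is exactly the kind of gap a supervisory examiner will ask about; in practice the coverage check should run against raw log ingestion, not only against alerts.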

4 Cyber Incident Response Plan & RBI Reporting Timelines

What the Master Direction requires: A Board-approved Cyber Incident Response Plan (CIRP) must be documented, tested, and ready to execute. The plan must cover detection, containment, eradication, recovery, and post-incident review phases. Critically, the direction establishes mandatory reporting timelines that CISOs must operationalize:

Incident Type | Report To | Timeline | What to Report
Major cyber incident (banking ops) | RBI (CSITE) | 2–6 hours | Nature of incident, systems impacted, containment status
All cyber incidents | CERT-In | 6 hours | Per CERT-In Directions (Apr 2022) — mandatory for all regulated entities
Customer data breach | RBI + MEITY | 6 hours (DPDP alignment) | Data categories exposed, estimated individuals impacted, remediation steps
Payment system disruption | RBI + NPCI | Immediate | Transaction systems affected, outage duration, customer impact
Board notification | Board/Risk Committee | 24 hours | Executive summary of material incidents + board-level risk assessment

"Most Indian banks have a documented CIRP — but fewer than 40% have tested it with a tabletop exercise in the past 12 months. The RBI's supervisory review process now specifically asks for evidence of CIRP testing dates and lessons-learned documentation."

5 Vulnerability Assessment & Penetration Testing (VAPT) — Ongoing, Not Periodic

What the Master Direction requires: The direction mandates continuous VAPT across all critical and internet-facing systems — not a once-a-year compliance exercise. Key requirements that most CISOs underestimate:

  • Internet-facing systems: Must undergo VAPT before every major release and at minimum quarterly. This includes internet banking, mobile banking apps, payment APIs, and all customer-facing portals.
  • Internal networks and core banking: Annual comprehensive VAPT of internal infrastructure — including CBS (Core Banking System), data centre networks, and privileged access systems.
  • CERT-In empanelment mandatory: Third-party VAPT providers must be empanelled with CERT-In. Using a non-empanelled vendor for regulatory VAPT will not satisfy the RBI's supervisory requirements. Check the current CERT-In empanelled list before engaging a vendor.
  • Remediation closure evidence: The direction expects documented remediation of all critical and high findings within defined SLAs (typically 30 days for critical, 90 days for high). Open findings from prior assessments are a red flag during supervisory review.
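The remediation-closure point above is where most supervisory findings arise, so the tracking needs to be mechanical rather than a spreadsheet updated before the audit. The following is an added example (not code from the Adayptus article) of a finding-aging check that applies the SLAs quoted in the text (30 days for critical, 90 days for high) to a VAPT findings register and classifies each finding as on time, late, overdue, or untracked. The findings, asset names, and function names are constructed for illustration.

```python
"""Added example: VAPT remediation SLA aging over a constructed findings register."""
from datetime import date, timedelta

# SLAs quoted in the article; medium/low findings are tracked separately here.
REMEDIATION_SLA_DAYS = {"critical": 30, "high": 90}

# Constructed findings register: severity, date reported by the assessor, date closed (None if open).
FINDINGS = [
    {"id": "F-01", "asset": "mobile-banking-api", "severity": "critical",
     "found": "2025-04-01", "closed": "2025-04-20"},
    {"id": "F-02", "asset": "internet-banking-portal", "severity": "critical",
     "found": "2025-04-01", "closed": None},
    {"id": "F-03", "asset": "cbs-db-cluster", "severity": "high",
     "found": "2025-02-15", "closed": "2025-06-10"},
    {"id": "F-04", "asset": "payment-gateway", "severity": "high",
     "found": "2025-05-20", "closed": None},
    {"id": "F-05", "asset": "hr-portal", "severity": "medium",
     "found": "2025-03-01", "closed": None},
]


def sla_due_date(finding):
    """Remediation due date, or None when the severity has no SLA in the table."""
    days = REMEDIATION_SLA_DAYS.get(finding["severity"])
    if days is None:
        return None
    return date.fromisoformat(finding["found"]) + timedelta(days=days)


def sla_status(finding, today):
    """Classify one finding relative to its SLA as of `today`."""
    due = sla_due_date(finding)
    if due is None:
        return "untracked"
    if finding["closed"] is None:
        return "overdue" if today > due else "open_within_sla"
    return "closed_late" if date.fromisoformat(finding["closed"]) > due else "closed_on_time"


def remediation_summary(findings, today):
    """Group finding ids by SLA status; 'overdue' is the list an examiner will ask about first."""
    summary = {}
    for f in findings:
        summary.setdefault(sla_status(f, today), []).append(f["id"])
    return summary


if __name__ == "__main__":
    # Constructed review date; pass date.today() in a real job.
    print(remediation_summary(FINDINGS, date(2025, 6, 15)))
```

Running the summary on a fixed review date keeps the output reproducible for the audit file; the `closed_late` bucket matters as much as `overdue`, because a finding closed after its SLA still shows the process did not work.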

6 Third-Party & Vendor Risk Management

What the Master Direction requires: All material IT outsourcing arrangements must be governed by a Board-approved Outsourcing Policy. This is particularly relevant for financial institutions that have outsourced SOC operations, cloud infrastructure, core banking hosting, or payment processing. The direction creates specific obligations that many CISOs treat as a procurement issue — it is not. It is a cybersecurity governance requirement.

Pre-Contracting
  • Due diligence on vendor's security posture
  • Security requirements in contract (SLA, audit rights, data controls)
  • Board/senior management approval for material arrangements
  • RBI approval for offshore outsourcing of sensitive data
Ongoing Monitoring
  • Annual vendor security assessment
  • Review of vendor SOC 2 / ISO 27001 certification
  • Incident notification obligations (vendor to bank)
  • Concentration risk monitoring (single vendor dependency)
Exit Strategy
  • Documented exit/transition plan for all material vendors
  • Data recovery and deletion obligations on contract exit
  • Business continuity plan for vendor failure scenarios
  • Annual testing of exit plan feasibility

7 Data Classification, Protection & Customer Data Security

What the Master Direction requires: Financial institutions must implement a formal Data Classification Policy with at minimum three tiers: Public, Internal, and Confidential/Sensitive. Customer financial data, Aadhaar-linked data, PAN data, and payment instrument data must be classified at the highest level and protected accordingly. Key technical requirements:

Encryption Requirements

  • Data at rest: AES-256 encryption for all sensitive customer data
  • Data in transit: TLS 1.2 minimum (TLS 1.3 recommended) for all inter-system communication
  • Database encryption: Transparent Data Encryption (TDE) for core banking and customer databases
  • Key management: Hardware Security Module (HSM) for cryptographic key storage
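The data-in-transit line above (TLS 1.2 minimum, TLS 1.3 recommended) is easy to state in policy and easy to miss in a single service's client configuration. The following is an added example (not code from the Adayptus article) in Python's standard `ssl` module: a hardened client context beside a deliberately weak one, and an audit function that reports how a given context falls short of the baseline. The function names and the two configurations are constructed for illustration; the cipher string restricts TLS 1.2 to forward-secret AEAD suites, which is a common hardening choice rather than something the direction itself prescribes.

```python
"""Added example: auditing a TLS client context against a TLS 1.2-minimum baseline."""
import ssl


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and verifies the peer."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 remains allowed and preferred
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS-level compression leaks plaintext length
    # Forward-secret AEAD suites only for TLS 1.2 (TLS 1.3 suites are fixed by the protocol)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def legacy_client_context():
    """Deliberately weak configuration of the kind a supervisory review would fail:
    no minimum version pinned by the application, no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of baseline violations; an empty list means the baseline is met."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    # Any TLS 1.2 suite still enabled that is not an AEAD (GCM or ChaCha20-Poly1305) suite
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.2"
            and "GCM" not in c["name"] and "CHACHA20" not in c["name"]]
    if weak:
        findings.append(f"non-AEAD TLS 1.2 ciphers enabled: {weak[:3]}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()))   # expected: []
    print("legacy:  ", audit_tls_context(legacy_client_context()))
```

Note that `minimum_version` on the weak context reflects whatever the system OpenSSL configuration supplies, so on a distribution that already pins TLS 1.2 system-wide the first finding may not appear; the certificate and hostname findings do not depend on that. For the at-rest requirements (AES-256, TDE, HSM-backed keys) the check is a configuration review of the database and key-management platform rather than an application-side setting.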

Access Control Requirements

  • Privileged Access Management (PAM): All privileged accounts must use PAM solutions with session recording
  • Least privilege: Role-Based Access Control (RBAC) with quarterly access reviews
  • Multi-Factor Authentication: MFA mandatory for all privileged access and remote access
  • Separation of duties: Production and non-production environment access must be separated

8 IT Risk Management & Cyber Risk Appetite Framework

What the Master Direction requires: The direction requires a structured IT Risk Management Framework integrated with the institution's Enterprise Risk Management (ERM) framework. Cyber risk must be quantified, reported to the Board, and managed against a defined Cyber Risk Appetite Statement (CRAS). This is one of the least implemented requirements across mid-size banks and NBFCs.

What a Compliant Cyber Risk Appetite Statement Must Include:

01. Maximum acceptable annual financial loss from cyber incidents (in ₹ crore)
02. Maximum tolerable downtime for internet banking / payment systems (in hours)
03. Maximum acceptable number of uncontained cyber incidents per quarter
04. Data breach threshold — maximum records exposed before triggering escalation
05. Third-party risk exposure limits — maximum % of critical operations with single-vendor dependency
06. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems
07. Acceptable residual risk level — quantified after controls are applied
08. Escalation thresholds — when cyber risk exposure requires Board notification

9 Business Continuity & IT Disaster Recovery

What the Master Direction requires: A tested IT Business Continuity Plan (BCP) and Disaster Recovery (DR) arrangement for all critical systems. The direction goes significantly beyond older RBI BC/DR guidance — it requires DR site capability to be tested in actual failover mode (not just documentation review) and the RTO/RPO to be validated annually.

System Category | Required RTO | Required RPO | DR Test Frequency
Core Banking System (CBS) | ≤ 4 hours | ≤ 30 minutes | Bi-annual full failover test
Internet Banking / Mobile Banking | ≤ 2 hours | ≤ 15 minutes | Quarterly testing
Payment Gateways / UPI | ≤ 30 minutes | Near-zero (real-time replication) | Monthly DR drill
SIEM / SOC Infrastructure | ≤ 4 hours | ≤ 24 hours of logs | Annual full failover test

10 IT Audit, Assurance & Independent Review

What the Master Direction requires: The direction mandates an independent IT audit function — reporting to the Audit Committee of the Board — that conducts annual comprehensive IT audits covering all domains of the Master Direction. The audit cannot be conducted by the same team responsible for IT operations or information security. Additionally, the direction requires independent assurance through:

  • Annual IT Audit: Comprehensive review covering IT governance, access controls, change management, SDLC, network security, data protection, incident management, and BCP/DR. Report must be presented to the Audit Committee of the Board.
  • IS Audit (Information Systems Audit): Dedicated cybersecurity audit covering SIEM effectiveness, access control governance, VAPT remediation status, and security policy compliance. Must be conducted by CISA-certified auditors or equivalent qualified professionals.
  • Cyber Risk Self-Assessment: Annual self-assessment against the RBI's Cybersecurity Framework — submitted to the RBI as part of the supervisory reporting cycle. The format is prescribed by the RBI and must be submitted through the DAKSH supervisory portal.

The CISO's Master Direction Implementation Checklist

RBI Master Direction Compliance Self-Assessment — FY 2025

Rate your institution's implementation status for each control domain

  • CISO Appointment: Dedicated CISO appointed with Board resolution and direct Board reporting line
  • Information Security Policy: Board-approved ISP covering all 12 domains, reviewed in FY2025, employee sign-off documented
  • SOC – 24/7 Monitoring: SOC operational 24/7/365 with documented use cases and MTTD SLAs
  • SIEM Deployment: SIEM ingesting logs from CBS, internet banking, payment gateways, and endpoint estate
  • Cyber Incident Response Plan: Board-approved CIRP with tested escalation paths; tabletop exercise conducted in FY2025
  • RBI Reporting Capability: Workflow exists to notify RBI within 2–6 hours of major incident; CERT-In 6-hour reporting operationalized
  • VAPT – Internet Facing: Quarterly VAPT by CERT-In empanelled vendor; all critical/high findings closed within SLA
  • VAPT – Internal/CBS: Annual infrastructure VAPT completed; remediation tracked and reported to Board
  • Third-Party Risk Management: Board-approved outsourcing policy; all material vendors assessed; exit plans documented
  • Data Classification: Data classification policy implemented; sensitive data encrypted at rest and in transit
  • Privileged Access Management: PAM deployed; all privileged accounts under PAM with session recording; quarterly access reviews
  • Cyber Risk Appetite Statement: Board-approved CRAS with quantified thresholds; reviewed annually
  • IT BCP/DR: Tested BCP/DR with validated RTO/RPO; bi-annual CBS failover test documented
  • IT Audit – Annual: Annual IT audit by independent function; report presented to Audit Committee of Board
  • IS Audit: Dedicated IS audit by CISA-certified auditors; findings tracked to closure
  • RBI Cyber Risk Self-Assessment: Annual self-assessment submitted via DAKSH portal; no unresolved critical findings

RBI Master Direction Gap Assessment for CISOs

Adayptus conducts structured gap assessments against the RBI Master Direction on IT Governance for banks and NBFCs. We assess your current posture against all 10 control domains, produce a Board-ready gap report, and deliver a prioritized remediation roadmap to achieve compliance before your next RBI supervisory review.

  • RBI Master Direction compliance gap report
  • Board-ready executive summary
  • Prioritized 90-day remediation roadmap
  • CISO policy templates and documentation support
  • CERT-In empanelled VAPT services
  • Managed SOC aligned to RBI monitoring requirements

Adayptus Consulting

Strategic Intelligence Division

Adayptus Consulting is a premier provider of enterprise cybersecurity solutions, specializing in Managed SOC, Penetration Testing, and GRC strategy. Our intelligence division regularly publishes research to help CISOs navigate the evolving threat landscape.
