ChecklistUpdated 2026-02-15For: Banks, NBFCs (base, middle, upper, top), Payment Aggregators (PA), Payment Gateways (PG), HFCs and digital-lending platforms

RBI Cybersecurity Framework Evidence Checklist

RBI inspections fail entities on missing evidence far more often than on missing controls. This checklist documents the exact evidence inspectors look for under the RBI Cyber Security Framework for banks, the Master Direction on IT Governance for NBFCs, and the RBI Digital Lending Guidelines (DLG) — including what an upper-layer NBFC needs versus a base/middle-layer entity.

Talk to an expert All resources

The Checklist

Governance evidence

IT Strategy Committee charter, minutes for last 4 meetings, attendance signed
CISO appointment letter, reporting line documented, KPIs
Risk Management Committee minutes including cyber-risk discussions
Board-approved Information Security Policy with last review date < 12 months
Cyber-crisis management plan signed by board

IT general controls (ITGC)

Change management — ticket sample, approval evidence, segregation of dev/test/prod
Access management — joiners-movers-leavers process, quarterly access reviews, privileged-access logs
Backup-restore evidence (last quarter)
Patch management — scanner reports + remediation tickets, SLA adherence
Logging: centralised logging with min 6-month retention for critical systems

Application & data security

VAPT report from CERT-In Empanelled auditor, dated < 12 months, with closure evidence
Secure code review evidence for major releases
Encryption inventory + key management evidence
Data classification policy + sample classification labels in production
Customer data localisation evidence (PA/PG and DPSS-listed entities)

Network & infrastructure

Network architecture diagram with security zones marked, dated
Firewall rule-base review (quarterly) with sample approvals
DDoS protection — vendor, capacity, last test report
Wireless security policy + segregation from production
Endpoint protection rollout report (>98% coverage typically expected)

Incident management

Incident register with classification, timeline, root cause and remediation per incident
CERT-In incident reporting evidence (6-hour clock) — at least sample logged events
SIEM / SOC arrangement (in-house, MSSP, hybrid) with named contacts and runbooks
Phishing simulation evidence (at least quarterly)
Tabletop exercise report (at least bi-annual)

Digital Lending Guidelines (DLG) — for digital lenders

LSP (Lending Service Provider) onboarding due-diligence report per partner
Key Fact Statement (KFS) sample, with all DLG-mandated fields
Cooling-off period evidence
Customer-data flow diagram showing where data goes outside the regulated entity
Grievance redressal SLA evidence + monthly reports
Recovery / collection process audit — privacy, working hours, recording, escalation

Upper-layer NBFC additional

Independent Compliance Function report
ICAAP (Internal Capital Adequacy Assessment) cyber-risk component
Quarterly cyber-risk dashboard to board
Independent IS Audit report (separate from internal audit)

Frequently asked questions

What's the difference between the RBI IT Framework and the Cyber Security Framework for banks?

The IT Framework (Master Direction, 2023) applies to NBFCs, ARCs and credit institutions. The Cyber Security Framework (2016) applies to scheduled commercial banks. They overlap significantly but the bank framework has additional requirements around critical-IT vendor management, SOC capability and red-teaming.

How does the RBI Digital Lending Guidelines (DLG) framework fit in?

DLG layers on top of the IT Framework. If you're a digital-lending NBFC or your bank operates through an LSP, you must evidence DLG-specific items (LSP due diligence, KFS, cooling-off, grievance, recovery audit) on top of the standard cybersecurity controls.

Does the audit cover Account Aggregator (AA) integrations?

Yes. AA-connected lenders, FIPs and FIUs are reviewed for consent-management evidence, data-flow integrity, retention/erasure compliance and integration security.

Do you cover RBI Payment Aggregator audits separately?

Yes — RBI's Payment Aggregator / Payment Gateway audit has a distinct scope. Our `/services/cert-in-audit/rbi-pa-pg` and SAR audit pages cover that scope.

How long should we keep this evidence?

Minimum 6 years for audit evidence, longer for customer transaction records (15 years under PMLA for relevant cases). Always check the latest RBI circular for your category.

Related services

More resources

Need help executing this?

Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.

Book a consultation

Digital Defense

Online | Typically replies instantly

Hi there! 👋 Welcome to Digital Defense. I'm here to help you with your cybersecurity needs. How can I assist you today?