We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / IRDAI Cyber Security
IRDAI · India

IRDAI Information & Cyber Security

Information and cyber security guidelines for insurers and intermediaries.

Introduction: The IRDAI Information and Cyber Security Framework

The Insurance Regulatory and Development Authority of India (IRDAI) is the statutory body that regulates and supervises the insurance sector in India under the Insurance Regulatory and Development Authority Act, 1999. Recognising that insurers, reinsurers and insurance intermediaries hold vast repositories of highly sensitive personal, medical and financial data, IRDAI has, since 2017, mandated a formal information and cyber security regime across all regulated entities. This guide provides an auditor-grade, control-by-control walkthrough of the IRDAI Guidelines on Information and Cyber Security for Insurers, its assessment expectations and the practical steps required to achieve and sustain compliance.

The original 2017 Guidelines on Information and Cyber Security for Insurers were substantially strengthened by the 2023 Master framework (the revised Guidelines on Information and Cyber Security for Insurers dated 24 April 2023), which broadened scope, sharpened board accountability, mandated a maturity-based approach and tightened incident reporting timelines. This document reflects the consolidated, current-state expectations that a CERT-In empanelled auditor or an internal second-line reviewer would test against.

Copyright and source note
The IRDAI Guidelines on Information and Cyber Security for Insurers are issued by the Insurance Regulatory and Development Authority of India. The full official text, circulars and formats are available free of charge from the IRDAI website (irdai.gov.in). This guide is an original, independent interpretation prepared by CyberSigma for educational purposes; it paraphrases requirements and does not reproduce IRDAI's copyrighted text. Where a specific reference number, format or timeline is quoted, always verify against the latest IRDAI circular, as the Authority periodically revises the Guidelines and reporting formats.

What is IRDAI Information and Cyber Security

IRDAI Information and Cyber Security is a mandatory, regulator-driven governance and control framework that requires every insurance-sector regulated entity to establish, operate and continuously improve an information security management system (ISMS) tailored to the insurance business. It is not a voluntary standard; non-compliance can attract regulatory action, monetary penalties and adverse supervisory findings during on-site inspections.

Conceptually the framework fuses three lineages: (a) the ISO/IEC 27001 ISMS discipline, which underpins the control catalogue and the certification expectation; (b) the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions of Identify, Protect, Detect, Respond and Recover, which shape the cyber-resilience posture; and (c) India-specific statutory obligations, principally the requirement to align with CERT-In directions (including the 2022 CERT-In cyber incident reporting directions and the six-hour reporting window) and, increasingly, the Digital Personal Data Protection (DPDP) Act, 2023 for personal-data governance.

The Guidelines are explicit that information security is a board-level responsibility. Every insurer must appoint a Chief Information Security Officer (CISO), constitute an Information Security Committee, obtain and maintain ISO/IEC 27001 certification for critical systems, undertake periodic assurance (VAPT, information security audits, cyber-crisis drills), and report material incidents to IRDAI and CERT-In within defined timelines. The regime is expressed through control domains, a defined governance structure, an assurance calendar and a maturity expectation that entities must progressively meet.

Who must comply

The Guidelines apply to the full spectrum of IRDAI-regulated entities. Scope has been progressively widened; entities should treat themselves as in-scope unless IRDAI has explicitly carved them out. The following table sets out the principal categories of covered entity and the nuances of applicability.

Regulated entity categoryApplicability and notes
Life insurersFully in scope; typically hold large volumes of financial and beneficiary data plus long-duration policy records.
General (non-life) insurersFully in scope; motor, health and property lines carry significant claims and third-party data.
Standalone health insurersFully in scope; process sensitive health/medical data attracting heightened data-protection duties.
Reinsurers and branches of foreign reinsurers (FRBs)In scope; must align group policies with IRDAI local requirements and data-localisation expectations.
Insurance intermediaries (brokers, corporate agents, web aggregators, IMFs)In scope on a proportionate basis; larger intermediaries face near-full expectations, smaller ones a scaled-down set.
Third-Party Administrators (TPAs)In scope; process claims and health data on behalf of insurers and are subject to outsourcing/vendor governance.
Insurance Self-Networking Platforms and InsurTech partnersCovered indirectly via the insurer's outsourcing and third-party risk obligations.
Insurance RepositoriesIn scope; hold electronic insurance accounts (e-IA) and dematerialised policies.
Boards and senior management of the abovePersonally accountable for approving the information security policy and overseeing the programme.
Proportionality principle
IRDAI expects a risk-based, proportionate application. A large multi-line insurer and a small single-office intermediary are not held to identical implementation depth, but every entity must demonstrate governance, a documented policy, risk assessment, technical controls, assurance testing and incident readiness commensurate with its size, complexity and data sensitivity.

Structure of IRDAI Information and Cyber Security

The Guidelines are organised around a set of control domains derived from and mapped to the ISO/IEC 27001 Annex A control set, wrapped by governance, assurance and cyber-resilience requirements. The framework can be read as a control catalogue supported by mandatory governance structures and an assurance calendar. The table below summarises the principal domains an auditor will test.

Domain / familyFocus of the domain
1. Governance and organisation of information securityBoard oversight, CISO, IS Committee, policy framework, roles and accountability.
2. Information security policy and risk managementDocumented policies, periodic risk assessment, risk treatment and acceptance.
3. Human resource securityScreening, security awareness, acceptable use, disciplinary process, exit controls.
4. Asset management and classificationAsset inventory, ownership, information classification and handling, media disposal.
5. Access control and identity managementAccess provisioning, least privilege, privileged access, authentication, MFA, reviews.
6. Cryptography and key managementEncryption in transit and at rest, key lifecycle, data protection controls.
7. Physical and environmental securitySecure areas, data-centre controls, equipment protection, power and environment.
8. Operations securityChange/patch/configuration management, malware protection, capacity, logging.
9. Communications and network securityNetwork segmentation, perimeter, secure transfer, wireless, remote access.
10. System acquisition, development and maintenance (SDLC)Secure development, testing, source-code control, secure-by-design.
11. Supplier / outsourcing and third-party riskVendor due diligence, contracts, cloud governance, monitoring, right to audit.
12. Information security incident managementDetection, reporting to IRDAI/CERT-In, response, forensics, lessons learned.
13. Business continuity and cyber resilienceBCP/DR, RTO/RPO, cyber-crisis management, resilience testing.
14. Compliance, audit and assuranceLegal/regulatory compliance, VAPT, IS audit, ISO 27001 certification.
15. Data protection and privacyPersonal/sensitive data handling, data localisation, DPDP alignment, retention.
16. Cyber-resilience functions (NIST-aligned)Identify, Protect, Detect, Respond, Recover posture across the estate.

Master assessment checklist

This is the core of the audit. Each control group below is presented with what an assessor must verify and the typical evidence that demonstrates compliance. An auditor should test every group; a gap in any one weakens the overall assurance opinion. Tables use the columns What to verify and Typical evidence.

Group 1 — Governance and organisation of information security

What to verifyTypical evidence
Board has approved the Information and Cyber Security Policy and reviews it at least annually.Board minutes, signed policy with approval date, review calendar.
A qualified CISO is appointed with a defined reporting line independent of IT operations.Appointment letter, JD, org chart, CISO qualifications/certifications.
An Information Security Committee (or equivalent) is constituted and meets periodically.ISC charter, membership list, meeting minutes with attendance.
Board/Risk Committee receives periodic cyber-risk reporting (incidents, KRIs, audit status).Committee decks, KRI dashboards, exception logs.
Roles, responsibilities and accountability (RACI) for security are documented.RACI matrix, role descriptions, segregation-of-duties records.

Group 2 — Information security policy and risk management

What to verifyTypical evidence
A comprehensive, version-controlled policy suite covering all domains exists and is communicated.Policy documents, version history, communication/acknowledgement records.
A formal, periodic information security risk assessment methodology is defined and applied.Risk assessment methodology, risk register, risk treatment plan.
Risks are treated, accepted or transferred with documented owner and residual-risk sign-off.Risk treatment records, risk acceptance forms with senior sign-off.
Emerging threats and threat intelligence feed the risk process.Threat-intel reports, updated risk register entries, advisories actioned.
Policy exceptions are formally logged, time-bound and re-approved.Exception register with expiry dates and approver.

Group 3 — Human resource security

What to verifyTypical evidence
Background verification/screening is performed before granting access to sensitive systems.BGV reports, screening policy, HR onboarding checklist.
All staff and contractors complete security awareness training with periodic refreshers.Training records, completion rates, phishing-simulation results.
Acceptable-use and confidentiality obligations are signed by personnel.Signed AUP and NDA, HR files.
A disciplinary process for security violations is defined and enforced.Disciplinary policy, sample cases (anonymised).
Joiner-mover-leaver process revokes access promptly on exit or role change.JML tickets, access-revocation logs, exit checklists.

Group 4 — Asset management and classification

What to verifyTypical evidence
A complete, current inventory of information assets (hardware, software, data, cloud) exists with owners.CMDB/asset register, ownership mapping, reconciliation reports.
An information classification scheme is defined and applied (e.g., public/internal/confidential/restricted).Classification policy, labelled documents, data-flow diagrams.
Handling, labelling, storage and transmission rules match classification.Handling procedures, DLP configuration, sample labelled data.
Secure media disposal and data sanitisation procedures are followed.Disposal certificates, wiping logs, media-destruction records.
End-of-life and unsupported assets are identified and remediated.EOL inventory, remediation/upgrade tickets.

Group 5 — Access control and identity management

What to verifyTypical evidence
Access is granted on least-privilege and need-to-know via a formal request/approval workflow.Access-request tickets, approval records, role-based access matrix.
Multi-factor authentication is enforced for remote, privileged and administrative access.MFA configuration, VPN/PAM settings, authentication logs.
Privileged accounts are inventoried, vaulted and session-monitored.PAM inventory, session recordings, break-glass procedures.
Periodic user-access recertification/review is performed and gaps remediated.Access-review reports, recertification sign-offs, revocation evidence.
Password/credential policy meets minimum strength, rotation and lockout requirements.Password policy, IdP/AD configuration, lockout logs.

Group 6 — Cryptography and key management

What to verifyTypical evidence
Sensitive data is encrypted at rest and in transit using approved algorithms.Encryption standard, TLS/cipher configuration, database/disk encryption evidence.
A cryptographic key management lifecycle (generation, storage, rotation, revocation) is defined.Key management policy, KMS/HSM configuration, rotation logs.
Keys are protected from unauthorised access with dual control where appropriate.HSM access controls, dual-custody records.
Certificate lifecycle is managed to prevent expiry-driven outages.Certificate inventory, expiry-monitoring alerts, renewal records.

Group 7 — Physical and environmental security

What to verifyTypical evidence
Data centres and secure areas have layered physical access controls and monitoring.Access-control logs, CCTV coverage, visitor registers.
Environmental controls (fire suppression, cooling, power/UPS/DG) are in place and tested.Maintenance/test records, environmental-monitoring reports.
Equipment siting, cabling and clear-desk/clear-screen controls are enforced.Site inspection records, clear-desk audit, cabling diagrams.
Physical media leaving premises is authorised and tracked.Gate-pass records, media-movement register.

Group 8 — Operations security

What to verifyTypical evidence
A formal change management process controls production changes with approval and rollback.Change tickets, CAB minutes, rollback plans.
Patch and vulnerability management applies fixes within defined SLAs by severity.Patch policy, patch reports, vulnerability-remediation tracker.
Endpoint and server malware protection is deployed, updated and monitored.EDR/AV console, signature-update logs, alert handling.
Secure baseline/hardening configurations are applied and drift is detected.Hardening standards (CIS-aligned), configuration-scan reports.
Comprehensive logging is enabled and centralised for critical systems.Logging policy, SIEM ingestion, log-retention configuration.

Group 9 — Communications and network security

What to verifyTypical evidence
Network is segmented (e.g., DMZ, internal, PCI/sensitive zones) with enforced controls.Network diagrams, firewall rulesets, segmentation test results.
Perimeter defences (firewall, IPS, WAF, anti-DDoS) are deployed and tuned.Device configurations, rule-review records, WAF logs.
Secure remote access uses VPN with MFA and device posture checks.VPN configuration, NAC policy, access logs.
Wireless networks are secured, segregated and monitored.WLAN configuration, rogue-AP scan results.
Data transfers with external parties use secure, authenticated channels.SFTP/API security configuration, encryption-in-transit evidence.

Group 10 — System acquisition, development and maintenance (SDLC)

What to verifyTypical evidence
Security requirements are defined in the SDLC and secure-coding standards are followed.SDLC policy, secure-coding guidelines, requirements traceability.
Application security testing (SAST/DAST) is performed before production release.Scan reports, remediation evidence, release gates.
Source code and CI/CD pipelines are access-controlled and integrity-protected.Repository access controls, pipeline configuration, code-review records.
Non-production data is masked/anonymised and separated from production.Data-masking configuration, environment-separation evidence.
Third-party and open-source components are inventoried and monitored for vulnerabilities.SBOM/SCA reports, dependency-update records.

Group 11 — Supplier, outsourcing and third-party risk

What to verifyTypical evidence
Due diligence is performed on vendors, cloud providers and TPAs before onboarding.Vendor risk assessments, security questionnaires, certifications reviewed.
Contracts include security, confidentiality, audit-rights, breach-notification and data-localisation clauses.Signed contracts/SLAs, clause matrix, DPAs.
Ongoing monitoring of critical suppliers' security posture is performed.Periodic vendor reviews, SOC 2/ISO reports, monitoring records.
Cloud deployments meet data-localisation and shared-responsibility requirements.Cloud region configuration, responsibility matrix, config-audit reports.
Exit/transition and data-return/deletion arrangements are documented.Exit plans, data-deletion certificates.

Group 12 — Information security incident management

What to verifyTypical evidence
A documented incident response plan defines classification, roles and escalation.IR plan/playbooks, severity matrix, contact tree.
Cyber incidents are reported to CERT-In within the mandated timeline (six hours of detection).CERT-In reporting records, timestamps, submission acknowledgements.
Material incidents are reported to IRDAI in the prescribed format and timeline.IRDAI incident-report submissions, format compliance, acknowledgements.
Forensic readiness, evidence preservation and root-cause analysis are performed.Forensic reports, RCA documents, evidence chain-of-custody.
Lessons learned feed corrective actions and drills are conducted periodically.Post-incident reviews, corrective-action tracker, tabletop-exercise records.

Group 13 — Business continuity and cyber resilience

What to verifyTypical evidence
A BCP/DR programme with defined RTO/RPO for critical systems exists.BCP/DR plans, BIA, RTO/RPO register.
DR and failover testing is conducted at least annually with documented outcomes.DR test reports, failover logs, gap-remediation records.
A cyber-crisis management plan addresses ransomware and destructive attacks.Cyber-crisis playbook, ransomware runbook, isolation procedures.
Backups are performed, encrypted, tested for restoration and protected from tampering.Backup schedule, restoration-test logs, immutable/offline backup evidence.
Resilience is validated through scenario-based drills and tabletop exercises.Exercise scenarios, participation records, after-action reports.

Group 14 — Compliance, audit and assurance

What to verifyTypical evidence
ISO/IEC 27001 certification is held and maintained for critical systems/scope.ISO 27001 certificate, Statement of Applicability, surveillance-audit reports.
Periodic VAPT is performed on internet-facing and critical internal systems.VAPT reports, remediation tracker, retest evidence.
An independent information security audit is conducted at the mandated frequency.IS audit reports (CERT-In empanelled auditor), management responses.
Regulatory and legal compliance obligations are tracked and evidenced.Compliance register, IRDAI submission records, legal-obligation mapping.
Audit findings are tracked to closure with owners and target dates.Findings tracker, closure evidence, overdue-item escalations.

Group 15 — Data protection and privacy

What to verifyTypical evidence
Personal and sensitive personal data is identified, classified and inventoried.Data inventory, data-flow maps, PII/SPDI catalogue.
Data-localisation requirements for policyholder data are met.Storage-location evidence, cloud-region configuration, hosting records.
Data-retention and disposal schedules align with regulatory and DPDP requirements.Retention policy, deletion logs, archival records.
Consent, purpose-limitation and data-subject rights processes exist (DPDP alignment).Consent records, privacy notices, DSR-handling procedures.
Data loss prevention controls protect against unauthorised exfiltration.DLP policy and rules, alert-handling records.

Group 16 — Cyber-resilience functions (Identify, Protect, Detect, Respond, Recover)

What to verifyTypical evidence
IDENTIFY: asset, risk and threat visibility across the estate is maintained.Asset/risk registers, threat-intel feeds, attack-surface reports.
PROTECT: preventive controls (access, hardening, awareness, encryption) are operational.Control configurations, training records, hardening evidence.
DETECT: 24x7 monitoring/SOC, SIEM use cases and alerting are in place.SOC coverage, SIEM use-case library, alert MTTD metrics.
RESPOND: tested response playbooks and escalation to IRDAI/CERT-In function.IR playbooks, drill records, reporting evidence.
RECOVER: restoration, communication and post-incident improvement are demonstrated.Recovery plans, restoration tests, post-incident reports.

Scoping

Correct scoping is the foundation of a defensible IRDAI compliance programme. Scope must be documented in the ISMS Statement of Applicability and reflected in the risk assessment. Under-scoping is a common audit finding, particularly the exclusion of cloud, third-party and shadow-IT assets.

  • All systems that store, process or transmit policyholder, claims, health or financial data are in scope, whether on-premises, cloud or vendor-hosted.
  • Core insurance systems (policy administration, underwriting, claims, actuarial, agency/CRM, payments and settlement) are always in scope.
  • Customer-facing channels (portals, mobile apps, web aggregator integrations, chatbots) and their supporting APIs are in scope.
  • Outsourced functions and TPAs handling regulated data are in scope via the outsourcing/third-party domain.
  • Corporate IT that could be a lateral-movement path to core systems must be assessed even if it does not directly hold policy data.
  • Data-localisation scope: policyholder data required to be stored in India must be explicitly mapped and evidenced.
  • Boundary interfaces (integrations with banks, repositories, government IDs, payment gateways) must be scoped and their controls tested.
Scoping tip
Build a single authoritative data-flow diagram that traces policyholder data from capture to disposal across every system, integration and vendor. This artefact simultaneously supports scoping, the risk assessment, data-localisation evidence and DPDP alignment, and is one of the first things a CERT-In empanelled auditor will request.

Implementation approach

A phased implementation lets an insurer move from ad-hoc practices to a certified, maturity-rated programme without overwhelming the organisation. Each phase below lists indicative activities and deliverables.

Phase 1 — Governance and mobilisation (Weeks 0-8)

Activities: secure board sponsorship; appoint or confirm the CISO; constitute the Information Security Committee; define the programme charter, scope and target maturity; approve the Information and Cyber Security Policy.

Deliverables: board-approved policy, CISO appointment, ISC charter and RACI, programme plan, initial scope statement.

Phase 2 — Assessment and gap analysis (Weeks 6-16)

Activities: build the asset inventory and data-flow maps; perform a control gap assessment against all 16 domains; conduct an information security risk assessment; baseline maturity; identify quick wins.

Deliverables: asset register, data-flow diagrams, gap-analysis report, risk register, maturity baseline, prioritised remediation roadmap.

Phase 3 — Control design and remediation (Weeks 12-40)

Activities: implement/remediate technical and process controls (access, MFA, PAM, encryption, hardening, logging/SIEM, DLP, segmentation); deploy vendor-risk and outsourcing governance; establish incident response and BCP/DR.

Deliverables: hardened baselines, PAM/MFA rollout, SIEM/SOC onboarding, IR plan and playbooks, BCP/DR plans, vendor-risk framework, updated policies/procedures.

Phase 4 — Assurance and certification (Weeks 30-52)

Activities: conduct VAPT and remediate; run internal ISMS audit; undertake ISO/IEC 27001 certification (stage 1 and stage 2); perform cyber-crisis drill; validate CERT-In/IRDAI reporting readiness.

Deliverables: VAPT reports with closure, internal audit report, ISO 27001 certificate, drill after-action report, reporting-readiness evidence.

Phase 5 — Operate, monitor and improve (Ongoing)

Activities: run continuous monitoring and KRI reporting; execute the annual assurance calendar (VAPT, IS audit, DR test, drills, access reviews); manage incidents and lessons learned; drive maturity uplift.

Deliverables: KRI dashboards, assurance calendar completion, incident register, maturity re-assessment, board reporting.

Maturity and capability model

The revised Guidelines encourage a maturity-based journey rather than a binary pass/fail. Insurers should self-rate each domain and target progressive improvement. The following capability levels are a practical model an assessor can apply.

Maturity levelCharacteristics and expectation
Level 1 - Initial / Ad hocControls undocumented, reactive and person-dependent; no formal governance. Not acceptable for a regulated insurer.
Level 2 - RepeatableBasic policies exist and key controls operate but inconsistently; limited monitoring. Minimum entry point.
Level 3 - DefinedDocumented, standardised controls across domains; governance active; ISO 27001 in progress; assurance calendar defined. Regulatory baseline expectation.
Level 4 - Managed / MeasuredControls are measured with KRIs/KPIs; monitoring is continuous; assurance is evidence-driven; ISO 27001 certified. Target for established insurers.
Level 5 - OptimisingPredictive, threat-informed, automated controls; continuous improvement; resilience proven through drills. Leadership posture.

Assessment and audit approach

  1. Define and confirm scope, boundaries and the applicable regulatory version with the entity's compliance team.
  2. Collect and review documentation: policies, SoA, risk register, prior audit/VAPT reports, incident logs and board minutes.
  3. Perform interviews with the CISO, IT operations, HR, procurement/outsourcing and business owners to confirm operating effectiveness.
  4. Conduct control testing across all 16 domains, sampling configurations, tickets, logs and access records for design and operating effectiveness.
  5. Execute or review technical assurance: VAPT results, configuration/hardening scans and SIEM use-case coverage.
  6. Validate incident reporting readiness against CERT-In (six-hour) and IRDAI timelines using drill and past-incident evidence.
  7. Rate each domain against the maturity model and identify gaps with risk ratings.
  8. Produce findings with root cause, impact, recommendation, owner and target date; agree a remediation plan.
  9. Track remediation to closure and, where required, retest before issuing the final assurance opinion.
  10. Report outcomes to the Information Security Committee and board/risk committee, and prepare regulatory submissions.

Evidence request list

The following categorised list is what an assessor typically requests at kick-off. Providing these early accelerates the review.

  • Governance: board-approved policy, CISO appointment, ISC charter and minutes, RACI, board cyber-risk reports.
  • Policies and standards: full policy suite, hardening standards, SoA, exception register.
  • Risk: risk assessment methodology, risk register, risk treatment and acceptance records.
  • Asset and data: asset inventory/CMDB, data-flow diagrams, classification scheme, data-localisation evidence.
  • Access: access-request/approval records, access-review reports, PAM inventory, MFA configuration.
  • Technical: firewall/network diagrams, patch reports, EDR console, encryption/key-management evidence, SIEM configuration.
  • Assurance: latest VAPT reports, internal and external IS audit reports, ISO 27001 certificate and surveillance reports.
  • Incidents and resilience: IR plan/playbooks, incident register, CERT-In/IRDAI submissions, BCP/DR plans, DR test and drill reports.
  • Third party: vendor risk assessments, contracts/DPAs, SOC 2/ISO reports for critical suppliers, cloud config audits.
  • HR and training: BGV records, awareness-training completion, phishing-simulation results, signed AUP/NDA.
  • Privacy: personal-data inventory, retention and deletion records, consent and privacy-notice evidence, DLP configuration.

Roles and responsibilities

RoleKey responsibilities under the framework
Board of DirectorsApprove the policy, oversee cyber risk, ensure adequate resourcing and hold management accountable.
Risk Management / IS CommitteeReview risk posture, incidents and audit findings; approve risk treatment and exceptions.
Chief Information Security Officer (CISO)Own and run the ISMS, drive the assurance calendar, lead incident response, report to the board.
Chief Information / Technology OfficerDeliver secure infrastructure, implement technical controls and support remediation.
Data Protection Officer / Privacy leadEnsure data-protection, localisation and DPDP compliance; handle data-subject rights.
Internal AuditProvide independent assurance over the effectiveness of controls and follow up findings.
Business and process ownersOwn risks in their processes, approve access, and support classification and controls.
Procurement / Vendor managementEnforce third-party due diligence, security contract clauses and ongoing monitoring.
HRDeliver screening, awareness, acceptable-use and joiner-mover-leaver processes.
All employees and contractorsComply with policies, complete training and report suspected incidents promptly.

KPIs to track

  • Percentage of critical vulnerabilities remediated within SLA by severity.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
  • CERT-In and IRDAI incident-reporting timeliness (percentage within mandated windows).
  • Patch compliance rate across servers, endpoints and network devices.
  • Percentage of privileged accounts under PAM and MFA coverage.
  • User security-awareness completion rate and phishing-simulation failure rate.
  • Access-review completion and orphaned/dormant-account closure rate.
  • VAPT and IS audit findings closed on time versus overdue.
  • Backup restoration-test success rate and DR test RTO/RPO achievement.
  • Third-party/vendor risk assessments completed for critical suppliers.
  • ISO/IEC 27001 non-conformities and their closure status.
  • Maturity score by domain against the target maturity level.

Readiness checklist

  • Board-approved Information and Cyber Security Policy in place and reviewed within the last year.
  • CISO appointed and Information Security Committee active with documented minutes.
  • Complete asset inventory and policyholder data-flow diagrams maintained.
  • Information security risk assessment completed with a current risk treatment plan.
  • MFA enforced for remote, privileged and administrative access; PAM operational.
  • Encryption applied to sensitive data at rest and in transit with key management.
  • Centralised logging/SIEM and 24x7 monitoring (in-house or managed SOC) in place.
  • Patch and vulnerability management operating within defined SLAs.
  • VAPT completed on internet-facing and critical systems with findings remediated.
  • ISO/IEC 27001 certification held or credibly in progress for critical scope.
  • Incident response plan tested; CERT-In six-hour and IRDAI reporting readiness proven.
  • BCP/DR plans with tested RTO/RPO and immutable/offline backups.
  • Third-party and outsourcing governance with security and audit-rights clauses.
  • Data-localisation and DPDP-aligned privacy controls evidenced.
  • Annual assurance calendar (VAPT, IS audit, DR test, drills, access reviews) scheduled and tracked.

Common gaps

  • CISO appointed on paper but lacking authority, budget or independence from IT operations.
  • Policy suite exists but is not risk-driven, out of date, or not communicated and acknowledged.
  • Incomplete asset and data inventories, leaving cloud, shadow-IT and vendor-hosted assets unscoped.
  • MFA and privileged-access management gaps, especially for legacy core systems and service accounts.
  • Weak third-party governance: missing audit-rights, breach-notification and data-localisation clauses.
  • Incident reporting not meeting the CERT-In six-hour window due to unclear detection-to-report workflows.
  • BCP/DR plans untested, or backups not validated for restoration and not protected against ransomware.
  • VAPT and audit findings raised repeatedly but not remediated to closure (recurring findings).
  • Logging enabled but not centralised or monitored, so alerts are not actioned in real time.
  • Data-localisation and DPDP obligations partially addressed without evidence of storage location and retention.
  • Security awareness treated as a tick-box exercise with low phishing-resilience and stale content.
  • Maturity self-assessment absent, so the entity cannot demonstrate a credible improvement trajectory.

IRDAI Information and Cyber Security mapped to other frameworks

IRDAI's Guidelines draw heavily on established standards, which makes cross-mapping straightforward and lets insurers reuse existing certifications and controls. The table below aligns the IRDAI domains with common frameworks.

IRDAI domainISO/IEC 27001:2022NIST CSF functionRelated regulation/standard
Governance and organisationA.5 Organisational controlsGovern / IdentifyRBI/SEBI cyber governance norms
Risk managementA.5 / Clause 6IdentifyISO 31000, NIST RMF
Human resource securityA.6 People controlsProtectDPDP Act (personnel obligations)
Asset and data classificationA.5.9-A.5.13IdentifyDPDP Act, ISO 27002
Access control and identityA.5.15-A.5.18, A.8.2-A.8.5ProtectPCI DSS Req. 7-8
CryptographyA.8.24ProtectPCI DSS Req. 3-4, DPDP
Physical and environmentalA.7 Physical controlsProtectISO 27002 clause 7
Operations securityA.8 Technological controlsProtect / DetectCIS Controls, PCI DSS Req. 5-6
Network and communicationsA.8.20-A.8.23Protect / DetectPCI DSS Req. 1, CERT-In directions
Secure SDLCA.8.25-A.8.31ProtectOWASP ASVS, NIST SSDF
Third-party / outsourcingA.5.19-A.5.23Identify / ProtectIRDAI Outsourcing Regs, SOC 2
Incident managementA.5.24-A.5.28RespondCERT-In 2022 directions (6-hour)
Business continuity and resilienceA.5.29-A.5.30, A.8.13-A.8.14RecoverISO 22301, RBI resilience norms
Compliance and auditA.5.31-A.5.36GovernISO 27001 certification, VAPT
Data protection and privacyA.5.34Protect / GovernDPDP Act 2023, ISO 27701
How CyberSigma helps
CyberSigma is a CERT-In empanelled cybersecurity and compliance partner that takes insurers, reinsurers, intermediaries and TPAs from gap to certified, audit-ready IRDAI Information and Cyber Security compliance. We deliver end-to-end support: governance mobilisation and CISO-as-a-service, full 16-domain gap assessment and risk assessment, remediation of technical and process controls, VAPT and secure-configuration reviews, ISO/IEC 27001 implementation and certification support, incident-response and cyber-crisis drills, CERT-In and IRDAI reporting readiness, DPDP and data-localisation alignment, and continuous managed assurance through KRI/KPI dashboards. Our platform tracks every control, evidence artefact and finding to closure, giving your board and IRDAI a defensible, real-time view of your cyber-resilience posture. Talk to CyberSigma to build a phased, proportionate programme that meets the Guidelines and matures your security over time.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Does IRDAI require a cyber security audit?
Yes — insurers and intermediaries are expected to undergo periodic information/cyber security audits as part of the assurance requirements.

Need help with IRDAI Cyber Security?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.