Introduction
The Reserve Bank of India (RBI) Cyber Security Framework for Banks, issued through the circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated 2 June 2016, is the foundational supervisory instrument governing cyber resilience across India's scheduled commercial banks. Prompted by the rising frequency, sophistication and systemic impact of cyber attacks on the financial sector, the RBI mandated that every bank put in place a board-approved Cyber Security Policy that is distinct from the broader Information Technology or Information Security policy, and that the policy be commensurate with the bank's size, systems, technology, delivery channels and digital exposure.
The framework is unusual among Indian regulatory instruments in that it is prescriptive at the control level. It is accompanied by an Annex (commonly cited as Annex 1) enumerating baseline cyber security and resilience requirements, an Annex 2 setting out the format and timelines for reporting cyber incidents to the RBI, and Annex 3 which addresses the setting up and operation of a Cyber Security Operations Centre (C-SOC). Subsequent RBI communications have layered additional expectations on top of this core: the graded 'Cyber Security Framework - Coverage of ATM Switch and SWIFT related systems', the Master Direction on Digital Payment Security Controls (2021), and the guidance for Urban Cooperative Banks (UCBs) under a technology-risk-tiered approach. This guide focuses on the core 2016 framework and its Annex 1 baseline controls, which remain the reference standard for a bank's cyber security posture assessment.
This deep-dive is written for Chief Information Security Officers (CISOs), Heads of IT, internal auditors, the Board-level IT Strategy Committee and independent assessors who must plan, execute or defend a self-assessment or supervisory examination against the framework. It provides an auditor-grade decomposition of every control theme in Annex 1, a master assessment checklist, an evidence taxonomy, a phased implementation approach, and mappings to adjacent frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 and the PCI DSS.
Copyright and source note
The RBI Cyber Security Framework for Banks and its Annexes are issued by the Reserve Bank of India and are Crown-equivalent regulatory material. This guide is an original interpretive summary prepared by CyberSigma for educational and readiness purposes. It paraphrases and does not reproduce the verbatim text of any RBI circular, Master Direction or Annex. Banks must always refer to the authoritative circulars published on rbi.org.in and to the specific version applicable to their institution. Nothing in this guide constitutes legal advice or a warranty of regulatory compliance.
What is the RBI Cyber Security Framework
The RBI Cyber Security Framework for Banks is a mandatory, board-driven cyber risk management and resilience regime. Its central premise is that cyber risk is a distinct and continuously evolving risk category that cannot be managed as a subset of general IT risk. Accordingly it requires banks to establish dedicated governance, a dedicated policy, dedicated monitoring capability (the C-SOC), and dedicated incident reporting to the regulator.
The framework rests on several structural pillars. First, governance: a board-approved Cyber Security Policy and clearly articulated accountability, typically vested in a CISO who reports independently of the CIO/Head of IT. Second, a baseline security posture: the Annex 1 controls, which every bank must implement irrespective of size. Third, arrangement for continuous surveillance through a C-SOC capable of detecting, containing and responding to incidents in near real time. Fourth, cyber crisis management: a documented Cyber Crisis Management Plan (CCMP) addressing detection, response, recovery and containment. Fifth, supervisory reporting: unusual cyber security incidents must be reported to the RBI within a defined window (typically two to six hours of detection depending on the communication in force), together with periodic self-assessments.
Crucially, the framework adopts a risk-based and proportionate philosophy. While the Annex 1 baseline is universal, the RBI expects larger and more digitally exposed banks to go materially beyond the baseline, adopting adaptive and pre-emptive controls proportionate to their threat surface. This proportionality later matured, for cooperative banks, into an explicit four-level graded framework where controls scale with the bank's digital footprint.
The framework is outcome-oriented: the RBI is less interested in the mere existence of a document and more in demonstrable capability - can the bank detect an intrusion, contain it, recover critical services within its Recovery Time Objectives, report to the regulator on time, and evidence that its controls operate effectively and continuously?
Who must comply
The core 2016 framework is addressed to all scheduled commercial banks (excluding Regional Rural Banks in the original circular, though RRBs and cooperative banks were subsequently brought under proportionate regimes). The obligation flows to the entire banking group and its outsourced and third-party technology arrangements. The table below summarises applicability.
| Entity type | Applicability and notes |
|---|
| Scheduled Commercial Banks (public, private, foreign) | Fully in scope for the 2016 framework and Annex 1 baseline; larger banks expected to exceed the baseline substantially. |
| Small Finance Banks and Payments Banks | In scope; controls applied proportionate to their licence conditions and digital delivery channels. |
| Urban Cooperative Banks (UCBs) | Covered under a subsequent graded (four-level) Cyber Security Framework issued in 2019/2020, scaling controls to the bank's digital footprint. |
| Regional Rural Banks (RRBs) | Brought under a proportionate cyber security framework through separate RBI guidance. |
| Third-party / outsourced service providers | Indirectly in scope - the bank remains accountable and must impose equivalent controls contractually and verify them. |
| Board and Board-level IT Strategy Committee | Directly accountable for approving the Cyber Security Policy and overseeing the programme. |
| CISO function | Accountable for implementation, monitoring, incident reporting and periodic self-assessment. |
| ATM Switch and SWIFT-connected environments | Subject to additional, specifically enumerated controls under the graded coverage guidance. |
- The bank's Board bears ultimate responsibility; the framework explicitly requires board approval of the Cyber Security Policy.
- Accountability cannot be outsourced - use of managed security services or cloud does not transfer regulatory responsibility away from the bank.
- Group entities, subsidiaries and interconnected systems (payment switches, SWIFT, internet/mobile banking) fall within the assessable perimeter.
- Vendors with access to bank data or systems must be held to equivalent control standards and are examinable through the bank's third-party risk process.
Structure of the RBI Cyber Security Framework
The framework is delivered as a short principal circular supported by three Annexes. The substantive control content sits in Annex 1, which enumerates baseline cyber security and resilience requirements grouped into control themes. Practitioners commonly decompose Annex 1 into the control families summarised below. The exact numbering in the circular is thematic rather than a formal control catalogue; this guide organises the requirements into 18 assessable domains to support structured assessment.
| Component | Purpose and content |
|---|
| Principal Circular (June 2016) | Establishes the mandate: board-approved Cyber Security Policy distinct from IT policy; proportionality; continuous surveillance; incident reporting; arrangement for a C-SOC and CCMP. |
| Annex 1 - Baseline Controls | Enumerates the mandatory baseline of technical and process controls across inventory, network, endpoint, access, application, data, patch, vulnerability, logging, malware, e-mail, incident response, vendor risk, awareness and more. |
| Annex 2 - Incident Reporting | Prescribes the template and timelines for reporting cyber incidents to the RBI (Cyber Security and IT Examination cell, DBS). |
| Annex 3 - Cyber SOC (C-SOC) | Guidance on setting up, staffing, tooling and operating a Cyber Security Operations Centre for continuous monitoring. |
| # | Assessable domain (Annex 1 theme) | Core objective |
|---|
| D1 | Inventory Management of Business IT Assets | Maintain an accurate, updated inventory of hardware, software, systems and information assets classified by criticality. |
| D2 | Preventing Execution of Unauthorised Software | Enforce application whitelisting and control on software installation and execution. |
| D3 | Environmental Controls | Protect physical and environmental security of data centres and critical facilities. |
| D4 | Network Management and Security | Segment, firewall, and secure the network; control ingress/egress and wireless. |
| D5 | Secure Configuration | Harden systems to secure baselines; remove default credentials and unnecessary services. |
| D6 | Application Security Life Cycle (ASLC) | Embed security across the SDLC including secure coding, testing and change control. |
| D7 | Patch / Vulnerability and Change Management | Timely identification, prioritisation and remediation of vulnerabilities and patches. |
| D8 | User Access Control / Management | Least privilege, role-based access, privileged access management and periodic reviews. |
| D9 | Authentication Framework for Customers | Strong, multi-factor and risk-based authentication for customer-facing channels. |
| D10 | Secure Mail and Messaging Systems | Protect e-mail and messaging against spoofing, phishing and data leakage. |
| D11 | Vendor / Outsourcing Risk Management | Due diligence, contractual controls and monitoring of third parties. |
| D12 | Removable Media Controls | Restrict and monitor use of USB and other removable media. |
| D13 | Advanced Real-time Threat Defence and Management | Anti-malware, anti-APT, DDoS mitigation and behaviour-based detection. |
| D14 | Anti-Phishing | Detect and take down phishing sites impersonating the bank. |
| D15 | Data Leak Prevention Strategy | Classify data and deploy DLP across endpoints, network and storage. |
| D16 | Audit Logs and Continuous Surveillance (SOC) | Centralised logging, SIEM correlation and 24x7 monitoring via the C-SOC. |
| D17 | Incident Response and Management | Detect, respond, report (to RBI) and recover from cyber incidents; CCMP. |
| D18 | Risk-based Transaction Monitoring, Metrics and Awareness | Fraud/transaction monitoring, forensics readiness, user/customer awareness and periodic testing. |
Master assessment checklist
This is the operative section of the guide. Each Annex 1 domain is decomposed into the specific items an assessor must verify and the typical evidence that substantiates each. No control theme has been omitted. Where the RBI expects a documented artefact, a demonstrable technical control and an operating record, all three should be examined - the mantra is document, implement, evidence.
D1 - Inventory Management of Business IT Assets
| What to verify | Typical evidence |
|---|
| A centralised, current inventory of all IT assets (hardware, software, network devices, virtual assets) exists. | Asset management system export; CMDB records; reconciliation reports. |
| Assets are classified by business criticality and information sensitivity. | Asset classification policy; criticality-tagged inventory; data classification matrix. |
| Ownership is assigned for each asset / information asset. | Asset owner register; RACI for asset stewardship. |
| Unauthorised or unknown devices on the network are detected. | Network access control (NAC) logs; rogue-device detection reports. |
| Inventory is reconciled periodically and on change. | Periodic reconciliation sign-offs; discovery scan results. |
| End-of-life and unsupported assets are identified and risk-managed. | EOL register; exception approvals; compensating-control notes. |
D2 - Preventing Execution of Unauthorised Software
| What to verify | Typical evidence |
|---|
| Application whitelisting is enforced on critical endpoints and servers. | Whitelisting policy configuration; agent deployment coverage report. |
| Users cannot install software without authorisation. | Endpoint privilege configuration; software request/approval workflow. |
| A defined list of authorised software is maintained and enforced. | Approved software catalogue; deviation exception log. |
| Unauthorised software execution attempts are logged and alerted. | Blocked-execution logs; SIEM alerts. |
| Regular scans detect unauthorised or unlicensed software. | Software discovery scan reports; licence compliance records. |
D3 - Environmental Controls
| What to verify | Typical evidence |
|---|
| Physical access to data centres and critical rooms is restricted and logged. | Access control (badge/biometric) logs; visitor register. |
| Environmental protections (fire, power, cooling, water) are in place and tested. | Maintenance records; fire suppression test certificates; UPS/genset logs. |
| CCTV surveillance covers critical areas with adequate retention. | CCTV coverage map; footage retention configuration. |
| Environmental monitoring and alerting is operational. | BMS alerts; temperature/humidity monitoring logs. |
D4 - Network Management and Security
| What to verify | Typical evidence |
|---|
| Network is segmented, with critical systems isolated from general/corporate networks. | Network architecture diagram; VLAN/segmentation configuration; firewall zones. |
| Firewall and perimeter rulesets follow least-privilege and are reviewed periodically. | Firewall rule base; periodic rule review reports; rule change tickets. |
| Ingress/egress traffic is controlled and monitored; unnecessary ports/services closed. | Egress filtering config; port scan baselines. |
| Wireless networks are secured, segregated and monitored. | Wireless security policy; WPA2/enterprise config; rogue AP detection. |
| Remote access (VPN) uses strong authentication and is restricted. | VPN configuration; MFA enforcement; access approval records. |
| Intrusion Prevention/Detection is deployed at network boundaries. | IPS/IDS deployment; signature update logs; alert samples. |
D5 - Secure Configuration
| What to verify | Typical evidence |
|---|
| Hardening baselines (e.g., CIS Benchmarks) are defined for OS, DB, network devices. | Configuration standards documents; baseline templates. |
| Default credentials and unnecessary services/accounts are removed. | Configuration audit results; account review reports. |
| Configuration compliance is scanned periodically and deviations remediated. | Configuration compliance scan reports; remediation tracker. |
| Golden images are used for standardised deployment. | Image build documentation; deployment records. |
D6 - Application Security Life Cycle (ASLC)
| What to verify | Typical evidence |
|---|
| Secure coding standards are adopted and developers trained. | Secure coding policy; training records. |
| Security requirements are captured at design; threat modelling performed for critical apps. | Requirement docs; threat model artefacts. |
| Static and dynamic application security testing (SAST/DAST) is performed before release. | SAST/DAST reports; defect remediation evidence. |
| Independent application security testing / VAPT precedes go-live for critical applications. | VAPT reports; sign-off before deployment. |
| Change and version control governs code promotion to production. | Change tickets; approval workflow; segregation of dev/test/prod. |
| Third-party and open-source components are inventoried and vulnerability-checked. | SBOM/component inventory; SCA scan results. |
D7 - Patch / Vulnerability and Change Management
| What to verify | Typical evidence |
|---|
| A documented patch management policy defines timelines by severity. | Patch management policy; SLA matrix. |
| Vulnerability assessment and penetration testing (VAPT) is performed at defined frequency. | VAPT scope and reports; retest evidence. |
| Vulnerabilities are prioritised by risk and remediated within SLA. | Vulnerability register; ageing/SLA reports. |
| Critical/security patches are applied promptly across the estate. | Patch deployment reports; coverage dashboards. |
| Changes follow a formal change management process with rollback plans. | Change advisory board minutes; change records. |
D8 - User Access Control / Management
| What to verify | Typical evidence |
|---|
| Access is granted on least-privilege and need-to-know, via role-based access control. | Access control policy; role definitions; provisioning records. |
| Privileged accounts are managed through a PAM solution with session recording. | PAM configuration; privileged session logs; vaulting evidence. |
| Multi-factor authentication protects privileged and remote access. | MFA policy and enforcement configuration. |
| User access is recertified periodically and on role change / exit. | Access recertification reports; joiner-mover-leaver records. |
| Segregation of duties prevents toxic access combinations. | SoD rule set; conflict analysis reports. |
| Dormant, orphan and shared accounts are eliminated or controlled. | Dormant account reports; shared-account justification. |
D9 - Authentication Framework for Customers
| What to verify | Typical evidence |
|---|
| Customer-facing channels use multi-factor / additional-factor authentication. | Authentication design docs; 2FA/OTP configuration. |
| Risk-based / adaptive authentication is applied to higher-risk transactions. | Adaptive auth rules; risk-scoring configuration. |
| Session management, timeout and re-authentication controls are enforced. | Session policy; application configuration. |
| Credentials are stored and transmitted securely (hashing, TLS). | Cryptographic standards; TLS configuration; secure storage evidence. |
| Customer authentication anomalies trigger alerts and controls. | Fraud/anomaly detection rules; alert samples. |
D10 - Secure Mail and Messaging Systems
| What to verify | Typical evidence |
|---|
| Anti-spoofing controls (SPF, DKIM, DMARC) are implemented for the bank's domains. | DNS records; DMARC policy and reports. |
| Inbound e-mail is filtered for spam, malware and phishing. | Mail gateway configuration; quarantine/detection reports. |
| Outbound e-mail is monitored for data leakage. | Outbound DLP rules; blocked-message logs. |
| Messaging systems enforce encryption and access control. | Encryption configuration; access logs. |
D11 - Vendor / Outsourcing Risk Management
| What to verify | Typical evidence |
|---|
| Third parties are risk-assessed before onboarding. | Vendor due-diligence reports; risk-tiering. |
| Contracts include security, audit, incident-notification and right-to-audit clauses. | Executed contracts / SLAs with security schedules. |
| Vendor access to bank systems and data is controlled and monitored. | Access provisioning records; monitoring logs. |
| Vendor security posture is periodically reviewed / audited. | Vendor audit reports; SOC 2 / ISO 27001 certificates. |
| Concentration and fourth-party risks are considered. | Outsourcing register; sub-contractor disclosures. |
D12 - Removable Media Controls
| What to verify | Typical evidence |
|---|
| Use of USB and removable media is disabled by default and allowed only by exception. | Endpoint device-control policy; exception approvals. |
| Data written to removable media is encrypted and logged. | Encryption enforcement config; media usage logs. |
| Media disposal follows secure sanitisation. | Media disposal / destruction certificates. |
D13 - Advanced Real-time Threat Defence and Management
| What to verify | Typical evidence |
|---|
| Anti-malware / EDR is deployed across endpoints and servers with current signatures. | EDR coverage report; signature/definition update logs. |
| Advanced threat (APT/sandboxing) defences protect key ingress points. | Sandbox/ATP configuration; detection reports. |
| DDoS mitigation protects internet-facing services. | DDoS protection service configuration; drill/test evidence. |
| Behaviour-based and threat-intelligence-driven detection is operational. | Threat-intel feed integration; behavioural alert samples. |
D14 - Anti-Phishing
| What to verify | Typical evidence |
|---|
| The bank subscribes to an anti-phishing / brand-monitoring service. | Anti-phishing service contract; monitoring dashboard. |
| Phishing sites impersonating the bank are detected and taken down. | Takedown request logs; resolution timelines. |
| Customers are educated to identify phishing and report it. | Awareness communications; reporting channel evidence. |
D15 - Data Leak Prevention Strategy
| What to verify | Typical evidence |
|---|
| Data is classified and a DLP strategy covers endpoint, network and storage. | Data classification policy; DLP deployment architecture. |
| DLP policies detect and block unauthorised exfiltration of sensitive data. | DLP rule set; incident/blocked-transfer reports. |
| Encryption protects data at rest and in transit. | Encryption standards; key management records. |
| Data retention and secure disposal are governed. | Retention schedule; disposal records. |
D16 - Audit Logs and Continuous Surveillance (C-SOC)
| What to verify | Typical evidence |
|---|
| A Cyber Security Operations Centre provides 24x7 monitoring (in-house or managed). | C-SOC charter; staffing roster; shift coverage. |
| Logs from critical systems are centrally collected in a SIEM. | Log source inventory; SIEM onboarding coverage. |
| Correlation rules and use cases generate actionable alerts. | Use-case library; alert triage records. |
| Log integrity, retention and time synchronisation are assured. | Log retention config; NTP configuration; tamper-protection controls. |
| Alerts are triaged and escalated per defined runbooks. | SOC runbooks; escalation matrix; ticket samples. |
| SOC effectiveness is measured and reviewed. | SOC metrics/MIS; management review minutes. |
D17 - Incident Response and Management
| What to verify | Typical evidence |
|---|
| A Cyber Crisis Management Plan (CCMP) is documented and board-aware. | CCMP document; board/committee approval. |
| Incident response roles, severity classification and workflows are defined. | IR plan; severity matrix; RACI. |
| Cyber incidents are reported to the RBI within the mandated window. | Incident reports to RBI (Annex 2 format); dispatch timestamps. |
| Incidents are contained, eradicated and recovered with post-incident review. | Incident tickets; RCA / lessons-learned reports. |
| Forensic readiness and evidence preservation capability exist. | Forensics procedures; chain-of-custody templates; retainer with forensic provider. |
| IR plan is tested through drills / tabletop exercises. | Drill reports; tabletop exercise records. |
D18 - Risk-based Transaction Monitoring, Metrics and Awareness
| What to verify | Typical evidence |
|---|
| Transactions are monitored on a risk basis for fraud and anomalies. | Transaction monitoring rules; fraud alert reports. |
| Security metrics / KRIs are reported to management and the board. | Security MIS; board dashboards; committee minutes. |
| Staff undergo periodic cyber security awareness training. | Training completion records; phishing simulation results. |
| Customer awareness programmes on cyber hygiene are run. | Customer advisories; campaign records. |
| Periodic self-assessment against the framework is performed. | Self-assessment reports submitted to RBI; gap trackers. |
Scoping
Scoping determines the boundary of systems, data, people, facilities and third parties subject to assessment. For the RBI framework, scope is inherently broad: the framework applies to the bank as a whole, so scope-reduction techniques familiar from card-data assessments do not apply in the same way. The objective of scoping here is to prioritise assessment depth by criticality, not to exclude systems from applicability.
- In-scope systems: core banking system (CBS), internet and mobile banking, payment switches (ATM/POS), SWIFT/RTGS/NEFT/UPI/IMPS interfaces, treasury, and all supporting infrastructure.
- In-scope data: customer PII, account and transaction data, authentication credentials, and any data whose compromise affects confidentiality, integrity or availability of banking services.
- In-scope facilities: primary and disaster-recovery data centres, network operations centres, the C-SOC, and branch infrastructure with system access.
- In-scope people: employees, contractors, privileged administrators, and vendor personnel with system or data access.
- In-scope third parties: managed service providers, cloud providers, ATM switch operators, and any outsourced technology function.
- Connected environments: ATM Switch and SWIFT-related systems attract additional, specifically enumerated controls under the graded coverage guidance and must be scoped explicitly.
- Interconnections and trust relationships between the bank and payment networks, aggregators and fintech partners must be mapped and assessed.
Scoping caution
Because accountability cannot be outsourced, cloud-hosted and vendor-operated systems remain fully in scope. A common examination finding is that a bank treats a managed C-SOC or cloud CBS as 'the vendor's responsibility'. The assessor must trace controls into the vendor environment through contracts, audit rights and independent assurance reports.
Implementation approach
A pragmatic implementation programme progresses through five phases. Each phase produces defined deliverables that also serve as assessment evidence. Larger banks may run phases in parallel across business units; smaller banks should sequence them to manage capacity.
Phase 1 - Governance and Baseline Establishment
- Activities: constitute cyber security governance (Board oversight, IT Strategy Committee, CISO office); draft the board-approved Cyber Security Policy distinct from the IT policy; define risk appetite and control ownership.
- Deliverables: approved Cyber Security Policy; CISO charter and reporting line; governance RACI; policy suite (access, network, incident, vendor, DLP).
Phase 2 - Gap Assessment and Remediation Planning
- Activities: perform a self-assessment against Annex 1; conduct discovery of assets and data flows; identify control gaps and quantify risk; prioritise remediation.
- Deliverables: current-state gap assessment; risk register; prioritised remediation roadmap with owners and timelines; board-reported gap summary.
Phase 3 - Control Implementation
- Activities: deploy technical controls (network segmentation, EDR, PAM, DLP, MFA, whitelisting, DMARC); harden configurations; establish patch/vulnerability cadence; embed ASLC into the SDLC.
- Deliverables: implemented control configurations; hardening baselines; VAPT remediation evidence; secure-SDLC gates operational.
Phase 4 - Detection, Response and C-SOC Operationalisation
- Activities: stand up or contract the C-SOC; onboard log sources to SIEM; author use cases and runbooks; finalise the CCMP and RBI incident-reporting procedure; conduct drills.
- Deliverables: operational C-SOC with 24x7 coverage; SIEM use-case library; approved CCMP; incident-reporting workflow tested; tabletop/drill reports.
Phase 5 - Continuous Assurance and Improvement
- Activities: institutionalise periodic self-assessment, VAPT, red-teaming, metrics reporting and management review; track threat intelligence; mature controls beyond baseline for higher-exposure areas.
- Deliverables: periodic self-assessment submissions to RBI; KPI/KRI dashboards; continuous improvement backlog; independent assurance reports.
Maturity / capability model
The core 2016 framework does not itself define numeric maturity levels, but the RBI's proportionality philosophy - later formalised for UCBs as a four-level graded framework - maps naturally onto a capability maturity model. Assessors should rate each domain against the levels below to produce a defensible maturity heat-map and to justify where a bank must exceed the baseline.
| Level | Descriptor | Characteristics |
|---|
| Level 1 | Initial / Baseline | Ad hoc or documentation-only controls; baseline partially met; reliance on reactive measures; minimal evidence of operation. |
| Level 2 | Managed | Baseline Annex 1 controls implemented and documented; controls operate but monitoring is inconsistent; self-assessment performed. |
| Level 3 | Defined | Controls standardised across the estate; C-SOC operational; incident reporting timely; metrics reported to management regularly. |
| Level 4 | Quantitatively Controlled | Controls measured and continuously monitored; risk-based and adaptive controls; threat intelligence integrated; drills and red-teaming routine. |
| Level 5 | Optimising / Adaptive | Pre-emptive and predictive defence; automation and orchestration; continuous improvement; posture materially exceeds baseline commensurate with exposure. |
Assessment and audit approach
- Confirm scope and applicability: identify the bank's tier, digital exposure, connected environments (ATM switch, SWIFT) and third-party landscape.
- Review governance: examine the board-approved Cyber Security Policy, CISO reporting line, committee minutes and risk appetite.
- Perform document review: obtain and assess the policy suite, CCMP, incident-reporting procedure and prior self-assessments against Annex 1.
- Conduct control walkthroughs: interview owners and observe control operation across each of the 18 domains.
- Perform technical validation: review configurations, run or review VAPT results, sample logs and alerts, and test detection use cases.
- Sample evidence for operating effectiveness: test a representative period for access recertification, patch SLAs, incident handling and log monitoring.
- Assess incident and crisis readiness: verify RBI reporting timeliness, review incident records and drill outcomes.
- Evaluate third-party assurance: examine contracts, audit reports and monitoring for outsourced and cloud services.
- Rate maturity per domain and identify gaps against the baseline and against the bank's required (exposure-adjusted) posture.
- Report findings with risk ratings, root causes and prioritised remediation; agree management action plans and retest dates.
Evidence request list
The following categorised evidence list expedites both self-assessment and supervisory examination. Assessors should request current versions and a sample of operating records for the review period.
- Governance: board-approved Cyber Security Policy; CISO charter and org chart; IT Strategy Committee minutes; risk appetite statement.
- Policies and standards: access control, network security, hardening baselines, patch/vulnerability, DLP, vendor risk, incident response, e-mail security policies.
- Asset and data: IT asset inventory/CMDB; data classification matrix; data-flow diagrams; network architecture diagrams.
- Access management: RBAC role definitions; PAM configuration and session logs; MFA enforcement; access recertification reports; JML records.
- Vulnerability and change: VAPT reports and retests; patch deployment reports; vulnerability register with ageing; change management records.
- Detection and monitoring: C-SOC charter and roster; SIEM log-source inventory; use-case library; alert/ticket samples; log retention and NTP configuration.
- Incident and crisis: CCMP; RBI incident reports (Annex 2) with timestamps; RCA reports; drill/tabletop records.
- Application security: secure coding standard; SAST/DAST/VAPT reports; SDLC change and environment segregation evidence; component/SBOM inventory.
- Third-party: vendor due-diligence and risk-tiering; executed contracts with security schedules; vendor audit/SOC 2/ISO 27001 reports.
- Awareness and testing: training completion records; phishing simulation results; customer awareness campaign evidence.
- Prior assurance: previous self-assessments submitted to RBI; internal/external audit reports; prior examination observations and closure evidence.
Roles and responsibilities
| Role | Key responsibilities |
|---|
| Board of Directors | Approve the Cyber Security Policy; ensure adequate resourcing; hold management accountable for cyber resilience. |
| IT Strategy / IT Sub-Committee of the Board | Oversee the cyber programme; review risk posture, incidents and self-assessments; challenge management. |
| Chief Information Security Officer (CISO) | Own and drive implementation; report independently of the CIO; manage incident reporting to RBI and periodic self-assessment. |
| Chief Information Officer / Head of IT | Deliver secure IT operations, patching, configuration and infrastructure controls. |
| C-SOC / Security Operations Team | Operate 24x7 monitoring, detection, triage and escalation; maintain SIEM use cases. |
| Incident Response Team | Execute the CCMP; contain, eradicate and recover; preserve forensic evidence; conduct post-incident reviews. |
| Risk Management / Compliance | Integrate cyber risk into enterprise risk; track regulatory obligations and reporting timelines. |
| Internal Audit | Provide independent assurance over control design and operating effectiveness; verify remediation. |
| Business / Application Owners | Own application security requirements, access recertification and data classification for their systems. |
| Third-Party / Vendor Managers | Conduct due diligence, embed security clauses, and monitor vendor control performance. |
| All Staff | Comply with policies, complete awareness training, and report suspected incidents promptly. |
KPIs to track
- Percentage of critical/security patches applied within SLA.
- Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents.
- Number and timeliness of cyber incidents reported to the RBI within the mandated window.
- Percentage of log sources onboarded to the SIEM versus in-scope critical systems.
- Open high/critical vulnerabilities and their ageing beyond SLA.
- Percentage of privileged accounts under PAM with session recording.
- Access recertification completion rate and orphan/dormant account count.
- Phishing simulation click and report rates; staff awareness training completion.
- VAPT findings closure rate and average time to remediate.
- C-SOC alert triage backlog and false-positive ratio.
- Third-party assessments completed versus due; high-risk vendors with expired assurance.
- Percentage of Annex 1 domains at or above target maturity level.
Readiness checklist
- Board-approved Cyber Security Policy exists and is distinct from the IT/IS policy.
- CISO is appointed with an independent reporting line and defined charter.
- A complete, classified IT asset inventory is maintained.
- Network segmentation isolates critical systems; firewall rules are reviewed periodically.
- Application whitelisting and endpoint privilege control are enforced.
- Hardening baselines are applied and configuration compliance is scanned.
- VAPT is performed at defined frequency and findings are remediated within SLA.
- Patch management operates to severity-based SLAs across the estate.
- RBAC, PAM and MFA govern access; recertification runs periodically.
- Customer channels use multi-factor / adaptive authentication.
- SPF, DKIM and DMARC protect the bank's e-mail domains.
- EDR, anti-APT and DDoS mitigation are deployed and current.
- An anti-phishing / brand-monitoring and takedown capability is in place.
- DLP covers endpoint, network and storage with data classification.
- A 24x7 C-SOC monitors a SIEM covering all critical log sources.
- A board-aware CCMP and tested incident-response workflow exist.
- Cyber incidents are reported to the RBI within the mandated window.
- Vendor risk is assessed, contracted and monitored with right-to-audit.
- Staff and customer awareness programmes run periodically.
- Periodic self-assessment against Annex 1 is completed and submitted.
Common gaps
- Cyber Security Policy not truly distinct from the IT policy, or not board-approved as required.
- CISO reporting into the CIO/Head of IT, compromising the independence the framework expects.
- Incomplete or stale asset inventory, undermining every downstream control.
- C-SOC that logs but does not effectively detect - immature use cases and high false-positive rates.
- Delayed RBI incident reporting due to unclear triggers, ownership or escalation thresholds.
- Application whitelisting and endpoint privilege control implemented in monitor-only mode, not enforced.
- Privileged access not vaulted or session-recorded; shared admin accounts persisting.
- VAPT performed but findings not closed within SLA; retests missing.
- DMARC published in monitor (p=none) mode indefinitely, offering no enforcement against spoofing.
- Vendor and cloud environments treated as out of scope, with no independent assurance obtained.
- DLP deployed without data classification, generating noise rather than protection.
- CCMP untested - no drills or tabletop exercises to validate response readiness.
- Self-assessment treated as a documentation exercise rather than evidence-based control testing.
- ATM switch and SWIFT-connected systems not subjected to the additional graded controls.
RBI Cyber Security Framework mapped to other frameworks
The RBI framework's Annex 1 domains align closely with international control catalogues, enabling banks with existing ISO 27001 or NIST programmes to reuse evidence. The mapping below is indicative and should be validated control-by-control.
| RBI Annex 1 domain | NIST CSF function/category | ISO/IEC 27001:2022 Annex A | PCI DSS v4.0 (indicative) |
|---|
| Inventory Management (D1) | Identify - Asset Management (ID.AM) | A.5.9 Inventory of information and assets | Req 12 (scope/inventory) |
| Unauthorised Software (D2) | Protect - PR.PS / DE.CM | A.8.19 Installation of software | Req 2, Req 5 |
| Environmental Controls (D3) | Protect - PR.AA / physical | A.7 Physical controls | Req 9 |
| Network Security (D4) | Protect - PR.IR; Detect - DE.CM | A.8.20-8.22 Network security | Req 1 |
| Secure Configuration (D5) | Protect - PR.PS | A.8.9 Configuration management | Req 2 |
| Application Security Life Cycle (D6) | Protect - PR.PS / DevSecOps | A.8.25-8.29 Secure development | Req 6 |
| Patch/Vulnerability Mgmt (D7) | Identify - ID.RA; Protect - PR.PS | A.8.8 Management of technical vulnerabilities | Req 6, Req 11 |
| User Access Control (D8) | Protect - PR.AA (Access Control) | A.5.15-5.18, A.8.2-8.5 Access control | Req 7, Req 8 |
| Customer Authentication (D9) | Protect - PR.AA | A.8.5 Secure authentication | Req 8 |
| Secure Mail/Messaging (D10) | Protect - PR.DS | A.8.20 / A.8.23 Web/e-mail filtering | Req 5, Req 6 |
| Vendor/Outsourcing Risk (D11) | Identify - Supply Chain (ID.SC/GV.SC) | A.5.19-5.23 Supplier relationships | Req 12.8 |
| Removable Media (D12) | Protect - PR.DS | A.7.10 Storage media | Req 9.4 |
| Advanced Threat Defence (D13) | Detect - DE.CM; Protect - PR.PS | A.8.7 Protection against malware | Req 5, Req 11 |
| Anti-Phishing (D14) | Detect - DE.CM; Respond | A.5.7 Threat intelligence | Req 12 (awareness) |
| Data Leak Prevention (D15) | Protect - PR.DS | A.8.10-8.12 Data leakage / masking | Req 3, Req 4 |
| Audit Logs / C-SOC (D16) | Detect - Continuous Monitoring (DE.CM) | A.8.15-8.16 Logging and monitoring | Req 10 |
| Incident Response (D17) | Respond & Recover (RS/RC) | A.5.24-5.28 Incident management | Req 12.10 |
| Transaction Monitoring/Awareness (D18) | Detect - DE.CM; Govern (GV) | A.5.7, A.6.3 Awareness | Req 10, Req 12.6 |
How CyberSigma helps
Partner with CyberSigma for RBI cyber resilience
CyberSigma brings CERT-In empanelled and QSA-grade expertise to every stage of your RBI Cyber Security Framework journey. We run evidence-based gap assessments against Annex 1, build board-ready Cyber Security Policies and CCMPs, design and operationalise your C-SOC and SIEM use cases, deliver VAPT and red-team exercises, and prepare you for RBI supervisory examination - including timely incident-reporting workflows aligned to Annex 2. Our maturity heat-maps, prioritised remediation roadmaps and continuous-assurance model help banks not merely meet the baseline but sustain resilience proportionate to their digital exposure. Talk to CyberSigma to move from documentation to demonstrable capability.