Free Tool · 5-Minute Self-Assessment

RBI Cyber Framework Readiness Checklist

Twenty practitioner-grade questions to test whether your bank, NBFC, payment aggregator, or NBFC-AA is ready for an RBI inspection — or whether you will spend the next quarter writing remediation reports.

Questions: 20 · Time: 5 min · Output: Score band on completion · Email gate: None

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the document or run the workflow today. The score appears at the bottom once all twenty are answered.

01 · Governance & Leadership

RBI examiners start at the top. CISO, board, committees — these prove cyber is taken seriously.

1. We have a CISO who is a senior officer reporting to a level immediately below MD/CEO, separate from the CIO, with a documented appointment letter.
2. Our board has approved a Cyber Security Policy in the current financial year, with documented minutes and a formal review schedule.
3. An Information Security Committee chaired by the CISO meets at least quarterly, with documented minutes covering risks, incidents, and audit findings.
4. Cyber posture is presented to the board (or a board sub-committee) at least twice a year, with measurable indicators.

02 · Strategy, Policy & Documentation

Examiners read the policy stack and trace it to operational evidence. Stale documents lose points fast.

5. Our Information Security Policy, Cyber Security Policy, and Cyber Crisis Management Plan are board-approved and were refreshed within the last 12 months.
6. We have a documented BCP/DR plan with RTO and RPO defined per critical system, tested at least annually with documented results.
7. The standards underneath each policy (password, encryption, vulnerability SLAs, access review cadence) are operational and version-controlled.
8. Every information asset has an owner and a classification level, and appears on a current asset inventory accessible to internal audit.

03 · Controls & Operations

This is where most NBFCs and small banks lose ground in inspections; day-to-day hygiene matters.

9. MFA is enforced on all privileged access, remote access, and administrative interfaces; quarterly access reviews are completed and signed off.
10. Patching meets defined SLAs (Critical 7 days, High 30 days), with a documented exception process and a current exception register.
11. A 24x7 SOC (in-house or co-managed) covers critical systems, with a documented use-case library and metrics on MTTD/MTTR.
12. All privileged sessions to production systems route through a PIM/PAM with session recording and an approval workflow.

04 · Testing & Assurance

Annual VAPT, internal audit, IS audit: examiners want the reports, not certificates.

13. An annual VAPT was conducted by a CERT-In empanelled vendor, covering every internet-facing application, critical internal app, and external IP range.
14. High and critical findings have a re-test letter on file, dated within 30 days of remediation.
15. Our last internal IT/cyber audit covered every baseline control in the framework, with management action plans tracked to closure.
16. An external IS audit (or equivalent independent assurance) was completed in the current cycle and reported to the audit committee.

05 · Third-party, Cloud & Incident Reporting

Outsourcing rules and multi-layered incident reporting are RBI's top inspection focus area.

17. Every material vendor has a current risk assessment, a signed contract with RBI inspection rights and breach-notification clauses, and an annual review on file.
18. For cloud workloads we have board-approved material outsourcing, data localisation evidence (especially for payments), encryption keys held by us, and a tested exit plan.
19. We have a documented incident-reporting playbook covering RBI (2-6 hours), CERT-In (6 hours), and the DPDP Board (72 hours), with templates pre-drafted.
20. Every cyber incident in the last 12 months has been logged, classified, root-caused, reported per regulator timelines, and closed with documented lessons-learnt actions.

What "Ready" Looks Like

Three Bands. Three Plays.

0–7 · Critical exposure

An RBI inspection now would produce multiple major findings and likely a Show Cause Notice. Spend the next 90 days on governance fixes (CISO, board, committees), policy refresh, asset inventory, and a CERT-In empanelled VAPT.

8–14 · At risk

Foundations exist, but evidence chains are thin. Close the vendor due-diligence refresh, patching SLAs, access reviews, DR test, and incident-reporting playbooks in the next 60 days. A pre-inspection mock audit is recommended.

15–20 · Inspection-defensible

You can stand behind your posture under RBI scrutiny. Move to continuous improvement: SOC use-case maturity, threat-led testing, third-party concentration risk, board-level cyber MIS.

FAQ

Common Questions

Does the framework apply to small NBFCs?

Yes, in graded form. Under Scale Based Regulation (Oct 2022), every NBFC sits in one of four layers (Base, Middle, Upper, Top). Even Base Layer NBFCs are subject to baseline cyber expectations, with stricter obligations as you move up.

How is "annual VAPT" interpreted?

Annual minimum for the in-scope perimeter — typically every internet-facing app, every critical internal app, every external IP range, every mobile app, and every customer-facing API. Many banks now do six-monthly for critical apps. Major architectural changes trigger a delta VAPT before go-live.

Can the CISO also be the CIO?

No. RBI is explicit on segregation of duties. The CISO must be independent of the CIO, reporting to a level immediately below MD/CEO. We have seen NBFCs cite a "CISO" who is actually the CIO — that is an automatic finding.

What does "data localisation" mean for payments?

RBI's April 2018 directive (still in force) requires payments data to be stored only in India. Processing abroad is permitted, but the data must be returned to India and stored only here. This applies to all payment system providers and their partners.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The full RBI Cyber Security Framework guide explains every requirement — Master Direction, Cyber Framework, IT Outsourcing rules, payment security obligations — with practitioner translation, inspection traps, and a 90-day roadmap.

Need an inspection-ready roadmap?

Skip the Guesswork. Get a 90-Day Roadmap.

A 30-minute consultation. Walk away with a prioritised remediation list mapped to RBI Cyber Framework requirements and your sectoral regulator overlays.

No sales pitch. We respond within 24 hours.