How is this different from the RBI CSF audit?

The CSF is a controls framework; the MD is the governance umbrella. CSF sits inside the MD as the information-security pillar. We run them together where the entity needs both, or just the MD where CSF is already in cycle.

Does the MD apply to small NBFCs and RRBs?

Applicability is graded — Top / Upper / Middle Layer NBFCs are in scope; Base Layer is largely out. RRBs and LABs have a separate applicability statement. We confirm scope in the first kickoff workshop.

What does a clean MD audit deliverable look like to RBI?

A clause-by-clause attestation register with evidence references, governance constitution pack, IT-audit charter, and a remediation roadmap — submission-ready for the IT examination.

Do you cover the IT Outsourcing Master Direction in the same engagement?

They are sister directions — most clients run them together. We offer a combined IT-Governance + IT-Outsourcing engagement at a blended fee.

RBI Master Direction · IT Governance, Risk, Controls & Assurance · 2023-24

RBI IT Governance Master Direction Audit

Board IT Strategy Committee to operator-level evidence — audited the way RBI inspectors read it.

Audit against the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (effective 01-Apr-2024). Covers IT governance, IT services management, IT operations, information security, business continuity and IT audit obligations for banks, NBFCs, AIFIs and credit information companies.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI/2023-24/107 dated 07-Nov-2023)
RBI Cyber Security Framework for Banks (Jun 2016, updated)
RBI Master Direction on Outsourcing of IT Services (RBI/2023-24/102 dated 10-Apr-2023)
RBI IT Examination Framework + Annexures
COBIT 2019 (mapped) + ISO 27001:2022
ITIL 4 service-management practices
ISO 22301 (BCP) — mapped where in scope

Why this matters

Compliance is leverage, not paperwork.

RBI Master Direction RBI/2023-24/107 dated 07-Nov-2023 (effective 01-Apr-2024) replaced two decades of fragmented IT-governance guidance with a single, prescriptive direction. The board IT Strategy Committee, IT Steering Committee, CISO independence, IT-services management lifecycle and IT-audit independence are now individually examinable. RBI inspections in 2024-25 have already cited dozens of REs for non-constitution of the IT Strategy Committee or CISO reporting through the CIO. Macksofy's audit produces the governance evidence, control-to-clause map and inspector walk-through pack required for a clean IT examination.

Applicability

Scheduled Commercial Banks (excl. RRBs and LABs as per applicability matrix)
Top, Upper and Middle Layer NBFCs per Scale-Based Regulation
All-India Financial Institutions (NABARD, NHB, EXIM, SIDBI, NaBFID)
Credit Information Companies regulated under CICRA
Boards looking to pre-empt the FY25-26 IT examination cycle
Group entities consolidated under banking-group IT governance

Standards & frameworks

Aligned to the regulations that matter.

RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (RBI/2023-24/107 dated 07-Nov-2023)

RBI Cyber Security Framework for Banks (Jun 2016, updated)

RBI Master Direction on Outsourcing of IT Services (RBI/2023-24/102 dated 10-Apr-2023)

RBI IT Examination Framework + Annexures

COBIT 2019 (mapped) + ISO 27001:2022

ITIL 4 service-management practices

ISO 22301 (BCP) — mapped where in scope

Methodology

How we run a RBI IT Gov MD engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 6

1 · Governance baseline

4 activities

Board IT Strategy Committee constitution + charter audit
IT Steering Committee minutes + decision-trail walk
CIO / CISO / Head-IT-Assurance independence test
IT-strategy alignment with business-strategy evidence

01
1 · Governance baseline
- Board IT Strategy Committee constitution + charter audit
- IT Steering Committee minutes + decision-trail walk
- CIO / CISO / Head-IT-Assurance independence test
- IT-strategy alignment with business-strategy evidence
02
2 · IT services & operations
- IT-services management lifecycle review (intake to retire)
- Change, release, configuration, problem, incident management
- Capacity, performance & availability management evidence
- Cryptographic-control inventory + lifecycle
03
3 · Risk, controls & information security
- IT-risk register + risk-acceptance audit trail
- Information-security policy + control-baseline currency
- Vulnerability + patch lifecycle SLA evidence
- Logging + monitoring + SOC capability assessment
04
4 · Business continuity & DR
- BCP / DR policy + tested RTO / RPO evidence
- DR drill cadence + lessons-learned closure
- Cyber-incident scenario in BCP testing
- Critical-system recovery walk-through
05
5 · IT assurance & audit
- IT-audit charter + Head-IT-Assurance independence
- Risk-based IT-audit plan adequacy
- Audit-finding closure + board reporting
- External-audit coverage gap analysis
06
6 · Reporting & inspection pack
- Clause-by-clause compliance attestation
- RBI IT examination walk-through deck
- Remediation roadmap + 30-day retest

Deliverables

Everything you need to satisfy auditors.

Governance constitution pack — IT Strategy + Steering Committee charters
CISO / Head-IT-Assurance independence attestation
Clause-by-clause MD compliance register
IT-services management lifecycle gap report
BCP / DR drill evidence + cyber-scenario test report
IT-audit charter + risk-based plan
RBI IT-examination walk-through deck
Free retest within 30 days + closure letter

Recent engagements

Mid-tier private bank

Pre-IT-examination MD readiness audit

Outcome: IT Strategy Committee re-constituted with independent director; CISO moved out of CIO reporting line; clean RBI IT examination with no major findings

Upper-Layer NBFC (listed)

End-to-end MD audit + board reporting reset

Outcome: Risk-based IT-audit plan rolled out; quarterly IT-Strategy-Committee dashboard live; audit-finding closure cycle compressed from 180 to 60 days

At a glance

The shape of a RBI IT Gov MD engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Board & strategic governance3 pts
IT services management3 pts
IT operations & infrastructure3 pts
Information & cyber security3 pts
Business continuity3 pts
IT assurance & audit3 pts

Pillar 01

Board & strategic governance

IT Strategy Committee, IT Steering Committee and CISO independence — the three things RBI checks first.

IT Strategy Committee constitution + minute trail
IT Steering Committee composition + decisions
CISO reporting line independence from CIO

Pillar 02

IT services management

End-to-end lifecycle from demand intake through retirement — auditable, not anecdotal.

Change / release / configuration evidence
Capacity + performance management
Cryptographic-key lifecycle + HSM controls

Pillar 03

IT operations & infrastructure

The everyday running of the estate the rest of the MD assumes is in place.

Data-centre + DR site operations
Backup, restore, integrity-test cadence
Patch & vulnerability SLA evidence

Pillar 04

Information & cyber security

Cross-mapped to the RBI CSF — the MD pulls security squarely into governance.

ISMS alignment + control baseline
SOC + threat-monitoring capability evidence
Cyber-incident reporting (CSITE 6h / CERT-In)

Pillar 05

Business continuity

Tested RTO / RPO with cyber-incident scenarios in the drill plan.

BCP policy + scenario-based DR tests
Cyber-incident scenario in BCP testing
Critical-system recovery time evidence

Pillar 06

IT assurance & audit

An independent IT-audit function, risk-based plan, and closure traceable to the board.

Head-IT-Assurance charter + independence
Risk-based IT-audit plan + coverage
Audit-finding closure + board reporting trail

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a RBI IT Gov MD engagement. Click any station for detail in the methodology section above.

Week 1

Governance baseline

Week 2

IT services & operations

Week 3

Risk, controls & information security

Week 4

Business continuity & DR

Week 5

IT assurance & audit

Week 6

Reporting & inspection pack

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

01-Apr-2024. RBI inspections from FY25 onwards are testing against it directly — including the constitution of the IT Strategy Committee and CISO independence.

Other audit engagements

RBI IT Outsourcing Master Direction Audit

Vendor risk, cloud, offshoring and concentration — the IT-outsourcing audit RBI expects.

Learn more

RBI Cyber Security Framework Audit

End-to-end RBI CSF audit — control assessment, SAR drafting, inspector defence.

Learn more

SEBI CSCRF Audit

CSCRF audit for stock brokers, depository participants, AMCs.

Learn more

Field notes from RBI IT Gov MD engagements.

Compliance

RBI IT-Governance Master Direction — A 2026 Readiness Checklist for Banks & NBFCs

The RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices is in force from April 2024. Here is a practical, chapter-by-chapter readiness checklist — ITSC, CISO line, patch and change controls, BCP/DR and IS Audit — for the next supervisory cycle.

Read article

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled

Information Security Auditor · India

CERT-In Empanelled
EC-Council ATC · CompTIA Authorized
20,000+ professionals trained
India + UAE engagements