The RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices has been in force since 1 April 2024, and the first full supervisory cycles under it are now landing. It consolidates a decade of scattered IT and cyber circulars into one Board-accountable framework — and the regulated population is wide: scheduled commercial banks (excluding RRBs), small finance and payments banks, top-, upper- and middle-layer NBFCs, credit information companies and the all-India financial institutions. If your last gap assessment predates the Direction, this checklist is where to re-baseline.
The Direction is organised around five themes: IT governance, IT infrastructure and services management, IT and information-security risk management, business continuity and disaster recovery, and information-systems (IS) audit. What changed in spirit is accountability — the Board and its committees now own IT and cyber risk explicitly, with named roles, defined quorum and meeting cadence, and an independent assurance loop. Below we walk each theme as a readiness checklist you can take into a steering-committee review. The clauses are RBI's; the operational framing is ours.
1. IT governance — the Board structures RBI now expects
This is where most gaps surface in supervisory review, because it is structural rather than technical. The Direction expects a Board-approved IT and information-security strategy, a Board-level IT Strategy Committee (ITSC), and an operational IT Steering Committee that reports into it.
- IT Strategy Committee (ITSC): at least three directors, chaired by an independent director with substantial IT expertise; meets at least once a quarter; reviews IT strategy, major IT investments, and alignment of IT with business.
- IT Steering Committee: operational, cross-functional, reports to the ITSC; oversees project prioritisation, budgets, and delivery of the IT strategy.
- A designated Head of IT (CTO or equivalent), sufficiently senior, with documented roles and responsibilities.
- Board-approved IT and IS policies, reviewed at least annually, with a clear policy-exception and review trail.
2. IT infrastructure & services management
This theme operationalises the controls that keep services available, changes safe and access accountable. RBI expects documented, tested processes — not ad-hoc practice — across the following.
| Control area | What 'in place' looks like | Evidence to keep ready |
|---|---|---|
| Change management | Board/steering-approved policy; segregation of dev/test/prod; rollback | Change tickets with approvals, test sign-off, post-implementation review |
| Patch management | Risk-based remediation SLAs by severity and exposure tier; a documented emergency-patch path for actively exploited issues | Patch register, tracking against CISA's Known Exploited Vulnerabilities (KEV) catalogue, exception log with compensating controls and expiry dates |
| Cryptographic controls | Key-management policy; approved algorithms and key lengths; encryption of data at rest and in transit | Crypto inventory, key-rotation records, TLS/certificate posture |
| Audit logging | Centralised, tamper-evident logs; defined retention; review cadence | Log-retention policy, SIEM coverage map, review evidence |
| Capacity & availability | Capacity plan tied to business growth; monitoring & thresholds | Capacity reports, availability metrics against SLA |
IT services management — control areas and the evidence an IS auditor will ask for
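The patch-management row is the one an IS auditor will test with numbers: given a detection date, severity and exposure tier, was the patch applied inside the SLA, or is there an approved exception with a compensating control? The script below is an added example, not code from the Master Direction or from any vendor tool. The SLA matrix, the three-day emergency path for KEV-listed issues, the exposure tiers and the register rows (with placeholder advisory IDs such as ADV-001, not real CVEs) are all assumptions constructed for illustration; an RE sets its own values in its Board-approved patch policy.

```python
"""Patch-SLA compliance check over a patch register.

Added example for illustration only. SLA_DAYS, KEV_SLA_DAYS, the exposure
tiers and SAMPLE_REGISTER are assumptions, not values from the Direction.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA matrix: days allowed to remediate, keyed by (severity, exposure tier).
SLA_DAYS = {
    ("critical", "internet"): 7,
    ("critical", "internal"): 14,
    ("high", "internet"): 14,
    ("high", "internal"): 30,
    ("medium", "internet"): 30,
    ("medium", "internal"): 60,
    ("low", "internet"): 90,
    ("low", "internal"): 90,
}
# Assumed emergency-patch path: anything on the KEV list overrides the matrix.
KEV_SLA_DAYS = 3


@dataclass
class PatchRecord:
    asset: str
    advisory: str          # placeholder ID; a real register would carry the CVE
    severity: str          # critical / high / medium / low
    exposure: str          # internet / internal
    kev: bool              # listed in CISA KEV at detection time
    detected: date
    patched: Optional[date] = None
    exception_ref: Optional[str] = None  # approved exception with compensating control


def sla_days(rec: PatchRecord) -> int:
    """KEV-listed issues take the emergency SLA; everything else uses the matrix."""
    return KEV_SLA_DAYS if rec.kev else SLA_DAYS[(rec.severity, rec.exposure)]


def due_date(rec: PatchRecord) -> date:
    return rec.detected + timedelta(days=sla_days(rec))


def assess(rec: PatchRecord, today: date) -> str:
    """Classify one row: met, late, excepted, open or breached."""
    due = due_date(rec)
    if rec.patched is not None:
        return "met" if rec.patched <= due else "late"
    if rec.exception_ref:
        return "excepted"       # auditor will ask for the compensating control
    return "breached" if today > due else "open"


def summarize(register: list, today: date) -> dict:
    """Count rows per status; this is the headline KRI for the steering committee."""
    counts: dict = {}
    for rec in register:
        status = assess(rec, today)
        counts[status] = counts.get(status, 0) + 1
    return counts


def overdue(register: list, today: date) -> list:
    """(asset, advisory, days overdue) for every unpatched, unexcepted row past its SLA."""
    return [
        (r.asset, r.advisory, (today - due_date(r)).days)
        for r in register
        if assess(r, today) == "breached"
    ]


# Constructed sample register (assumed data, not from any real environment).
TODAY = date(2025, 3, 1)
SAMPLE_REGISTER = [
    PatchRecord("core-banking-web", "ADV-001", "critical", "internet", True,
                date(2025, 2, 20), patched=date(2025, 2, 22)),
    PatchRecord("payments-gw", "ADV-002", "high", "internet", False,
                date(2025, 2, 1), patched=date(2025, 2, 20)),
    PatchRecord("hr-portal", "ADV-003", "medium", "internal", False,
                date(2025, 1, 10)),
    PatchRecord("legacy-db", "ADV-004", "critical", "internal", False,
                date(2025, 1, 1), exception_ref="EXC-2025-004"),
    PatchRecord("vpn-concentrator", "ADV-005", "critical", "internet", True,
                date(2025, 2, 20)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REGISTER, TODAY))
    for asset, adv, days in overdue(SAMPLE_REGISTER, TODAY):
        print(f"BREACH {asset} {adv} overdue by {days} days")
```

Run against the constructed register, the internet-facing VPN concentrator with a KEV-listed issue shows as breached six days past its three-day emergency SLA, while the legacy database shows as excepted rather than breached; the exception itself is the evidence the auditor will then pull.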
3. IT & information-security risk management — the CISO line
The Direction reinforces a sufficiently senior CISO whose reporting line is independent of day-to-day IT operations — so that the person who builds the systems is not the sole person assuring their security. The CISO owns a Board-approved information-security policy and a cyber-crisis management plan, and runs the risk-assessment, vulnerability-management and security-operations functions.
- CISO seniority, an independent reporting line (no direct reporting relationship with the Head of IT) and no business targets assigned to the role, all documented in the org chart and policy.
- Board-approved Information Security policy and Cyber Crisis Management Plan (CCMP), reviewed at least annually.
- A risk-assessment methodology applied to assets, with a maintained risk register and treatment plans.
- Continuous vulnerability management: VAPT on internet-facing and critical internal systems, risk-based remediation SLAs, and re-test evidence showing each finding closed rather than merely ticketed.
- Security operations / monitoring with defined use-cases, KRIs and escalation; third-party and outsourcing risk assessed against the RBI outsourcing expectations.
4. Business continuity & disaster recovery
RBI expects a Board-approved BCP/DR framework with defined recovery-time and recovery-point objectives (RTO/RPO) for critical systems, a tested DR capability, and evidence that drills actually exercise failover — not just confirm the DR site powers on.
- Board-approved BCP and DR policy with business-impact analysis driving RTO/RPO per critical service.
- Periodic DR drills with documented results, gaps and remediation, including at least one realistic failover that runs production load from the DR site, not a tabletop alone.
- Near-site/far-site strategy appropriate to the criticality of services and the data-residency expectations.
5. Information Systems (IS) Audit — the assurance loop
The fifth theme closes the loop: an IS-audit function, overseen by the Board or its Audit Committee, that independently assures the other four. This is the chapter that supervisory teams use to test whether the rest of the framework is real.
- Board/Audit-Committee-approved IS Audit policy and an annual IS-audit plan with coverage mapped to the Master Direction.
- IS audits performed by appropriately skilled auditors (in-house or external), independent of the functions being audited.
- A tracked finding-to-closure process with management responses, target dates and follow-up verification.
Your next 30 / 60 / 90 days
- Re-baseline against the Direction's five themes — a control-by-control gap assessment is the fastest way to know where you stand before supervision does it for you.
- Fix the governance evidence first: ITSC composition, quorum, quarterly cadence and substantive minutes; CISO reporting line; current Board-approved IT/IS/CCMP policies.
- Close the operational-control gaps that auditors test hardest — risk-based patch SLAs, change-management segregation, centralised logging, and a continuous VAPT cadence tied to exposure tiers.
- Validate BCP/DR with a real failover drill and document RTO/RPO attainment per critical service.
- Stand up or refresh the IS-audit plan with explicit Master-Direction coverage, and run a pre-audit dry run on the two weakest themes.
- Map your CISO function and SOC coverage against the cyber-resilience expectations so the IT-governance and RBI Cyber Security Framework reviews tell one consistent story.
How Macksofy helps
As a CERT-In empanelled auditor working across Indian BFSI, Macksofy runs the readiness this Direction demands end to end: a control-by-control gap assessment against all five themes, governance-evidence remediation, continuous VAPT mapped to exposure tiers, SOC and CISO-function design, and IS-audit support. See our RBI IT-Governance audit for the dedicated engagement, the parallel RBI Cyber Security Framework review, continuous VAPT for the vulnerability-management cadence, managed SOC for continuous monitoring and the CISO-as-a-service option, the CERT-In empanelled audit for the empanelled-audit scope, and our BFSI practice for how we tailor all of this to banks and NBFCs.
