BFSI

The RBI ITGRC readiness checklist

RBI's IT Governance, Risk and Compliance (ITGRC) expectations apply to banks, NBFCs and regulated fintech entities. The direction is clear: IT is a board responsibility, risk must be managed continuously, and you must be able to demonstrate all of it. Use this as a working readiness checklist across the seven areas that matter most.

1. IT governance & board oversight

Board-approved IT strategy & policies, reviewed on a defined cadence.
A functioning IT Strategy Committee and clear roles for IT risk.

2. IT & information security risk management

A maintained IT and cyber risk register with owners and treatment plans.
Defined risk appetite and periodic risk assessment.

3. Information & cyber security controls

Access control, encryption, logging and monitoring across critical systems.
Vulnerability management, patching and periodic security testing.

4. Third-party & outsourcing governance

A vendor register with due diligence, contracts and right-to-audit clauses.
Ongoing monitoring of cloud and critical service providers.

5. Business continuity & resilience

BCP/DR plans that are documented and, crucially, tested.

6. Incident management & reporting

An incident-response playbook aligned to RBI and CERT-In reporting windows.

7. Audit, assurance & evidence

Independent IT audit, tracked findings, and an evidence trail ready on demand.

RBI ITGRC shares many controls with DPDP, ISO 27001 and CERT-In. In Niyam these are cross-mapped, so a single implementation counts across all of them. See the BFSI solution →

This checklist is an orientation aid, not regulatory or legal advice. Confirm scope for your entity with a qualified advisor - or talk to our team.

Measure your RBI ITGRC readiness.

Start a free gap analysis across RBI ITGRC, DPDP and CERT-In.