RBI's IT Governance, Risk and Compliance (ITGRC) expectations apply to banks, NBFCs and regulated fintech entities. The direction is clear: IT is a board responsibility, risk must be managed continuously, and you must be able to demonstrate all of it. Use this as a working readiness checklist across the seven areas that matter most.
1. IT governance & board oversight
Board-approved IT strategy & policies, reviewed on a defined cadence.
A functioning IT Strategy Committee and clear roles for IT risk.
2. IT & information security risk management
A maintained IT and cyber risk register with owners and treatment plans.
Defined risk appetite and periodic risk assessment.
3. Information & cyber security controls
Access control, encryption, logging and monitoring across critical systems.
Vulnerability management, patching and periodic security testing.
4. Third-party & outsourcing governance
A vendor register with due diligence, contracts and right-to-audit clauses.
Ongoing monitoring of cloud and critical service providers.
5. Business continuity & resilience
BCP/DR plans that are documented and, crucially, tested.
6. Incident management & reporting
An incident-response playbook aligned to RBI and CERT-In reporting windows.
7. Audit, assurance & evidence
Independent IT audit, tracked findings, and an evidence trail ready on demand.
RBI ITGRC shares many controls with DPDP, ISO 27001 and CERT-In. In Niyam these are cross-mapped, so a single implementation counts across all of them. See the BFSI solution →
This checklist is an orientation aid, not regulatory or legal advice. Confirm scope for your entity with a qualified advisor - or talk to our team.