Skip to main contentChat with us

ISO 27001 · RBI

ISO 27001 for Banks & NBFCs:
The RBI Mapping

RBI never says 'get ISO 27001' — it says build board-owned cyber governance, monitor continuously, test relentlessly, and report incidents within hours. That list is an ISMS wearing a supervisory badge. Here is the control-by-control mapping, and the four places RBI asks for more than the standard.

Instruments covered: the Cyber Security Framework for Banks (2016), the Master Direction on IT Governance, Risk, Controls and Assurance Practices (Nov 2023, effective 1 April 2024 — banks and NBFCs), and the outsourcing directions, mapped to ISO/IEC 27001:2022.

2–6 hrsbank incident reporting to RBI
1 Apr 2024Master Direction in effect
8requirement areas mapped below

Maps RBI instruments to ISO 27001:2022 · Auditor-led · Last reviewed July 2026

ISO 27001 certification is not mandated by RBI — but nearly every structural expectation in RBI's cyber instruments maps onto the ISMS, which is why supervised entities use the certificate as their evidence backbone and layer RBI's specifics on top. The Cyber Security Framework for Banks demands a board-approved cyber policy distinct from IT policy, continuous surveillance, and rapid incident reporting; the Master Direction on IT Governance extends governance, risk, and assurance duties to banks and NBFCs. The table below maps each recurring requirement area to the Annex A controls that evidence it — and the FAQs cover what RBI asks that no ISMS generates by itself.

The Crosswalk

RBI Requirement Areas → ISO 27001:2022 Controls

RBI expectationISO 27001:2022 home
Board-approved cyber security policy, distinct from IT policy (CSF for Banks)Clause 5.2 (policy) + A.5.1 — with the distinctness RBI expects made explicit
IT governance: board oversight, IT Strategy Committee, defined roles (Master Direction on IT Governance, effective 1 April 2024)Clauses 5 (leadership) & 9.3 (management review) + A.5.2–A.5.4 (roles, duties)
Cyber Security Operations Centre / continuous surveillanceA.8.15 (logging), A.8.16 (monitoring), A.5.7 (threat intelligence)
Network & infrastructure controls, access managementA.8.20–A.8.23 (network security), A.5.15–A.5.18 + A.8.2–A.8.5 (access)
VAPT and remediation cadenceA.8.8 (technical vulnerability management) + A.8.29 (testing)
Vendor / outsourcing risk (incl. IT outsourcing directions)A.5.19–A.5.23 (suppliers, ICT supply chain, cloud)
Incident response & rapid reporting to RBI (within 2–6 hours of detection for banks)A.5.24–A.5.26 + A.6.8 — with runbooks drilled to the RBI clock
BCP/DR, drills, and cyber-crisis management planA.5.29–A.5.30 (ICT readiness for business continuity) + clause 8

Indicative mapping for planning. RBI compliance is assessed against the instruments themselves; consult the circulars and your supervisory correspondence for binding positions.

RBI × ISO 27001 — Common Questions

Mandate vs evidence, the deltas, and the vendor angle.

Does RBI require ISO 27001 certification?

No RBI instrument makes ISO 27001 certification mandatory across the board. RBI's Cyber Security Framework for Banks (2016), the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (November 2023, effective 1 April 2024, covering banks and NBFCs), and the NBFC IT framework prescribe their own requirements. In practice, RBI-supervised entities and their auditors treat ISO 27001 certification as strong structural evidence — and many RBI expectations (policy, governance, monitoring, VAPT, vendor risk, BCP) map directly onto the ISMS. Evidence, not substitute.

What does RBI require that ISO 27001 does not give us?

Four things recur. Regulatory reporting flows: banks must report cyber incidents to RBI within 2–6 hours of detection, and unusual incidents via the prescribed formats — an ISMS has incident management, but the RBI clock and formats must be drilled in. Board-level governance specifics: the IT Strategy Committee composition and reporting cadence in the Master Direction are prescriptive beyond clause 5. India-specific audit cadences: cyber audits and VAPT frequencies set by circular, plus CERT-In obligations that apply in parallel. And sector instruments — SWIFT-related controls, digital-payment security controls — that have no Annex A twin. Our engagements map all of these alongside the ISMS.

We are an NBFC — which RBI instrument applies to us?

Since 1 April 2024, the Master Direction on IT Governance, Risk, Controls and Assurance Practices covers NBFCs (layered applicability per RBI's scale-based framework), replacing the 2017 NBFC IT Framework's relevant provisions. It expects IT and information-security governance, an ISMS-shaped control set, periodic VAPT, and IS audits. An ISO 27001-certified ISMS gives an NBFC most of the machinery plus a certificate lenders and partners recognize — with the Master Direction's specifics layered on top.

How should a bank's vendor use ISO 27001 with RBI expectations?

RBI's outsourcing directions make the regulated entity accountable for vendor risk — so banks push security diligence down to vendors. A vendor holding ISO 27001 with a scope statement covering the outsourced service shortens that diligence materially (the same logic IRDAI made explicit for insurers in its 2026 guidelines). Write the scope around the service delivered, keep surveillance audits current, and expect banks to verify the certificate rather than just collect it.

Where do CERT-In's directions fit for RBI-regulated entities?

They apply in parallel: the 2022 CERT-In directions (6-hour incident reporting, 180-day log retention, NTP synchronization) bind RBI-supervised entities like any other Indian organization, alongside RBI's own reporting requirements. The practical consequence is a dual-notification runbook — CERT-In and RBI — with logging architecture that satisfies both. See our dedicated CERT-In mapping for the control-level detail.

Related: the India regulatory map, SEBI CSCRF, CERT-In directions, the RBI CSF overview, and the ISO 27001 hub.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations