RBI's Cyber Security Framework circular sets a baseline that every bank, NBFC and co-operative bank must meet. This checklist converts the circular into ~50 binary questions an internal audit team can run in an afternoon — surfacing the gaps that will fail the next ITGC / RBI inspection.

1. Governance

Board-approved cybersecurity policy reviewed annually
CISO designated, reports outside CIO line, attends board cyber agenda
Cyber Crisis Management Plan (CCMP) signed-off and tabletop-tested annually
Information Security Committee meets at least quarterly with documented minutes

2. Identify

Inventory of all IT and OT assets, refreshed quarterly
Inventory of digital channels (mobile, internet banking, BBPS, UPI integrations)
Risk register classifies cyber risks with named owners
Critical-vendor register with cybersecurity terms in contracts

3. Protect

MFA enforced on all administrative + privileged accounts
Privileged Access Management (PAM) solution in production
End-user devices encrypted at rest
Network segmentation between corporate, branch, payments and DC environments
DLP deployed on email + endpoints + cloud SaaS
Patch SLAs documented per asset class — and met
Quarterly access-recertification on critical applications

4. Detect

24×7 SOC (in-house or managed) with documented use-case catalogue
SIEM ingest covers AD, email, EDR, firewall, payments and SWIFT logs
MITRE ATT&CK-mapped detection coverage measured at least quarterly
MTTD / MTTR measured and reported to CISO

5. Respond

Incident response runbook covers ransomware, BEC, fraud, payments incidents
DFIR retainer with named provider and 30-minute SLA
CERT-In incident-reporting template pre-filled and ready
RBI incident-reporting + customer-communication templates approved by Legal

6. Recover

RPO / RTO defined per critical application + tested annually
Backup architecture follows 3-2-1 with one immutable / offline copy
DR drill on tier-0 systems performed at least annually
Lessons-learned + remediation tracking after every incident

7. Pentest, VAPT and Assurance

Independent VAPT every 6 months on internet-facing applications
Manual penetration testing on payment systems annually
Mobile-app pentest each release
All findings retested with documented closure evidence
VAPT provider is CERT-In empanelled

Score it.

Award 1 point per checked item. Below 35 / 50 means a focused 90-day remediation programme is needed before the next inspection. 35–42 is recoverable with disciplined sprints. 43+ is audit-ready.

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.