Guides (24)
Practitioner references — audit methodology per framework and thematic deep-dives across the regulatory landscape. Long-form, source-cited, current as of the publication date noted on each guide.
Audit methodology — by framework
CERT-In Directives + CISG-2025-02 — audit methodology guide
- **Applies to**: any service provider, intermediary, data centre, body corporate, and "any other person" operating in India or providing services to users in India. Includes VPN providers, cloud service providers, virtual asset service…
DPDP Act 2023 + DPDP Rules 2025 — audit methodology guide
India's Digital Personal Data Protection regime is now live in three phases:
EU Artificial Intelligence Act (Regulation (EU) 2024/1689) — audit methodology guide
The EU AI Act and ISO/IEC 42001:2023 are not competing frameworks — they are complementary, and the practitioner-cheap move is to build **one AI management system** that satisfies both. ISO 42001's Clauses 4–10 give you a certifiable…
IRDAI Information & Cyber Security Guidelines 2026 — audit methodology guide
- **Applies to**: all insurers including life, general, and health insurers; Foreign Reinsurance Branches (FRBs); and the broad set of insurance intermediaries — brokers, corporate agents, web aggregators, Third-Party Administrators…
ISO/IEC 27001:2022 + Amd 1:2024 — audit methodology guide
- **Applies to**: any organisation, any size, any sector, anywhere — voluntarily adopted as the global ISMS baseline.
- **Mandatory or voluntary**: voluntary at the standard level. Certification is contractually mandatory in many supplier…
ISO/IEC 42001:2023 (AI Management System) — audit methodology guide
The EU AI Act and ISO/IEC 42001:2023 are not competing frameworks — they are complementary, and the practitioner-cheap move is to build **one AI management system** that satisfies both. ISO 42001's Clauses 4–10 give you a certifiable…
NCIIPC Critical Information Infrastructure Guidelines — audit methodology guide
- **Applies to**: any organisation whose computer resources have been **declared as "Protected Systems"** by gazette notification under Section 70A. As of 2026, declared Protected Systems include ICICI Bank, HDFC Bank, State Bank of…
NIST Cybersecurity Framework 2.0 — audit methodology guide
- **Applies to**: any organisation, any size, any sector, anywhere. The 2.0 update explicitly broadened scope beyond critical infrastructure.
- **Mandatory or voluntary**: voluntary at the federal level in the US. Imposed contractually in…
RBI Cyber Security Framework — audit methodology guide
RBI's cyber security oversight has tightened materially over 2024–2026. Three regulatory instruments now define the audit landscape:
RBI Digital Lending + PA-PG Master Directions — audit methodology guide
- **Applies to**: for Digital Lending — all RBI Regulated Entities (banks, NBFCs, AIFIs) engaged in digital lending, and their Lending Service Providers (LSPs); for Payment Aggregators — all non-bank Payment Aggregators (PAs) and bank PAs…
RBI ITGRCA Master Direction 2023 — audit methodology guide
- **Applies to**: Scheduled Commercial Banks (excluding Regional Rural Banks); Small Finance Banks and Payments Banks; Foreign Banks operating in India through branch mode (on "comply or explain"); NBFCs in the Middle Layer, Upper Layer,…
RBI Master Direction on Outsourcing of IT Services 2023 — audit methodology guide
- **Applies to**: Scheduled Commercial Banks including Foreign Banks operating in India, excluding Regional Rural Banks; Local Area Banks; Small Finance Banks; Payments Banks; Primary (Urban) Co-operative Banks (excluding Tier 1 and Tier…
SEBI CSCRF — audit methodology guide
- **Applies to**: all entities regulated by the Securities and Exchange Board of India (SEBI) — Market Infrastructure Institutions, stock exchanges, depositories, clearing corporations, stock brokers and depository participants, mutual…
SEBI Cloud Services Framework — audit methodology guide
- **Applies to**: all SEBI Regulated Entities (REs) adopting **public, community, or hybrid** cloud services for any system or data within SEBI's regulatory scope. Includes stock exchanges, clearing corporations, depositories, depository…
SOC 2 Trust Services Criteria — audit methodology guide
- **Applies to**: service organisations whose customers entrust them with data — typically SaaS, cloud providers, managed-service providers, data processors, payroll bureaus, claims administrators, fintechs, healthtechs.
- **Mandatory or…
Thematic guides
AI vendor risk for Indian regulated entities
- **The problem in one line**: every Indian regulated entity now has AI in its vendor estate — often **without knowing it** — and the existing TPRM, contract, and inspection frameworks were built for non-AI vendors. The 2026 global TPRM…
Co-lending and multi-lender arrangements — November 2025 provisions
- **The hard timing facts**:
  - **8 May 2025**: RBI (Digital Lending) Directions 2025 notified, consolidating earlier digital lending guidelines.
  - **15 June 2025**: DLA (Digital Lending App) reporting to CIMS becomes operational.
  - …
Cross-border data flows — DPDPA + sectoral overlays for India
- **The problem in one line**: India does not have a single cross-border data transfer regime. DPDPA's **negative-list** approach sits over a patchwork of **sectoral data-localisation rules** that are independently binding, often…
DPDPA Significant Data Fiduciary readiness
- **The hard fact**: the Indian Central Government has not yet designated any organisation as a Significant Data Fiduciary (SDF). Designations are anticipated **after the 13 May 2027 full enforcement date** of DPDPA. Organisations likely…
DPDPA children's data and Section 9 obligations
- **The hard fact**: India's DPDPA defines a "child" as **anyone under 18** — one of the most conservative definitions globally (compare GDPR's 16 with member-state discretion to 13, US COPPA's 13). For most Indian consumer-facing…
DPDPA consent — granularity, withdrawal, and the Consent Manager ecosystem
- **The hard timing facts**:
  - **13 November 2025**: DPBI operational; legacy-data assessment under-recognised pre-DPDPA standards already begin to count against compliance posture.
  - **13 November 2026**: Consent Manager registration…
SEBI CSCRF five-tier model and 2025 amendments
- **The problem in one line**: SEBI CSCRF imposes a **graded compliance model** across **five tiers** of Regulated Entities — Market Infrastructure Institutions (MIIs), Qualified REs, Mid-size REs, Small-size REs, and Self-Certification…
Third-party risk management for India
- **The problem in one line**: a typical Indian regulated entity now has 5–8 distinct third-party / vendor obligations layered on the same vendor portfolio — RBI ITO 2023, RBI Cyber Resilience for PSOs, SEBI Cloud Framework, SEBI CSCRF…
Unified incident reporting across CERT-In, RBI CIMS, SEBI, IRDAI, DPBI
- **The problem in one line**: a single cyber incident at an Indian regulated entity processing personal data can trigger **four to six parallel regulatory notifications** with different timelines, formats, and authorities — and missing…