Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies

Primary statement

The security policy framework operates as a Board-governed structure: (1) two DISTINCT Board-approved policies per RBI ITGRCA GV.9 — an Information Security Policy covering all information assets, and a Cyber Security Policy specifically addressing cyber threats with cyber risk appetite; (2) SEBI CSCRF GV.1 alignment with five cyber resilience goals — Anticipate, Withstand, Contain, Recover, Evolve; (3) derived topic-specific operational policies — authentication and access policy (SEBI PR.1), backup policy, log retention policy (SEBI DE.3); (4) annual review by Board (NIST CSF GV.PO-02); (5) communication and enforcement throughout the organisation; (6) reflection in operational controls — the policy framework is the why; the controls are the how.

Audit-fatigue payoff

A single Board-governed policy framework — a distinct IS Policy and Cyber Security Policy, derived operational policies, annual review, and communication and enforcement evidence — satisfies the policy and governance questions across all 14 contributing frameworks. The auditor's typical set of "show me your policy" questions across SEBI / RBI / ISO / NIST / PCI / SOC 2 collapses to one Board minute trail, one policy library and one annual review cycle. The strictest specification — two distinct policies per RBI ITGRCA GV.9 — is the audit-defensible anchor.

Strictness matrix

Scope
Specification: two distinct Board-approved policies — an Information Security Policy covering ALL information assets across the organisation, and a Cyber Security Policy specifically addressing cyber threats with explicit cyber risk appetite. The scope of each is clearly delineated (no gaps or duplication). Both reviewed annually by the Board.
Ceiling source: rbi_itgrca:ITGRCA.GV.9
Rationale: RBI ITGRCA GV.9 specifies the broadest scope — TWO distinct policies, not one bundled. Other frameworks accept a single cybersecurity policy; ITGRCA explicitly requires the separation. This is the audit-defensible specification for Indian regulated entities and the maturity ceiling for others.
Threshold
Specification: policy substance aligned with the five cyber resilience goals — Anticipate, Withstand, Contain, Recover, Evolve. Each goal must have substantive policy coverage. For MIIs and Qualified REs, ISO 27001 alignment is required. The threshold is binary: missing any of the five goals fails the policy review.
Ceiling source: sebi_cscrf:CSCRF.GV.1
Rationale: SEBI CSCRF GV.1, with its five resilience goals, sets the strictest substantive threshold; five-goal coverage is binary. Other frameworks require "appropriate" or "comprehensive" policy without the five-goal test.
Method
Specification: (1) policy ESTABLISHED based on organisational context, cybersecurity strategy and priorities (GV.PO-01); (2) policy REVIEWED at a planned cadence (annually at minimum); (3) policy UPDATED to reflect changes in requirements, threats, technology and organisational mission; (4) policy COMMUNICATED to all stakeholders; (5) policy ENFORCED via operational controls and consequence management. The lifecycle is summarised by four verbs: establish, review, communicate, enforce. NIST CSF 2.0 GV.PO-02 articulates the full policy lifecycle.
Ceiling source: nist_csf:GV.PO-02
Rationale: NIST CSF 2.0 GV.PO-02 is the most prescriptive articulation of the policy lifecycle. The four-verb model (establish / review / communicate / enforce) is the audit-defensible specification.
Frequency
Specification: policy review annually at minimum by the Board (SEBI CSCRF GV.1 + RBI ITGRCA GV.9 + NIST GV.PO-02). Re-papering trigger: on material change (new threat landscape, new framework, new product / geography, post-incident learning). Communication refresh: annual mandatory awareness training including a policy refresh. Operational policy updates: continuous, through change management integration.
Ceiling source: sebi_cscrf:CSCRF.GV.1
Rationale: Annual Board review is the universal floor. SEBI CSCRF GV.1 makes the cadence explicit and Board-bound; RBI ITGRCA GV.9 reinforces it. The annual-by-Board cadence is the audit-defensible reference.
Evidence
Required evidence:
(1) Information Security Policy document, Board-approved, with current version;
(2) Cyber Security Policy document, separately Board-approved and distinct from the IS Policy;
(3) scope mapping showing how the two policies complement each other (no gaps or duplication);
(4) Board minutes evidencing policy approval and annual review;
(5) policy version history with change rationale;
(6) communication evidence — awareness training records, internal communications, policy attestation records;
(7) derived operational policy library — auth/access, backup, log retention, vendor, incident response, etc.;
(8) enforcement evidence — disciplinary records, exception management, deviation tracking.
Ceiling source: rbi_itgrca:ITGRCA.GV.9
Rationale: The RBI ITGRCA GV.9 evidence list is the most comprehensive for the policy framework. The dual-policy plus scope-mapping requirement is uniquely strict: most organisations have a single cybersecurity policy and have not separated the two.

Auditor test pattern

Step 1: Verify the existence of TWO distinct Board-approved policies (IS Policy + Cyber Security Policy per RBI ITGRCA GV.9).
Step 2: Inspect the scope mapping to verify no gaps or duplication.
Step 3: Inspect Board minutes for evidence of substantive policy approval discussion (not just a rubber stamp).
Step 4: Verify alignment with the SEBI CSCRF five resilience goals (Anticipate, Withstand, Contain, Recover, Evolve).
Step 5: Inspect annual review records.
Step 6: Sample one operational area (e.g., access control) and trace from policy to operational policy to control execution.
Step 7: Verify communication evidence — awareness training includes a policy refresh.

Common findings

Common 2024–26 findings:
(1) Cybersecurity Policy folded into the IT Policy rather than kept separate (fails ITGRCA GV.9);
(2) Annual review attended only by a BAU committee, with no Board ratification trail;
(3) Five resilience goals not explicitly addressed — policy structured by legacy domains rather than by goals;
(4) Derived operational policies referenced but not updated when the umbrella policy changed;
(5) Communication evidence absent — policy approved but the workforce unaware of it;
(6) Cybersecurity strategy referenced in the policy but no strategy document exists;
(7) Cyber risk appetite stated in the policy but never quantified or used to drive operational decisions.