Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
Primary statement
NOTE: Despite the legacy cluster name "supplier-policy", this cluster's controls address the Board-approved policy framework and the operational controls derived from it (authentication, access, backup, log retention, teleworking), not supplier management. The synthesised requirement: (1) two distinct Board-approved policies per RBI ITGRCA GV.9, an Information Security (IS) Policy and a separate Cyber Security Policy; (2) a Board IT/cyber governance role per RBI ITGRCA GV.8; (3) a Board-approved Cybersecurity and Cyber Resilience Policy per SEBI CSCRF GV.1, aligned with the five cyber resilience goals; (4) operational policies derived from the framework, covering authentication, access, backup, log retention and teleworking; (5) an annual review, communication and enforcement cycle. The cluster is the upstream policy foundation; downstream control clusters draw from it.
Audit-fatigue payoff
A coherent Board-approved policy framework (IS Policy, Cyber Security Policy, the derived operational policies, annual Board review, and communication and enforcement evidence) answers the policy-and-governance questions of every framework contributing to this cluster with a single evidence set. NOTE FOR AUDIT: practitioners looking for "supplier policy" content should refer to the clusters cl-third-party-due-diligence and cl-supplier-management, where the actual supplier-management controls reside.
Strictness matrix
Scope
Scope: two distinct Board-approved policies: an Information Security Policy covering all information assets, and a Cyber Security Policy addressing cyber threats and stating an explicit cyber risk appetite. A scope mapping between the two ensures there are no gaps or duplication. Both are reviewed annually by the Board.
Ceiling source: rbi_itgrca:ITGRCA.GV.9
Rationale: RBI ITGRCA GV.9 specifies the broadest scope — two distinct policies. This is the audit-defensible specification for Indian regulated entities and the maturity ceiling for others.
Threshold
Threshold: policy substance aligned with the five cyber resilience goals (Anticipate, Withstand, Contain, Recover, Evolve). Each goal must have substantive policy coverage; a policy that omits any of the five fails review.
Ceiling source: sebi_cscrf:CSCRF.GV.1
Rationale: SEBI CSCRF GV.1 five-goal alignment is the strictest substantive threshold.
Method
Method: (1) the Board approves the IT strategy and policy, monitors IT/cyber risk against the stated appetite, and oversees IS Audit findings; (2) the Board has IT expertise among its members; (3) Board minutes evidence substantive discussion, not merely receipt of reports; (4) derived operational policies (authentication/access, backup, log retention, teleworking) flow from the framework; (5) annual review with Board sign-off; (6) communication and enforcement through awareness training and operational controls.
Ceiling source: rbi_itgrca:ITGRCA.GV.8
Rationale: RBI ITGRCA GV.8 specifies the most prescriptive Board governance method, including the substantive-discussion test and IT expertise requirement.
Frequency
Frequency: annual Board review at minimum, plus re-papering on material change. Operational policy updates flow through change management. Communication refresh: annual mandatory awareness training. Board IT/cyber discussion: at minimum annual; more frequent for critical entities.
Ceiling source: rbi_itgrca:ITGRCA.GV.9
Rationale: annual Board review, as required by RBI ITGRCA GV.9, is the minimum review frequency across the contributing frameworks.
Evidence
Required evidence: (1) IS Policy document, Board-approved; (2) Cyber Security Policy document, separately Board-approved; (3) scope mapping between the two; (4) Board minutes evidencing substantive discussion, approval and annual review; (5) the library of derived operational policies; (6) communication and enforcement evidence: awareness training records, staff attestations, deviation tracking.
Ceiling source: rbi_itgrca:ITGRCA.GV.9
Rationale: RBI ITGRCA GV.9 evidence list is comprehensive for the policy framework. The dual-policy specification is uniquely strict.
Auditor test pattern
Step 1: Verify that two distinct Board-approved policies (IS Policy and Cyber Security Policy) exist, per RBI ITGRCA GV.9. Step 2: Inspect Board minutes for substantive discussion, not merely receipt of reports. Step 3: Inspect the scope mapping between the IS and Cyber Security policies for gaps or duplication. Step 4: Sample one derived operational policy (e.g., authentication), trace its requirements back to the umbrella framework, and confirm it has been kept current with the umbrella's latest approved version. Step 5: Verify annual review evidence and communication evidence (awareness training, attestations).
Common findings
Common 2024–26 findings: (1) a single combined IT/security policy rather than two distinct Board-approved policies; (2) the annual review is performed by a business-as-usual management committee rather than by the Board in substantive session; (3) operational policies are referenced by the umbrella but not kept current with it; (4) communication evidence is absent and the workforce is unaware of the policies; (5) legacy cluster naming confusion: practitioners expecting supplier-management content should refer to cl-third-party-due-diligence instead.