A complete practitioner checklist for insurers preparing the annual IRDAI board attestation — covering ICF self-assessment completion, evidence package assembly, board resolution requirements, CISO attestation, and the June 29 submission deadline.
Jun 29 Hard Deadline
IRDAI requires the IS Audit report — including board attestation — to be submitted within 90 days of financial year end (March 31). The deadline is June 29 for FY2025-26. Late submission is a regulatory finding.
ICF Self-Assessment
The Information and Cyber Security Framework (ICF) self-assessment is the foundation of the board attestation. All ICF domains must be assessed and scored before the evidence package can be compiled.
| ICF Domain | Key Controls | Assessment Required |
| --- | --- | --- |
| Governance | Cyber policy, board oversight, CISO role | Policy currency, board minutes |
| Risk Management | CRQ, risk register, appetite statement | Risk register update, CRQ output |
| Asset Management | Asset inventory, classification, ownership | Inventory completeness check |
| Access Control | IAM, privileged access, MFA | PAM review, MFA coverage |
| Threat Management | SOC, threat intel, VAPT, pen-test | VAPT report, SOC metrics |
| Incident Response | IR plan, CERT-In reporting, drills | IR plan test date, drill records |
| Third-Party Risk | Vendor assessments, DPA contracts | Vendor register, DPA status |
| Resilience | BCP, DRP, RTO/RPO, DR tests | DR test results, RTO evidence |
ICF self-assessment template obtained from latest IRDAI circular (confirm version is current FY)
All ICF domains assessed by domain owners — not by CISO alone — with supporting evidence references
ICF scores validated by internal audit or an independent reviewer before submission
Domains rated Partial or Non-Compliant have gap remediation plans with target completion dates
Year-over-year ICF score comparison prepared: demonstrating improvement trajectory to IRDAI
ICF self-assessment document signed off by CISO and approved by MD/CEO before board presentation
Evidence Package Assembly
The evidence package must substantiate every ICF score claim. Unsupported scores are treated as non-compliant during IRDAI inspection. Evidence must be contemporaneous — dated within the assessment period.
Governance: Current board-approved cyber security policy (version-controlled, dated), CISO appointment letter, board cyber oversight charter
VAPT: Full VAPT report from CERT-In empanelled firm, re-test confirmation for Critical/High findings, remediation tracker with closure evidence
IS Audit: Complete IS Audit report covering all ICF domains, auditor credentials and engagement letter
Incident Response: IR plan with version date, tabletop exercise or drill records from the past 12 months, any actual incident reports and CERT-In notification records
Access Control: IAM policy, privileged access review evidence (screenshots or export), MFA coverage report
Resilience: DR test results with achieved RTO/RPO vs. target, BCP review sign-off, backup verification records
Third-Party Risk: Vendor risk assessment register, DPA contract status for all critical vendors, any third-party audit reports
Training: Cyber awareness training completion records (% of staff trained, date of last training)
Evidence index document created: maps each ICF domain and control to specific evidence documents with page references
All evidence documents version-controlled, dated, and accessible in a secure evidence repository
Evidence Completeness Warning
IRDAI inspectors routinely request spot evidence for specific ICF controls. If your evidence package is incomplete at submission time, you will not be able to retroactively produce it. Assemble and lock the package at least 2 weeks before the June 29 deadline.
Board Resolution Requirements
IRDAI requires a formal board resolution acknowledging the IS Audit report and the ICF self-assessment. This resolution is the attestation mechanism — it cannot be substituted by an MD/CEO sign-off alone.
Board meeting scheduled before June 29 with IS Audit report and ICF attestation as agenda items (with adequate notice period per Articles of Association)
Board presentation prepared: executive summary of VAPT findings, ICF self-assessment scores, gap remediation plan, and any open regulatory observations
Board resolution drafted for legal review: must explicitly state that the board has reviewed and acknowledged the IS Audit report for FY [year]
Board resolution records the names and DINs of all directors present and voting
Board resolution signed by the Chairperson of the meeting and countersigned by the Company Secretary
Board minutes extract prepared separately from full minutes: used for IRDAI submission
Quorum requirements confirmed and documented: minimum number of independent directors present as required by IRDAI corporate governance norms
Board resolution certified as a true copy by the Company Secretary and seal affixed where required
CISO Attestation
In addition to the board resolution, IRDAI requires a CISO-level attestation confirming the accuracy of the ICF self-assessment and the completeness of the evidence package.
CISO attestation letter drafted on company letterhead: confirms that the ICF self-assessment is accurate to the best of CISO's knowledge
Attestation explicitly references the IS Audit report version, VAPT report reference number, and assessment period
CISO attestation includes a declaration that all material cyber incidents during the assessment period have been disclosed in the IS Audit report
CISO details confirmed: full name, designation, date of appointment, and IRDAI registration/approval reference (if applicable)
CISO attestation signed in wet ink or with a digital signature that meets IRDAI requirements
MD/CEO counter-signature obtained on CISO attestation (required by most IRDAI entities)
CISO attestation reviewed by legal counsel before finalisation to confirm wording meets regulatory expectations
Jun 29 Submission Deadline
The June 29 deadline is a hard regulatory cut-off. Missing it — even by one day — constitutes a compliance failure that must be disclosed in the next regulatory return.
| Activity | Recommended Completion | Owner |
| --- | --- | --- |
| VAPT assessment completed | By Feb 28 | CISO / IT Head |
| VAPT Critical/High remediation | By Mar 31 | IT / Engineering |
| IS Audit report drafted | By Apr 30 | IS Auditor / CISO |
| ICF self-assessment completed | By May 15 | CISO + domain owners |
| Evidence package assembled | By May 31 | CISO / Compliance |
| CISO attestation drafted & reviewed | By Jun 7 | CISO + Legal |
| Board meeting and resolution | By Jun 21 | Company Secretary |
| Submission package finalised | By Jun 26 | Compliance / CISO |
| IRDAI submission deadline | Jun 29 | Compliance |
Submission package compiled: IS Audit report + ICF self-assessment + VAPT report + board resolution extract + CISO attestation + evidence index
Submission package reviewed by legal counsel for completeness and regulatory compliance
IRDAI submission portal access confirmed: login credentials tested, submission category identified
Submission made via IRDAI portal (or physical submission as per current IRDAI instructions) on or before June 29
Submission acknowledgement / receipt obtained and stored as proof of timely submission
Post-submission: submission reference number logged in compliance register with date and submission method
Post-submission: board informed of successful submission at next board meeting or via circular resolution
RiskSage AI Capability
RiskSage AI by CreativeCyber provides structured ICF self-assessment workflows, evidence management, board report generation, and Jun 29 deadline tracking — purpose-built for IRDAI compliance practitioners.