What is RBI ITGRC and Why It Matters
The Reserve Bank of India’s Information Technology Governance, Risk and Compliance (ITGRC) framework establishes the minimum governance and risk management standards that regulated entities — banks, NBFCs, cooperative banks, payment aggregators — must implement for their IT systems and data.
ITGRC is not a single circular. It is a composite framework drawing from:
- RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023)
- RBI Cybersecurity Framework for Banks (2016, updated 2021)
- RBI Digital Payment Security Controls (2021)
- RBI Guidelines on IT Outsourcing
- RBI Master Direction on Outsourcing of Financial Services
For BFSI compliance teams, ITGRC represents the foundational governance structure within which all other regulatory obligations — including DPDP — must operate.
The Four Pillars of RBI ITGRC
Pillar 1: IT Governance
Governance under ITGRC requires:
- Board-level IT Committee: A dedicated IT Strategy Committee or IT Sub-Committee of the Board, with responsibility for reviewing IT strategy, approving IT risk appetite, and overseeing major IT initiatives.
- IT Steering Committee: An executive-level committee chaired by the CEO or MD, responsible for operationalising the Board’s IT strategy, reviewing IT risk reports, and making resource allocation decisions.
- Chief Information Officer: A designated CIO with clearly defined responsibilities, reporting lines, and authority over IT strategy and architecture.
- IT Audit: The internal audit function must have IT audit capability (either a dedicated IT audit team or externally sourced capability) with direct access to the Audit Committee.
Pillar 2: IT Risk Management
Risk management under ITGRC requires a formal IT Risk Management Framework covering:
- Risk identification: Systematic identification of IT risks including cyber, operational, outsourcing, and data risks
- Risk assessment: Quantitative or qualitative risk assessment with defined risk appetite thresholds
- Risk treatment: Documented treatment plans for all identified risks above appetite
- Risk monitoring: Ongoing monitoring with Key Risk Indicators (KRIs) and reporting to governance committees
- Risk reporting: Regular risk reports to the IT Steering Committee and Board IT Committee
Pillar 3: IT Controls
Controls under ITGRC are organised across 12 control domains:
| Domain | Key Requirements |
|---|---|
| Access Management | Role-based access, privileged access management, annual access review |
| Change Management | Formal change request, testing, approval, and rollback procedures |
| Incident Management | Incident classification, response procedures, escalation matrix |
| Problem Management | Root cause analysis, known error database, trend analysis |
| Capacity Management | Resource monitoring, capacity planning, threshold alerts |
| Availability Management | Uptime targets, monitoring, reporting to business |
| IT Asset Management | Complete hardware/software inventory, lifecycle management |
| Configuration Management | CMDB, baseline configurations, drift monitoring |
| Business Continuity | BCP/DR documentation, testing, recovery time objectives |
| Vendor/Third Party | Due diligence, contracts, periodic review, exit planning |
| Data Management | Data classification, retention, disposal, quality management |
| Security Management | (Covered separately under Cybersecurity Framework) |
Pillar 4: IT Assurance
Assurance under ITGRC requires:
- Annual IT audit covering all material IT systems and controls
- IT General Controls (ITGC) assessment for all systems in scope for financial reporting
- Third-party assessments for critical systems — penetration testing, vulnerability assessment
- Regulatory submissions — IS Audit Report and IT Report to RBI as per prescribed formats
DPDP Intersection with ITGRC
The DPDP Act 2023 and ITGRC overlap significantly. Enterprises implementing both must ensure they are not running parallel, disconnected programmes:
| DPDP Obligation | ITGRC Control Domain | Integration Point |
|---|---|---|
| Security safeguards (§8) | Security Management | Shared control framework |
| Data breach notification | Incident Management | Incident classification to include privacy breaches |
| Storage limitation | Data Management | Retention schedule and deletion procedures |
| Vendor/processor obligations | Vendor Management | DPA requirements added to vendor contracts |
| DPIA for high-risk processing | IT Risk Management | Privacy risk embedded in IT risk framework |
| Access control for personal data | Access Management | Role-based access to PII systems |
The CreativeCyber DPDP Assurance Platform’s Gap Assessment module cross-maps DPDP Act obligations to RBI ITGRC control domains, allowing a single assessment to identify gaps against both frameworks simultaneously.
Assess your compliance against RBI ITGRC
The CreativeCyber DPDP Assurance Platform includes RBI ITGRC as a mapped control pack — run a gap assessment, generate evidence, and produce audit-ready reports.