Volume 03 · Compliance

How e91 ISP maps to India's regulatory frameworks

A practical reference mapping e91 ISP's capabilities to the specific identity-related clauses in DPDP, RBI CSCRF, SEBI, IRDAI, CERT-In Directions, and international standards. Built for CISOs, compliance officers, and auditors who need to produce evidence quickly.

Frameworks covered: 8 frameworks
Control mappings: 60+ clauses
Last reviewed: April 2026
Document type: Reference library

How to read this document

This library maps identity-related controls from each framework to specific e91 ISP capabilities. It is a reference tool, not a legal opinion. Regulatory language evolves — clause numbers and exact wording should be verified against the latest official circular before use in audit evidence or contractual commitments.

Coverage ratings reflect the product's direct contribution: Direct (e91 ISP substantively satisfies the clause), Supports (e91 ISP provides a meaningful component; other controls may be needed), Contextual (clause is partly identity-adjacent; e91 ISP provides useful evidence).

Frameworks in this library
DPDP · Data Protection
India's Digital Personal Data Protection Act 2023. Consent, residency, access controls, erasure.
Applies to: All organisations processing personal data

RBI CSF · Banking
Reserve Bank's Cyber Security Framework for banks, NBFCs, and payment-system operators.
Applies to: Banks · NBFCs · PAs · PPIs

SEBI CSCRF · Capital Markets
Cybersecurity and Cyber Resilience Framework for regulated capital-market entities.
Applies to: Stock brokers · AMCs · MIIs · RTAs

IRDAI · Insurance
Information & Cybersecurity Guidelines for insurers, reinsurers, and intermediaries.
Applies to: Insurers · Brokers · Agents

CERT-In · National
April 2022 Directions on incident reporting, log retention, and cyber-hygiene baselines.
Applies to: All Indian entities

NCIIPC · Critical Infra
Guidelines for Critical Information Infrastructure — power, telecom, banking, transport.
Applies to: Designated CII operators

NIST 800-63B · International
Digital Identity Guidelines — authenticator types, assurance levels, lifecycle.
Applies to: Reference / global alignment

ISO 27001 · International
Information security management system controls (Annex A, 2022 revision).
Applies to: Enterprise procurement
FRAMEWORK 01

Digital Personal Data Protection Act

The Digital Personal Data Protection Act, 2023 · Government of India

India's foundational data-protection law. Applies to any entity (Data Fiduciary) processing personal data within India or of Indian citizens. While DPDP is framework-agnostic on how controls are implemented, identity security sits at the heart of three obligations: preventing unauthorised access, maintaining accountability records, and enabling secure erasure.

Authority: MeitY · DPB
Applies to: All Data Fiduciaries
Identity-relevant sections: §8, §9, §13
Penalty ceiling: ₹250 Cr per breach
Reasonable security safeguards & access control
§8(5)
Data Fiduciary shall protect personal data by taking reasonable security safeguards to prevent personal data breach.
Direct
What this means
Entities must demonstrate that unauthorised access to personal data is actively prevented, not just policy-stated. Identity-based access control is the foundational technical safeguard regulators look for.
How e91 ISP helps
Multi-factor authentication across all systems handling personal data. Tamper-evident audit logs (SHA-256 chain-hashed) document every authentication attempt. Role-based access control enforces least-privilege at the identity layer.
Evidence produced
Auth logs exportable to regulator-acceptable formats. Coverage reports showing % of systems under MFA. Access-history reports per user.
§8(6)
Notify affected Data Principals and the Data Protection Board of personal data breaches.
Supports
What this means
On a breach, entities must establish scope, affected users, and timelines quickly. Identity access logs are the primary evidence trail for investigations.
How e91 ISP helps
Integrity-verified audit logs survive forensic scrutiny. Per-user access history reconstructs who accessed what and when. Logs align with CERT-In 180-day retention plus DPDP documentation needs.
Evidence produced
Forensic-grade access trails for breach notifications. Chain-of-custody-ready exports with hash verification.
§8(7)
Erase personal data when retention is no longer required — including erasure by Data Processors.
Contextual
What this means
Right-to-erasure and retention-limit enforcement. Identity systems themselves retain user records and credentials — which must be erased when relationships end.
How e91 ISP helps
Cryptographic key erasure for deprovisioned users. Lifecycle workflows tie deactivation to HR events. Configurable log-retention aligned to policy (7-year default, tunable).
Evidence produced
Deletion logs, key-destruction confirmations, retention-policy configuration exports.
Data residency & transfer
§16
Central Government may restrict transfer of personal data outside India to specified countries.
Direct
What this means
Sector regulators (particularly RBI, IRDAI) already enforce strict data localisation. DPDP adds a dynamic restriction list that entities must be able to adapt to quickly.
How e91 ISP helps
100% India-resident deployment as an on-premises, air-gapped, or Indian-cloud option. No default data egress. All cryptographic material, audit logs, and user records stay on customer-controlled infrastructure.
Evidence produced
Deployment architecture document confirming in-country data flow. Data-flow diagram for auditor review.
Accountability & records
§10
Significant Data Fiduciaries must publish processing records, appoint a Data Protection Officer, and conduct Data Protection Impact Assessments.
Supports
What this means
Larger organisations face heightened documentation obligations. Identity platforms are one of the processing systems that must be documented in the DPIA.
How e91 ISP helps
Published data-flow documentation showing exactly what identity-adjacent data e91 ISP stores, for how long, and under what access. Ready-made DPIA input for the identity component of a customer's processing landscape.
Evidence produced
Vendor data-processing attestation. DPIA template contributions for identity flows.
FRAMEWORK 02

RBI Cyber Security Framework

Cyber Security Framework in Banks (2016, with ongoing amendments) · Master Directions on Cyber Resilience and Digital Payment Security Controls (2024) · Relevant extensions to NBFCs, CICs and payment-system operators

RBI's layered cybersecurity regime — the most prescriptive of India's sectoral frameworks. Identity controls (authentication, privileged access, logging, audit) appear throughout the baseline requirements, C-SOC operating model, and incident-reporting expectations. For BFSI customers this is the audit every deal is written against.

Authority: Reserve Bank of India
Applies to: Banks · NBFCs · PAs · PPIs
Identity-relevant areas: Access mgmt · C-SOC · Incident reporting
Audit cycle: Typically annual
Access management & authentication
Annex 1 · Access Mgmt
Implement multi-factor authentication for all privileged users and critical applications.
Direct
What this means
Privileged accounts accessing core banking, payment switches, treasury, and admin consoles must have MFA. Weak authentication is the most commonly cited deficiency in RBI inspection reports.
How e91 ISP helps
Eight authenticator types (TOTP, HOTP, Push, SMS, Email, FIDO2, RADIUS delegation, hardware tokens) cover every RBI-compliant second factor. RADIUS delegation specifically extends MFA to legacy banking systems that don't speak SAML/OIDC.
Evidence produced
Coverage dashboards showing MFA status per system, per user-class. Per-system authentication-strength reports.
Annex 1 · User Access Control
Implement least-privilege access, role-based controls, and periodic access reviews.
Supports
What this means
Users should have the minimum access needed for their role. Access-rights reviews should run quarterly or semi-annually with documented sign-off.
How e91 ISP helps
RBAC roles (Admin / Operator / Auditor / Service). Access review exports by user, role, and system. Integration with existing IdP (Azure AD, LDAP) respects existing group structures — no role duplication.
Evidence produced
Quarterly access-review reports. Role-assignment history. Dormant-account identification.
Annex 1 · Audit Logs
Maintain tamper-evident logs of user activity, privileged access, and security events.
Direct
What this means
Audit logs are the first thing RBI inspectors ask for. They must be tamper-evident, comprehensive, and retrievable within audit timeframes.
How e91 ISP helps
SHA-256 chain-hashed audit log — each entry's hash depends on the previous entry's hash, making tampering computationally detectable. 7-year retention default with automatic archival. Logs stream to SIEM for correlation.
Evidence produced
Integrity-verified log exports. Log-chain verification reports. SIEM forwarding attestation.
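To make the chain-hashing property concrete, here is an added illustration (not e91 ISP's own code or log format) of how a SHA-256 chain-hashed audit log is appended to and verified, and of what a "log-chain verification report" can and cannot prove. The genesis value, the canonical-JSON serialisation and the sample authentication events are assumptions constructed for the example.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed previous-hash for the very first entry

# Constructed sample authentication events (not real log data)
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "user": "alice", "event": "mfa_login", "result": "success"},
    {"ts": "2026-04-01T09:02:10Z", "user": "bob", "event": "mfa_login", "result": "failure"},
    {"ts": "2026-04-01T09:05:42Z", "user": "bob", "event": "mfa_login", "result": "failure"},
    {"ts": "2026-04-01T09:07:00Z", "user": "admin", "event": "role_change", "result": "success"},
]


def canonical(record: dict) -> bytes:
    # Deterministic serialisation: the hash must not depend on key order or whitespace
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(record: dict, prev_hash: str) -> str:
    # Each entry's hash covers its own content AND the previous entry's hash
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "prev_hash": prev}
    entry["hash"] = entry_hash(record, prev)
    chain.append(entry)
    return entry


def verify(chain: list, anchor: Optional[str] = None) -> Optional[str]:
    """Return None if the chain is intact, otherwise a string naming the first failure.
    `anchor` is the tail hash recorded out of band (signed, or forwarded to the SIEM)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return f"sequence gap at position {i}"
        if e["prev_hash"] != prev:
            return f"entry {i} does not link to its predecessor"
        if e["hash"] != entry_hash(e["record"], prev):
            return f"entry {i} content does not match its hash"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return "tail hash differs from the out-of-band anchor"
    return None


def demo():
    chain = []
    for rec in SAMPLE_EVENTS:
        append(chain, rec)
    anchor = chain[-1]["hash"]  # what a signer or the SIEM would have recorded

    # Scenario 1: an interior entry is edited in place; the link to it breaks
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["result"] = "success"
    r1 = verify(tampered)

    # Scenario 2: the editor also re-hashes every later entry to hide the edit
    rehashed = copy.deepcopy(tampered)
    prev = rehashed[0]["hash"]
    for e in rehashed[1:]:
        e["prev_hash"] = prev
        e["hash"] = entry_hash(e["record"], prev)
        prev = e["hash"]
    r2_no_anchor = verify(rehashed)          # internally consistent: passes
    r2_anchor = verify(rehashed, anchor)     # tail no longer matches the anchor: fails
    return verify(chain, anchor), r1, r2_no_anchor, r2_anchor
```

Scenario 2 is the caveat an auditor should ask about: a chain proves integrity only relative to a tail hash held outside the log, so the verification report should state where that anchor lives (a signed checkpoint, or the copy already streamed to the SIEM).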
Cryptography & key management
Annex 1 · Cryptography
Use strong encryption for data at rest and in transit; manage cryptographic keys securely.
Direct
What this means
Cryptographic material (user secrets, session keys, certificates) must be protected in a dedicated key-management system, not stored plainly in application databases.
How e91 ISP helps
Four supported KMS backends: AWS KMS, Azure Key Vault, HashiCorp Vault, local HSM. Automatic key rotation. Post-quantum readiness (ML-KEM, ML-DSA) for forward-looking mandates.
Evidence produced
Key-rotation attestation. KMS integration documentation. FIPS-aligned crypto module usage report.
Incident reporting & C-SOC integration
Annex 2 · C-SOC
Establish a Cyber Security Operations Centre; feed identity-related events for real-time monitoring.
Supports
What this means
The C-SOC needs continuous telemetry including authentication events, privileged-access events, and anomalous login patterns.
How e91 ISP helps
Standard CEF/LEEF/JSON log formats. Direct integrations with Splunk, QRadar, Sentinel, Elastic. Real-time event streaming via syslog/TLS or Kafka. Pre-built detection rules for impossible travel and credential-stuffing patterns.
Evidence produced
SIEM integration runbook. Detection-rule catalogue. Event-volume and coverage reports.
Incident Reporting (CSITE)
Report cybersecurity incidents to RBI within 2–6 hours of discovery; provide root-cause analysis and remediation evidence.
Contextual
What this means
Incident reports require chronology, scope, affected parties, and evidence. Identity-layer forensics is often the fastest route to scope determination.
How e91 ISP helps
Rapid forensic export of authentication trails for the affected period. Anomaly detection alerts often surface incidents faster than downstream systems. Integrity-verified logs support the RCA narrative.
FRAMEWORK 03

SEBI Cybersecurity & Cyber Resilience Framework

Cybersecurity and Cyber Resilience Framework (CSCRF) · Securities and Exchange Board of India

SEBI's CSCRF applies to regulated entities in capital markets — stock brokers, AMCs, Market Infrastructure Institutions (exchanges, clearing corps, depositories), RTAs, and portfolio managers. SEBI has clarified that RBI-equivalent compliance is accepted for entities already regulated by RBI, avoiding duplicate effort. Size categorization (Small/Mid/Large) drives the applicable control intensity.

Authority: SEBI
Applies to: Brokers · AMCs · MIIs · RTAs · PMs
Tiering: Small · Mid · Large REs
Key principle: Zero Trust encouraged
Identify & protect (NIST CSF aligned)
Protect · Access Control
Implement strong authentication and access controls across critical systems, client-facing applications, and back-office operations.
Direct
What this means
CSCRF defines "critical systems" broadly — order-management, risk-management, member portals, custody systems. All need authentication appropriate to risk level.
How e91 ISP helps
Risk-based authentication policies tier auth strength by system criticality. FIDO2 passkeys for high-risk workflows. Zero-trust ready — aligned with SEBI's encouraged posture.
Evidence produced
Authentication-policy documentation per system class. Step-up authentication logs for high-risk actions.
Protect · Data Security
Encrypt data in transit and at rest; protect cryptographic keys; maintain data localisation for regulated activities.
Direct
What this means
SEBI's data-residency expectations align with RBI and DPDP — regulated data processing should happen within India unless specifically permitted.
How e91 ISP helps
Full on-premises or Indian-cloud deployment. All cryptographic keys stay in customer-controlled KMS. TLS 1.3 everywhere; PQC-ready hybrid handshakes available.
Detect & respond
Detect · Continuous Monitoring
Continuously monitor critical systems for anomalous activity, including identity and access anomalies.
Supports
How e91 ISP helps
Real-time event stream to SIEM. Built-in detection for impossible travel, credential stuffing, suspicious elevation. Policy-triggered notifications for SOC analysts.
Respond · Incident Evidence
Maintain incident evidence suitable for regulatory review; preserve log integrity during investigations.
Direct
How e91 ISP helps
Chain-hashed logs are auditor-defensible. Export utilities produce forensically intact evidence bundles.
FRAMEWORK 04

IRDAI Information & Cybersecurity Guidelines

Information and Cybersecurity Guidelines · Insurance Regulatory and Development Authority of India

IRDAI's guidelines cover insurers, reinsurers, intermediaries, and insurance web aggregators. The identity-relevant controls sit primarily in the Access Management, Logging & Monitoring, and Third-Party Risk sections. Insurance policyholder data is considered Sensitive Personal Information under DPDP — so IRDAI controls often overlap with DPDP obligations.

Authority: IRDAI
Applies to: Insurers · Intermediaries
Identity-relevant areas: Access mgmt · Logging · Vendor risk
Reporting cadence: Quarterly
Logical access controls
Access Management
Multi-factor authentication for all administrative access to systems processing policyholder data.
Direct
How e91 ISP helps
Full MFA across all eight authenticator types. Specifically supports step-up authentication for claim settlements, policy modifications, and other high-risk workflows.
Privileged Access
Restrict, monitor, and audit privileged access to policy administration systems and underwriting platforms.
Supports
How e91 ISP helps
Today: MFA gate and RBAC for privileged access paths. Roadmap: full PAM module with session recording (targeted 12 months).
Logging, monitoring & retention
Logging
Maintain logs of user access, privileged operations, and security events for the prescribed retention period.
Direct
How e91 ISP helps
Configurable retention with 7-year default. Integrity-verified exports suitable for IRDAI inspection.
FRAMEWORK 05

CERT-In Directions, April 2022

Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents · CERT-In (Ministry of Electronics & IT)

CERT-In's 2022 Directions apply horizontally across all Indian service providers, intermediaries, data centres, body corporates, and government organisations. The identity-relevant obligations are incident reporting (6-hour window) and log retention (180-day minimum). These are the clauses most auditors will open with.

Authority: CERT-In
Applies to: All Indian entities
Reporting window: 6 hours
Log retention: 180 days minimum
Incident reporting
Direction 1
Report specified cyber incidents to CERT-In within 6 hours of notice or being brought to notice.
Supports
What this means
20 reportable incident types including unauthorised access, identity theft, data breach. The 6-hour clock starts from detection — so detection speed matters as much as reporting speed.
How e91 ISP helps
Pre-configured CERT-In incident categories map to e91 ISP event types. Template-driven incident reports reduce report-prep time. Identity events are often the earliest indicator of the incidents CERT-In expects to hear about.
Log retention & synchronisation
Direction 4
Enable logs of ICT systems and maintain them securely for a rolling period of 180 days within Indian jurisdiction.
Direct
How e91 ISP helps
Logs stored on customer-controlled infrastructure in India by default. Configurable retention well beyond the 180-day floor. Tamper-evident chain preserves evidentiary value.
Direction 3
Synchronise all ICT system clocks to NIC's or NPL's Network Time Protocol server.
Contextual
How e91 ISP helps
NTP configuration is documented in the deployment guide. Time-based tokens (TOTP) depend on accurate clock synchronisation, so clock sync is an operational requirement for e91 ISP itself, not only a compliance checkbox.
FRAMEWORK 06

NCIIPC / Critical Information Infrastructure

National Critical Information Infrastructure Protection Centre · Guidelines for Protection of CII

NCIIPC oversees designated Critical Information Infrastructure in sectors including power, banking, telecom, transport, government, and strategic public enterprises. CII operators face heightened obligations around air-gap deployment, indigenous technology preference, and strict incident reporting. This is the framework that makes air-gap deployment a hard requirement rather than a nice-to-have.

Authority: NCIIPC (under NTRO)
Applies to: Designated CII operators
Deployment mode: Often air-gapped
Indigenous preference: Strong
Air-gap & isolation
Network Isolation
Ensure critical systems operate in isolated/air-gapped networks with no direct internet connectivity.
Direct
What this means
CII operators often run classified networks with zero internet exposure. Most global identity vendors simply cannot deploy in these environments because their products assume cloud callbacks or online verification.
How e91 ISP helps
Full air-gap deployment mode with on-premises notification channels (Ntfy, Gotify, SMSEagle), local KMS, and no outbound connectivity requirements. One of very few modern identity platforms architecturally designed for this.
Evidence produced
Air-gap deployment architecture document. Network-flow audit confirming zero external egress.
Indigenous technology & supply chain
Supply Chain Security
Preference for indigenously developed solutions; evaluate supply-chain risk for foreign-origin software.
Direct
How e91 ISP helps
Made-in-India — designed, built, and supported from India. Source-code escrow available. Standards-based architecture avoids proprietary lock-in.
Evidence produced
Company-origin attestation. Escrow arrangement documentation on request.
FRAMEWORK 07

NIST SP 800-63B · Digital Identity

NIST Special Publication 800-63B · Authentication & Lifecycle Management · National Institute of Standards and Technology

The international reference for digital identity assurance. While not directly mandated by Indian regulators, NIST 800-63B is widely cited as best practice and frequently appears in RFP requirements from sophisticated buyers. Compliance here signals engineering maturity. The framework defines Authenticator Assurance Levels (AAL1, AAL2, AAL3) that scale with risk.

Authority: NIST (US)
Applies to: Reference standard
Assurance levels: AAL1 · AAL2 · AAL3
Relevance: RFPs · global alignment
Authenticator assurance levels
AAL2
Require multi-factor authentication using approved cryptographic techniques.
Direct
How e91 ISP helps
All eight authenticator types meet or exceed AAL2. TOTP, push, and hardware tokens provide the approved combinations.
AAL3
Require proof of possession of a hardware-based authenticator and an authenticator providing verifier impersonation resistance.
Direct
How e91 ISP helps
FIDO2 / WebAuthn Level 2 passkeys satisfy AAL3 requirements — hardware-bound, phishing-resistant, verifier-impersonation-resistant. Hardware-token (HOTP) support complements FIDO2 for environments that require dedicated tokens.
Lifecycle management
§5.1 · Enrolment
Bind authenticators to identities through a process proportionate to the assurance level.
Supports
How e91 ISP helps
Self-service enrolment flow with administrator approval workflows. Binding receipts maintain an audit chain from identity proofing to authenticator issuance.
FRAMEWORK 08

ISO/IEC 27001:2022

Information Security Management Systems · Annex A Controls (2022 revision)

ISO 27001 is the dominant enterprise security certification globally. While Indian sectoral regulators don't mandate it, large enterprise buyers routinely include it in RFP requirements and vendor-risk questionnaires. The 2022 revision consolidated Annex A into four themes: Organizational, People, Physical, and Technological controls. Identity sits mainly in the Technological controls (A.8).

Authority: ISO/IEC
Applies to: Enterprise procurement
Revision: 2022
Identity-relevant clauses: A.5.15 · A.5.17 · A.8.2 · A.8.5
Access control (A.5 · organizational)
A.5.15
Access Control: Rules to control physical and logical access to information.
Direct
How e91 ISP helps
Centralised policy engine for access control. Rule-based authentication flows, conditional policies.
A.5.17
Authentication Information: Management of authentication information.
Direct
How e91 ISP helps
Credentials and cryptographic material managed in dedicated KMS. Rotation, recovery, and revocation workflows documented.
Identity & access (A.8 · technological)
A.8.2
Privileged Access Rights: Allocation and use of privileged access rights shall be restricted and managed.
Supports
How e91 ISP helps
Step-up MFA for privileged actions. RBAC at the authentication layer. Full PAM capabilities on the product roadmap.
A.8.5
Secure Authentication: Secure authentication technologies and procedures shall be implemented based on access restrictions and access control topic-specific policy.
Direct
How e91 ISP helps
This is the clause e91 ISP was built for. All eight authenticator types. Policy-driven selection per application. Phishing-resistant FIDO2 available for highest-risk flows.
A.8.15
Logging: Logs recording activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Direct
How e91 ISP helps
Tamper-evident audit logs with configurable retention. SIEM integration for analysis. Access-restricted log storage.
At a glance

The capability-to-framework matrix

The same e91 ISP capabilities satisfy controls across multiple frameworks. That's the compounding value — one implementation, many compliance wins.

e91 ISP capability: Primary frameworks satisfied

Multi-factor authentication (8 types): DPDP §8(5) · RBI Access Mgmt · SEBI Protect · IRDAI Access Mgmt · NIST AAL2/AAL3 · ISO A.8.5
Tamper-evident audit log (SHA-256 chain): DPDP §8(6) · RBI Audit Logs · CERT-In Direction 4 · IRDAI Logging · ISO A.8.15
RBAC & access reviews: DPDP §8(5) · RBI User Access Control · ISO A.5.15 · A.8.2
India-resident deployment / air-gap: DPDP §16 · CERT-In Direction 4 · NCIIPC Network Isolation · SEBI Data Security
KMS integration + PQC readiness: RBI Cryptography · SEBI Data Security · ISO A.5.17
FIDO2 / phishing-resistant auth: NIST AAL3 · SEBI Protect · RBI Access Mgmt (high-risk)
SIEM streaming & detection rules: RBI C-SOC · SEBI Detect · CERT-In Direction 1 · ISO A.8.16
Made-in-India + source escrow: NCIIPC Supply Chain · GeM procurement · MeitY empanelment path
For your CISO conversation

How to use this library

In discovery. Open with: "Which regulatory frameworks are you reporting against this year?" Point them to the relevant section. That one move differentiates you from vendors who open with feature lists.

In RFPs. Copy the mapping tables directly into RFP responses. Every regulated buyer has a compliance annex — this library gives you pre-filled answers.

In customer conversations with auditors. After a customer deploys, forward this library to their audit team. It positions e91 ISP as a mature vendor and removes a common audit friction point.

As a marketing lead magnet. Gated download on the marketing site. CISOs search for these checklists actively; every download is a warm, self-qualified lead.