RBI Cyber Resilience Framework: a practical SOC compliance checklist
The RBI Cyber Resilience Framework reads like a wish-list when you first open it. The useful question is not “are we compliant?” but “which line items does a managed SOC actually satisfy, and which do I still own?” Here is the honest mapping.
What a managed SOC covers outright
These controls are exactly what a Security Operations Center exists to deliver. If your SOC is doing its job, you can mark them as in-scope with evidence:
- Continuous surveillance (24×7). A detection engine plus an on-call rotation watching every stream, not a dashboard someone checks in the morning.
- Real-time threat defence. Pre-built rules for brute-force, mass-deny bursts, exposed admin surfaces and threat-intel hits, firing as events arrive.
- Logging and monitoring. Firewall, server, web and SNMP logs ingested with defined retention — the audit substrate the rest of the framework assumes.
- Incident response and reporting. Alerts rolled into incidents with an audit timeline, plus weekly and signed monthly reports.
- CERT-In information sharing. Incident notifications in the CERT-In format, with a threat-intel feed kept current.
- Network security visibility. Per-device health, so a firewall that silently stops shipping logs raises an alert instead of a blind spot.
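The per-device health check in the last item, as an added example that is not Hello SOC's code or anything from the original page. It assumes constructed log lines of the form '<ISO-8601 UTC timestamp> <source> <message>' and a per-source tolerated-silence policy (assumed values) so that a firewall that stops shipping logs, or a device that never logged at all, is reported rather than left as a blind spot:

```python
# Added example, not Hello SOC's code: flag log sources that have gone silent.
# Assumes constructed lines of the form '<ISO-8601 UTC timestamp> <source> <message>'.
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: fw-edge-01 stops shipping logs after 09:02.
SAMPLE_EVENTS = """\
2024-05-01T09:00:10Z fw-edge-01 deny tcp 203.0.113.5 -> 10.0.0.4:22
2024-05-01T09:01:40Z fw-edge-01 accept tcp 10.0.0.8 -> 10.0.0.4:443
2024-05-01T09:02:05Z fw-edge-01 deny tcp 203.0.113.5 -> 10.0.0.4:22
2024-05-01T09:20:00Z web-01 GET /login 200
2024-05-01T09:25:30Z web-01 GET /login 401
2024-05-01T09:27:00Z app-srv-01 sshd session opened for user svc
2024-05-01T09:28:45Z core-sw-01 snmp linkDown ifIndex=12
""".splitlines()

# Longest tolerated silence per source, in minutes (assumed policy values,
# set from each device's normal log rate). Every expected source is listed,
# so a device that never logged at all is caught as well.
MAX_GAP_MINUTES = {"fw-edge-01": 5, "web-01": 10, "app-srv-01": 15, "core-sw-01": 30}


def parse_event(line):
    """Return (timestamp, source) for one log line."""
    ts, source, _ = line.split(" ", 2)
    return datetime.strptime(ts, TS_FORMAT), source


def last_seen(lines):
    """Latest event timestamp per source."""
    seen = {}
    for line in lines:
        ts, source = parse_event(line)
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(lines, now_iso, max_gap=MAX_GAP_MINUTES):
    """Sources silent longer than their tolerated gap -> whole minutes of
    silence; a configured source with no events at all maps to None."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    seen = last_seen(lines)
    silent = {}
    for source, limit in max_gap.items():
        if source not in seen:
            silent[source] = None
        else:
            gap = int((now - seen[source]).total_seconds() // 60)
            if gap > limit:
                silent[source] = gap
    return silent
```

Run against a live feed, the check is evaluated on a schedule with the current time as `now_iso`; a non-empty result is the alert.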
What a SOC only partly covers
These need a complementary control from your team. A SOC surfaces the signal; enforcement lives elsewhere:
- Vulnerability management. A SOC sees exposure (admin-exposed services, scanner hits) but does not run authenticated VA scans — pair it with a VA partner.
- Access controls. It detects brute-force and impossible-travel sign-ins; enforcing MFA and AD policy stays in your IAM.
- Data protection. Isolation, encryption and retention are covered; DLP and key management remain on your side.
What sits outside the SOC entirely
- Endpoint security. EDR agents (CrowdStrike, SentinelOne, Sophos) are a separate control.
- Awareness and training. Phishing simulation and staff training belong with a security-awareness vendor.
The trap in RBI audits is claiming full coverage where you only have partial. Mark partial and out-of-scope items honestly — auditors trust a clear boundary far more than a wall of green ticks.
Hello SOC ships a line-by-line RBI mapping for exactly this reason. If you have a specific checklist item to validate, send it to us and we’ll tell you what we ship and what we don’t.
Frequently asked
- Does a managed SOC make a bank fully RBI compliant?
- No. A managed SOC covers the surveillance, logging, detection and incident-reporting requirements of the RBI Cyber Resilience Framework, but controls such as MFA enforcement, endpoint security (EDR), vulnerability scanning and staff awareness training sit with the bank or adjacent vendors. Compliance is the sum of all of these.
- Which RBI framework controls does a SOC directly satisfy?
- Continuous 24×7 surveillance, real-time threat defence, logging and monitoring, incident response and reporting, CERT-In information sharing, and network security visibility are all directly satisfied by a managed SOC like Hello SOC.