Become a Certified GRC Professional (GRCP)

Core concepts: Governance, Risk, and Compliance

The strategic value of an integrated GRC model

Key international standards: ISO 27001/27005 and the NIST Cybersecurity Framework (CSF)

Mapping key regulators: RBI, SEBI, IRDAI, PFRDA, NABARD

Overview of national laws: Digital Personal Data Protection (DPDP) Act 2023, IT Act 2000

Nodal agencies: CERT-In, MHA I4C, DoT

Understanding the “Stacked Compliance” model

Origins: Justice K.S. Puttaswamy (Retd.) v. Union of India

Scope and key definitions: Data Principal, Data Fiduciary, Data Processor

Grounds for lawful processing: Consent vs. “Legitimate Uses”

Rights and duties of Data Principals

Key obligations: “Reasonable security safeguards,” purpose limitation

Privacy notice requirements (multilingual mandates)

Mandatory Personal Data Breach Notification to the Data Protection Board (DPB)

Overview of the IT Act, 2000 and IT Rules, 2021 (Intermediary Guidelines)

CERT-In Directives: 6-hour incident reporting

CERT-In Directives: 180-day log retention

New mandates: Mandatory annual third-party audits and Software Bill of Materials (SBOM)

RBI’s Cyber Security Framework

Consolidation of Master Directions: IT Governance, Outsourcing, and Digital Payments

Intensive focus on Third-Party Risk Management (TPRM) and vendor due diligence

Obligations for intermediaries: Code of Conduct, AML, Internal Compliance

Deep dive: SEBI Cloud Adoption Framework (2023)

Mandated controls: Data localization, MeitY-empanelled CSPs

Technical requirements: Hardware Security Modules (HSM), BYOK/BYOE (Bring-Your-Own-Key/Encryption)

IRDAI (Information and Cyber Security) Guidelines, 2023

The 24 Security Domains for insurance

Regulatory convergence: Mandated NIST framework implementation and dual 6-hour reporting (IRDAI & CERT-In)

PFRDA framework: Protecting subscriber interests and fraud prevention

Core philosophy: “Never Trust, Always Verify”

Key tenets: Assume Breach, least privilege access, micro-segmentation

ZTA as a GRC strategy for managing cloud, WFH, and vendor risk

Moving from traditional risk registers to threat-informed defense

Using MITRE ATT&CK (Adversarial Tactics, Techniques, and Procedures)

Practical application: Gap analysis, prioritizing security controls, and threat modeling

RBI’s ‘FREE-AI’ (Framework for Responsible and Ethical Enablement of AI)

The “7 Sutras” (Guiding Principles), including ‘Understandable by Design’ (Explainability)

New GRC domains: Auditing for model risk, data risk, and algorithmic bias

MHA I4C: Nodal point for coordinating with Law Enforcement Agencies (LEAs)

DoT Sanchaar Saathi portal: Citizen-centric fraud reporting

Using “Chakshu” reports as a public threat intelligence source for brand protection

The SOC as the central command for monitoring, detection, and response

Core technology: SIEM (Security Information and Event Management)

Using SIEM to generate evidence for CERT-In’s 180-day log retention mandate

Incident Response (IR) Playbooks as the core GRC document

Key technologies: DFIR (Digital Forensics) and SOAR (Security Orchestration, Automation, Response)

SOAR as the automation engine to meet the 6-hour CERT-In reporting deadline

Building a hybrid Risk Management Framework (RMF)

Synthesizing frameworks: Using NIST RMF as the “chassis”

Integrating DPDP data mapping, MITRE TTPs, and ZTA controls into a single unified risk register

Managing the new mandatory annual CERT-In cybersecurity audits

The GRC professional as a “translator” between technical, legal, and business units

Critical skill: Communicating risk to the Board and justifying budgets, as required by RBI, SEBI, and IRDAI