Most Indian enterprises operating at scale now live at the intersection of two distinct risk management universes. On one side sit the mandatory frameworks issued by India's sectoral regulators — the Reserve Bank of India, SEBI, IRDAI, and now the Digital Personal Data Protection Act. On the other side sit the globally recognised voluntary standards: ISO 27001, NIST CSF, SOC 2, and their derivatives. The practical challenge is that neither universe acknowledges the other particularly well, and compliance teams are left to build programmes that satisfy both simultaneously.
This article maps both landscapes, compares them directly, and provides a blueprint for building a unified VRM programme that meets India's mandatory regulatory floor while incorporating global best-practice rigour. For enterprises subject to RBI, SEBI, or DPDPA obligations, this is not an academic exercise — it is a compliance requirement with real enforcement consequences.
Why the India vs Global Framework Gap Matters
The stakes of getting vendor risk management wrong have never been higher for Indian enterprises. Regulatory enforcement has intensified across every sector: RBI has issued penalty orders to banks and NBFCs for inadequate vendor oversight, SEBI has tightened its cybersecurity and third-party risk circulars, and the DPDPA 2023 creates personal data accountability that extends directly to your vendor ecosystem.
At the same time, multinational enterprises and export-oriented businesses increasingly face demands from global counterparties and auditors for ISO 27001 certification or SOC 2 reports — frameworks that their Indian regulatory obligations do not neatly substitute for. The result is a growing compliance gap that organisations either paper over or try to run as two parallel programmes, both of which are unsustainable.
The good news: India's regulatory frameworks and global standards are more convergent than they appear at surface level. Both are ultimately trying to answer the same questions — who are your vendors, what access do they have, what could go wrong, and how do you know when it does? The differences are in specificity, enforceability, and scope.
India's Vendor Risk Regulatory Landscape
India does not have a single unified third-party risk management law. Instead, VRM obligations emerge from sector-specific regulations, each with its own scope, definitions, and enforcement mechanisms. Understanding which frameworks apply to your organisation is the first step to building a compliant programme.
RBI Outsourcing Guidelines — The Most Prescriptive Framework
The Reserve Bank of India's outsourcing framework — spanning the Master Direction on Outsourcing of IT Services (2023), the earlier outsourcing guidelines for banks, and separate guidance for NBFCs and payment aggregators — is India's most comprehensive and operationally prescriptive vendor risk regime. It mandates documented due diligence before engagement of any material third party, ongoing monitoring throughout the relationship, defined escalation and exit plans, and board-level oversight for material outsourcing arrangements.
The RBI framework explicitly requires that regulated entities maintain a register of all outsourced activities, conduct periodic risk assessments, and ensure that their right to audit vendors is contractually secured. For IT service providers, data localisation requirements add another layer — vendor contracts must specify where data is stored and processed.
SEBI Third-Party Risk Requirements
SEBI-regulated entities — stock brokers, asset management companies, depositories, mutual fund houses, and market infrastructure institutions — face escalating third-party risk requirements driven by two overlapping regulatory tracks: SEBI's cybersecurity framework circulars and DPDPA-aligned data protection obligations. SEBI's 2023 cybersecurity circular requires regulated intermediaries to maintain a formal TPRM policy, conduct periodic vendor assessments, and document vendor access to critical systems.
DPDPA 2023 — The Cross-Sector Vendor Data Obligation
The Digital Personal Data Protection Act 2023 is the first Indian framework that applies across all sectors. Any organisation that processes personal data — and whose vendors also handle that data — is now a Data Fiduciary with accountability for its Data Processors. This means vendor contracts must include data processing clauses, purpose limitations, security obligations, and data deletion timelines. A vendor without an adequate data processing agreement is a DPDPA compliance gap, regardless of what sector you operate in.
The Ministry of Electronics and IT's DPDPA framework is still being operationalised through rules, but enterprises should be building DPDPA-compliant vendor contracts and assessment processes now — not waiting for enforcement to begin.
Global VRM Standards — ISO 27001, NIST, and SOC 2
Global vendor risk frameworks take a fundamentally different approach from Indian regulations. Where Indian frameworks are mandatory and sector-specific, global standards are voluntary, principle-based, and designed for broad applicability across industries and geographies. This makes them more flexible — and, frankly, more useful as operational frameworks — but it also means they carry no direct regulatory enforcement weight in India.
ISO 27001 — The International Benchmark
ISO 27001's Annex A includes a dedicated supplier relationships domain (A.15 in the 2013 version, integrated into A.5.19–5.22 in ISO 27001:2022) that covers supplier security policies, addressing security within agreements, supplier service delivery management, and managing changes to supplier services. Certification against ISO 27001 requires an organisation to demonstrate that it has systematically identified and managed vendor-related information security risks — which is why global counterparties and enterprise buyers increasingly demand it.
The ISO 27001:2022 standard maps closely to RBI's IT outsourcing requirements, though with less operational specificity. ISO 27001 asks whether you have a supplier security policy; RBI asks exactly what that policy must cover.
NIST CSF — The Operational Risk Framework
The US National Institute of Standards and Technology's Cybersecurity Framework provides a function-based model (Identify, Protect, Detect, Respond, Recover) that many large enterprises use as the backbone of their TPRM programmes. NIST CSF 2.0 added a dedicated Govern function that explicitly addresses supply chain risk management (GV.SC), including vendor identification, risk assessment, contract controls, and ongoing monitoring — aligning closely with what Indian regulators require in practice.
India vs Global Frameworks — A Direct Comparison
The table below maps the key dimensions across which Indian regulatory frameworks and global standards diverge. Understanding these differences is essential for designing a programme that does not inadvertently satisfy one while creating gaps in the other.
| Dimension | India (RBI / SEBI / DPDPA) | Global (ISO 27001 / NIST CSF) |
|---|---|---|
| Enforceability | Mandatory — penalties, licence risk, regulatory action | Voluntary — market-driven adoption, no direct penalties |
| Scope | Sector-specific (banking, securities, insurance, data processing) | Cross-industry, geography-agnostic |
| Specificity | Highly prescriptive — timelines, documentation formats, board escalation thresholds | Principle-based — outcomes defined, methods left to the organisation |
| Due Diligence | Mandated pre-engagement and ongoing — scope defined by regulation | Recommended — scope and frequency at organisational discretion |
| Data Localisation | RBI and DPDPA include data residency requirements for certain categories | No inherent data localisation requirements |
| Audit Rights | Contractually mandated right-to-audit for material vendors under RBI | Best practice recommendation, not mandated |
| Monitoring | Ongoing monitoring required throughout the vendor lifecycle | Continuous monitoring recommended; implementation varies |
| Exit Planning | Material outsourcing arrangements require documented exit and contingency plans | Business continuity planning includes supplier dependencies |
The critical observation from this comparison: where Indian regulations are prescriptive, they set the floor. Where global standards are more expansive — broader risk categorisation, supply chain resilience — they raise the ceiling. A unified programme uses India's specificity as the compliance baseline and global best practices as the operational enhancement layer.
Building a Unified VRM Programme That Satisfies Both
The goal is a single VRM programme — one vendor register, one risk assessment methodology, one set of controls — that demonstrably satisfies India's regulatory requirements and meets global standards simultaneously. Here is the five-phase approach that works in practice.
Map Your Regulatory Obligations
Identify which Indian frameworks apply to your organisation (RBI, SEBI, IRDAI, DPDPA) and which global standards you are targeting (ISO 27001, NIST CSF, SOC 2). Build a unified control mapping that shows where requirements overlap and where gaps exist. This mapping becomes the foundation of your programme design.
Classify Vendors by Criticality and Regulatory Exposure
Not all vendors carry the same risk. Material outsourcing under RBI, critical IT vendors under SEBI, data processors under DPDPA, and strategically critical suppliers all require different treatment. Build a tiered classification model that triggers the appropriate due diligence depth, monitoring frequency, and contractual requirements for each tier.
Standardise Due Diligence Across Frameworks
Design a single due diligence questionnaire and assessment process that covers RBI's financial health, legal standing, and IT security requirements, DPDPA's data processing clauses, and ISO 27001 supplier security controls. One assessment that satisfies multiple frameworks is significantly more efficient than running parallel processes.
Build Contractual Controls That Satisfy Both Layers
Vendor contracts for regulated entities must include: RBI-compliant outsourcing clauses (right to audit, data localisation, sub-outsourcing controls), DPDPA-compliant data processing agreements (purpose limitation, deletion obligations, breach notification), and ISO 27001-aligned security annexures (incident reporting, access controls, BCP requirements). A single master service agreement template that covers all three is the practical solution.
Implement Continuous Monitoring With Regulatory Coverage
Both Indian regulations and global standards require ongoing vendor monitoring — but Indian frameworks are specific about what must be monitored. Implement automated monitoring for GST status, MCA filing compliance, financial health signals, litigation events, and regulatory action. Layer global threat intelligence and performance monitoring on top for a complete picture.
Continuous Monitoring — Where Most Indian VRM Programmes Fall Short
The most common gap in Indian enterprise VRM programmes is not at onboarding — it is in the lifecycle. Due diligence at vendor onboarding is now widely practised. What remains inadequate is the monitoring of vendor risk status throughout the relationship.
RBI's outsourcing guidelines explicitly require "periodic review" of all material outsourcing arrangements and immediate escalation when a vendor's risk profile changes materially. SEBI's cybersecurity framework requires ongoing monitoring of critical IT vendors. The DPDPA creates accountability for vendor data handling throughout the processing lifecycle — not just at the point of contract signing. ISO 27001 requires "regular monitoring, review and audit of supplier service delivery."
In practice, most organisations conduct vendor reviews annually — and only for a fraction of their vendor base. The NIST Cybersecurity Framework's supply chain guidance is explicit that periodic assessments are insufficient for high-criticality vendors: continuous monitoring is required. The operational question is how to do this at scale without proportionally scaling the compliance team.
Technology is the only scalable solution. Manual monitoring of even a few hundred vendors across all relevant data sources is operationally infeasible. Purpose-built TPRM platforms that aggregate Indian regulatory data sources (GST Portal, MCA21, SEBI enforcement database, eCourts) with global intelligence feeds now represent the practical standard for compliant organisations.
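The five-phase approach above and this section both come down to a small set of rules: derive a vendor's tier from its regulatory exposure, derive the contract clauses that exposure demands, and decide for each monitoring signal whether it is an immediate escalation or a note for the next scheduled review. The block below is an added illustration written for this article; it is not Crest's code and not any regulator's published logic. The tier names, review intervals, clause identifiers, event types and the sample vendors are assumptions chosen for the example, and the escalation thresholds are one possible policy, not the RBI's or SEBI's.

```python
"""Vendor tiering, contract-clause gap check and monitoring triage.

Added example for the article; not Crest's code, not regulator logic.
Tier names, review cadences, clause ids and event types are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vendor:
    name: str
    material_outsourcing: bool      # material outsourcing arrangement (RBI framing)
    critical_system_access: bool    # access to critical systems (SEBI framing)
    processes_personal_data: bool   # acts as a Data Processor (DPDPA framing)


def classify(v: Vendor) -> str:
    """Assumed three-tier model: the highest-exposure attribute decides the tier."""
    if v.material_outsourcing or v.critical_system_access:
        return "tier1"
    if v.processes_personal_data:
        return "tier2"
    return "tier3"


# Assumed review cadence per tier (days between scheduled reviews).
REVIEW_DAYS = {"tier1": 90, "tier2": 180, "tier3": 365}
TIER_RANK = {"tier1": 1, "tier2": 2, "tier3": 3}   # 1 = highest criticality


def required_clauses(v: Vendor) -> set[str]:
    """Clauses the single master agreement must carry, from regulatory exposure."""
    clauses = {"incident_reporting"}                 # baseline security annexure
    if v.material_outsourcing:                       # RBI-style outsourcing clauses
        clauses |= {"right_to_audit", "data_localisation",
                    "sub_outsourcing_controls", "exit_plan"}
    if v.critical_system_access:                     # SEBI-style access controls
        clauses |= {"access_controls", "right_to_audit"}
    if v.processes_personal_data:                    # DPDPA-style processing terms
        clauses |= {"purpose_limitation", "deletion_obligations",
                    "breach_notification"}
    return clauses


def contract_gaps(v: Vendor, signed_clauses: set[str]) -> set[str]:
    """Required clauses that the signed contract does not evidence."""
    return required_clauses(v) - signed_clauses


# Assumed event types from the feeds the article names (GST status, MCA
# filings, litigation, regulatory action, financial health). Each maps to the
# lowest tier for which it is an immediate escalation; vendors below that tier
# get the event deferred to their next scheduled review.
ESCALATE_AT_OR_ABOVE = {
    "gst_cancelled": "tier3",            # any tier: escalate now
    "regulatory_action": "tier3",
    "mca_filing_default": "tier2",
    "litigation_filed": "tier1",
    "financial_health_downgrade": "tier1",
}


def triage(v: Vendor, events: list[dict], today_iso: str) -> dict:
    """Split events into escalations and deferrals; compute the next review date."""
    tier = classify(v)
    today = date.fromisoformat(today_iso)
    escalate, defer = [], []
    for e in events:
        threshold = ESCALATE_AT_OR_ABOVE.get(e["type"])
        if threshold is None:
            continue                                 # unknown feed: ignore
        if TIER_RANK[tier] <= TIER_RANK[threshold]:
            escalate.append(e["type"])
        else:
            defer.append(e["type"])
    next_review = today + timedelta(days=REVIEW_DAYS[tier])
    if escalate:
        next_review = today                          # bring the review forward
    return {"tier": tier, "escalate": escalate, "defer": defer,
            "next_review": next_review.isoformat()}


# Constructed sample data (hypothetical vendors and events).
CORE_BANKING = Vendor("CoreBankingCo", True, True, True)
PAYROLL_SAAS = Vendor("PayrollSaaS", False, False, True)
SAMPLE_EVENTS = [{"type": "litigation_filed"}, {"type": "gst_cancelled"}]


def demo() -> dict:
    """Run the rules over the constructed sample and return both triage results."""
    return {v.name: triage(v, SAMPLE_EVENTS, "2024-01-01")
            for v in (CORE_BANKING, PAYROLL_SAAS)}


if __name__ == "__main__":
    print(contract_gaps(CORE_BANKING, {"incident_reporting", "right_to_audit"}))
    print(demo())
```

The point of keeping the three functions separate is that each answers a different regulator's question from the same vendor record: `classify` drives due-diligence depth and review cadence, `contract_gaps` is the evidence an auditor asks for, and `triage` is the lifecycle monitoring the article says most programmes lack. Replace the assumed thresholds with the values in your own policy; the structure stays the same.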
Key Takeaways
- India's frameworks are mandatory and enforceable. RBI, SEBI, and DPDPA obligations are not optional best practices — non-compliance has direct regulatory consequences. They set the floor for any VRM programme.
- Global standards raise the ceiling. ISO 27001 and NIST CSF provide operational depth that Indian regulations do not prescribe — risk categorisation, control frameworks, and supply chain resilience planning that complement the regulatory baseline.
- A unified programme is achievable. A single control taxonomy, assessment process, and vendor register can satisfy both Indian regulatory requirements and global standards. Running separate programmes is expensive and creates gaps.
- Continuous monitoring is a regulatory requirement. Both RBI and SEBI explicitly require ongoing monitoring of material vendors. Annual reviews are necessary but insufficient.
- The DPDPA changes the calculus for every sector. Data processing vendor risk is now a cross-sector obligation, not just a financial services concern. Every organisation that handles personal data must assess its vendor ecosystem through the DPDPA lens.
Frequently Asked Questions
India's primary vendor risk frameworks come from sector regulators. The Reserve Bank of India issues outsourcing guidelines for banks, NBFCs, and payment aggregators. SEBI mandates third-party risk controls for market intermediaries. IRDAI covers insurers. The Digital Personal Data Protection Act 2023 introduces data processor obligations across all sectors. Enterprises typically layer these mandatory requirements on top of voluntary global standards like ISO 27001 or NIST CSF.
ISO 27001 and NIST CSF are voluntary, principle-based standards adopted to demonstrate maturity. India's sectoral regulations are mandatory and enforceable — non-compliance can attract monetary penalties, regulatory action, or licence revocation. India's frameworks are more prescriptive, specifying timelines, documentation requirements, and escalation paths that global standards leave to organisational discretion. A robust Indian VRM programme must satisfy both: the mandatory floor and the best-practice ceiling.
Yes, significantly. The DPDPA 2023 treats organisations as Data Fiduciaries and any vendor processing personal data on their behalf as a Data Processor. Data Fiduciaries are responsible for ensuring Data Processors handle data only under a valid contract meeting the Act's provisions. Vendor contracts must now include data processing clauses, purpose limitations, and data deletion obligations — adding a new dimension to VRM programmes across all sectors.
Yes. Design your programme around the more prescriptive Indian regulatory requirements as the mandatory floor, then layer global best practices on top. A unified control taxonomy — mapping each Indian regulatory requirement to its ISO/NIST counterpart — is the most efficient approach. One vendor register, one assessment process, one set of contracts that cover all relevant obligations simultaneously.
Continuous monitoring is the operational backbone of any mature VRM framework. Both RBI and SEBI explicitly require ongoing monitoring of vendor risk status throughout the relationship — not just at onboarding. This means automated alerts for GST status changes, MCA filing defaults, new litigation, and financial health deterioration. ISO 27001 and NIST CSF similarly require ongoing supplier service delivery monitoring. Technology is the only scalable solution at any meaningful vendor base size.