Governance. Risk. Compliance. Cybersecurity.
Mumbai · India

India GRC, cybersecurity & compliance, delivered locally.

GRC, cybersecurity and audit services aligned to RBI, SEBI, IRDAI, CERT-In and DPDP Act.

India engagements delivered: 240+
Delivery centres: 3
DPDP: Programme-ready
MAST in India

Local delivery, global standards.

MAST helps Indian banks, NBFCs, insurers, capital-market participants, fintechs and healthcare providers meet RBI, SEBI, IRDAI, CERT-In and DPDP Act 2023 obligations — alongside global standards such as ISO 27001, PCI DSS and SOC 2.

Regulators we cover

The India regulatory landscape we work in daily.

RBI

Reserve Bank of India — Cyber Security Framework for banks, NBFCs and PSOs.

SEBI CSCRF

SEBI Cybersecurity & Cyber Resilience Framework for regulated entities.

IRDAI

Information & Cyber Security guidelines for insurers.

CERT-In

Directions on incident reporting, log retention and SBOM.

DPDP Act 2023

Digital Personal Data Protection Act compliance programmes.

MeitY

Ministry of Electronics and IT advisories and intermediary rules.

NPCI

UPI, IMPS and RuPay security circulars for ecosystem participants.

India case studies

Recent India engagements — outcomes you can audit.

Anonymised snapshots of MAST delivery in your jurisdiction. Every engagement is sponsored by a named Lead Auditor.

Banking · RBI CSF · ISO 27001

Indian private bank — RBI CSF gap closure across 11 control domains.

Closed 96 RBI CSF gaps, refreshed the cyber-crisis playbook and integrated SOC alerts into board reporting.

RBI gaps closed: 96
Tabletop exercises: 4
RBI inspection rating: Improved
Lead Auditor attribution
MAST India BFSI
Lead — RBI / ISO 27001
ISO 27001 LA · CISA · CISM
Delivered 2024 · Mumbai

Capital Markets · SEBI CSCRF

Indian broker — SEBI CSCRF readiness for the 'Qualified RE' category.

Mapped 230+ CSCRF controls, deployed a continuous-monitoring dashboard and submitted CSCRF compliance evidence.

CSCRF controls evidenced: 234
Cyber audit cycles: Quarterly
Submission: On-time
Lead Auditor attribution
MAST Capital Markets
Lead — SEBI CSCRF
CISA · CRISC · CEH
Delivered Q1 2025 · Mumbai

Insurance · IRDAI · ISO 27001

Life insurer — IRDAI ICS audit with zero major observations.

Refreshed the ISMS, third-party risk programme and incident response procedures aligned to IRDAI ICS guidelines.

Major observations: 0
Third parties assessed: 180+
IR MTTR: −42%
Lead Auditor attribution
MAST Insurance Practice
Lead — IRDAI
ISO 27001 LA · CISA · ITIL
Delivered H2 2024 · Mumbai

Privacy · DPDP Act 2023

Indian unicorn — DPDP Act readiness across 40M users.

Delivered notice & consent re-design, DPO function, data principal rights workflow and cross-border transfer assessments.

Users in scope: 40M+
Consent re-collection: Live
DPIA coverage: 100%
Lead Auditor attribution
MAST Privacy Practice
Lead — DPDP
CIPM · CIPP/E · DCPP
Delivered 2025 · Bengaluru

SaaS · SOC 2 Type II

Indian SaaS scale-up — SOC 2 Type II clean opinion in first cycle.

Built control inventory and evidence automation across AWS, Okta and GitHub for a 6-month observation window.

Observation window: 6 months
Auditor exceptions: 0
Evidence automation: 82%
Lead Auditor attribution
MAST SaaS Practice
Lead — SOC 2
CISA · CCSK · ISO 27001 LA
Delivered 2024–2025 · Bengaluru

Telecom / CERT-In · CERT-In Directions

Indian telco — CERT-In compliance for logging, SBOM and incident reporting.

Implemented 6-hour incident reporting, 180-day log retention and SBOM workflows across product and IT estate.

Log retention: 180+ days
Incident reporting SLA: < 6 hrs
SBOM coverage: Critical apps
Lead Auditor attribution
MAST Telecom Practice
Lead — CERT-In
CISA · CEH · ISO 27001 LA
Delivered 2024 · Pune

FAQ

India delivery — common questions.

Do you cover RBI's Cyber Security Framework for banks and NBFCs?

Yes. We deliver RBI-aligned programmes for SCBs, SFBs, NBFCs, PSOs, payment aggregators and account aggregators.

Can you help with DPDP Act 2023 readiness?

Yes. Our DPDP programmes cover notice and consent, data principal rights, DPO appointment, cross-border transfers and breach response.

Do you support CERT-In directions on logging and incident reporting?

Yes — including 6-hour incident reporting, 180-day log retention, SBOM and ICT product compliance.

Speak with our India team

Local consultants. Lead Auditors. Fixed-fee proposals.

Tell us about your India programme — a senior consultant from MAST responds within one business day.
