Golonex

Security Operations

EDR · MDR · XDR Email Security SOC Monitoring & SIEM Continuous VAPT Security Awareness Training

IT & Governance

Configuration Management Backup & DR / BCP IT & Security Governance IS Audit Readiness Compliance Readiness

Advisory & AI

Fractional Leadership AI Automation Solutions Lab Staff Augmentation Hire with us Our Work Industries About Contact Blog Golonex Press ↗ Golonex Tools ↗ ◆ Golonex Ready Book a Call →
IS Audit Readiness

Pass your RBI Information Systems Audit.

Golonex runs a three-phase IS Audit Readiness Program — gap assessment six weeks before the audit, a complete auditor-ready evidence pack, and post-audit remediation tracking. Banks that prepare with Golonex go into their IS Audit knowing exactly where they stand.

Important clarification

Golonex does not conduct the statutory IS Audit — only a CERT-In empanelled auditor can perform the mandatory annual IS Audit. Golonex provides pre-audit readiness, evidence preparation, and post-audit remediation — the work that determines how well your institution performs in the audit.

The Program

Three phases. Before, during, and after.

Most banks fail IS Audits not because they lack controls, but because they cannot produce the evidence. Our three-phase program fixes that — systematically.

Phase 1 · 6–8 weeks before audit

Pre-Audit Gap Assessment

Review existing IT policies, ITSC/ISC charters, and risk register against RBI IS Audit checklist
Assess BCSF control implementation status — all 11 controls scored
Review log management coverage and 180-day retention status
Verify BCP documentation, DR drill records, and RTO/RPO targets
Check VAPT report recency, scope, and remediation status
Assess vendor risk documentation and IT outsourcing policy
Identify documentation gaps that will attract IS auditor findings
Deliver a prioritised gap report with remediation timeline
Phase 2 · Weeks 4–8

Evidence Pack Compilation

Compile all policy documents, Board minutes, ITSC minutes into an auditor-ready folder
Pull 180-day log samples from each log source and format for auditor review
Prepare VAPT report with remediation evidence (screenshots, retest results)
Compile BCP document, DR drill report, and MD/CEO sign-off
Gather patch compliance reports for the review period
Prepare access control evidence — user access reviews, MFA records
Assemble email security and EDR/MDR summary reports
Index the complete evidence pack against the IS Audit checklist
Phase 3 · Post-audit — 3 months

Remediation Tracking

Review IS auditor findings report and classify by severity and root cause
Build a remediation action plan with owners, timelines, and evidence requirements
Track remediation progress weekly and escalate delayed items
Verify each remediation with documentary evidence before closing
Prepare management response to IS auditor for Board submission
Update governance documents to address root causes of audit findings
What IS Auditors Check

Eight audit areas. Every one covered.

RBI IS Audits are structured around defined domains. Golonex maps every gap assessment and evidence pack item to the specific audit area it satisfies.

Audit Area What IS Auditors Check
IT Governance IT Policy, Board ITSC, ISC structure, IT Risk register, Board reporting
Information Security (BCSF) All 11 BCSF controls — patch management, hardening, network security, email security, EDR, audit trail, access control
Business Continuity & DR Written BCP, secondary DR site documentation, RTO/RPO targets, annual DR drill report, MD/CEO sign-off
VAPT Annual VAPT report scope, critical/high findings, remediation evidence, retest confirmation
Access Control & IAM Least privilege, access review records, MFA status, privileged access controls, CBS user access
Vendor & Outsourcing IT Outsourcing Policy, CBS vendor risk assessment, contract clause compliance, annual vendor review
Incident Management Incident register, response procedures, escalation records, post-incident reviews
Change Management Change log records, approval evidence, post-change validation, rollback documentation
FAQ

Frequently asked questions

What's the difference between IS Audit readiness and the actual IS Audit? +

The IS Audit is conducted by a CERT-In empanelled auditor appointed by your bank's Board — Golonex does not conduct the statutory audit. IS Audit readiness is the work done before the auditor arrives: identifying gaps, producing evidence, and ensuring your documentation, controls, and processes will hold up to scrutiny. Think of it as preparing the brief before the advocate argues the case.

How far in advance should we engage before the audit? +

Ideally 10–12 weeks before the audit date. Phase 1 (gap assessment) runs 6–8 weeks out — long enough to identify material gaps and close the most significant ones before the auditor arrives. Engaging 4 weeks out is workable but limits what can be remediated. Engaging the week before limits you to evidence packaging only — gaps cannot be closed that quickly.

What does the evidence pack contain? +

A structured document set organised by the 8 audit areas RBI typically covers: IT governance, information security, change management, BCP/DR, access control, network security, application security, and data management. Each section includes the relevant policy, a control walkthrough, and supporting evidence — logs, screenshots, test reports, board minutes — mapped to what an IS auditor expects to see.

Is this service relevant for urban co-operative banks? +

Yes — specifically. RBI requires urban co-operative banks (UCBs) to conduct an annual IS Audit by a CERT-In empanelled firm. Many UCBs engage Golonex because they lack in-house staff who understand the audit scope and what evidence is needed. We specialise in making the UCB IS Audit process predictable: you know what the auditor will ask, and the evidence exists before they ask it.

Do you remediate the gaps you find, or only report them? +

We remediate. Gap identification without remediation is a gap assessment — useful but incomplete. Our programme covers finding gaps, prioritising them by audit risk, implementing fixes (policy updates, configuration changes, documentation), and producing the remediated evidence. We do not hand you a list of problems and disappear.

Start Early

Six weeks is the minimum. Start sooner.

Tell us your scheduled audit date and current governance status. We will tell you what is missing and how long it will take to fix. Most institutions need at least 8–10 weeks to be properly prepared.