Internal vs external cloud audits, the concept of continuous auditing, and a practitioner guide to SEBI CSCRF 2024, CERT-In 2022, DPDP Act 2023, and RBI IT Framework — the four Indian regulations that shape every cloud deployment in the financial sector.
Sign in to mark this article as read and track your progress.
Traditional auditing involves auditors visiting data centres, reviewing physical access logs, and inspecting hardware. Cloud auditing is fundamentally different: auditors work through APIs, dashboards, and logs. Physical access to provider infrastructure is impossible by design.
| Dimension | Internal Audit | External Audit |
|---|---|---|
| Conducted by | In-house security team or GRC team | Third-party auditor (Big 4, specialist firm) |
| Frequency | Continuous or quarterly | Annual or as required by regulation |
| Scope | Determined by internal risk assessment | Determined by regulatory requirement or contract |
| Output | Internal report and remediation tracking | Formal audit opinion or certification |
| Cloud tools | AWS Security Hub, Azure Secure Score, Prowler | Provider compliance reports (SOC 2, ISO 27001) + customer environment review |
Traditional annual audits leave gaps of 364 days. Continuous auditing uses automated tools to assess compliance posture in real time:
Four Indian frameworks directly impact cloud security architecture for financial and regulated sector organisations.
The Indian Computer Emergency Response Team issued binding directions in April 2022:
| Requirement | Implementation |
|---|---|
| 6-hour breach reporting | Detect and report any cyber incident within 6 hours of awareness. Requires mature monitoring — GuardDuty findings must route to on-call within minutes. |
| 5-year log retention | All ICT system logs retained for 180 days immediately accessible + remaining 5 years in secure storage. S3 Lifecycle + Object Lock is the standard implementation. |
| NTP synchronisation | All ICT systems synchronised to NTP servers in India (NIC, NPL). EC2 instances use AWS Time Sync Service by default; verify it points to Indian NTP servers. |
| VPN/cloud service provider data | Cloud service providers must retain subscriber information and usage logs for 5 years. |
The Securities and Exchange Board of India Cybersecurity and Cyber Resilience Framework (SEBI CSCRF), effective January 2025, applies to all SEBI-regulated entities:
| Domain | Key Requirement |
|---|---|
| Governance | Board-approved cybersecurity policy; CISO appointment mandatory |
| Identify | Asset inventory including cloud resources; risk assessment annually |
| Protect | MFA for privileged access; encryption of sensitive data in transit and at rest |
| Detect | 24x7 Security Operations Centre for Category I and II entities; SIEM deployment |
| Respond | Incident response plan; 6-hour reporting to SEBI for critical incidents |
| Recover | RTO: 4 hours (Category I); RPO: 30 minutes for critical systems |
| Third-party risk | Due diligence for cloud service providers; contractual security obligations |
The Digital Personal Data Protection Act 2023 is India regulatory framework for personal data:
| Provision | Cloud Security Implication |
|---|---|
| Lawful processing | Data processed only with consent or legitimate use; document legal basis in DPA |
| Data minimisation | Collect only what is necessary; design cloud storage with field-level necessity checks |
| Purpose limitation | Data used only for declared purpose; enforce through IAM and data lake access controls |
| Right to erasure | Data deleted upon request; cryptographic erasure is the cloud-compatible implementation |
| Breach notification | Report data breaches to Data Protection Board; 72 hours (timeline under finalisation) |
| Data Fiduciary obligations | Organisations handling personal data are Data Fiduciaries; accountability for cloud storage configuration |
| Cross-border transfer | Government may restrict transfer to certain countries; monitor approved/blacklisted country list |
The Reserve Bank of India IT Framework requires:
| Framework | Minimum Retention | Accessibility Requirement |
|---|---|---|
| CERT-In 2022 | 5 years | 180 days immediately accessible |
| SEBI CSCRF | 5 years | Online for 1 year |
| PCI-DSS v4 | 12 months | 3 months immediately available |
| ISO 27001 | Defined by organisation | As per internal policy |
| GDPR (where applicable) | No longer than necessary | N/A |
Indian regulatory frameworks are converging on consistent requirements: 6-hour incident reporting, 5-year log retention, mandatory encryption, and continuous monitoring. Cloud architectures built with these requirements in mind from day one are significantly cheaper to maintain than those that retrofit compliance after deployment.