Is a Data Protection Officer (or equivalent role) formally appointed?

Is there a documented personal data governance policy?

Is DPDP compliance reviewed at board / executive level?

Is a personal data inventory (systems & data types) maintained centrally?

Are responsibilities for access governance formally assigned?

Is risk-based identity governance adopted (policy + risk ownership)?

Are employees trained on privacy / data handling at least annually?

Is RBAC implemented across critical systems handling personal data?

Are access requests formally approved through workflow?

Is periodic User Access Review (UAR) conducted for key applications?

Is access certification automated and tracked to completion?

Are privileged users separately governed with stricter controls?

Are Segregation of Duties (SoD) rules defined and enforced?

Are temporary access grants time-bound with automatic expiry?

Is access granted based on least privilege by default?

Is joiner-mover-leaver automation implemented (core apps)?

Is deprovisioning automated upon exit/termination?

Is deprovisioning SLA monitored and reported?

Are dormant accounts automatically detected (incl. admins)?

Are orphan accounts identified and remediated?

Are non-human identities (service accounts, bots, API keys) governed?

Are periodic cleanup campaigns executed for unused entitlements?

Are identity-linked access logs retained centrally for critical systems?

Is privileged activity monitored with alerts for high-risk actions?

Can audit evidence be generated within 24 hours for regulator requests?

Are certification logs preserved with approvals and timestamps?

Is SIEM integrated with identity/access context (user, role, entitlement)?

Is identity risk scoring implemented (privilege + behavior + anomalies)?

Are logs protected against tampering (immutability / WORM / controls)?

Can the organization map an individual across all systems processing their personal data?

Is identity-to-application traceability available (who has access where)?

Can access history be generated per individual (who/what/when)?

Is there a process to revoke access upon data erasure requests?

Are third-party/outsourced systems included in traceability mapping?

Is there a defined SLA and workflow for handling data principal requests?

Is access review conducted at least quarterly for critical systems?

Is privileged access reviewed more frequently (monthly/bi-weekly) for Tier-0 systems?

Are vendor identities tagged, controlled, and monitored separately?

Is outsourced access governed centrally with approvals and logging?

Is risk-based authentication adopted for sensitive access paths?

Are audit logs retained per RBI expectations and readily retrievable?

Are third-party user accounts centrally tracked and owned?

Is third-party access time-bound and automatically revoked?

Are vendor accounts included in periodic certifications?

Is third-party activity monitored and reviewed?

Are security clauses / NDAs tied to provisioning and access recertification?

Is least privilege enforced for vendor support access (break-glass where needed)?

Are anomalous access patterns detected (impossible travel, unusual time, unknown device)?

Are privilege escalations flagged and reviewed quickly?

Is geo-velocity or risky location monitoring implemented for key apps?

Is breach containment linked to rapid identity revocation (kill switch)?

Are privileged access reviews performed post-incident?

Is there a documented incident response playbook that includes identity controls?