Governance and Compliance Framework Charter

Organisation

Organisation name *

CIN or Registration No.

Entity type *

Financial year *

Charter effective date *

Governance bodies

Board meeting cadence *

Governance owner *

Board committeesFor example: Audit Committee; Risk Committee; Nomination and Remuneration Committee

ISO certifications

Status of each ISO management-system standard.

ISO/IEC 27001 (Information Security Management (ISMS))

ISO/IEC 27701 (Privacy Information Management (PIMS))

ISO/IEC 27017 (Cloud security controls)

ISO/IEC 27018 (Protection of PII in public clouds)

ISO/IEC 42001 (AI Management System (AIMS))

ISO 9001 (Quality Management)

ISO 22301 (Business Continuity Management)

ISO/IEC 20000-1 (IT Service Management)

ISO 14001 (Environmental Management)

ISO certificate detailsCertificate numbers, registrar or certification body, scope and expiry dates

SOC attestations and audit

SOC 1 (ICFR (financial reporting controls))

SOC 2 (Trust Services (security, availability, confidentiality, processing integrity, privacy))

SOC 3 (General-use trust services report)

CARO 2020 (Companies (Auditor's Report) Order)

Privacy and data protection

DPDP Act, 2023 (India — Digital Personal Data Protection)

Australia Privacy Act (Australia — Privacy Act 1988 + APPs + NDB scheme)

Singapore PDPA (Singapore — Personal Data Protection Act 2012)

Japan APPI (Japan — Act on Protection of Personal Information)

Canada PIPEDA (Canada — PIPEDA + Quebec Law 25)

EU GDPR (European Union — GDPR (Regulation (EU) 2016/679))

UK GDPR / DPA 2018 (United Kingdom — UK GDPR and Data Protection Act 2018)

CCPA / CPRA (United States — California consumer privacy)

Brazil LGPD (Brazil — Lei Geral de Proteção de Dados)

UAE PDPL (UAE — Federal Decree-Law 45/2021 + ADGM / DIFC)

Saudi PDPL (Saudi Arabia — SDAIA PDPL (amended 2023))

Qatar PDPPL (Qatar — Law No.13/2016 PDPPL)

Bahrain PDPL (Bahrain — Law No.30/2018)

Egypt PDPL (Egypt — Law No.151/2020)

Morocco Law 09-08 (Morocco — Law 09-08 (CNDP))

South Africa POPIA (South Africa — Protection of Personal Information Act 2013)

Kenya DPA 2019 (Kenya — Data Protection Act 2019 (ODPC))

Nigeria NDPA 2023 (Nigeria — NDPA 2023 (NDPC))

Ghana DPA 2012 (Ghana — Data Protection Act 2012 (Act 843))

Sector and other frameworks

PCI DSS 4.0 (Payment card data security (global))

HIPAA (US — Health information privacy and BAAs)

NIST CSF 2.0 (NIST Cybersecurity Framework (voluntary, widely referenced))

POSH Act, 2013 (India — Workplace safety, Internal Committee)

EU NIS2 (EU — NIS2 Directive (essential / important entities))

EU DORA (EU — Digital Operational Resilience Act (financial sector))

EU AI Act (EU — AI Act (GPAI Aug 2025; high-risk Dec 2027))

UK NIS Regs (UK — NIS Regulations 2018 (digital service providers))

FCA Operational Resilience (UK — FCA PS21/3 Operational Resilience)

Cyber Essentials (UK — NCSC Cyber Essentials / Cyber Essentials Plus)

GLBA / FTC Safeguards (US — GLBA and FTC Safeguards Rule (financial institutions))

CMMC 2.0 (US — Cybersecurity Maturity Model Certification (DoD))

FedRAMP (US — Federal Risk and Authorisation Management Program)

APRA CPS 234 (Australia — CPS 234 Information Security (APRA))

RBI / NPCI (India — RBI payment-data localisation and NPCI directions)

Other frameworksFor example: RBI or SEBI guidelines, ISO 45001, ISO/IEC 27005, sector regulator requirements

Risk and controls

Risk owner

Risk review cadence *

Compliance register maintained *

Incident or breach response plan *

Whistleblower or vigil mechanism *

Policy stack and approval

Policies adoptedFor example: Information Security Policy; Privacy Notice; Code of Conduct; Anti-Bribery Policy

Policy review cycle *

Approved by *

Approval date *

Next review date

Please fill all required fields to generate.

📋

Template verified May 2026 — checked against applicable central Acts and current state rules. Legal requirements can change; for property transactions above ₹5 lakh, employment disputes, or business agreements above ₹10 lakh, consider a lawyer's review before signing. Run Lekha Audit on any document you receive →

Attachments

Upload your company letterhead, logo, or supporting documents. These will be used in PDF generation and AI audit.

Click or drag files here

Letterhead (PNG/JPG), Logo, PDFs — max 5 MB each

Live preview

15 gaps remaining.

GOVERNANCE AND COMPLIANCE FRAMEWORK CHARTER

Financial Year
Effective Date
Governance Owner
Frameworks certified or compliant: 0 of 47

1. Organisation

Adopted by (CIN or Reg. No. ), a company, for FY , with effect from [date].

2. Governance bodies

The board meets on a [not stated] basis. Governance and compliance is owned by . Committees: .

3. Compliance frameworks register

The organisation's posture across applicable frameworks is recorded below. 0 of 47 are certified, attested or compliant.

3.1 ISO management-system certifications

Standard	Scope	Status
ISO/IEC 27001	Information Security Management (ISMS)	Not assessed
ISO/IEC 27701	Privacy Information Management (PIMS)	Not assessed
ISO/IEC 27017	Cloud security controls	Not assessed
ISO/IEC 27018	Protection of PII in public clouds	Not assessed
ISO/IEC 42001	AI Management System (AIMS)	Not assessed
ISO 9001	Quality Management	Not assessed
ISO 22301	Business Continuity Management	Not assessed
ISO/IEC 20000-1	IT Service Management	Not assessed
ISO 14001	Environmental Management	Not assessed

Certificate details:

3.2 SOC attestations and statutory audit

Report	Scope	Status
SOC 1	ICFR (financial reporting controls)	Not assessed
SOC 2	Trust Services (security, availability, confidentiality, processing integrity, privacy)	Not assessed
SOC 3	General-use trust services report	Not assessed
CARO 2020	Companies (Auditor's Report) Order	Not assessed

3.3 Privacy and data-protection regimes

Regime	Jurisdiction	Status
DPDP Act, 2023	India — Digital Personal Data Protection	Not assessed
Australia Privacy Act	Australia — Privacy Act 1988 + APPs + NDB scheme	Not assessed
Singapore PDPA	Singapore — Personal Data Protection Act 2012	Not assessed
Japan APPI	Japan — Act on Protection of Personal Information	Not assessed
Canada PIPEDA	Canada — PIPEDA + Quebec Law 25	Not assessed
EU GDPR	European Union — GDPR (Regulation (EU) 2016/679)	Not assessed
UK GDPR / DPA 2018	United Kingdom — UK GDPR and Data Protection Act 2018	Not assessed
CCPA / CPRA	United States — California consumer privacy	Not assessed
Brazil LGPD	Brazil — Lei Geral de Proteção de Dados	Not assessed
UAE PDPL	UAE — Federal Decree-Law 45/2021 + ADGM / DIFC	Not assessed
Saudi PDPL	Saudi Arabia — SDAIA PDPL (amended 2023)	Not assessed
Qatar PDPPL	Qatar — Law No.13/2016 PDPPL	Not assessed
Bahrain PDPL	Bahrain — Law No.30/2018	Not assessed
Egypt PDPL	Egypt — Law No.151/2020	Not assessed
Morocco Law 09-08	Morocco — Law 09-08 (CNDP)	Not assessed
South Africa POPIA	South Africa — Protection of Personal Information Act 2013	Not assessed
Kenya DPA 2019	Kenya — Data Protection Act 2019 (ODPC)	Not assessed
Nigeria NDPA 2023	Nigeria — NDPA 2023 (NDPC)	Not assessed
Ghana DPA 2012	Ghana — Data Protection Act 2012 (Act 843)	Not assessed

3.4 Sector and other frameworks

Framework	Scope	Status
PCI DSS 4.0	Payment card data security (global)	Not assessed
HIPAA	US — Health information privacy and BAAs	Not assessed
NIST CSF 2.0	NIST Cybersecurity Framework (voluntary, widely referenced)	Not assessed
POSH Act, 2013	India — Workplace safety, Internal Committee	Not assessed
EU NIS2	EU — NIS2 Directive (essential / important entities)	Not assessed
EU DORA	EU — Digital Operational Resilience Act (financial sector)	Not assessed
EU AI Act	EU — AI Act (GPAI Aug 2025; high-risk Dec 2027)	Not assessed
UK NIS Regs	UK — NIS Regulations 2018 (digital service providers)	Not assessed
FCA Operational Resilience	UK — FCA PS21/3 Operational Resilience	Not assessed
Cyber Essentials	UK — NCSC Cyber Essentials / Cyber Essentials Plus	Not assessed
GLBA / FTC Safeguards	US — GLBA and FTC Safeguards Rule (financial institutions)	Not assessed
CMMC 2.0	US — Cybersecurity Maturity Model Certification (DoD)	Not assessed
FedRAMP	US — Federal Risk and Authorisation Management Program	Not assessed
APRA CPS 234	Australia — CPS 234 Information Security (APRA)	Not assessed
RBI / NPCI	India — RBI payment-data localisation and NPCI directions	Not assessed

Other:

4. Risk and controls

Risk is reviewed on a [not stated] basis, owned by .

Control	In place
Compliance register maintained	No
Incident or breach response plan	No
Whistleblower or vigil mechanism	No

5. Policy stack

Policies are reviewed [not stated]. Current stack: .

6. Approval and review

Approved by on [date].

Approved by

Governance Owner