What CBN IT examiners actually ask for
CBN's IT Risk Assessment follows the Risk-Based Cybersecurity Framework. Examiners arrive with a standard information request list that they send in advance. The categories of documentation requested are consistent across examinations. Knowing what will be asked for is half the preparation battle. The standard request list includes:
- Most recent penetration test report (must be dated within 12 months)
- Most recent vulnerability assessment report (must be dated within 6 months)
- IT governance policy approved by the board, including a named CISO
- IT risk assessment conducted within the last 12 months
- Documented incident response plan with evidence of the most recent test or tabletop exercise
- Business continuity plan with evidence of the most recent DR test
- Access control policy and evidence of quarterly access reviews
- List of all third-party technology vendors with risk classification
- Evidence of security awareness training for all staff within the last 12 months
- Data classification policy and evidence of implementation
- Security incident log for the past 12 months
The 30-day preparation sequence
If you receive a CBN ITRA notice today, this is the sequence that maximizes your readiness within the typical 2 to 4 week window:
Days 1 to 3: Assemble the documentation request list against what you have. Identify every gap. Penetration test older than 12 months, no vulnerability scan in the last 6 months, no incident response plan — these are the critical gaps because they cannot be retrospectively created. They must be completed and dated before the examination.
Days 4 to 10: Engage an independent penetration tester for an expedited engagement. Target the highest-risk systems first — your consumer-facing payment API, your admin panel, your mobile application. A scoped engagement on 2 to 3 systems can be completed in 5 to 7 business days and will produce a dated report. Simultaneously, conduct a vulnerability scan of all internet-facing infrastructure using a reputable tool and retain the report with the date.
Days 11 to 20: Address the documentation gaps that can be fixed quickly: draft or update the IT governance policy, document the incident response plan, run a virtual tabletop exercise and document the outcome, conduct staff security awareness training and record attendance, and perform a review of all system access rights and revoke any outdated accounts.
Days 21 to examination day: Compile the full documentation package. Ensure every document is clearly dated, version-controlled, and references the correct systems. Brief your CTO, CISO equivalent, and relevant technical leads on what the examiners are likely to ask — examiners conduct interviews, not just document reviews.
What examiners test on-site
CBN IT examiners do not just review documents — they verify controls. Common on-site verification activities include: requesting access to your admin panel to observe the MFA login flow, asking for a live demonstration of the account access review process, requesting the system audit logs for a specific period to verify that logs are complete and tamper-evident, asking the CISO to walk through the incident response plan verbally, and reviewing the data retention settings in your database or cloud storage to confirm that retention policies are enforced technically and not just documented in policy.
The documentation format CBN expects for penetration test reports
The penetration test report you present to CBN must contain: the name of the testing firm and confirmation of independence, the date the test was conducted, the systems tested with specific names and URLs, the testing methodology, a complete findings table with severity ratings, remediation recommendations for each finding, and a re-test result for any critical or high findings that were remediated before the examination. A report that does not include re-test confirmation for high findings will prompt the examiner to ask when remediation occurred and how it was verified.
18-day expedited preparation for a Payment Solution Service Provider
A Nigerian PSSP received a CBN ITRA notice with 18 business days' advance notice. Their most recent penetration test was 16 months old and had been conducted internally by a staff member — not an independent third party. Their incident response plan existed as a Word document that had never been tested. We conducted an expedited grey-box penetration test of their payment gateway API, merchant dashboard, and admin portal over 7 business days. We identified 3 high and 6 medium findings. We provided daily remediation support, and the engineering team resolved all 3 high findings within 4 days. We completed a re-test on day 12, confirming resolution of all high findings. We produced the formal report on day 13. The client supplemented the report with a tabletop incident response exercise they ran on day 14. The CBN examination proceeded on day 18, and the examiners accepted the report and re-test evidence without requesting additional documentation on the penetration test item.
Have you received a CBN ITRA notice? Contact us immediately for expedited penetration testing that meets examiner documentation requirements.
Get Expedited CBN Prep SupportFrequently asked questions
How much notice does CBN give before an IT Risk Assessment?
CBN typically notifies entities 2 to 4 weeks before a scheduled ITRA. Some examinations are announced with shorter notice, particularly targeted examinations triggered by a reported incident or a regulatory concern. Institutions that maintain current documentation and have completed their annual penetration test are not at a disadvantage regardless of how much notice they receive.
What is the difference between a CBN ITRA and a regular CBN examination?
A regular CBN examination covers the full range of banking operations including financial reporting, governance, credit risk, and compliance. An IT Risk Assessment (ITRA) is specifically focused on technology risk: cybersecurity controls, IT governance, data management, business continuity, and third-party technology risk. ITRAs are conducted by CBN's Technology Risk department and typically involve a team of 2 to 4 IT examiners.
What happens if CBN finds significant gaps during an ITRA?
CBN issues a Regulatory Direction or Directive specifying the gaps identified and a deadline for remediation. The entity must submit a remediation plan within the deadline and evidence of completion within a further defined period. Serious gaps can trigger accelerated follow-up examinations. Failure to remediate or to respond to a Directive within the required timeframe can result in fines or other regulatory sanctions.
Can we expedite a penetration test to meet a CBN examination deadline?
Yes. We offer expedited engagements specifically for CBN pre-examination preparation. We can conduct a targeted penetration test of your highest-risk systems within a 5 to 10 business day timeline, prioritize remediation support for critical and high findings, and produce a formal report structured to meet CBN documentation requirements within the same engagement.
Related reading
Blog: CBN PSP licence security requirements · What CBN audits check · CBN CSAT self-assessment guide
Services: Penetration testing · Vulnerability assessment