We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / SEBI CSCRF
SEBI · India

SEBI CSCRF

SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities.

Introduction: The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)

The Securities and Exchange Board of India (SEBI) issued the consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) via circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024. The CSCRF supersedes and consolidates the earlier fragmented set of cybersecurity circulars that SEBI had issued to individual categories of Regulated Entities (REs) since 2015. It establishes a single, harmonised, outcome-based framework applicable across the entire Indian securities market ecosystem, from Market Infrastructure Institutions (MIIs) such as stock exchanges, clearing corporations and depositories, down to smaller intermediaries such as portfolio managers, investment advisers and KYC Registration Agencies.

The CSCRF is materially different from its predecessors. It moves the market from a purely control-based checklist regime towards a graded, outcome-driven and resilience-centred model. It is explicitly anchored on the five Cyber Resilience Goals derived from the NIST Cybersecurity Framework, namely Anticipate, Withstand, Contain, Recover and Evolve, and it introduces a Cyber Capability Index (CCI) for self-assessment and third-party assessment of cyber maturity. This guide is an auditor-grade, practitioner deep-dive intended for CISOs, IT heads, compliance officers, internal auditors and the empanelled auditors who must certify compliance.

Copyright and source note
SEBI CSCRF is a regulatory framework issued by SEBI, a statutory authority of the Government of India. The circular text is a public government document. This guide is original explanatory and audit-methodology content authored by CyberSigma and is not a reproduction of SEBI's circular. Regulated Entities must always refer to the authoritative SEBI circular, its subsequent amendments, corrigenda and FAQs, and to the technical standards published by the relevant MII/SRO for the binding requirements. Where specific identifiers, dates or thresholds are cited here, verify them against the live circular before relying on them for certification.

What is SEBI CSCRF

The Cybersecurity and Cyber Resilience Framework is SEBI's overarching mandate that requires Regulated Entities in the Indian securities market to establish, operate and continuously improve a cybersecurity and cyber-resilience programme proportionate to their size, complexity and criticality. It is not a voluntary standard; compliance is a condition of continued registration and operation in the securities market, and non-compliance is a regulatory breach that attracts enforcement action.

The framework is structured around five Cyber Resilience Goals and a set of functions adapted from the NIST CSF. The goals are: Anticipate (proactively identify and prepare for threats), Withstand (limit the impact of an attack while continuing critical operations), Contain (isolate and control an incident), Recover (restore capabilities and services) and Evolve (learn and improve). Mapped beneath these goals are the operational functions, which the CSCRF expresses as Governance, Identify, Protect, Detect, Respond and Recover. Each function is decomposed into standards and guidelines, and each RE must implement them at a depth commensurate with its assigned category.

A defining feature of the CSCRF is graded applicability. SEBI recognises that a national stock exchange and a single-office investment adviser cannot reasonably be held to identical operational burdens. The framework therefore classifies REs into categories and sets a differentiated depth of obligation, audit frequency, and assessment method for each. The highest tier, MIIs and Qualified REs, must undertake the full Cyber Capability Index self-assessment and third-party audit; the lowest tiers follow a lighter, principle-based compliance path.

The other headline additions in the CSCRF are: mandatory functional Security Operations Centre (SOC) coverage (own SOC, Market SOC provided by an MII, or a managed/group SOC), a Cyber Capability Index for measuring maturity, structured Vulnerability Assessment and Penetration Testing (VAPT), Software Bill of Materials (SBOM) expectations, data classification and localisation controls, ISO 27001 certification for higher tiers, and detailed incident reporting timelines to SEBI and to CERT-In.

Who must comply

The CSCRF applies to all entities regulated by SEBI, collectively termed Regulated Entities. SEBI has grouped REs into categories that determine the depth of compliance. The exact categorisation thresholds (client numbers, trading volumes, assets under management, transaction values) are set in the circular and its annexures and are periodically revised; the categories below describe the framework's tiering model.

RE categoryIllustrative entitiesCompliance depth
Market Infrastructure Institutions (MIIs)Stock exchanges, clearing corporations, depositoriesHighest; full CSCRF, CCI self-assessment plus third-party audit, ISO 27001, dedicated SOC, cyber resilience testing
Qualified REsLarger stockbrokers, depository participants, mutual funds/AMCs, KRAs, larger RTAs, larger portfolio managersHigh; CCI-based assessment, ISO 27001, SOC (own/market/managed), VAPT, comprehensive controls
Mid-size REsMedium stockbrokers, mid-size intermediaries above threshold but below QualifiedModerate; substantial controls, SOC coverage, periodic VAPT and audit
Small-size REsSmaller intermediaries below mid-size thresholdsReduced; core controls, lighter audit cadence
Self-certification REsSmallest intermediaries, certain individual registrants (e.g. small investment advisers, research analysts)Lowest; principle-based self-certification of baseline hygiene controls
  • Stock exchanges, clearing corporations and depositories (MIIs).
  • Stockbrokers and depository participants, graded by size and activity.
  • Mutual funds and Asset Management Companies (AMCs).
  • Portfolio managers, Alternative Investment Funds and venture capital funds where applicable.
  • KYC Registration Agencies (KRAs) and Registrars to an Issue and Share Transfer Agents (RTAs).
  • Investment advisers and research analysts (largely self-certification tier).
  • Credit rating agencies, custodians, debenture trustees and other SEBI-registered intermediaries.
  • Vendors and Managed Service Providers are not directly regulated but are brought into scope contractually through third-party risk requirements imposed on REs.
Determining your category first
Category assignment is the single most consequential scoping decision under the CSCRF, because it drives whether you need CCI assessment, ISO 27001, a dedicated SOC and third-party audit. Confirm your category in writing against the circular's thresholds, document the basis of that determination, and re-confirm it whenever your client base, AUM or transaction volumes cross a threshold.

Structure of SEBI CSCRF

The CSCRF is organised as five Cyber Resilience Goals sitting above six operational functions, which in turn contain standards, guidelines and specific parameters. The functions are the practical audit units. The table below sets out the structure that auditors work against.

LayerComponentPurpose
Cyber Resilience GoalsAnticipate, Withstand, Contain, Recover, EvolveStrategic outcomes the entire programme must deliver
Function: GovernanceCyber governance, policy, roles, board oversight, risk appetiteEstablishes accountability and direction
Function: IdentifyAsset management, risk assessment, third-party/supply-chain risk, data classificationUnderstand what must be protected and the risks to it
Function: ProtectAccess control, data security, encryption, network security, secure configuration, awarenessSafeguards that prevent or limit incidents
Function: DetectSOC, monitoring, logging, anomaly detection, threat intelligence, VAPTTimely discovery of events and vulnerabilities
Function: RespondIncident response, reporting to SEBI/CERT-In, communication, forensicsContain and manage confirmed incidents
Function: RecoverBackup, restoration, business continuity, disaster recovery, cyber resilience testingRestore services and demonstrate resilience
MeasurementCyber Capability Index (CCI)Graded, quantitative maturity score for higher-tier REs

Cross-cutting mandates that sit alongside the functions include: mandatory SOC coverage, ISO 27001 certification for MIIs and Qualified REs, VAPT with defined frequency and closure timelines, SBOM for critical systems, data localisation and classification, root cause analysis (RCA) for incidents, and structured incident reporting to SEBI and CERT-In within prescribed timelines.

Master assessment checklist

This is the operative section of the guide. It enumerates each function of the CSCRF as an audit group, with a table of what an auditor must verify and the typical evidence that satisfies the requirement. Work through every group; do not skip any function. For higher-tier REs each verified control also feeds the Cyber Capability Index score.

Group 1 — Governance

What to verifyTypical evidence
A board-approved cybersecurity and cyber-resilience policy exists and is reviewed at least annuallySigned policy document, board/committee minutes recording approval and review dates
A designated CISO (or equivalent senior officer) is appointed with defined authority and reporting line to the board/IT strategy committeeAppointment letter, organisation chart, role description, board reporting cadence
A cyber risk appetite / tolerance statement is defined and approvedRisk appetite statement, board minutes
The Technology/IT Strategy Committee reviews cyber posture periodicallyCommittee charter, meeting minutes, dashboards presented
Cybersecurity budget and resourcing are approved and trackedBudget approvals, spend reports, headcount records
Compliance responsibility for CSCRF reporting is assignedCompliance calendar, designated officer records, filing acknowledgements

Group 2 — Identify (asset, risk and third-party management)

What to verifyTypical evidence
A complete, current inventory of hardware, software, information assets and data flows exists, with criticality/Critical System taggingAsset register/CMDB, critical system list, data flow diagrams
Critical Systems are formally identified and documentedCritical system inventory, board-noted criticality assessment
A documented risk assessment methodology is applied and risks are recorded with treatment plansRisk assessment reports, risk register, treatment plans and owners
Data is classified (e.g. public, internal, confidential, sensitive/regulated) and handling rules definedData classification policy, classification labels, handling matrix
Third-party / vendor and supply-chain risks are assessed, with security clauses in contractsVendor risk assessments, contracts with security/annexure clauses, due-diligence records
Software Bill of Materials (SBOM) is maintained for critical/in-house applicationsSBOM artefacts, component inventories, licence/vulnerability tracking
Data localisation requirements (data held within India where mandated) are metHosting location records, cloud region configuration, data residency attestations

Group 3 — Protect (access control and identity)

What to verifyTypical evidence
Role-based access control and least-privilege are enforced across systemsAccess control matrix, role definitions, provisioning records
Multi-factor authentication is enforced for remote, privileged and critical system accessMFA policy, authentication logs, configuration screenshots
Privileged access is managed and monitored (PAM), with session recording where applicablePAM tool records, privileged account inventory, session logs
Periodic user access reviews / recertification are performedAccess review reports, sign-offs, revocation evidence
Joiner-mover-leaver process promptly revokes accessJML tickets, deprovisioning logs, HR-IT reconciliation
Password/credential policy meets standards and default credentials are removedPassword policy, configuration baselines, exception logs

Group 4 — Protect (data security and cryptography)

What to verifyTypical evidence
Data at rest and in transit is encrypted using approved algorithmsEncryption standard, TLS/at-rest config, key strength records
Cryptographic key management (generation, storage, rotation, destruction) is controlledKey management policy, HSM/KMS records, rotation logs
Data Loss Prevention controls are deployed for sensitive/regulated dataDLP policy, DLP alerts and reports, blocked-transfer evidence
Secure data disposal and media sanitisation are practisedDisposal policy, sanitisation certificates, asset retirement records
Removable media and endpoint data controls are enforcedEndpoint policy, USB control config, exception approvals

Group 5 — Protect (network and infrastructure security)

What to verifyTypical evidence
Network segmentation isolates critical systems and untrusted zonesNetwork architecture diagrams, firewall zone config, segmentation review
Firewalls, IPS/IDS and secure gateways are deployed and rule-reviewed periodicallyFirewall rule base, rule review logs, IPS/IDS config
Secure baseline / hardening standards are applied and drift is monitoredHardening baselines (CIS-aligned), compliance scan reports
Patch and vulnerability management follows defined SLAs by severityPatch policy, patch deployment reports, exception register
Anti-malware / endpoint detection and response is deployed on all endpoints and serversEDR/AV coverage reports, detection logs, quarantine records
Email and web security controls (anti-phishing, sandboxing) are in placeEmail gateway config, phishing-block statistics

Group 6 — Protect (application and secure development)

What to verifyTypical evidence
A secure SDLC is followed with security requirements and code reviewSDLC policy, code review records, security gate sign-offs
Application security testing (SAST/DAST) is performed before releaseSAST/DAST reports, remediation tracking
Change management controls govern production changesChange tickets, CAB approvals, rollback plans
APIs and web-facing applications are secured and rate-limitedAPI security config, WAF rules, testing evidence

Group 7 — Protect (security awareness and training)

What to verifyTypical evidence
All staff receive periodic cybersecurity awareness trainingTraining records, completion rates, curriculum
Phishing simulations are conducted and results acted uponSimulation reports, click-rate trends, follow-up training
Role-specific / specialised training for IT, SOC and developers is providedSpecialised training logs, certifications

Group 8 — Detect (SOC, monitoring and logging)

What to verifyTypical evidence
Functional SOC coverage is in place (own, Market SOC via MII, or managed/group SOC)SOC engagement contract/charter, coverage hours, staffing
Centralised logging / SIEM aggregates logs from critical systemsSIEM architecture, log source inventory, ingestion reports
Log retention meets the mandated period and logs are tamper-protectedRetention policy, storage config, integrity controls
Use cases / correlation rules detect key threat scenariosUse-case catalogue, alert tuning records
Cyber threat intelligence is consumed and operationalisedThreat-intel feed subscriptions, IOC ingestion, advisories acted upon
Alert triage, escalation and mean-time-to-detect are measuredSOC runbooks, ticket metrics, MTTD/MTTR reports

Group 9 — Detect (VAPT and continuous testing)

What to verifyTypical evidence
VAPT is conducted at mandated frequency by CERT-In empanelled auditorsVAPT engagement letters, scope, empanelment proof
VAPT covers all critical and internet-facing systemsScope documents, asset coverage mapping
Findings are risk-rated and remediated within defined timelines, with re-testingVAPT reports, remediation tracker, closure/re-test evidence
VAPT closure is reported to SEBI/MII as requiredClosure reports, filing acknowledgements

Group 10 — Respond (incident management and reporting)

What to verifyTypical evidence
A documented, tested incident response plan with severity classification existsIR plan, severity matrix, contact tree
Incidents are reported to SEBI/MII and CERT-In within mandated timelinesIncident tickets, SEBI/CERT-In submission acknowledgements, timelines
Root Cause Analysis is completed for significant incidentsRCA reports, corrective/preventive action tracking
Forensic readiness and evidence-preservation procedures existForensic policy, chain-of-custody templates, retainer with forensic provider
Post-incident lessons feed the Evolve goalLessons-learned records, updated runbooks/controls
Communication and stakeholder notification protocols are definedCommunication plan, notification templates

Group 11 — Recover (backup, BCP and DR)

What to verifyTypical evidence
Backups of critical data/systems are taken, encrypted and stored securely (including offline/immutable copies)Backup policy, backup job logs, immutability config
Recovery Time and Recovery Point Objectives (RTO/RPO) are defined and metBCP/DR policy, RTO/RPO definitions, test results
Disaster recovery site exists and DR drills are performed periodicallyDR architecture, drill reports, failover evidence
Restoration of backups is periodically testedRestore test logs, integrity verification
Business continuity plan covers cyber scenarios (e.g. ransomware)BCP document, scenario playbooks, exercise records

Group 12 — Cyber resilience testing and Evolve

What to verifyTypical evidence
Cyber resilience / scenario testing (e.g. red-team, tabletop, cyber drills) is conductedExercise plans, tabletop minutes, red-team reports
Cyber Capability Index (CCI) self-assessment is performed at mandated frequency (higher tiers)CCI scoring workbook, evidence mapping, board sign-off
CCI is validated by a third-party auditor where requiredIndependent CCI assessment report
Continuous improvement actions from assessments are tracked to closureImprovement register, management review minutes

Scoping

Scoping under the CSCRF flows directly from category assignment, but the technical scope must then be drawn around every system and dataset that supports the RE's regulated activity. A common audit failure is a scope that omits cloud workloads, third-party-hosted trading/back-office platforms, or shadow IT.

  • Confirm RE category (MII, Qualified, Mid-size, Small-size, Self-certification) and the resulting obligations.
  • Identify and formally designate Critical Systems that, if compromised, would impair regulated services or market integrity.
  • Include all environments: on-premise, data centre, cloud (IaaS/PaaS/SaaS), and managed/outsourced platforms.
  • Include internet-facing assets, APIs and third-party integrations used for regulated functions.
  • Map data flows and identify where regulated/sensitive data resides, including data localisation obligations.
  • Bring vendors and MSPs into scope through contractual security obligations and right-to-audit clauses.
  • Document explicit exclusions with justification; unjustified exclusions are an audit finding.
Critical Systems drive obligation depth
The identification of Critical Systems is not a formality. It determines which assets need the strictest controls, the tightest patch SLAs, priority SOC monitoring and inclusion in cyber-resilience testing. Under-scoping Critical Systems is the fastest route to a material non-compliance.

Implementation approach

A structured, phased implementation lets an RE reach demonstrable compliance in a defensible sequence. The phases below assume a Qualified RE; smaller REs can compress phases, and MIIs will run each phase with greater rigour and independent validation.

Phase 1 — Mobilise and assess (weeks 1-6)

  • Activities: confirm RE category; appoint CISO and programme sponsor; establish governance forum; perform CSCRF gap assessment against every function; identify Critical Systems and build/refresh the asset inventory.
  • Deliverables: category determination memo, gap assessment report, Critical System register, prioritised remediation roadmap, board briefing.

Phase 2 — Govern and design (weeks 4-12)

  • Activities: draft and obtain board approval for the cybersecurity policy suite; define risk appetite; establish data classification and third-party risk processes; design target-state architecture (segmentation, SOC model, backup/DR).
  • Deliverables: board-approved policies, data classification scheme, vendor risk framework, SOC operating model decision (own/market/managed), target architecture.

Phase 3 — Build and remediate (weeks 8-24)

  • Activities: implement MFA/PAM, encryption, DLP, EDR, network segmentation, hardening baselines, patch management SLAs; stand up SIEM and SOC coverage; implement backup immutability and DR site; run first VAPT.
  • Deliverables: control implementation evidence, SOC live with use cases, VAPT report with remediation plan, DR configuration, hardening compliance reports.

Phase 4 — Operate and test (weeks 20-32)

  • Activities: run incident response and cyber-resilience exercises; conduct access reviews; complete VAPT remediation and re-test; deliver awareness training and phishing simulations; pursue ISO 27001 certification where mandated.
  • Deliverables: tabletop/drill reports, VAPT closure evidence, training records, ISO 27001 audit progress, operational metrics baseline.

Phase 5 — Assess, certify and improve (weeks 30-40)

  • Activities: complete Cyber Capability Index self-assessment; commission third-party CCI/audit validation; file required reports with SEBI/MII; establish continuous improvement and management review cadence.
  • Deliverables: CCI score with evidence, independent assessment report, SEBI/MII filings, continuous improvement register, management review minutes.

Cyber Capability Index (CCI) maturity model

For MIIs and Qualified REs the CSCRF requires measurement of cyber maturity through the Cyber Capability Index. The CCI aggregates scores across defined parameters into an overall index and a maturity band. The exact parameters, weightings and band thresholds are specified by SEBI; the table below describes the maturity progression an auditor uses to interpret a score and to plan improvement. Treat the band names and score ranges as an illustrative interpretation model and confirm the binding thresholds against the circular.

Maturity bandInterpretationTypical characteristics
Level 1 — Basic / Bare minimumFoundational controls partially presentAd-hoc processes, minimal documentation, reactive posture, gaps in monitoring
Level 2 — DevelopingCore controls implemented but inconsistentPolicies exist, some automation, SOC coverage established, testing occasional
Level 3 — Manageable / DefinedControls consistent and documented across scopeRepeatable processes, measured VAPT/patch SLAs, functional SOC, DR tested
Level 4 — Managed / OptimisedControls measured, monitored and continuously tunedMetrics-driven, threat-intel integrated, resilience testing routine, strong governance
Level 5 — Advanced / ExceptionalLeading-practice, adaptive and resilientAutomation, proactive threat hunting, mature evolve loop, board-level cyber assurance

The CCI is not merely a badge. SEBI expects REs to use the index to identify weak parameters, prioritise investment, and demonstrate year-on-year improvement. A score that stagnates or regresses is itself a supervisory concern.

Assessment and audit approach

The following is the sequence an empanelled auditor or internal assurance function follows to assess CSCRF compliance and, where applicable, validate the CCI.

  1. Confirm the RE's category and the corresponding scope of obligations, and agree the audit scope and Critical System list in writing.
  2. Collect and review documentation: policies, risk register, asset inventory, prior VAPT and audit reports, incident logs and SEBI/CERT-In filings.
  3. Perform control walkthroughs for each function (Governance, Identify, Protect, Detect, Respond, Recover), interviewing owners.
  4. Test control operating effectiveness with sampling: access reviews, patch records, backup restores, log retention, MFA enforcement.
  5. Independently validate technical controls where possible: configuration review, SIEM use-case testing, and review of VAPT scope and closure.
  6. Assess incident reporting timeliness against SEBI/CERT-In mandated timelines using actual incident records.
  7. Score each CCI parameter (higher tiers), map every score to evidence, and compute the overall index and maturity band.
  8. Rate findings by risk, agree remediation owners and timelines, and distinguish design gaps from operating-effectiveness gaps.
  9. Draft the report with an executive summary, detailed findings, evidence references and the CCI result.
  10. Present to management/board, obtain management responses, and file the required certification/report with SEBI or the relevant MII.
  11. Schedule re-testing of high-risk findings and confirm closure before sign-off.

Evidence request list

Auditors should request the following, categorised by function. Providing these in a structured evidence pack materially shortens the audit.

  • Governance: board-approved cybersecurity policy, CISO appointment, IT strategy committee minutes, risk appetite statement, cyber budget approvals.
  • Identify: asset inventory/CMDB, Critical System register, risk assessment reports and risk register, data classification policy, vendor risk assessments and contracts, SBOM artefacts, data residency records.
  • Protect (access): access control matrix, MFA/PAM configuration, access review sign-offs, JML records, password policy.
  • Protect (data): encryption standards and configuration, key management records, DLP reports, media disposal certificates.
  • Protect (network/infra): network diagrams, firewall rule base and review logs, hardening baselines and scan reports, patch reports, EDR coverage.
  • Protect (application): secure SDLC policy, SAST/DAST reports, change management records.
  • Protect (people): training records, phishing simulation results.
  • Detect: SOC contract/charter, SIEM log-source inventory, retention policy, use-case catalogue, threat-intel subscriptions, MTTD/MTTR metrics.
  • Detect (VAPT): VAPT engagement letters (CERT-In empanelled), scope, reports, remediation tracker, closure and re-test evidence.
  • Respond: incident response plan, incident register, SEBI/CERT-In submission acknowledgements, RCA reports, forensic readiness records.
  • Recover: backup policy and job logs, immutability/offline config, DR architecture and drill reports, restore test logs, BCP.
  • Evolve/CCI: cyber resilience exercise reports, CCI scoring workbook with evidence mapping, third-party assessment report, management review minutes.

Roles and responsibilities

RoleKey responsibilities
Board / Governing bodyApprove policy and risk appetite, oversee cyber posture, ensure resourcing, receive periodic assurance
IT / Technology Strategy CommitteeReview cyber programme, monitor CCI and remediation, escalate to board
CISO / designated senior officerOwn the cybersecurity programme, drive implementation, ensure reporting to SEBI/CERT-In, maintain CCI
IT / Infrastructure teamsImplement and operate technical controls: patching, hardening, backups, network security
SOC / Detection team (own/market/managed)Monitor, detect, triage and escalate; maintain use cases and threat intelligence
Incident Response teamContain and manage incidents, perform RCA, preserve forensic evidence, coordinate reporting
Compliance officerMaintain compliance calendar, ensure timely SEBI/MII filings and certifications
Internal auditIndependent assurance over control design and operating effectiveness
Empanelled external auditorIndependent CSCRF audit and CCI validation, VAPT where empanelled
Business/data ownersClassify data, own risk acceptance, validate access appropriateness
Third parties / MSPsMeet contractual security obligations, support audit and incident response

KPIs to track

  • Cyber Capability Index score and trend versus target band.
  • Percentage of Critical Systems under SOC monitoring.
  • Mean time to detect (MTTD) and mean time to respond/contain (MTTR).
  • VAPT findings open by severity and average time to closure against SLA.
  • Patch compliance rate for critical/high vulnerabilities within SLA.
  • Percentage of privileged accounts under PAM and MFA coverage.
  • Backup success rate and successful restore-test percentage; RTO/RPO achievement.
  • Percentage of staff completing awareness training; phishing simulation click rate trend.
  • Number of security incidents, and percentage reported to SEBI/CERT-In within mandated timelines.
  • Percentage of third parties with completed security risk assessments and compliant contracts.
  • Access review completion rate and number of orphaned/stale accounts remediated.
  • Open audit/remediation actions past due date.

Readiness checklist

  • RE category determined and documented, with obligations mapped.
  • Board-approved cybersecurity and cyber-resilience policy in place and reviewed.
  • CISO / designated officer appointed with clear authority and board reporting.
  • Critical Systems identified and asset inventory current.
  • Risk assessment complete with a maintained risk register and treatment plans.
  • Data classification scheme applied and data localisation requirements met.
  • MFA, PAM and least-privilege access controls enforced and reviewed.
  • Encryption of data at rest and in transit with managed keys.
  • Network segmentation, hardening baselines and patch SLAs operating.
  • Functional SOC coverage live with SIEM, log retention and threat intelligence.
  • VAPT conducted by CERT-In empanelled auditor with findings remediated and re-tested.
  • Incident response plan tested; SEBI/CERT-In reporting process proven within timelines.
  • Backups immutable/offline and restores tested; DR site and drills in place.
  • Cyber resilience exercises conducted and lessons applied.
  • ISO 27001 certification obtained where mandated.
  • Cyber Capability Index self-assessment completed and, where required, third-party validated.
  • Required SEBI/MII filings and certifications submitted on time.

Common gaps

  • Incorrect or undocumented RE category leading to under-scoped obligations.
  • Incomplete Critical System identification, so key assets miss the strictest controls.
  • Cloud and third-party-hosted platforms left out of scope and monitoring.
  • SOC coverage nominal rather than functional; poor use-case tuning and unactioned alerts.
  • Log retention below the mandated period or logs not tamper-protected.
  • VAPT scope too narrow, or findings not closed and re-tested within timelines.
  • Incident reporting to SEBI/CERT-In missing mandated timelines or lacking RCA.
  • Backups not immutable/offline, or restores never actually tested.
  • MFA/PAM gaps on privileged and remote access.
  • Weak third-party risk management with no security clauses or right-to-audit.
  • CCI self-assessment done as a paper exercise without evidence mapping.
  • Policies approved once but not reviewed, and no evidence of board oversight.
  • Data localisation obligations unmet due to default cloud region settings.
  • Awareness training and phishing simulations absent or not tracked.

SEBI CSCRF mapped to other frameworks

The CSCRF is deliberately aligned with international standards, which lets REs reuse existing control work. The mapping below is indicative for planning; it is not a substitute for a control-by-control crosswalk.

CSCRF areaISO/IEC 27001:2022NIST CSF 2.0CIS Controls v8
GovernanceClauses 5-6, A.5 organisational controlsGV (Govern)CIS 14, 17 (governance/training/IR)
Identify (asset & risk)A.5.9 asset inventory, 6.1 riskID (Identify)CIS 1, 2 (asset inventory)
Protect (access)A.5.15-5.18, A.8.2-8.5 access/identityPR.AA / PR.ACCIS 5, 6 (account & access management)
Protect (data)A.8.10-8.12, A.8.24 cryptographyPR.DSCIS 3 (data protection)
Protect (network/config)A.8.20-8.23, A.8.9 configurationPR.PS / PR.IRCIS 4, 12, 13 (secure config, network)
Detect (monitoring/SOC)A.8.15-8.16 logging & monitoringDE (Detect)CIS 8, 13 (audit logs, monitoring)
Detect (VAPT)A.8.8 technical vulnerabilitiesID.RA / DE.CMCIS 7, 18 (vuln mgmt, pen testing)
Respond (incident)A.5.24-5.28 incident managementRS (Respond)CIS 17 (incident response)
Recover (backup/BCP/DR)A.8.13 backup, A.5.29-5.30 continuityRC (Recover)CIS 11 (data recovery)
Third-party / supply chainA.5.19-5.23 supplier relationshipsGV.SCCIS 15 (service provider management)
CCI maturityISMS continual improvement (Clause 10)GV.OC / ImprovementCIS Implementation Groups (IG1-3)
How CyberSigma helps
CyberSigma brings CERT-In empanelled auditors and QSA-grade rigour to the full SEBI CSCRF lifecycle. We confirm your RE category and Critical System scope, run a function-by-function gap assessment, stand up or optimise your SOC (own, Market or managed), execute empanelled VAPT with remediation and re-testing, and drive your ISO 27001 certification where mandated. We build your Cyber Capability Index with fully evidenced scoring, prepare board-ready assurance, and manage SEBI/MII and CERT-In reporting so your filings are timely and defensible. From first gap assessment to independent CCI validation and continuous improvement, CyberSigma gets you compliant, resilient and audit-ready — and keeps you there.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Who must comply with SEBI CSCRF?
SEBI-regulated intermediaries and market infrastructure institutions, with requirements graded by the entity’s classification and criticality.

Need help with SEBI CSCRF?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.