Introduction: The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)
The Securities and Exchange Board of India (SEBI) issued the consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) via circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024. The CSCRF supersedes and consolidates the earlier fragmented set of cybersecurity circulars that SEBI had issued to individual categories of Regulated Entities (REs) since 2015. It establishes a single, harmonised, outcome-based framework applicable across the entire Indian securities market ecosystem, from Market Infrastructure Institutions (MIIs) such as stock exchanges, clearing corporations and depositories, down to smaller intermediaries such as portfolio managers, investment advisers and KYC Registration Agencies.
The CSCRF is materially different from its predecessors. It moves the market from a purely control-based checklist regime towards a graded, outcome-driven and resilience-centred model. It is explicitly anchored on the five Cyber Resilience Goals derived from the NIST Cybersecurity Framework, namely Anticipate, Withstand, Contain, Recover and Evolve, and it introduces a Cyber Capability Index (CCI) for self-assessment and third-party assessment of cyber maturity. This guide is an auditor-grade, practitioner deep-dive intended for CISOs, IT heads, compliance officers, internal auditors and the empanelled auditors who must certify compliance.
What is SEBI CSCRF
The Cybersecurity and Cyber Resilience Framework is SEBI's overarching mandate that requires Regulated Entities in the Indian securities market to establish, operate and continuously improve a cybersecurity and cyber-resilience programme proportionate to their size, complexity and criticality. It is not a voluntary standard; compliance is a condition of continued registration and operation in the securities market, and non-compliance is a regulatory breach that attracts enforcement action.
The framework is structured around five Cyber Resilience Goals and a set of functions adapted from the NIST CSF. The goals are: Anticipate (proactively identify and prepare for threats), Withstand (limit the impact of an attack while continuing critical operations), Contain (isolate and control an incident), Recover (restore capabilities and services) and Evolve (learn and improve). Mapped beneath these goals are the operational functions, which the CSCRF expresses as Governance, Identify, Protect, Detect, Respond and Recover. Each function is decomposed into standards and guidelines, and each RE must implement them at a depth commensurate with its assigned category.
A defining feature of the CSCRF is graded applicability. SEBI recognises that a national stock exchange and a single-office investment adviser cannot reasonably be held to identical operational burdens. The framework therefore classifies REs into categories and sets a differentiated depth of obligation, audit frequency, and assessment method for each. The highest tier, MIIs and Qualified REs, must undertake the full Cyber Capability Index self-assessment and third-party audit; the lowest tiers follow a lighter, principle-based compliance path.
The other headline additions in the CSCRF are: mandatory functional Security Operations Centre (SOC) coverage (own SOC, Market SOC provided by an MII, or a managed/group SOC), a Cyber Capability Index for measuring maturity, structured Vulnerability Assessment and Penetration Testing (VAPT), Software Bill of Materials (SBOM) expectations, data classification and localisation controls, ISO 27001 certification for higher tiers, and detailed incident reporting timelines to SEBI and to CERT-In.
Who must comply
The CSCRF applies to all entities regulated by SEBI, collectively termed Regulated Entities. SEBI has grouped REs into categories that determine the depth of compliance. The exact categorisation thresholds (client numbers, trading volumes, assets under management, transaction values) are set in the circular and its annexures and are periodically revised; the categories below describe the framework's tiering model.
| RE category | Illustrative entities | Compliance depth |
|---|---|---|
| Market Infrastructure Institutions (MIIs) | Stock exchanges, clearing corporations, depositories | Highest; full CSCRF, CCI self-assessment plus third-party audit, ISO 27001, dedicated SOC, cyber resilience testing |
| Qualified REs | Larger stockbrokers, depository participants, mutual funds/AMCs, KRAs, larger RTAs, larger portfolio managers | High; CCI-based assessment, ISO 27001, SOC (own/market/managed), VAPT, comprehensive controls |
| Mid-size REs | Medium stockbrokers, mid-size intermediaries above threshold but below Qualified | Moderate; substantial controls, SOC coverage, periodic VAPT and audit |
| Small-size REs | Smaller intermediaries below mid-size thresholds | Reduced; core controls, lighter audit cadence |
| Self-certification REs | Smallest intermediaries, certain individual registrants (e.g. small investment advisers, research analysts) | Lowest; principle-based self-certification of baseline hygiene controls |
- Stock exchanges, clearing corporations and depositories (MIIs).
- Stockbrokers and depository participants, graded by size and activity.
- Mutual funds and Asset Management Companies (AMCs).
- Portfolio managers, Alternative Investment Funds and venture capital funds where applicable.
- KYC Registration Agencies (KRAs) and Registrars to an Issue and Share Transfer Agents (RTAs).
- Investment advisers and research analysts (largely self-certification tier).
- Credit rating agencies, custodians, debenture trustees and other SEBI-registered intermediaries.
- Vendors and Managed Service Providers are not directly regulated but are brought into scope contractually through third-party risk requirements imposed on REs.
Structure of SEBI CSCRF
The CSCRF is organised as five Cyber Resilience Goals sitting above six operational functions, which in turn contain standards, guidelines and specific parameters. The functions are the practical audit units. The table below sets out the structure that auditors work against.
| Layer | Component | Purpose |
|---|---|---|
| Cyber Resilience Goals | Anticipate, Withstand, Contain, Recover, Evolve | Strategic outcomes the entire programme must deliver |
| Function: Governance | Cyber governance, policy, roles, board oversight, risk appetite | Establishes accountability and direction |
| Function: Identify | Asset management, risk assessment, third-party/supply-chain risk, data classification | Understand what must be protected and the risks to it |
| Function: Protect | Access control, data security, encryption, network security, secure configuration, awareness | Safeguards that prevent or limit incidents |
| Function: Detect | SOC, monitoring, logging, anomaly detection, threat intelligence, VAPT | Timely discovery of events and vulnerabilities |
| Function: Respond | Incident response, reporting to SEBI/CERT-In, communication, forensics | Contain and manage confirmed incidents |
| Function: Recover | Backup, restoration, business continuity, disaster recovery, cyber resilience testing | Restore services and demonstrate resilience |
| Measurement | Cyber Capability Index (CCI) | Graded, quantitative maturity score for higher-tier REs |
Cross-cutting mandates that sit alongside the functions include: mandatory SOC coverage, ISO 27001 certification for MIIs and Qualified REs, VAPT with defined frequency and closure timelines, SBOM for critical systems, data localisation and classification, root cause analysis (RCA) for incidents, and structured incident reporting to SEBI and CERT-In within prescribed timelines.
Master assessment checklist
This is the operative section of the guide. It enumerates each function of the CSCRF as an audit group, with a table of what an auditor must verify and the typical evidence that satisfies the requirement. Work through every group; do not skip any function. For higher-tier REs each verified control also feeds the Cyber Capability Index score.
Group 1 — Governance
| What to verify | Typical evidence |
|---|---|
| A board-approved cybersecurity and cyber-resilience policy exists and is reviewed at least annually | Signed policy document, board/committee minutes recording approval and review dates |
| A designated CISO (or equivalent senior officer) is appointed with defined authority and reporting line to the board/IT strategy committee | Appointment letter, organisation chart, role description, board reporting cadence |
| A cyber risk appetite / tolerance statement is defined and approved | Risk appetite statement, board minutes |
| The Technology/IT Strategy Committee reviews cyber posture periodically | Committee charter, meeting minutes, dashboards presented |
| Cybersecurity budget and resourcing are approved and tracked | Budget approvals, spend reports, headcount records |
| Compliance responsibility for CSCRF reporting is assigned | Compliance calendar, designated officer records, filing acknowledgements |
Group 2 — Identify (asset, risk and third-party management)
| What to verify | Typical evidence |
|---|---|
| A complete, current inventory of hardware, software, information assets and data flows exists, with criticality/Critical System tagging | Asset register/CMDB, critical system list, data flow diagrams |
| Critical Systems are formally identified and documented | Critical system inventory, board-noted criticality assessment |
| A documented risk assessment methodology is applied and risks are recorded with treatment plans | Risk assessment reports, risk register, treatment plans and owners |
| Data is classified (e.g. public, internal, confidential, sensitive/regulated) and handling rules defined | Data classification policy, classification labels, handling matrix |
| Third-party / vendor and supply-chain risks are assessed, with security clauses in contracts | Vendor risk assessments, contracts with security/annexure clauses, due-diligence records |
| Software Bill of Materials (SBOM) is maintained for critical/in-house applications | SBOM artefacts, component inventories, licence/vulnerability tracking |
| Data localisation requirements (data held within India where mandated) are met | Hosting location records, cloud region configuration, data residency attestations |
Group 3 — Protect (access control and identity)
| What to verify | Typical evidence |
|---|---|
| Role-based access control and least-privilege are enforced across systems | Access control matrix, role definitions, provisioning records |
| Multi-factor authentication is enforced for remote, privileged and critical system access | MFA policy, authentication logs, configuration screenshots |
| Privileged access is managed and monitored (PAM), with session recording where applicable | PAM tool records, privileged account inventory, session logs |
| Periodic user access reviews / recertification are performed | Access review reports, sign-offs, revocation evidence |
| Joiner-mover-leaver process promptly revokes access | JML tickets, deprovisioning logs, HR-IT reconciliation |
| Password/credential policy meets standards and default credentials are removed | Password policy, configuration baselines, exception logs |
Group 4 — Protect (data security and cryptography)
| What to verify | Typical evidence |
|---|---|
| Data at rest and in transit is encrypted using approved algorithms | Encryption standard, TLS/at-rest config, key strength records |
| Cryptographic key management (generation, storage, rotation, destruction) is controlled | Key management policy, HSM/KMS records, rotation logs |
| Data Loss Prevention controls are deployed for sensitive/regulated data | DLP policy, DLP alerts and reports, blocked-transfer evidence |
| Secure data disposal and media sanitisation are practised | Disposal policy, sanitisation certificates, asset retirement records |
| Removable media and endpoint data controls are enforced | Endpoint policy, USB control config, exception approvals |
Group 5 — Protect (network and infrastructure security)
| What to verify | Typical evidence |
|---|---|
| Network segmentation isolates critical systems and untrusted zones | Network architecture diagrams, firewall zone config, segmentation review |
| Firewalls, IPS/IDS and secure gateways are deployed and rule-reviewed periodically | Firewall rule base, rule review logs, IPS/IDS config |
| Secure baseline / hardening standards are applied and drift is monitored | Hardening baselines (CIS-aligned), compliance scan reports |
| Patch and vulnerability management follows defined SLAs by severity | Patch policy, patch deployment reports, exception register |
| Anti-malware / endpoint detection and response is deployed on all endpoints and servers | EDR/AV coverage reports, detection logs, quarantine records |
| Email and web security controls (anti-phishing, sandboxing) are in place | Email gateway config, phishing-block statistics |
Group 6 — Protect (application and secure development)
| What to verify | Typical evidence |
|---|---|
| A secure SDLC is followed with security requirements and code review | SDLC policy, code review records, security gate sign-offs |
| Application security testing (SAST/DAST) is performed before release | SAST/DAST reports, remediation tracking |
| Change management controls govern production changes | Change tickets, CAB approvals, rollback plans |
| APIs and web-facing applications are secured and rate-limited | API security config, WAF rules, testing evidence |
Group 7 — Protect (security awareness and training)
| What to verify | Typical evidence |
|---|---|
| All staff receive periodic cybersecurity awareness training | Training records, completion rates, curriculum |
| Phishing simulations are conducted and results acted upon | Simulation reports, click-rate trends, follow-up training |
| Role-specific / specialised training for IT, SOC and developers is provided | Specialised training logs, certifications |
Group 8 — Detect (SOC, monitoring and logging)
| What to verify | Typical evidence |
|---|---|
| Functional SOC coverage is in place (own, Market SOC via MII, or managed/group SOC) | SOC engagement contract/charter, coverage hours, staffing |
| Centralised logging / SIEM aggregates logs from critical systems | SIEM architecture, log source inventory, ingestion reports |
| Log retention meets the mandated period and logs are tamper-protected | Retention policy, storage config, integrity controls |
| Use cases / correlation rules detect key threat scenarios | Use-case catalogue, alert tuning records |
| Cyber threat intelligence is consumed and operationalised | Threat-intel feed subscriptions, IOC ingestion, advisories acted upon |
| Alert triage, escalation and mean-time-to-detect are measured | SOC runbooks, ticket metrics, MTTD/MTTR reports |
Group 9 — Detect (VAPT and continuous testing)
| What to verify | Typical evidence |
|---|---|
| VAPT is conducted at mandated frequency by CERT-In empanelled auditors | VAPT engagement letters, scope, empanelment proof |
| VAPT covers all critical and internet-facing systems | Scope documents, asset coverage mapping |
| Findings are risk-rated and remediated within defined timelines, with re-testing | VAPT reports, remediation tracker, closure/re-test evidence |
| VAPT closure is reported to SEBI/MII as required | Closure reports, filing acknowledgements |
Group 10 — Respond (incident management and reporting)
| What to verify | Typical evidence |
|---|---|
| A documented, tested incident response plan with severity classification exists | IR plan, severity matrix, contact tree |
| Incidents are reported to SEBI/MII and CERT-In within mandated timelines | Incident tickets, SEBI/CERT-In submission acknowledgements, timelines |
| Root Cause Analysis is completed for significant incidents | RCA reports, corrective/preventive action tracking |
| Forensic readiness and evidence-preservation procedures exist | Forensic policy, chain-of-custody templates, retainer with forensic provider |
| Post-incident lessons feed the Evolve goal | Lessons-learned records, updated runbooks/controls |
| Communication and stakeholder notification protocols are defined | Communication plan, notification templates |
Group 11 — Recover (backup, BCP and DR)
| What to verify | Typical evidence |
|---|---|
| Backups of critical data/systems are taken, encrypted and stored securely (including offline/immutable copies) | Backup policy, backup job logs, immutability config |
| Recovery Time and Recovery Point Objectives (RTO/RPO) are defined and met | BCP/DR policy, RTO/RPO definitions, test results |
| Disaster recovery site exists and DR drills are performed periodically | DR architecture, drill reports, failover evidence |
| Restoration of backups is periodically tested | Restore test logs, integrity verification |
| Business continuity plan covers cyber scenarios (e.g. ransomware) | BCP document, scenario playbooks, exercise records |
Group 12 — Cyber resilience testing and Evolve
| What to verify | Typical evidence |
|---|---|
| Cyber resilience / scenario testing (e.g. red-team, tabletop, cyber drills) is conducted | Exercise plans, tabletop minutes, red-team reports |
| Cyber Capability Index (CCI) self-assessment is performed at mandated frequency (higher tiers) | CCI scoring workbook, evidence mapping, board sign-off |
| CCI is validated by a third-party auditor where required | Independent CCI assessment report |
| Continuous improvement actions from assessments are tracked to closure | Improvement register, management review minutes |
Scoping
Scoping under the CSCRF flows directly from category assignment, but the technical scope must then be drawn around every system and dataset that supports the RE's regulated activity. A common audit failure is a scope that omits cloud workloads, third-party-hosted trading/back-office platforms, or shadow IT.
- Confirm RE category (MII, Qualified, Mid-size, Small-size, Self-certification) and the resulting obligations.
- Identify and formally designate Critical Systems that, if compromised, would impair regulated services or market integrity.
- Include all environments: on-premise, data centre, cloud (IaaS/PaaS/SaaS), and managed/outsourced platforms.
- Include internet-facing assets, APIs and third-party integrations used for regulated functions.
- Map data flows and identify where regulated/sensitive data resides, including data localisation obligations.
- Bring vendors and MSPs into scope through contractual security obligations and right-to-audit clauses.
- Document explicit exclusions with justification; unjustified exclusions are an audit finding.
Implementation approach
A structured, phased implementation lets an RE reach demonstrable compliance in a defensible sequence. The phases below assume a Qualified RE; smaller REs can compress phases, and MIIs will run each phase with greater rigour and independent validation.
Phase 1 — Mobilise and assess (weeks 1-6)
- Activities: confirm RE category; appoint CISO and programme sponsor; establish governance forum; perform CSCRF gap assessment against every function; identify Critical Systems and build/refresh the asset inventory.
- Deliverables: category determination memo, gap assessment report, Critical System register, prioritised remediation roadmap, board briefing.
Phase 2 — Govern and design (weeks 4-12)
- Activities: draft and obtain board approval for the cybersecurity policy suite; define risk appetite; establish data classification and third-party risk processes; design target-state architecture (segmentation, SOC model, backup/DR).
- Deliverables: board-approved policies, data classification scheme, vendor risk framework, SOC operating model decision (own/market/managed), target architecture.
Phase 3 — Build and remediate (weeks 8-24)
- Activities: implement MFA/PAM, encryption, DLP, EDR, network segmentation, hardening baselines, patch management SLAs; stand up SIEM and SOC coverage; implement backup immutability and DR site; run first VAPT.
- Deliverables: control implementation evidence, SOC live with use cases, VAPT report with remediation plan, DR configuration, hardening compliance reports.
Phase 4 — Operate and test (weeks 20-32)
- Activities: run incident response and cyber-resilience exercises; conduct access reviews; complete VAPT remediation and re-test; deliver awareness training and phishing simulations; pursue ISO 27001 certification where mandated.
- Deliverables: tabletop/drill reports, VAPT closure evidence, training records, ISO 27001 audit progress, operational metrics baseline.
Phase 5 — Assess, certify and improve (weeks 30-40)
- Activities: complete Cyber Capability Index self-assessment; commission third-party CCI/audit validation; file required reports with SEBI/MII; establish continuous improvement and management review cadence.
- Deliverables: CCI score with evidence, independent assessment report, SEBI/MII filings, continuous improvement register, management review minutes.
Cyber Capability Index (CCI) maturity model
For MIIs and Qualified REs the CSCRF requires measurement of cyber maturity through the Cyber Capability Index. The CCI aggregates scores across defined parameters into an overall index and a maturity band. The exact parameters, weightings and band thresholds are specified by SEBI; the table below describes the maturity progression an auditor uses to interpret a score and to plan improvement. Treat the band names and score ranges as an illustrative interpretation model and confirm the binding thresholds against the circular.
| Maturity band | Interpretation | Typical characteristics |
|---|---|---|
| Level 1 — Basic / Bare minimum | Foundational controls partially present | Ad-hoc processes, minimal documentation, reactive posture, gaps in monitoring |
| Level 2 — Developing | Core controls implemented but inconsistent | Policies exist, some automation, SOC coverage established, testing occasional |
| Level 3 — Manageable / Defined | Controls consistent and documented across scope | Repeatable processes, measured VAPT/patch SLAs, functional SOC, DR tested |
| Level 4 — Managed / Optimised | Controls measured, monitored and continuously tuned | Metrics-driven, threat-intel integrated, resilience testing routine, strong governance |
| Level 5 — Advanced / Exceptional | Leading-practice, adaptive and resilient | Automation, proactive threat hunting, mature evolve loop, board-level cyber assurance |
The CCI is not merely a badge. SEBI expects REs to use the index to identify weak parameters, prioritise investment, and demonstrate year-on-year improvement. A score that stagnates or regresses is itself a supervisory concern.
Assessment and audit approach
The following is the sequence an empanelled auditor or internal assurance function follows to assess CSCRF compliance and, where applicable, validate the CCI.
- Confirm the RE's category and the corresponding scope of obligations, and agree the audit scope and Critical System list in writing.
- Collect and review documentation: policies, risk register, asset inventory, prior VAPT and audit reports, incident logs and SEBI/CERT-In filings.
- Perform control walkthroughs for each function (Governance, Identify, Protect, Detect, Respond, Recover), interviewing owners.
- Test control operating effectiveness with sampling: access reviews, patch records, backup restores, log retention, MFA enforcement.
- Independently validate technical controls where possible: configuration review, SIEM use-case testing, and review of VAPT scope and closure.
- Assess incident reporting timeliness against SEBI/CERT-In mandated timelines using actual incident records.
- Score each CCI parameter (higher tiers), map every score to evidence, and compute the overall index and maturity band.
- Rate findings by risk, agree remediation owners and timelines, and distinguish design gaps from operating-effectiveness gaps.
- Draft the report with an executive summary, detailed findings, evidence references and the CCI result.
- Present to management/board, obtain management responses, and file the required certification/report with SEBI or the relevant MII.
- Schedule re-testing of high-risk findings and confirm closure before sign-off.
Evidence request list
Auditors should request the following, categorised by function. Providing these in a structured evidence pack materially shortens the audit.
- Governance: board-approved cybersecurity policy, CISO appointment, IT strategy committee minutes, risk appetite statement, cyber budget approvals.
- Identify: asset inventory/CMDB, Critical System register, risk assessment reports and risk register, data classification policy, vendor risk assessments and contracts, SBOM artefacts, data residency records.
- Protect (access): access control matrix, MFA/PAM configuration, access review sign-offs, JML records, password policy.
- Protect (data): encryption standards and configuration, key management records, DLP reports, media disposal certificates.
- Protect (network/infra): network diagrams, firewall rule base and review logs, hardening baselines and scan reports, patch reports, EDR coverage.
- Protect (application): secure SDLC policy, SAST/DAST reports, change management records.
- Protect (people): training records, phishing simulation results.
- Detect: SOC contract/charter, SIEM log-source inventory, retention policy, use-case catalogue, threat-intel subscriptions, MTTD/MTTR metrics.
- Detect (VAPT): VAPT engagement letters (CERT-In empanelled), scope, reports, remediation tracker, closure and re-test evidence.
- Respond: incident response plan, incident register, SEBI/CERT-In submission acknowledgements, RCA reports, forensic readiness records.
- Recover: backup policy and job logs, immutability/offline config, DR architecture and drill reports, restore test logs, BCP.
- Evolve/CCI: cyber resilience exercise reports, CCI scoring workbook with evidence mapping, third-party assessment report, management review minutes.
Roles and responsibilities
| Role | Key responsibilities |
|---|---|
| Board / Governing body | Approve policy and risk appetite, oversee cyber posture, ensure resourcing, receive periodic assurance |
| IT / Technology Strategy Committee | Review cyber programme, monitor CCI and remediation, escalate to board |
| CISO / designated senior officer | Own the cybersecurity programme, drive implementation, ensure reporting to SEBI/CERT-In, maintain CCI |
| IT / Infrastructure teams | Implement and operate technical controls: patching, hardening, backups, network security |
| SOC / Detection team (own/market/managed) | Monitor, detect, triage and escalate; maintain use cases and threat intelligence |
| Incident Response team | Contain and manage incidents, perform RCA, preserve forensic evidence, coordinate reporting |
| Compliance officer | Maintain compliance calendar, ensure timely SEBI/MII filings and certifications |
| Internal audit | Independent assurance over control design and operating effectiveness |
| Empanelled external auditor | Independent CSCRF audit and CCI validation, VAPT where empanelled |
| Business/data owners | Classify data, own risk acceptance, validate access appropriateness |
| Third parties / MSPs | Meet contractual security obligations, support audit and incident response |
KPIs to track
- Cyber Capability Index score and trend versus target band.
- Percentage of Critical Systems under SOC monitoring.
- Mean time to detect (MTTD) and mean time to respond/contain (MTTR).
- VAPT findings open by severity and average time to closure against SLA.
- Patch compliance rate for critical/high vulnerabilities within SLA.
- Percentage of privileged accounts under PAM and MFA coverage.
- Backup success rate and successful restore-test percentage; RTO/RPO achievement.
- Percentage of staff completing awareness training; phishing simulation click rate trend.
- Number of security incidents, and percentage reported to SEBI/CERT-In within mandated timelines.
- Percentage of third parties with completed security risk assessments and compliant contracts.
- Access review completion rate and number of orphaned/stale accounts remediated.
- Open audit/remediation actions past due date.
Readiness checklist
- RE category determined and documented, with obligations mapped.
- Board-approved cybersecurity and cyber-resilience policy in place and reviewed.
- CISO / designated officer appointed with clear authority and board reporting.
- Critical Systems identified and asset inventory current.
- Risk assessment complete with a maintained risk register and treatment plans.
- Data classification scheme applied and data localisation requirements met.
- MFA, PAM and least-privilege access controls enforced and reviewed.
- Encryption of data at rest and in transit with managed keys.
- Network segmentation, hardening baselines and patch SLAs operating.
- Functional SOC coverage live with SIEM, log retention and threat intelligence.
- VAPT conducted by CERT-In empanelled auditor with findings remediated and re-tested.
- Incident response plan tested; SEBI/CERT-In reporting process proven within timelines.
- Backups immutable/offline and restores tested; DR site and drills in place.
- Cyber resilience exercises conducted and lessons applied.
- ISO 27001 certification obtained where mandated.
- Cyber Capability Index self-assessment completed and, where required, third-party validated.
- Required SEBI/MII filings and certifications submitted on time.
Common gaps
- Incorrect or undocumented RE category leading to under-scoped obligations.
- Incomplete Critical System identification, so key assets miss the strictest controls.
- Cloud and third-party-hosted platforms left out of scope and monitoring.
- SOC coverage nominal rather than functional; poor use-case tuning and unactioned alerts.
- Log retention below the mandated period or logs not tamper-protected.
- VAPT scope too narrow, or findings not closed and re-tested within timelines.
- Incident reporting to SEBI/CERT-In missing mandated timelines or lacking RCA.
- Backups not immutable/offline, or restores never actually tested.
- MFA/PAM gaps on privileged and remote access.
- Weak third-party risk management with no security clauses or right-to-audit.
- CCI self-assessment done as a paper exercise without evidence mapping.
- Policies approved once but not reviewed, and no evidence of board oversight.
- Data localisation obligations unmet due to default cloud region settings.
- Awareness training and phishing simulations absent or not tracked.
SEBI CSCRF mapped to other frameworks
The CSCRF is deliberately aligned with international standards, which lets REs reuse existing control work. The mapping below is indicative for planning; it is not a substitute for a control-by-control crosswalk.
| CSCRF area | ISO/IEC 27001:2022 | NIST CSF 2.0 | CIS Controls v8 |
|---|---|---|---|
| Governance | Clauses 5-6, A.5 organisational controls | GV (Govern) | CIS 14, 17 (governance/training/IR) |
| Identify (asset & risk) | A.5.9 asset inventory, 6.1 risk | ID (Identify) | CIS 1, 2 (asset inventory) |
| Protect (access) | A.5.15-5.18, A.8.2-8.5 access/identity | PR.AA / PR.AC | CIS 5, 6 (account & access management) |
| Protect (data) | A.8.10-8.12, A.8.24 cryptography | PR.DS | CIS 3 (data protection) |
| Protect (network/config) | A.8.20-8.23, A.8.9 configuration | PR.PS / PR.IR | CIS 4, 12, 13 (secure config, network) |
| Detect (monitoring/SOC) | A.8.15-8.16 logging & monitoring | DE (Detect) | CIS 8, 13 (audit logs, monitoring) |
| Detect (VAPT) | A.8.8 technical vulnerabilities | ID.RA / DE.CM | CIS 7, 18 (vuln mgmt, pen testing) |
| Respond (incident) | A.5.24-5.28 incident management | RS (Respond) | CIS 17 (incident response) |
| Recover (backup/BCP/DR) | A.8.13 backup, A.5.29-5.30 continuity | RC (Recover) | CIS 11 (data recovery) |
| Third-party / supply chain | A.5.19-5.23 supplier relationships | GV.SC | CIS 15 (service provider management) |
| CCI maturity | ISMS continual improvement (Clause 10) | GV.OC / Improvement | CIS Implementation Groups (IG1-3) |
Frequently asked questions
Need help with SEBI CSCRF?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
