// INDIAN REGULATORY COMPLIANCE

SEBI CSCRF Audit

Cyber Security and Cyber Resilience Framework audit for SEBI-regulated market infrastructure institutions and intermediaries.

SEBI CSCRF 2023
5 Maturity Levels
CERT-In Empanelled
Annual Compliance Report

SEBI Cyber Security and Cyber Resilience Framework Audit

The Securities and Exchange Board of India (SEBI) mandates the Cyber Security and Cyber Resilience Framework (CSCRF) for all regulated entities — including stock brokers, depository participants, investment managers, and Market Infrastructure Institutions (MIIs). The framework is structured around five domains mirroring the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. Entities are categorised into maturity levels 1 through 5 and must demonstrate progressive control implementation against their assigned tier.

Intelliroot is a CERT-In empanelled and CREST-certified firm with deep capital market domain expertise. We conduct the annual CSCRF audit, prepare the mandatory SEBI compliance report, and support the entity's SEBI CIRT incident reporting obligations — providing a single point of accountability for all SEBI cybersecurity regulatory deliverables.

SEBI CSCRF 2023 · SEBI Circular 2019 · SEBI Master Circular · CERT-In Empanelled

Why SEBI CSCRF Compliance Cannot Wait

Mandatory Annual Submission

SEBI requires all regulated entities to submit an annual cybersecurity compliance report prepared by a qualified auditor. Non-submission or gaps identified in the report attract regulatory action and potential licence implications.

Maturity Level Accountability

SEBI categorises entities into five maturity tiers based on size and criticality. Each tier has a defined minimum control baseline — falling below your assigned tier level is a direct regulatory breach.

Capital Markets Are High-Value Targets

Trading platforms, order management systems, and market data feeds are prime targets for nation-state actors, insider threats, and financially motivated attackers. CSCRF controls directly address these vectors.

Qualified Auditor Requirement

SEBI requires the CSCRF audit to be conducted by a CERT-In empanelled organisation with capital market domain experience. Intelliroot satisfies both requirements, ensuring your audit report is regulator-accepted without challenge.

CSCRF Domains Covered

Identify & Govern

  • Asset inventory and classification
  • Cyber risk management framework assessment
  • Governance structure and board oversight
  • Third-party and supply chain risk evaluation

Protect

  • Access control and identity management
  • Data security and encryption controls
  • Secure configuration and patch management
  • Network segmentation and perimeter defence

Detect

  • Security monitoring and SIEM coverage
  • Anomaly and event detection capabilities
  • Log management and retention compliance
  • Threat intelligence integration

Respond & Recover

  • Incident response plan and playbook review
  • SEBI CIRT reporting capability assessment
  • Business continuity and disaster recovery testing
  • Recovery time and recovery point objective verification

Our CSCRF Audit Approach

01. Entity Classification & Scoping

Determine the entity's SEBI-assigned maturity level tier, define the audit scope boundary (trading systems, network, applications, third-party connections), and confirm the applicable CSCRF control baseline for that tier.

02. Document Review & Policy Gap Analysis

Review information security policies, risk management frameworks, BCP/DR documentation, and vendor contracts against CSCRF requirements. Identify documentation gaps and classify findings by domain.

03. Technical Assessment

Conduct vulnerability assessment of trading infrastructure, network security review, configuration audit of critical systems (order management, market data, settlement), and endpoint security review across the in-scope environment.

04. Control Testing & Interviews

Test implemented controls against CSCRF requirements through interviews with CISO, IT, and operations staff. Validate access control effectiveness, monitoring coverage, and incident response readiness through tabletop exercises.

05. Maturity Scoring & SEBI Report Preparation

Score controls against the five CSCRF domains, calculate maturity scores, and prepare the annual compliance report in SEBI's prescribed format — including the mandatory attestation and qualified auditor sign-off.


Frequently Asked Questions

Which entities are covered by SEBI CSCRF?

All SEBI-regulated entities are covered, including stock brokers, depository participants, portfolio managers, investment advisers, research analysts, KRAs, and Market Infrastructure Institutions such as stock exchanges, depositories, and clearing corporations. Each entity type is assigned a maturity level tier based on its criticality and size.

What are the CSCRF maturity levels?

SEBI CSCRF defines five maturity levels (1–5). Level 1 entities are smaller intermediaries with a lighter control baseline; Level 5 entities are MIIs and systemically important participants with the most rigorous requirements. SEBI assigns each entity its level, and the audit assesses compliance against that level's specific control set.

What happens if gaps are found during the audit?

Gaps must be disclosed in the annual compliance report along with a remediation timeline. SEBI takes a risk-based approach — critical control gaps may trigger follow-up inspection or a show-cause notice. Our audit includes a prioritised remediation roadmap so you can address findings before they become regulatory issues.

Do you help with SEBI CIRT incident reporting?

Yes. As part of the CSCRF audit, we assess your SEBI CIRT reporting capability and help establish the processes, templates, and escalation chains required to meet SEBI's incident notification timelines. We can also provide on-call advisory support during an active incident.

Deliverables

SEBI Annual Compliance Report

CSCRF compliance report in SEBI's prescribed format, signed by the qualified CERT-In empanelled auditor, ready for submission to SEBI.

Maturity Scorecard

Domain-wise maturity scores across all five CSCRF domains — Identify, Protect, Detect, Respond, and Recover — with benchmark comparison against your assigned tier.

Gap Register & Control Mapping

Detailed register of all findings mapped to specific CSCRF control requirements, with risk ratings, evidence references, and recommended remediation actions.

Board Presentation Pack

Executive-level presentation summarising the audit outcome, risk posture, critical findings, and remediation priorities — formatted for SEBI-required Board IT/Risk Committee reporting.

Remediation Roadmap

Prioritised remediation plan with effort estimates, ownership assignments, and compliance deadline alignment to the next SEBI annual reporting cycle.

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

  • Scoping Call with a Certified Consultant: 45-minute deep-dive with a senior practitioner — no sales pitch.
  • Proposal Delivered in 48 Hours: fully scoped engagement plan with pricing and timeline.
  • Free Attack Surface Analysis: preliminary external exposure report at no cost.

Fully confidential. NDA available. No obligation. Your data is never shared.