CERT-In empanelled cyber audits and VAPT mapped to SEBI's Cybersecurity and Cyber Resilience Framework — for market infrastructure institutions, brokers, mutual funds, intermediaries and every regulated entity in between. Scoped precisely to your CSCRF category.
Issued on 20 August 2024, SEBI's Cybersecurity and Cyber Resilience Framework replaced the earlier patchwork of entity-specific cyber circulars with a single, graded model that scales obligations to each regulated entity's size and operational footprint. It is the most comprehensive cybersecurity regulation an Indian financial regulator has issued.
CSCRF grades every regulated entity into one of five categories and frames every control around five resilience goals — Anticipate, Withstand, Contain, Recover and Evolve. It mandates periodic cyber audits and VAPT by CERT-In empanelled auditors, in SEBI's standardized formats, with strict closure timelines.
As a CERT-In empanelled auditing organization with a dedicated BFSI practice, we deliver the CSCRF cyber audit end to end — control assessment, VAPT, the prescribed reports and the MD/CEO declaration — scoped exactly to your category, so you neither under- nor over-comply.
CSCRF applies to all SEBI regulated entities, graded into five categories by asset size, trading volume, client base or AUM. Your category is fixed at the start of each financial year on the previous year's data.
| CSCRF category | Example regulated entities | Cyber audit & key obligations |
|---|---|---|
| Market Infrastructure Institutions (MIIs) | Stock exchanges, clearing corporations, depositories | Cyber audit twice a year; in-house SOC; ISO 27001; CCI; red teaming |
| Qualified REs | KRAs, qualified stock brokers and other large REs above threshold | Cyber audit twice a year; SOC; ISO 27001; CCI; CISO |
| Mid-size REs | Entities above the mid-size thresholds by AUM, clients or volume | Cyber audit twice a year if IBT/Algo, else annual; IT Committee; SOC |
| Small-size REs | Smaller brokers, advisers, RTAs and similar above the self-cert threshold | Cyber audit twice a year if IBT/Algo, else annual |
| Self-certification REs | The smallest REs and lowest-threshold entities | VAPT + self-certification; VAPT by a CERT-In empanelled auditor |
Categories, thresholds and obligations were revised through 2025 (April 2025 clarifications and subsequent FAQs) and are set annually on prior-year data; an entity registered in multiple capacities takes its highest applicable category. Certain entities — including FPIs, FVCIs, individual investment advisers, LPCC, QDPs, vault managers, RTAs servicing under 10,000 folios, REITs and InvITs — are outside CSCRF. We confirm your exact category and obligations during scoping.
We map your audit to the obligations that apply to your category.
The consolidated CSCRF master circular, replacing the 2015 and 2018 broad guidelines with a single, graded standard for all SEBI regulated entities.
Obligations scale across MIIs, Qualified, Mid-size, Small-size and Self-certification REs, fixed annually on prior-year data.
24×7 monitoring via an own, group, Market-SOC or managed SOC — with an in-house SOC expected of MIIs.
MIIs and Qualified REs obtain ISO 27001, use the Cyber Capability Index, and conduct red-teaming exercises.
Periodic cyber audit covering 100% of critical and 25% of non-critical systems, plus VAPT, by a CERT-In empanelled auditor in SEBI's formats.
Audit report with MD/CEO declaration within one month, findings closed within three months, and a follow-on audit within six months.
Every CSCRF control maps to one of five goals — the lens our audit assesses you against.
Threat intelligence, risk assessment and asset and data classification.
Preventive controls, segmentation, hardening and access management.
Detection through the SOC, monitoring and incident response.
Business continuity, disaster recovery and post-incident learning.
Continuous improvement and adaptive, measurable resilience.
Full coverage of the control domains CSCRF examines — 100% of critical systems and a sample of non-critical systems.
Board-approved policy, CISO function and an IT Committee with an external cyber expert.
Identification, evaluation, prioritisation and monitoring of cyber risks.
24×7 security operations, log retention and the functional efficacy of the SOC.
Least privilege, privileged-access control and segregation of duties.
Segmentation, hardening and endpoint protection across the estate.
Secure development and API controls — rate limiting, throttling, authentication and authorization.
Classification, encryption and data-localization of sensitive market data.
Software Bill of Materials and supply-chain risk across software components.
Vulnerability assessment and penetration testing in SEBI's standardized formats.
Incident handling and immediate reporting via the dedicated SEBI portal and to CERT-In.
BCP and disaster recovery with defined RTO/RPO and tested drills.
Cyber Capability Index measurement and scenario-based resilience and red-team testing.
A compliance-first lifecycle that produces SEBI's standardized reports.
We confirm your CSCRF category and the obligations and audit cadence that apply to you.
Policy, IT Committee, CISO, SOC arrangements and prior audit reports and declarations.
Testing across the five resilience goals — 100% of critical systems and 25% of non-critical, sampled.
VAPT in SEBI formats, plus red-teaming and CCI assessment for MIIs and Qualified REs.
Findings risk-rated in CSCRF formats, with support for the MD/CEO declaration and board presentation.
Remediation within three months and a follow-on audit within six months to verify closure.
The first gets you ready for the engagement; the second is the control checklist we assess, grouped by CSCRF's five goals.
Your audit is mapped to CSCRF and the standards it draws on.
IT and information-security audits for banks, NBFCs and HFCs.
Information & cyber security audits for the insurance sector.
Regulator-aligned vulnerability assessment and penetration testing.
Talk to our CERT-In empanelled team about a cyber audit scoped precisely to your CSCRF category.