A structured matrix mapping SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) to NIST CSF 2.0 tiers, with maturity scoring per function and the mandatory gate items for CISO dashboard reporting.
Continuous Audit Mandate Mapping
SEBI's CSCRF (issued August 2024) mandates continuous cybersecurity auditing for all regulated entities: stock exchanges, depositories and clearing corporations (the market infrastructure institutions), mutual funds, brokers and other intermediaries. This is not an annual compliance exercise; it is ongoing.
Quarterly VAPT — Vulnerability Assessment and Penetration Testing must be conducted every quarter for internet-facing systems
Annual comprehensive audit — Full cybersecurity audit by CERT-In empanelled firm covering all CSCRF control domains
Continuous vulnerability scanning — Automated scanning of all systems at least weekly; critical systems daily
Real-time security monitoring — SOC (in-house or managed) with 24/7 monitoring capability and documented escalation procedures
Incident response testing — Tabletop exercises quarterly; full simulation exercises annually
Configuration compliance monitoring — CIS benchmark compliance checked continuously with drift detection
Third-party risk assessments — Critical vendors assessed annually; material changes trigger re-assessment
4-Hour Reporting Window
SEBI CSCRF mandates incident reporting within 4 hours of detection, tighter than CERT-In's 6-hour window. Both clocks start at the same detection timestamp but expire two hours apart, so regulated entities must maintain parallel reporting workflows for SEBI and CERT-In and track each deadline separately: an incident filed with CERT-In on time can still be a SEBI deadline breach.
NIST CSF 2.0 Tier 1–4 Alignment
SEBI CSCRF explicitly aligns with NIST CSF 2.0. Each regulated entity must self-assess against the four implementation tiers and demonstrate progression.
| Tier | Name | Characteristics | SEBI Expectation |
|---|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive; limited awareness of cybersecurity risk | Not acceptable for any regulated entity |
| Tier 2 | Risk-Informed | Risk management approved but not org-wide; some awareness | Minimum for small brokers/intermediaries |
| Tier 3 | Repeatable | Formal policies; org-wide risk management; regular updates | Expected for most regulated entities |
| Tier 4 | Adaptive | Continuous improvement; lessons learned integrated; predictive | Required for MIIs, exchanges, depositories |
Self-assessment completed to place the entity in one of the four NIST CSF 2.0 tiers, with evidence documentation for the tier claimed
Current tier determination approved by CISO and presented to Board/IT Committee
Gap analysis between current tier and SEBI-expected tier documented
Tier progression roadmap with milestones and target dates defined
Annual re-assessment scheduled to track tier progression
Maturity Scoring per NIST CSF 2.0 Function
CSCRF requires maturity scoring across all six NIST CSF 2.0 functions. Each function must be independently assessed and scored.
| Function | Key Control Areas | Minimum Maturity | Audit Evidence |
|---|---|---|---|
| GOVERN (GV) | Cybersecurity policy, roles, risk strategy, supply chain | Tier 2 | Board-approved policy, CISO appointment, risk appetite statement |
| IDENTIFY (ID) | Asset management, risk assessment, business environment | Tier 2 | Asset register, CMDB, risk register, BIA |
| PROTECT (PR) | Access control, awareness training, data security, platform security | Tier 3 | IAM policy, training records, encryption standards, hardening baselines |
| DETECT (DE) | Continuous monitoring, anomaly detection, event analysis | Tier 3 | SIEM deployment, SOC procedures, detection use cases, alert metrics |
| RESPOND (RS) | Incident management, analysis, mitigation, communication | Tier 3 | IR plan, playbooks, SEBI 4hr reporting workflow, post-incident review |
| RECOVER (RC) | Recovery planning, improvements, communication | Tier 2 | BCP/DR plan, tested annually, lessons learned integration |
Each function scored independently on the 1-5 maturity scale and mapped to the NIST CSF 2.0 tier minimum in the table above, with evidence attached to every score
GOVERN function: Board-approved cybersecurity policy with annual review cycle
IDENTIFY function: Complete asset inventory with classification and criticality tagging
PROTECT function: Multi-factor authentication deployed for all privileged and remote access
DETECT function: SIEM with minimum 25 detection use cases mapped to MITRE ATT&CK
RESPOND function: SEBI 4-hour incident reporting workflow tested and documented
RECOVER function: DR failover tested annually with documented RPO/RTO achievement
Cross-function dependencies identified and documented in maturity assessment
CISO Dashboard Mandate Gate Items
SEBI CSCRF mandates that the CISO present a cybersecurity dashboard to the Board/IT Committee at defined intervals. The dashboard must include specific mandatory gate items.
Overall Maturity Score — Aggregate and per-function maturity scores with quarter-over-quarter trend
Vulnerability Posture — Open vulnerabilities by severity (Critical, High, Medium, Low) with ageing analysis
Incident Metrics — Incidents detected, reported, MTTR (mean time to respond), MTTC (mean time to contain)
SEBI Reporting Compliance — All incidents reported within 4-hour window; any deadline breaches flagged
Audit Findings Status — Open findings from quarterly VAPT and annual audit with remediation progress
Third-Party Risk Summary — Critical vendor risk scores, pending assessments, material changes
Compliance Posture — CSCRF control compliance percentage with gap items and remediation timeline
Security Awareness — Training completion rates, phishing simulation results, policy acknowledgement status
BCP/DR Readiness — Last test date, RPO/RTO achievement, identified gaps
Budget Utilisation — Cybersecurity budget spend vs. allocation with forecast for upcoming quarter
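Several of the gate items above (SEBI reporting compliance against the 4-hour window alongside the CERT-In 6-hour clock, vulnerability posture with ageing, per-function maturity against the minimum tiers) can be computed from records rather than hand-filled each quarter. The following is an added example written for this page; it is not RiskSage code and not a SEBI-published tool. The record layouts, the remediation-SLA days used for ageing, the choice of the weakest function as the aggregate maturity score, and every sample incident and finding are assumptions constructed for illustration.

```python
# Added example (not the page's or RiskSage's code): compute three CISO
# dashboard gate items from constructed sample data. Only the SEBI 4-hour and
# CERT-In 6-hour windows and the per-function minimum tiers come from the page;
# the remediation SLAs, record layouts and sample records are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
SEBI_WINDOW = timedelta(hours=4)    # SEBI CSCRF reporting window (from the page)
CERTIN_WINDOW = timedelta(hours=6)  # CERT-In reporting window (from the page)

# Minimum tier per NIST CSF 2.0 function, from the maturity table above.
MIN_TIER = {"GV": 2, "ID": 2, "PR": 3, "DE": 3, "RS": 3, "RC": 2}

# Assumed remediation SLAs in days, used only for the ageing analysis.
AGE_SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Incident:
    ident: str
    detected: datetime               # timezone-aware; SIEM stamps are often UTC
    reported_sebi: Optional[datetime]
    reported_certin: Optional[datetime]


@dataclass
class Vuln:
    ident: str
    severity: str
    first_seen: datetime
    closed: Optional[datetime] = None


def deadline_status(detected, reported, window, now):
    """ON_TIME/BREACH for filed reports; PENDING/OVERDUE for unfiled ones.
    A naive detection stamp is rejected rather than silently compared."""
    if detected.tzinfo is None:
        raise ValueError("detection time must be timezone-aware")
    deadline = detected + window
    if reported is None:
        return "OVERDUE" if now > deadline else "PENDING"
    return "ON_TIME" if reported <= deadline else "BREACH"


def reporting_compliance(incidents, now):
    """Gate item: every incident against both the SEBI and CERT-In clocks."""
    return {inc.ident: {
        "sebi": deadline_status(inc.detected, inc.reported_sebi, SEBI_WINDOW, now),
        "certin": deadline_status(inc.detected, inc.reported_certin, CERTIN_WINDOW, now),
    } for inc in incidents}


def vulnerability_posture(vulns, now):
    """Gate item: open vulnerabilities per severity, with ageing against SLA."""
    posture = {s: {"open": 0, "past_sla": 0, "oldest_days": 0} for s in AGE_SLA_DAYS}
    for v in vulns:
        if v.closed is not None:
            continue
        age = (now - v.first_seen).days
        row = posture[v.severity]
        row["open"] += 1
        row["oldest_days"] = max(row["oldest_days"], age)
        if age > AGE_SLA_DAYS[v.severity]:
            row["past_sla"] += 1
    return posture


def maturity_summary(scores):
    """Gate item: per-function gap below the minimum tier, plus an aggregate.
    The aggregate is the weakest function, not the mean: a Tier 4 GOVERN
    does not offset a Tier 2 DETECT (an assumption, not a CSCRF rule)."""
    gaps = {f: MIN_TIER[f] - tier for f, tier in scores.items() if tier < MIN_TIER[f]}
    return {"aggregate": min(scores.values()), "gaps": gaps}


# Constructed sample data (not real incidents or findings).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=IST)
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2025, 1, 10, 9, 0, tzinfo=IST),
             datetime(2025, 1, 10, 12, 30, tzinfo=IST), datetime(2025, 1, 10, 13, 0, tzinfo=IST)),
    # Detected in UTC, filed in IST: 4.5 h to SEBI (breach), 5.5 h to CERT-In (on time).
    Incident("INC-2", datetime(2025, 1, 11, 3, 0, tzinfo=timezone.utc),
             datetime(2025, 1, 11, 13, 0, tzinfo=IST), datetime(2025, 1, 11, 14, 0, tzinfo=IST)),
    Incident("INC-3", datetime(2025, 1, 15, 10, 0, tzinfo=IST), None, None),
]
SAMPLE_VULNS = [
    Vuln("V-1", "Critical", datetime(2025, 1, 1, tzinfo=IST)),
    Vuln("V-2", "Critical", datetime(2025, 1, 12, tzinfo=IST)),
    Vuln("V-3", "High", datetime(2024, 11, 1, tzinfo=IST)),
    Vuln("V-4", "Medium", datetime(2024, 12, 20, tzinfo=IST), closed=datetime(2025, 1, 5, tzinfo=IST)),
    Vuln("V-5", "Low", datetime(2024, 12, 1, tzinfo=IST)),
]
SAMPLE_SCORES = {"GV": 3, "ID": 2, "PR": 3, "DE": 2, "RS": 3, "RC": 2}


def build_dashboard(now=NOW):
    return {
        "reporting": reporting_compliance(SAMPLE_INCIDENTS, now),
        "vulnerabilities": vulnerability_posture(SAMPLE_VULNS, now),
        "maturity": maturity_summary(SAMPLE_SCORES),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_dashboard(), indent=2))
```

The point worth taking from the sample records is INC-2: the detection stamp came from a SIEM in UTC while the filings were logged in IST, and the incident is on time for CERT-In yet a SEBI breach. Comparing timezone-aware datetimes makes that arithmetic correct without manual conversion; a naive stamp is refused, because silently treating it as local time is how a 4-hour clock gets miscounted by 5 hours 30 minutes.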
Board Accountability
SEBI holds the Board directly accountable for cybersecurity governance. The CISO dashboard is not advisory — it is a mandatory governance artifact. Missing or incomplete dashboards constitute a CSCRF non-compliance finding.
RiskSage Capability
RiskSage by CreativeCyber automates SEBI CSCRF compliance — continuous maturity scoring across all six NIST CSF 2.0 functions, automated CISO dashboard generation with all mandate gate items, quarterly VAPT tracking, and 4-hour incident reporting workflow for SEBI-regulated entities.
Request access to RiskSage →