The Problem With Scoring Your Own Maturity
The SEBI CSCRF framework requires regulated entities to conduct annual cyber security and cyber resilience maturity assessments and submit them to a SEBI-designated audit firm. The framework uses a 5-level maturity model across 6 domains and 39 controls. Sounds straightforward.
The challenge is that self-assessment frameworks invite optimism bias. When the person who designed the incident response process is also the one scoring it, Level 3 suddenly seems very achievable — even when the last tabletop exercise was 18 months ago and the results were never documented.
CreativeCyber practitioners consistently find a 1–2 level gap between what organizations report in self-assessments and what independent auditors verify. The gap isn’t usually dishonesty — it’s a fundamental confusion between “we have this control” and “we have verifiable evidence that this control works.”
CSCRF Level 3 doesn’t mean your policy is approved and filed. It means your policy is approved, implemented consistently, tested regularly, and the test results are documented. Most organizations have the first part. Few have all four.
What Each Level Actually Requires
The most important discipline in CSCRF assessment is translating each level’s definition into concrete evidence requirements. Here’s how each level translates in practice:
- Level 5: Continuous improvement cycle. Metrics drive control evolution. Board-level risk quantification integrated.
- Level 4: Controls measured quantitatively. Deviations detected automatically. Evidence collected continuously.
- Level 3: Documented policies and procedures. Consistent implementation across the enterprise. Regular testing.
- Level 2: Controls exist but are inconsistent. Depends on individual effort. No formal testing cadence.
- Level 1: Reactive. Controls exist only in response to incidents. No formal program.
The 6 Domains — Where the Gaps Actually Are
The CSCRF framework follows the NIST CSF structure: Govern, Identify, Protect, Detect, Respond, Recover. Indian BFSI organizations consistently score higher in the paper-heavy domains (Govern, Identify) and lower in the evidence-heavy operational domains (Detect, Respond, Recover). SEBI auditors know this asymmetry and test accordingly.
Evidence Quality: What Passes and What Doesn’t
The single most common finding in CSCRF audits is not missing controls — it’s missing evidence for controls that do exist. Here’s a practical guide to what auditors consider insufficient, acceptable, and strong evidence across key control areas:
| Control Area | ❌ Poor (fails audit) | ⚠️ Acceptable (borderline) | ✅ Strong (audit-ready) |
|---|---|---|---|
| Access Control Policy | Policy document only | Policy + quarterly access review report | Policy + access review + exception log + approval trail |
| SIEM / Log Management | Screenshot of SIEM dashboard | SIEM configuration doc + 90-day alert summary | SIEM config + alert KPIs + tuning log + escalation records |
| Incident Response Plan | IRP document in SharePoint | IRP + last tabletop exercise report | IRP + tabletop results + post-incident review + plan updates |
| Vulnerability Management | List of open vulnerabilities | Scan reports + SLA compliance rate | Scan reports + SLA data + remediation evidence + exception register |
| Vendor Risk Assessment | Vendor contract with security clause | Vendor assessment questionnaire responses | Assessment + independent verification + annual review record |
| BCP / DRP | BCP document | BCP + last DR test results | BCP + DR test + RTO/RPO actuals + lessons learned + updates |
The Controls That Will Trip You Up
Based on CreativeCyber practitioner assessments across Indian BFSI entities, these are the controls most frequently found to have insufficient evidence for Level 3 or above. "Fail rate" here means the percentage of assessed entities whose evidence was insufficient to demonstrate Level 3 or above for that control.
The Maker / Checker Structure That Holds Up
The most defensible CSCRF assessments use a three-tier governance structure with clear separation of duties. SEBI auditors specifically look for evidence that the person who scored a control is not the same person who implemented it. Without this separation, the assessment is presumed biased.
Maker (control owner):
- Documents control implementation
- Collects and uploads evidence
- Scores control per maturity criteria
- Flags gaps or exceptions

Checker (independent reviewer):
- Independently reviews evidence quality
- Challenges score if evidence is insufficient
- Approves or returns for remediation
- Documents review rationale

Approver:
- Signs off final assessment scores
- Escalates unresolved disagreements
- Submits to SEBI-designated auditor
- Retains records for 3 years
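The two checks this structure depends on, separation of duties between the three roles and an evidence-backed cap on the claimed level, are mechanical enough to enforce in code rather than by reviewer memory. The following is an added example written for this article; it is not code from the page, from SEBI, or from the CreativeCyber toolkit. The evidence taxonomy, the one-year freshness window, the control identifier, the role names and the sample evidence are all assumptions constructed for the demonstration. It replays the page's own failure case: a tabletop exercise 18 months old with no documented results, claimed at Level 3.

```python
"""Maker/Checker gate for a CSCRF control self-assessment (illustrative only)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Evidence kinds a control owner can attach. Assumed taxonomy for this example;
# the page names the artifacts (policy, test report, KPIs, ...) but no codes.
POLICY = "policy"                  # approved policy or procedure document
IMPLEMENTATION = "implementation"  # config export, access review, scan report
TEST = "test"                      # tabletop, DR test, control test record
TEST_RESULT = "test_result"        # documented outcome of that test
METRICS = "metrics"                # KPIs, SLA compliance figures
IMPROVEMENT = "improvement"        # post-incident review, lessons learned, plan update

# Minimum fresh evidence per level, derived from the level definitions above.
# Level 1 (reactive) needs nothing; each level adds to the one below it.
LEVEL_REQUIREMENTS = {
    2: {POLICY},
    3: {POLICY, IMPLEMENTATION, TEST, TEST_RESULT},
    4: {POLICY, IMPLEMENTATION, TEST, TEST_RESULT, METRICS},
    5: {POLICY, IMPLEMENTATION, TEST, TEST_RESULT, METRICS, IMPROVEMENT},
}


@dataclass
class Evidence:
    kind: str
    collected: date
    description: str = ""


@dataclass
class ControlAssessment:
    control_id: str
    maker: str        # implements the control and proposes the score
    checker: str      # independently reviews evidence and score
    approver: str     # signs off and submits
    claimed_level: int
    evidence: list = field(default_factory=list)


def separation_of_duties_ok(a: ControlAssessment) -> bool:
    """Maker, checker and approver must be three distinct people."""
    return len({a.maker, a.checker, a.approver}) == 3


def fresh_kinds(a: ControlAssessment, as_of: date, max_age_days: int = 365) -> set:
    """Evidence kinds that have at least one artifact inside the freshness window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return {e.kind for e in a.evidence if e.collected >= cutoff}


def supportable_level(a: ControlAssessment, as_of: date, max_age_days: int = 365) -> int:
    """Highest level the fresh evidence can support; levels must be earned in order."""
    have = fresh_kinds(a, as_of, max_age_days)
    level = 1
    for lvl in (2, 3, 4, 5):
        if LEVEL_REQUIREMENTS[lvl] <= have:
            level = lvl
        else:
            break
    return level


def checker_review(a: ControlAssessment, as_of: date, max_age_days: int = 365) -> dict:
    """Checker step: approve the claimed score, or return it with concrete findings."""
    findings = []
    if not separation_of_duties_ok(a):
        findings.append("maker, checker and approver are not three distinct people")
    cap = supportable_level(a, as_of, max_age_days)
    if not 1 <= a.claimed_level <= 5:
        findings.append(f"claimed level {a.claimed_level} is outside the 1-5 scale")
    elif a.claimed_level > cap:
        have = fresh_kinds(a, as_of, max_age_days)
        missing = sorted(LEVEL_REQUIREMENTS[a.claimed_level] - have)
        stale = sorted({e.kind for e in a.evidence} - have)
        msg = f"claimed Level {a.claimed_level} but evidence supports Level {cap}; missing: {missing}"
        if stale:
            msg += f" (present but older than {max_age_days} days: {stale})"
        findings.append(msg)
    return {
        "control": a.control_id,
        "decision": "returned" if findings else "approved",
        "approved_level": None if findings else a.claimed_level,
        "supportable_level": cap,
        "findings": findings,
    }


# Constructed sample: the page's "tabletop 18 months ago, results never documented" case.
AS_OF = date(2025, 3, 31)
IRP_STALE = ControlAssessment(
    control_id="IR-01",  # hypothetical identifier, not a CSCRF control number
    maker="ciso.office", checker="internal.audit", approver="cro",
    claimed_level=3,
    evidence=[
        Evidence(POLICY, date(2024, 11, 5), "IRP v3.1, board approved"),
        Evidence(IMPLEMENTATION, date(2025, 1, 20), "on-call roster and runbooks"),
        Evidence(TEST, AS_OF - timedelta(days=18 * 30), "tabletop exercise"),
        # no TEST_RESULT: the exercise outcome was never written up
    ],
)

if __name__ == "__main__":
    print(checker_review(IRP_STALE, AS_OF))
```

Run as-is, the sample is returned to the maker with a supportable level of 2: the policy and implementation evidence are fresh, but the tabletop is outside the window and there is no documented result. Adding a fresh test and its write-up lifts the cap to 3; changing the checker to the same person as the maker blocks approval regardless of evidence, which is exactly the presumption of bias described above.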
The 6-Month Assessment Calendar
A credible CSCRF assessment is not a two-week exercise. Organizations that start collecting evidence 6 weeks before the submission deadline consistently produce thin assessments. Start 6 months out:
Month 1: set up
- Appoint Maker/Checker/Approver for each domain
- Agree on evidence collection templates
- Baseline current scores against last year

Months 2-3: collect evidence
- Control owners collect and upload evidence
- Reviewer challenges and returns incomplete items
- Track completion rate weekly (target: 80% by Month 3)

Month 4: remediate
- Prioritise gaps by audit risk (fail rate data)
- Implement quick wins (documentation, test scheduling)
- Exception register for controls that need >1 year to close

Month 5: internal challenge
- Run internal audit against CSCRF checklist
- Simulate auditor questions on top 5 failed controls
- Update scores based on challenge outcomes

Month 6: sign-off and submission
- CISO and Board sign-off on final scores
- Submit via SEBI-designated audit firm
- Retain evidence package for 3 years
The SEBI auditor is not there to catch you out. They are there to verify that your self-assessment is honest. The fastest way to pass is to score conservatively and show clear evidence for every point you claim.
Run Your CSCRF Assessment on a Platform Built for It
The Practitioner Toolkit’s Assessment module maps directly to CSCRF’s 6 domains and 39 controls, with built-in Maker/Checker workflow, evidence file attachment at the control level, exception registers, and 5-level maturity scoring with configurable evidence requirements. No spreadsheets. No version confusion.
CSCRF Assessment — Built for SEBI Audit Readiness
4 structured assessment modules with Maker/Checker workflow, 5-level maturity scoring, Indian regulatory alignment, and evidence collection built in from day one.