SEBI Cybersecurity & Cyber Resilience Framework (CSCRF): Implementation Guide for Regulated Entities

Published: 30 May 2026 · 23 min read · Category: SEBI CSCRF


Introduction

For India’s securities market, cybersecurity stopped being optional sometime around the second NSE outage of 2021. What SEBI eventually released — the Cybersecurity and Cyber Resilience Framework (CSCRF) on 20 August 2024 — is the regulator’s attempt to set one coherent standard for everyone whose failure could ripple through the market: stock exchanges, depositories, brokers, portfolio managers, AIFs, AMCs, KRAs, RTAs, and dozens of other entities the public never sees but depends on every trading day.

If you operate any SEBI-regulated entity, the SEBI cybersecurity framework now governs your security posture — not your internal risk preference, not your auditor’s recommendation, but the regulator’s mandate. The framework replaces the older patchwork of entity-specific cyber circulars with a single, graded model that scales the compliance requirements to your size and operational footprint. CSCRF is the new baseline for SEBI regulated entity cybersecurity and the standard against which your next supervisory review will be measured.

This guide is written for the people who actually have to implement it: compliance officers, CISOs (newly appointed in many cases), and founders at small-to-mid Indian SEBI-regulated firms who do not have a 50-person security team or a seven-figure cyber budget. We will cover what CSCRF requires, who must comply, how SEBI classifies you into one of five categories, what the controls actually mean in practice, and a realistic roadmap to get audit-ready.

We will not tell you cybersecurity is critical. You already know that. What you need is a clear read of the framework and a path to compliance that fits an Indian SME’s reality.

What Is SEBI CSCRF and Who Must Comply?

The CSCRF is SEBI’s consolidated cyber resilience framework for its regulated entities (REs). Issued on 20 August 2024, it replaced multiple older circulars and introduced a unified standard built around five resilience goals: Anticipate, Withstand, Contain, Recover, and Evolve. The framework’s design borrows from the NIST CSF in structure but is tailored to India’s market structure and SEBI’s supervisory model.

Effective dates and the deadline shuffle. The compliance schedule formally came into force on 1 January 2025 for entities that already had a prior SEBI cyber circular, and 1 April 2025 for the rest. SEBI granted more than one deadline extension in 2025 — first on 28 March 2025, then again on 30 June 2025, which moved the implementation date to 31 August 2025 for most REs. The original (earlier) schedule continued to apply to Market Infrastructure Institutions (MIIs), KRAs, and Qualified Registrars to an Issue and Share Transfer Agents (QRTAs). Reading this in 2026: that 31 August 2025 implementation deadline has passed, and SEBI issued no further blanket extension. The live obligation now is the recurring cyber-audit cycle — for the FY 2025-26 half-yearly cycle, audit reports and action-taken reports were due by 31 March 2026, with the next cycle due by 30 June 2026 (see Cyber Audit and Empanelment, below). Smaller REs that treated the 2025 extensions as licence to delay are now exposed at audit time.

The five follow-on circulars you must read alongside the master circular. The original framework was published on 20 August 2024 (Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113), but the operative text today is the master circular as modified by:

  • 31 December 2024 clarifications — scope and applicability fixes, regulatory forbearance window Jan–Mar 2025.
  • 28 March 2025 extension — first deadline push.
  • 30 April 2025 clarifications (Circular 2025/60) — the substantive overhaul: revised categorisation thresholds, KRA reclassification, stock-broker dual-parameter rule, AIF manager-level aggregation, and HSM mandate.
  • 30 June 2025 extension + FAQs (Circular 2025/96) — moved the implementation deadline to 31 Aug 2025 (now passed) and issued a comprehensive FAQ document.
  • 28 August 2025 technical clarifications (Circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119) — disaster recovery RTO/RPO, ISO 27001 voluntariness, principle of exclusivity for multi-regulator REs, condensed VAPT report format, and the Portfolio Manager / Merchant Banker re-categorisation (Part-C).

If you read only the August 2024 master circular, you will get half the picture and the wrong category for your firm. Read the package together.

Who is in scope. CSCRF applies to a broad pool of SEBI-regulated entities, including:

  • Stock exchanges, clearing corporations, and depositories (MIIs)
  • Stock brokers and depository participants
  • Mutual fund asset management companies (AMCs)
  • Portfolio managers
  • Alternative Investment Funds (AIFs)
  • Investment advisers (corporate)
  • Research analysts (corporate)
  • Credit rating agencies and debenture trustees
  • KRAs, RTAs, and QRTAs

Who is out of scope. SEBI has explicitly carved out: Foreign Portfolio Investors (FPIs), Foreign Venture Capital Investors (FVCI), individual investment advisers, Limited Purpose Clearing Corporations (LPCC), Qualified Depository Participants (QDPs), Vault Managers, REITs, and InvITs. If you fall into one of these buckets, CSCRF does not bind you — but you may still inherit obligations from your service providers. Note that RTAs are in scope; the concession for small RTAs is narrower — those with fewer than 100 clients are exempt from the SOC/M-SOC requirement, not from CSCRF as a whole.

SEBI’s Five-Category Entity Classification

This is the single most important structural element of CSCRF and the answer to your first practical question — how much does CSCRF actually demand of my firm? SEBI grades obligations by category, not a one-size-fits-all rulebook.

The five categories:

  1. Market Infrastructure Institutions (MIIs) — Stock exchanges, clearing corporations, depositories. Highest bar. Mandatory in-house SOC, half-yearly cyber audits, board-level cybersecurity committee. Note: KYC Registration Agencies (KRAs) were initially included in the MII bucket but were reclassified as Qualified REs by the 30 April 2025 clarifications circular.
  2. Qualified REs — Large entities defined by thresholds such as AUM, client count, or trade volume. KRAs and Qualified Stock Brokers sit here. Requirements approach MII level but with more flexibility on SOC sourcing. Note: Portfolio Managers do not have a Qualified tier — a PM’s highest CSCRF category is Mid-size.
  3. Mid-size REs — Mid-tier entities. For Portfolio Managers, this is the top category: AUM of ₹10,000 crore and above. Substantial controls required, including a dedicated CISO function and structured incident response.
  4. Small-size REs — Smaller entities below the mid-size threshold (for PMs, AUM greater than ₹3,000 crore and below ₹10,000 crore). Reduced operational burden, including the option to use the Market SOC (M-SOC) operated by exchanges instead of building one in-house.
  5. Self-Certification REs — Entities below the minimum threshold for the small-size category (for PMs, AUM of ₹3,000 crore or below). Simplified compliance through self-certification on a SEBI-prescribed format. Within self-certification, the M-SOC requirement is waived for entities with fewer than 100 clients (assessed per entity type — e.g., PMs, AIF/VCF managers, DPs, or RTAs each with fewer than 100 clients).

Three classification rules introduced by the 30 April 2025 circular that materially change how you categorise yourself:

  • Stock brokers — dual-parameter classification. A broker is placed in the highest category triggered by either total client count or annual trading volume. Crucially, brokers with fewer than 1,000 clients and less than ₹1,000 crore annual trading volume are fully exempted from CSCRF. This carve-out captures most genuinely small brokers; if you are one of them, document the exemption claim, but do not assume it applies — re-check at the start of every financial year because crossing either threshold once flips you in.
  • AIFs — manager-level aggregation. AIF and VCF categorisation is determined at the manager level, using the combined corpus of all AIF/VCF schemes managed by the same manager — not the individual fund’s AUM. A manager running multiple sub-threshold funds whose combined corpus crosses a category line is treated as the higher category for every fund.
  • Multi-registration Investment Advisers. IAs registered in more than one capacity must adhere to the highest category triggered under any of their registrations. Unregistered IAs are excluded from CSCRF.

How to figure out where you fit. Your category is determined at the beginning of each financial year, based on the previous financial year’s data, and you stay in that category for the entire FY regardless of mid-year changes. Thresholds vary by entity type. Your starting point is the 20 August 2024 master circular as modified by the 30 April 2025 clarifications and the June 2025 FAQs — these together lay out the operative threshold tables.
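The categorisation rules above, as an added worked example written for this guide (not SEBI’s code or an official calculator): it encodes the Portfolio Manager AUM bands and the broker exemption line quoted here, the dual-parameter and manager-level aggregation logic, the M-SOC client-count waiver, and the financial-year determination. Threshold tables for other entity types are not quoted in this guide and are assumed to be passed in by the caller from the operative circular; the category ordering is this example’s own.

```python
"""
Categorisation helper for the CSCRF rules described in this guide (added
example, not SEBI's code or an official calculator). Threshold tables for
entity types other than Portfolio Managers are not reproduced here and must
be passed in from the operative circular. All amounts are in crore rupees.
"""

# Ordered from least to most demanding, so max() picks the stricter tier.
CATEGORIES = ["Exempt", "Self-Certification", "Small-size", "Mid-size", "Qualified", "MII"]

# (category, minimum, inclusive): Mid-size is ">= 10,000 cr", Small-size is
# "> 3,000 cr"; anything at or below 3,000 cr falls to Self-Certification.
PM_THRESHOLDS = [("Mid-size", 10_000, True), ("Small-size", 3_000, False)]

# Broker exemption line quoted in the guide: exempt only if BOTH hold.
BROKER_EXEMPT_CLIENTS = 1_000
BROKER_EXEMPT_VOLUME_CR = 1_000


def categorise_by_threshold(value, thresholds, floor="Self-Certification"):
    """Return the first (highest) category whose minimum the value meets.
    thresholds is a descending list of (category, minimum, inclusive)."""
    for category, minimum, inclusive in thresholds:
        if value > minimum or (inclusive and value == minimum):
            return category
    return floor


def categorise_portfolio_manager(aum_cr):
    """PMs have no Qualified tier, so Mid-size is the ceiling."""
    return categorise_by_threshold(aum_cr, PM_THRESHOLDS)


def categorise_broker(clients, volume_cr, client_thresholds, volume_thresholds):
    """Dual-parameter rule: below the exemption line on BOTH parameters means
    Exempt; otherwise the category is the higher one triggered by either
    parameter. The two threshold tables come from the circular (not quoted here)."""
    if clients < BROKER_EXEMPT_CLIENTS and volume_cr < BROKER_EXEMPT_VOLUME_CR:
        return "Exempt"
    by_clients = categorise_by_threshold(clients, client_thresholds)
    by_volume = categorise_by_threshold(volume_cr, volume_thresholds)
    return max(by_clients, by_volume, key=CATEGORIES.index)


def categorise_aif_manager(scheme_corpus_cr, thresholds):
    """Manager-level aggregation: sum every AIF/VCF scheme run by the same
    manager before applying the table; each scheme inherits that category."""
    return categorise_by_threshold(sum(scheme_corpus_cr), thresholds)


def msoc_required(category, clients):
    """Self-Certification REs with fewer than 100 clients (assessed per entity
    type) are outside the M-SOC mandate; every other in-scope tier needs SOC coverage."""
    if category == "Exempt":
        return False
    return not (category == "Self-Certification" and clients < 100)


def financial_years(year, month):
    """Category is fixed at the start of each Indian FY (April to March) from
    the previous FY's data. Returns (FY being complied with, FY of data used)."""
    start = year if month >= 4 else year - 1
    return (f"FY {start}-{(start + 1) % 100:02d}", f"FY {start - 1}-{start % 100:02d}")


if __name__ == "__main__":
    for aum in (2_500, 3_000, 3_001, 9_999, 10_000, 40_000):
        print(f"PM with AUM {aum:>6} cr -> {categorise_portfolio_manager(aum)}")
    # 999 clients but 1,000 cr of turnover: the volume leg alone pulls the
    # broker into scope. Empty tables here; supply the circular's tables.
    print("Broker 999 clients / 1,000 cr ->", categorise_broker(999, 1_000, [], []))
    # Two funds under one manager combine before the table is applied.
    # PM_THRESHOLDS is only a stand-in for the AIF table from the circular.
    print("AIF manager (6,000 + 4,000) ->", categorise_aif_manager([6_000, 4_000], PM_THRESHOLDS))
    print("Category year as of May 2026:", financial_years(2026, 5))
```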

If you are a fintech or service provider to a SEBI-regulated entity but not yourself regulated, CSCRF does not bind you directly. But your customers will push CSCRF obligations down into your contract through vendor risk requirements — read on.

The Five Cyber Resilience Goals (and How CSCRF Compares to CERT-In, ISO 27001)

CSCRF is built around five cyber resilience goals that frame every control: Anticipate (threat intelligence, risk assessment), Withstand (preventive controls, segmentation, hardening), Contain (detection, incident response), Recover (business continuity, disaster recovery, post-incident learning), and Evolve (continuous improvement, adaptive controls, lessons-learned cycles).

If you have lived inside CERT-In or ISO 27001, here is how to triangulate CSCRF against what you already know:

  • CERT-In is India’s national CERT and sets baseline cybersecurity directions for all entities operating in India — including the 2022 incident reporting directions. CERT-In is broad: it applies everywhere. CSCRF inherits from CERT-In (including reporting obligations) and adds securities-market-specific governance and resilience requirements.
  • ISO 27001 is an international information security management standard, certification-based. Under CSCRF its status is graded: ISO 27001 is mandatory for MIIs, but encouraged and recommended — not mandatory — for Qualified REs per the 28 August 2025 technical clarifications, and voluntary for Mid-size, Small-size, and Self-Certification REs. It is useful as evidence of maturity, but for most SMEs you cannot point at it and skip CSCRF-specific obligations. CSCRF is mandatory for SEBI REs and includes ISO-27001-adjacent control families but goes further on resilience, recovery, and continuous monitoring.
  • CSCRF is the securities-market overlay — applicable only to SEBI REs, focused on systemic stability of India’s capital markets, with explicit obligations around SOC operations, M-SOC integration, SBOM, and audit empanelment that the other two frameworks do not specify.

The practical implication for SMEs: if you already have CERT-In controls in place and an ISO 27001-aligned ISMS, you have a strong base. CSCRF will add specific demands — particularly around governance, SOC, SBOM, and audit cadence — but you are not starting from zero.

Governance and CISO Requirements

CSCRF is unusually prescriptive on governance for an Indian cybersecurity regulation. SEBI wants cybersecurity to be a board-level concern, not an IT-team afterthought.

Board-level structure. Every RE in scope (above Self-Certification) must:

  • Establish a Technology Committee at the board level with cybersecurity as a standing agenda item, meeting at defined frequencies.
  • Designate a Chief Information Security Officer (CISO) or equivalent role, with documented responsibilities and authority.
  • Maintain a documented cyber crisis management plan signed off at board level.

CISO seniority. For MIIs and Qualified REs, the CISO role must be at least equivalent in level and standing to the CTO or CIO, with a direct reporting line to the Managing Director or CEO and unfettered access to the Board. This is not a hire-a-consultant-and-call-it-done role. CSCRF is closing the loophole many smaller REs used — naming a junior IT lead as “CISO” to satisfy past circulars.

For Mid-size, Small-size, and Self-Certification REs, the CISO function still must be designated, but flexibility exists on whether the role is full-time, fractional, or fulfilled through an outsourced virtual CISO (vCISO) arrangement. This is one of the most important practical accommodations for Indian SMEs.

Board reporting. Cybersecurity posture, incidents, audit findings, and remediation status must be reported to the board at defined cadences (typically quarterly for higher categories, half-yearly or annually for smaller REs). The board cannot delegate ultimate accountability for cyber risk.

The hardest part of this for most SMEs is not the documentation — it is genuinely building board-level fluency in cyber risk. Plan for it. Train your directors. The first time a board member reads a CSCRF audit finding without context, you will wish you had.

Cyber Resilience Strategies: SOC, SBOM, VAPT, Data Classification

This is where the CSCRF rubber meets the road. Seven operational pillars do most of the heavy lifting in any CSCRF implementation plan.

1. Security Operations Centre (SOC). Every category above Self-Certification must have monitoring coverage:

  • MIIs must operate their own dedicated SOC.
  • Qualified and Mid-size REs may use SOC services from CERT-In-empanelled managed SOC providers or build in-house.
  • Small-size REs can leverage the Market SOC (M-SOC) operated by the exchanges — the SEBI-sanctioned shared SOC designed precisely for entities that cannot sustain a standalone operation. For most Indian brokers below the Qualified threshold, satisfying the SOC requirement as a small broker will mean enrolling with M-SOC and integrating logs from critical systems via the prescribed connector profile.
  • Self-Certification REs with fewer than 100 clients are exempt from the M-SOC mandate (assessed per entity type). Small-size and self-certification REs are otherwise expected to onboard the M-SOC; those that already operate their own SOC may leverage it but must file SOC-efficacy reports.

Whichever model you adopt, your SOC must do real things: ingest logs from critical systems, correlate them, run detection use cases, generate alerts, and route them through a defined incident workflow. A monitoring contract that produces nothing but a monthly PDF is not CSCRF-compliant.

2. Software Bill of Materials (SBOM). New requirement, big implementation lift. Every new software product or SaaS application related to your core and critical business activities must come with an SBOM at the time of procurement. For existing or legacy critical systems where obtaining an SBOM is not feasible, the master circular requires documented rationale approved by the Board, Partners, or Proprietor — not a fixed six-month deadline. A compliant SBOM must contain at minimum: component inventory (top-level and transitive dependencies), supplier name, version, license information, encryption details, cryptographic hashes, and update frequency. Every software upgrade requires an updated SBOM.
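An added intake check for the SBOM minimum content listed above, written for this guide and not SEBI’s or any vendor’s code. It assumes the SBOM arrives as CycloneDX JSON and that encryption details and update frequency are carried in CycloneDX `properties` named `cscrf:encryption` and `cscrf:updateFrequency`, a naming convention chosen for this example rather than one prescribed by SEBI or CycloneDX; the sample SBOM is constructed.

```python
"""
SBOM intake check for the minimum content CSCRF expects (added example, not
SEBI's or any vendor's code). It reads a CycloneDX JSON document and reports
which components lack the fields listed in the guide: supplier, version,
licence, cryptographic hash, encryption details, update frequency, and a
dependency graph whose transitive dependencies are all inventoried.
Assumption: encryption details and update frequency travel as CycloneDX
`properties` named `cscrf:encryption` and `cscrf:updateFrequency` (a naming
convention chosen for this example, not prescribed by SEBI or CycloneDX).
"""
import json

REQUIRED_PROPERTIES = ("cscrf:encryption", "cscrf:updateFrequency")  # assumed names

# Constructed sample: the transitive dependency (tls-lib) is missing its hash,
# licence and encryption details, and the graph points at a component
# (ghost-lib) that is not in the inventory at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "bom-ref": "app", "name": "order-gateway",
         "version": "4.2.0", "supplier": {"name": "ExampleVendor Ltd"},
         "licenses": [{"license": {"name": "Proprietary"}}],
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}],
         "properties": [{"name": "cscrf:encryption", "value": "TLS 1.3; AES-256-GCM at rest"},
                        {"name": "cscrf:updateFrequency", "value": "quarterly"}]},
        {"type": "library", "bom-ref": "tls-lib", "name": "tls-lib",
         "version": "2.9.1", "supplier": {"name": "Upstream OSS"},
         "properties": [{"name": "cscrf:updateFrequency", "value": "on release"}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["tls-lib", "ghost-lib"]},
    ],
})


def component_gaps(component):
    """Return the CSCRF minimum-content fields a single component lacks."""
    gaps = []
    if not component.get("version"):
        gaps.append("version")
    if not (component.get("supplier") or {}).get("name"):
        gaps.append("supplier name")
    if not component.get("licenses"):
        gaps.append("license information")
    hashes = component.get("hashes") or []
    if not any(h.get("alg") and h.get("content") for h in hashes):
        gaps.append("cryptographic hash")
    present = {p.get("name") for p in component.get("properties") or []}
    gaps.extend(prop for prop in REQUIRED_PROPERTIES if prop not in present)
    return gaps


def check_sbom(sbom):
    """Validate a CycloneDX SBOM (JSON string or parsed dict) against the
    CSCRF minimum content. Returns {"ok": bool, "findings": [str, ...]}."""
    bom = json.loads(sbom) if isinstance(sbom, str) else sbom
    findings = []
    components = bom.get("components") or []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    if not components:
        findings.append("component inventory is empty")
    refs = {c.get("bom-ref") or c.get("name") for c in components}
    for comp in components:
        label = f'{comp.get("name", "?")}@{comp.get("version", "?")}'
        findings.extend(f"{label}: missing {gap}" for gap in component_gaps(comp))
    # Every transitive dependency must resolve to an inventoried component,
    # otherwise the inventory is not complete to the transitive level.
    for dep in bom.get("dependencies") or []:
        for child in dep.get("dependsOn") or []:
            if child not in refs:
                findings.append(f'{dep.get("ref")}: depends on uninventoried component {child}')
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    result = check_sbom(SAMPLE_SBOM)
    print("PASS" if result["ok"] else "FAIL")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it at procurement and again after every upgrade, since the guide requires a refreshed SBOM with each release.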

3. Vulnerability Assessment and Penetration Testing (VAPT). All REs must conduct VAPT after every major release of applications or software. VAPT must be performed by a CERT-In-empanelled IS Auditing Organisation. Vulnerabilities identified must be closed within 3 months of the report. High-severity vulnerabilities arising from the non-implementation of available patches must be remediated within 1 week.

4. Data classification and protection. CSCRF requires a formal data classification scheme (typically Public, Internal, Confidential, Restricted) tied to control requirements — encryption at rest and in transit, access management, DLP for sensitive classes. The framework expects classifications to be applied consistently across structured and unstructured data.

5. Third-party and vendor risk. Vendors handling regulated entity data — including cloud providers, SaaS vendors, and outsourced IT — must be assessed for cybersecurity posture. SLAs must include security controls, audit rights, breach notification timelines, and exit clauses for non-compliance.

6. Hardware Security Module (HSM). The 30 April 2025 circular introduced an explicit HSM requirement. Implementation of a dedicated HSM is mandatory for MIIs and Qualified REs. Mid-size, Small-size, and Self-Certification REs may implement HSM alternatives based on a documented risk assessment, provided the alternative is approved by the Board, Partners, or Proprietor (depending on entity structure). The alternative cannot just be “we use TLS”; the risk assessment and board approval are real artefacts that the cyber auditor will sample.

7. Disaster Recovery and Business Continuity. Per the 28 August 2025 technical clarifications, REs must design systems to resume critical operations within 2 hours (Recovery Time Objective) with a Recovery Point Objective of 15 minutes — aligning CSCRF with IOSCO’s principles for financial market infrastructures. For most Mid-size and Small-size REs, hitting RTO 2h / RPO 15min on critical systems will be the single most expensive technical line item in the CSCRF programme. Plan DR strategy and budget accordingly.

Incident Reporting Under CSCRF

CSCRF inherits and reinforces CERT-In’s 2022 incident reporting framework. Cybersecurity incidents must be reported within 6 hours of detection to the relevant authorities — CERT-In nationally and SEBI for entity-specific notification.

What counts as a reportable incident is broad: unauthorised access, data breach, ransomware, defacement, identity theft, denial-of-service, and any attack on critical infrastructure. The classification is intentionally wide — the regulator prefers over-reporting to under-reporting.

Practical operational requirements:

  • Documented incident response plan, tested at least annually
  • Defined escalation matrix with named owners
  • Forensic readiness — log retention for the SEBI-prescribed period and evidence-preservation protocols
  • Post-incident root cause analysis, remediation tracking, and lessons-learned documentation
  • Customer and counterparty notification protocols where applicable

The 6-hour reporting clock is the single most operationally demanding requirement for many REs. If you don’t have a 24×7 monitoring function, you will miss it.

Cyber Audit and Empanelment Requirements

CSCRF mandates an annual cyber audit for most REs. For Qualified Stock Brokers, the cadence is half-yearly. Audits must be conducted by CERT-In-empanelled Information Security auditing organisations — a deliberate constraint that ensures audit quality and creates a verifiable trail for SEBI’s supervisory teams.

The audit period concept is important: REs are required to conduct cyber audits after the end of the audit period. For example, an RE on an annual audit cycle covering April 2025 to March 2026 will begin the audit in April 2026. Audit findings, management responses, and remediation timelines must be documented and submitted to SEBI through the prescribed reporting channel.

Audit scope typically includes governance review, control testing, VAPT findings reconciliation, SOC effectiveness assessment, vendor risk review, and SBOM compliance — essentially the full CSCRF spectrum, not just technical controls.

CSCRF Implementation Roadmap by Entity Category

A realistic implementation timeline for a Mid-size or Small-size RE looks like this. Adjust scale up for Qualified REs, scale down for Self-Certification.

Months 1–2: Governance and Scope Definition

  • Confirm your CSCRF category against published thresholds for your entity type
  • Constitute or augment Technology Committee with cyber as standing agenda
  • Designate CISO (in-house or vCISO) with documented role description
  • Approve cyber crisis management plan at board level

Months 3–4: Assessment and Gap Analysis

  • Engage CERT-In-empanelled auditor for baseline CSCRF gap assessment
  • Map existing controls against CSCRF requirements; identify deltas
  • Build remediation roadmap with owners, timelines, and budget estimates
  • Begin data classification exercise

Months 5–8: Technical Implementation

  • Stand up SOC capability (in-house, managed, or M-SOC)
  • Implement MFA, EDR, log aggregation, and SIEM tooling
  • Complete SBOM exercise for critical systems
  • Conduct VAPT against critical applications
  • Encrypt data at rest and in transit per classification scheme
  • Refresh vendor contracts with CSCRF-aligned SLAs

Months 9–12: Operationalisation and First Audit

  • Run incident response tabletop exercise
  • Train staff on cyber awareness and incident reporting protocols
  • Conduct first cyber audit by CERT-In-empanelled organisation
  • File audit submission with SEBI
  • Submit board-level cyber posture review

Ongoing

  • Monthly board/management cyber dashboard
  • Quarterly Technology Committee review
  • Continuous threat intelligence ingestion
  • Annual (or half-yearly for QSBs) cyber audit
  • VAPT after every major release

Indicative budget bands for Indian SMEs. Small-size REs typically plan ₹15–35 lakh for first-year implementation, dropping to ₹10–18 lakh in run-rate, assuming vCISO and managed SOC. Mid-size REs run materially higher — ₹40 lakh to ₹1 crore depending on existing infrastructure and chosen SOC model. These are indicative, not benchmarks; your numbers will depend on the gap.

Common Implementation Challenges for Mid and Small REs

Five patterns show up repeatedly when smaller Indian REs work toward CSCRF readiness:

  • Board fluency gap. Directors lack technical context to interpret cyber dashboards. Fix: build a one-page board cyber primer; rotate director-level training every six months.
  • CISO bandwidth. A full-time CISO is not financially viable for most Small-size REs. Fix: structured vCISO engagement with defined cadence, deliverables, and access to internal leadership.
  • SOC sourcing. Building an in-house SOC is rarely the right move below Qualified RE scale. Fix: choose between empanelled managed SOC and M-SOC based on data sensitivity, integration cost, and audit clarity.
  • SBOM operational lift. Many REs underestimate the work to inventory transitive dependencies across legacy systems. Fix: prioritise critical systems first, automate SBOM generation in the build pipeline, accept manual catch-up for legacy.
  • Audit auditor mismatch. Some firms appoint generalist auditors who do not understand CSCRF. Fix: verify CERT-In empanelment and ask for CSCRF-specific audit references before engaging.

The pattern across all five: the framework rewards structured, phased execution over heroic catch-up.

Key Takeaways and Next Steps

CSCRF is the most significant cybersecurity regulation Indian SEBI-regulated entities have faced, and it is no longer hypothetical. The August 2025 implementation deadline has passed; the live obligation now is the recurring cyber audit — FY 2025-26 half-yearly reports were due 31 March 2026, the next cycle is due 30 June 2026, and SEBI’s supervisory teams are reviewing submissions.

Five things to act on this quarter:

  1. Confirm your category. Look up your entity-type threshold table from the SEBI CSCRF circular and June 2025 FAQs. Document the decision.
  2. Designate your CISO. In-house, fractional, or vCISO. Get the role description and reporting line on paper, signed by the board.
  3. Run a gap assessment. Engage a CERT-In-empanelled auditor for a CSCRF baseline. Cheap insurance against an audit surprise.
  4. Decide your SOC model. In-house, managed, or M-SOC. Build the integration; do not let monitoring become a paper exercise.
  5. Build your SBOM inventory. Start with the most critical system. Iterate. Wire it into your procurement and change management processes.

If you are a Small-size or Self-Certification RE without the in-house capacity to interpret and implement CSCRF, a structured external assessment is a high-ROI first step. GRC RADAR is publishing a CSCRF readiness checklist and self-assessment template aligned to this guide — sign up for the newsletter to receive it on release. A dedicated SEBI CSCRF checklist for brokers, covering category determination, SOC enrolment, SBOM intake, and audit submission timelines, will be released as part of the cluster series accompanying this pillar.

What the 28 August 2025 Technical Clarifications Changed

The 28 August 2025 circular is the most recent substantive amendment to CSCRF and deserves its own read. It does not change what you must comply with; it changes how in five operationally significant ways.

  • Principle of Exclusivity and Equivalence for multi-regulator REs. Where a SEBI RE is also regulated by another financial regulator (most often RBI, sometimes IRDAI), SEBI clarified that the entity follows the regime with the more stringent or equivalent requirement for a given control area, rather than being subject to two parallel control regimes that are mostly identical. The practical effect: less duplicated work for entities that already comply with RBI’s cybersecurity guidance, more clarity on which auditor’s report SEBI will accept.
  • Condensed VAPT report format. SEBI moved VAPT reporting toward a single, condensed deliverable rather than the multi-document submission used in early-2025 audits. This reduces administrative overhead for both the RE and SEBI’s supervisory teams.
  • Disaster recovery alignment with IOSCO. RTO 2h / RPO 15min for critical operations is now the operative target.
  • Portfolio Manager & Merchant Banker re-categorisation (Part-C). The clarifications restated PM categorisation (PMs have no Qualified tier — Mid-size ≥ ₹10,000 cr, Small-size > ₹3,000 cr and < ₹10,000 cr, Self-certification ≤ ₹3,000 cr) and brought Merchant Bankers into the grid (active MBs = Small-size; inactive MBs = Exempt).
  • Cyber audit report confidentiality. Specific safeguards on how cyber audit reports may be shared, who may receive them, and how findings may be referenced in onward submissions.
  • NCIIPC guidelines applicability. For REs whose systems are designated as Critical Information Infrastructure, NCIIPC guidelines apply alongside CSCRF — relevant primarily for MIIs and some Qualified REs.

If your firm is mid-sized or below and you read only one of the post-master circulars, read this one — it most clearly defines the supervisory expectations for the FY 2025-26 audit cycle.

The newest development (May 2026). On 5 May 2026 SEBI issued an Advisory on Emerging Advanced AI Tools for Vulnerability Detection, nudging REs toward AI-assisted vulnerability detection, faster M-SOC onboarding, and SBOM/asset-inventory upkeep. It is advisory only — it changes no deadline, threshold, or category — but it signals where supervisory attention is heading.

Frequently Asked Questions

Does CSCRF apply if my brokerage is below the Self-Certification threshold? If you are a stock broker with fewer than 1,000 clients and less than ₹1,000 crore annual trading volume, the 30 April 2025 clarifications circular fully exempts you from CSCRF. If you trip either threshold, you are in — and your category is set by whichever parameter is higher. For non-broker REs, falling below Self-Certification thresholds usually means simplified compliance rather than full exemption: you file an annual self-certification on a SEBI-prescribed format instead of going through a full empanelled-auditor cycle. The framework’s view is that no in-scope entity can opt out of cybersecurity entirely; the design choice is how much process, not whether to bother.

Has the August 2025 deadline passed, or is another extension coming? The 31 August 2025 implementation deadline (set by SEBI’s 30 June 2025 circular) has passed, and SEBI did not issue a further blanket extension. The operative checkpoints now are the recurring cyber-audit submissions — for FY 2025-26, the half-yearly audit reports and action-taken reports were due by 31 March 2026, with the next cycle due 30 June 2026. Firms with no documented progress are now exposed at audit time rather than waiting on another extension.

Can I use my existing ISO 27001 controls to satisfy CSCRF? You can use them as a foundation but not as a substitute. CSCRF goes beyond ISO 27001 on specific items — SOC operation, M-SOC integration where applicable, SBOM, CERT-In-empanelled auditor engagement, and incident reporting to CERT-In and SEBI. Map your existing controls to the CSCRF requirement catalogue and identify the deltas; do not assume an ISO certification gives you a pass.

What if my CSCRF audit identifies material gaps right before the deadline? Disclose, do not conceal. SEBI’s supervisory model rewards transparent self-disclosure with a credible remediation roadmap. Filing a clean-looking audit that papers over real gaps is the worst possible outcome — it surfaces later, and the regulator’s view of the gap will be coloured by the fact that you knew and did not say so.

Are vendors and outsourced IT providers covered by CSCRF? Not directly — CSCRF binds only SEBI-regulated entities. But your CSCRF obligations flow down to vendors through your contracts. Expect your customers (if you are a vendor to a broker, PM, or AMC) to push CSCRF-aligned SLAs, audit rights, breach notification clocks, and right-to-terminate clauses into your agreements. Build CSCRF readiness into your service offering rather than treating it as a customer-specific concession.


This guide reflects CSCRF as published in the SEBI master circular dated 20 August 2024 (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113), as modified by the clarifications circulars of 31 December 2024, 28 March 2025, 30 April 2025 (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60), the FAQs and extension circular of 30 June 2025, and the technical clarifications circular of 28 August 2025 (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119), plus the 5 May 2026 AI-tools advisory. Verify dates, thresholds, and timelines against the latest SEBI publications before relying on them for compliance decisions — SEBI touched CSCRF six times between August 2024 and May 2026 and is likely to issue further clarifications.