Mobile security checklist with shield and checkmark icon representing verified app protection

If your business is regulated by SEBI, cybersecurity is no longer a best-effort exercise — it’s a defined, auditable obligation. On 20 August 2024, SEBI issued the Cybersecurity and Cyber Resilience Framework (CSCRF), consolidating and replacing its earlier cyber circulars into a single, far-reaching standard for Regulated Entities (REs). This guide breaks down who it applies to, what it demands — especially around VAPT and audits — and gives you a practical compliance checklist.

What is the SEBI CSCRF?

The CSCRF is SEBI’s comprehensive cybersecurity and cyber-resilience standard for the entities it regulates. It moves the market from a patchwork of older circulars to one framework built around five cyber-resilience goals — Anticipate, Withstand, Contain, Recover and Evolve — and it applies a graded set of obligations based on the size and criticality of each entity.

Who does CSCRF apply to?

The framework covers a wide pool of SEBI Regulated Entities — stock exchanges, clearing corporations and depositories (Market Infrastructure Institutions), plus stock brokers, AMCs / mutual funds, custodians, KRAs, RTAs, merchant bankers, portfolio managers, AIFs and more. REs are grouped into categories — such as MIIs, Qualified REs, Mid-size, Small-size and Self-certification — with obligations scaled accordingly. A limited set of entities (for example FPIs, individual investment advisers and very small RTAs) are excluded, so confirm your exact category against the circular.

What CSCRF requires: the essentials

Vulnerability Assessment & Penetration Testing

VAPT is a core mandate. REs must test critical systems, infrastructure and IT assets, with defined remediation timelines:

Requirement Timeline
Close all vulnerabilities found in a VAPT Within 3 months of submitting the VAPT report
Fix high-severity vulnerabilities (unpatched) Within 1 week
Re-test after every major release / change Mandatory
Qualified Stock Brokers — VAPT & cyber audit Half-yearly

Testing typically spans web applications, APIs, networks and cloud — and, for higher-category entities, adversary-style red team assessments that test people, process and technology together.

ISO 27001 and an ISMS

CSCRF makes ISO/IEC 27001 certification mandatory for MIIs and Qualified REs, anchoring a formal Information Security Management System (ISMS) as the backbone of the programme.

Security operations & monitoring

Continuous monitoring and the ability to detect and respond to incidents are central to the “Withstand” and “Contain” goals. For many REs this means a SOC (in-house or as-a-service) or managed detection and response, plus a tested incident-response plan.

Audits and reporting

REs must undergo periodic cyber audits and report incidents in line with SEBI and CERT-In requirements. Governance, documented policies and board-level oversight are expected throughout.

CSCRF compliance checklist

  • □ Confirm your RE category and exact obligations under the circular
  • □ Stand up (or align) an ISO 27001 ISMS — mandatory for MIIs / Qualified REs
  • □ Run VAPT on all critical systems; remediate within the 3-month / 1-week windows
  • □ Re-test after every major release
  • □ Implement continuous monitoring (SOC / MDR) and 24/7 detection
  • □ Maintain a tested incident-response and reporting process (SEBI + CERT-In)
  • □ Complete periodic cyber audits by a competent auditor
  • □ Document governance, policies and board oversight

Frequently asked questions

When did SEBI CSCRF come into effect?

SEBI issued the CSCRF on 20 August 2024, replacing its earlier cybersecurity circulars. Compliance dates are phased by entity category — confirm your applicable timeline against SEBI’s circular and updates.

How often do we need VAPT under CSCRF?

At minimum after every major release, with all findings remediated within three months (high-severity within a week). Qualified Stock Brokers face half-yearly VAPT and cyber audits.

Is ISO 27001 mandatory under CSCRF?

Yes, for Market Infrastructure Institutions and Qualified REs. Other categories still need a robust ISMS and should treat ISO 27001 as the practical baseline.

Does CSCRF require a SOC?

REs must have continuous monitoring and incident detection/response capability. A SOC or MDR service is the usual way to meet this, especially without a large in-house team.

Make your entity CSCRF-ready with Selkey

Selkey Cyber Security helps SEBI Regulated Entities meet CSCRF end-to-end — SEBI compliance consulting, VAPT and red teaming, ISO 27001 readiness, and SOC/MDR monitoring. Our team holds credentials including ISO 27001 Lead Auditor, OSCP, CEH Master and CPENT.

Explore Selkey’s SEBI CSCRF services or book a CSCRF readiness consultation →

This article is general information, not legal or regulatory advice. Confirm your obligations against the current SEBI CSCRF circular and any updates, or with qualified advisors.

Leave A Comment

All fields marked with an asterisk (*) are required