Free Tool · 5-Minute Self-Assessment

SEBI CSCRF Readiness Checklist

Twenty practitioner-grade questions to test whether your stock broker, RIA, AMC, MII, or KRA is ready for a CSCRF cyber audit — or whether you will get a remediation list longer than your trading day.

Questions: 20 · Time: 5 min · Output: Score band · Email gate: None

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the document or run the workflow today. Your score is revealed when you complete all twenty.

01 · Categorisation & Governance

CSCRF starts with knowing your category, then proving that cyber security is governed at the right level.

1. We have read our CSCRF category annexure (MII / Q-RE / Mid-RE / Small-RE / Self-Cert) and have written confirmation of which controls are mandatory for us.
2. We have a designated CISO or equivalent senior officer with documented appointment, JD, and reporting line to top management.
3. A board-approved Cyber Security Policy exists, refreshed in the current financial year, with documented minutes.
4. A Cyber Security Committee meets at least quarterly with documented minutes, attendance, and tracked actions.

02 · Asset, Identity & Access

CSCRF expects asset and identity hygiene at control-ID granularity, not high-level claims.

5. We have a current asset inventory (hardware, software, data, services) with owners, classification, and refresh cadence, accessible to internal audit.
6. MFA is enforced on all privileged access, all administrative interfaces, and all remote access; quarterly access reviews are completed and signed.
7. PIM/PAM is deployed for production system administration with session recording, approval workflow, and break-glass procedure.
8. Trading systems are network-segregated from corporate IT, with documented zone definitions, ACLs, and change control.

03 · Detection, ATT&CK & SOC

The CSCRF-specific bar: MITRE ATT&CK-aligned detection and (for Q-RE/MII) a 24x7 SOC.

9. We have a SIEM with a documented use-case library where every use-case is mapped to specific MITRE ATT&CK techniques.
10. A 24x7 SOC (in-house, co-managed, or MSSP) covers critical systems with documented SLAs and current MTTD/MTTR metrics.
11. Logs are retained for at least 180 days online and securely stored within India, with integrity protection.
12. We ingest sectoral threat intelligence (SEBI advisories, MII alerts) into our SOC and act on it with documented response.

04 · Testing, SBOM & Vulnerability Management

Annual VAPT plus the CSCRF-specific additions: SBOM, threat-led testing, pre-production application security.

13. An annual VAPT was conducted by a CERT-In empanelled vendor in the current cycle, with manual exploitation, re-test letter, and audit committee acknowledgement.
14. We maintain a current SBOM (Software Bill of Materials) for material applications, refreshed at every release with vulnerability scanning of the dependency tree.
15. Quarterly external vulnerability scans of internet-facing systems are documented with remediation tickets, patch SLAs (Critical 7d, High 30d), and an exception register.
16. Pre-production application security testing (OWASP ASVS L2 minimum) gates release of customer-facing apps; SAST/DAST run in CI for material applications.

05 · Audit, Incident & Cloud

Cyber audit by a qualified auditor + multi-regulator incident reporting + cloud localisation.

17. Our last formal CSCRF-aligned cyber audit was conducted by a CERT-In empanelled auditor, submitted via the SEBI Compliance Portal, with remediation plan and audit committee oversight.
18. We have an incident-reporting playbook covering SEBI (6 hours), CERT-In (6 hours), DPDP Board (72 hours), and exchange/MII reporting, with templates pre-drafted and tested.
19. For cloud workloads we have board approval for material outsourcing, encryption keys held by us, vendor SOC 2 / ISO 27001 evidence on file, and a tested exit plan.
20. Investor data and trading data are stored primarily in India with documented localisation evidence (region tags on all storage); cross-border transfers have specific safeguards.

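Question 9 asks for a use-case library in which every use-case is mapped to specific ATT&CK techniques, and the "At risk" band below names an ATT&CK heat-map as a missing artefact. The script here is an added example, not part of the checklist or of any SEBI guidance: it audits a constructed use-case library, flags use-cases with no mapping or a malformed technique ID, counts detections per technique (the heat-map), and lists tactics with no detection at all. The technique-to-tactic table is a hand-written excerpt assumed for the example; a real programme would load it from the ATT&CK STIX bundle rather than maintain it by hand.

```python
import re
from collections import Counter, defaultdict

# ATT&CK technique IDs look like T1078 or T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Hand-written excerpt of technique -> tactics. Assumption for this example only;
# a real programme loads the mapping from the ATT&CK STIX bundle.
TECHNIQUE_TACTICS = {
    "T1078": {"initial-access", "persistence", "privilege-escalation", "defense-evasion"},
    "T1110": {"credential-access"},
    "T1003.001": {"credential-access"},
    "T1059.001": {"execution"},
    "T1021.001": {"lateral-movement"},
    "T1486": {"impact"},
    "T1566.001": {"initial-access"},
    "T1071.001": {"command-and-control"},
    "T1041": {"exfiltration"},
}

# Constructed SIEM use-case library: the artefact an auditor asks to see.
USE_CASES = [
    {"id": "UC-001", "name": "Burst of failed logons then a success", "techniques": ["T1110", "T1078"]},
    {"id": "UC-002", "name": "Encoded PowerShell on a trading host", "techniques": ["T1059.001"]},
    {"id": "UC-003", "name": "RDP from corporate zone into trading zone", "techniques": ["T1021.001"]},
    {"id": "UC-004", "name": "Mass file rename to ransomware extension", "techniques": ["T1486"]},
    {"id": "UC-005", "name": "Legacy rule: antivirus signature hit", "techniques": []},
    {"id": "UC-006", "name": "Phishing attachment detonated in sandbox", "techniques": ["T1566.01"]},
]


def audit_use_cases(use_cases, technique_tactics=TECHNIQUE_TACTICS):
    """Produce the evidence behind question 9: unmapped use-cases, malformed
    technique IDs, a per-technique heat-map, and tactics that nothing detects."""
    unmapped, malformed = [], []
    heat = Counter()
    covered = defaultdict(set)
    for uc in use_cases:
        if not uc["techniques"]:
            unmapped.append(uc["id"])
        for tech in uc["techniques"]:
            if not TECHNIQUE_ID.match(tech):
                malformed.append((uc["id"], tech))
                continue
            heat[tech] += 1
            for tactic in technique_tactics.get(tech, ()):
                covered[tactic].add(tech)
    all_tactics = set().union(*technique_tactics.values())
    return {
        "unmapped": unmapped,
        "malformed": malformed,
        "heat_map": dict(heat),
        "covered_tactics": {t: sorted(v) for t, v in sorted(covered.items())},
        "uncovered_tactics": sorted(all_tactics - set(covered)),
    }


def is_audit_ready(report):
    """The yes/no the checklist asks: every use-case mapped to a valid technique ID."""
    return not report["unmapped"] and not report["malformed"]


if __name__ == "__main__":
    r = audit_use_cases(USE_CASES)
    print("Unmapped use-cases:", r["unmapped"])
    print("Malformed technique IDs:", r["malformed"])
    print("Heat-map (detections per technique):", r["heat_map"])
    print("Tactics with no detection:", r["uncovered_tactics"])
    print("Question 9 answer:", "Yes" if is_audit_ready(r) else "No")
```

On the constructed library the answer to question 9 is No: one legacy rule has no mapping and one mapping has a typo in the sub-technique suffix, both of which an auditor sampling the library would find. The uncovered-tactics list is what feeds the heat-map discussion in the "At risk" band; it is also where a simple count of mapped use-cases hides the gap, since a library can be fully mapped and still detect nothing in command-and-control or exfiltration.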
What "Ready" Looks Like

Three Bands. Three Plays.

0–7 · Critical exposure

Your first CSCRF audit will produce major findings. Spend the next 90 days on categorisation clarity, governance fixes, asset inventory, ATT&CK-aligned SIEM use-cases, and a CERT-In empanelled VAPT.

8–14 · At risk

Foundations exist but you are missing CSCRF-specific elements (SBOM, ATT&CK heat-map, vendor flow-down). Close these in the next 60 days with a documented gap closure plan and audit-committee oversight.

15–20 · Audit-defensible

Your first formal CSCRF audit will land cleanly. Move to threat-led testing maturity, sectoral intel integration, vendor concentration risk, and the next category-up controls (preparing for re-categorisation).

FAQ

Common Questions

Which CSCRF category am I in?

CSCRF defines 5 categories: MII (exchanges/depositories/clearing), Qualified RE (Q-RE), Mid-Size RE, Small-Size RE, Self-Certification RE. Categorisation is based on size, complexity, and systemic importance — explicit thresholds are in the annexure for your sub-sector. SEBI re-categorises during inspection, so conservative interpretation wins.

Do I need a CISO?

Mandatory for MIIs and Q-REs. For Mid-RE, a designated senior officer with cyber accountability is typically required. Self-Certification REs (smallest RIAs) can have a founder/proprietor accountable. Read your category annexure for the specific requirement.

What is the SBOM requirement?

For material applications, you must maintain a Software Bill of Materials: a list of every component (libraries, packages, transitive dependencies) with versions, refreshed at each release. Vulnerabilities in the SBOM tree are tracked and remediated against your patch SLAs. SPDX and CycloneDX are the standard formats.
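To make the SBOM requirement and question 15's patch SLAs concrete, here is an added example (not the checklist's or SEBI's own tooling) that reads a constructed CycloneDX 1.5 SBOM, matches each component's package URL against a small advisory table, and applies the SLAs from question 15 (Critical 7 days, High 30 days) to produce the overdue list an exception register needs. The CVE entries are real published advisories, but their affected ranges are simplified to a single "fixed in" version and the version comparison handles only numeric dotted versions; in production you would query a feed such as OSV and use a proper version-range library.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX 1.5 SBOM for a hypothetical order-routing service.
# Assumption: your build emits one like this (cyclonedx-maven, cyclonedx-npm, syft).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "order-router", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "spring-beans", "version": "5.3.17",
     "purl": "pkg:maven/org.springframework/spring-beans@5.3.17"},
    {"type": "library", "name": "commons-text", "version": "1.10.0",
     "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"}
  ]
}"""

# Advisory table keyed by version-less purl. Real CVEs, but affected ranges are
# simplified to one "fixed in" version; a production feed (OSV/NVD) carries full ranges.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "severity": "Critical", "fixed": "2.15.0"}],
    "pkg:npm/lodash": [
        {"id": "CVE-2021-23337", "severity": "High", "fixed": "4.17.21"}],
    "pkg:maven/org.springframework/spring-beans": [
        {"id": "CVE-2022-22965", "severity": "Critical", "fixed": "5.3.18"}],
    "pkg:maven/org.apache.commons/commons-text": [
        {"id": "CVE-2022-42889", "severity": "Critical", "fixed": "1.10.0"}],
}

# Patch SLAs from question 15 of the checklist.
SLA_DAYS = {"Critical": 7, "High": 30}


def parse_version(v):
    """Numeric dotted versions only ('2.14.1'); pre-release tags are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """'pkg:npm/lodash@4.17.20' -> ('pkg:npm/lodash', '4.17.20'); purl qualifiers not handled."""
    base, _, version = purl.rpartition("@")
    return base, version


def find_vulnerable_components(sbom_json, advisories=ADVISORIES):
    """Walk the SBOM component list and return every component below an advisory's fixed version."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in advisories.get(base, []):
            if parse_version(version) < parse_version(adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "id": adv["id"], "severity": adv["severity"],
                                 "fixed": adv["fixed"]})
    return findings


def evaluate(sbom_json, discovered_iso, today_iso, advisories=ADVISORIES):
    """Attach the SLA deadline and an overdue flag to each finding, overdue items first."""
    discovered, today = date.fromisoformat(discovered_iso), date.fromisoformat(today_iso)
    rows = []
    for f in find_vulnerable_components(sbom_json, advisories):
        deadline = discovered + timedelta(days=SLA_DAYS[f["severity"]])
        rows.append({**f, "deadline": deadline.isoformat(), "overdue": today > deadline})
    return sorted(rows, key=lambda r: (not r["overdue"], r["id"]))


if __name__ == "__main__":
    for row in evaluate(SBOM_JSON, "2024-04-01", "2024-04-10"):
        flag = "OVERDUE" if row["overdue"] else "open"
        print(f"{row['id']:15} {row['severity']:8} {row['component']} {row['version']} "
              f"-> fix in {row['fixed']}, due {row['deadline']} [{flag}]")
```

Run against the constructed SBOM with a discovery date of 1 April and a review date of 10 April, the two Critical findings are already past their 7-day deadline while the High finding has until 1 May; commons-text 1.10.0 is not reported because it is at the fixed version. That is the distinction an auditor will probe: the SBOM itself only proves you know what you ship, and the evidence for question 14 is the dated finding-to-ticket trail this kind of evaluation produces at every release.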

How is CSCRF different from the RBI Cyber Framework?

RBI is outcome-oriented and broad. CSCRF is control-ID prescriptive with explicit MITRE ATT&CK mapping. If you are also RBI-regulated (e.g. an entity that is both a SEBI-registered broker and an NBFC), you have a layered regime — both apply, and your audit programme must satisfy both.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The full SEBI CSCRF guide walks through every control family, the categorisation logic, MITRE alignment, audit qualifications, incident reporting matrix, and a 90-day roadmap.

Need a CSCRF roadmap?

Skip the Guesswork. Get a 90-Day Plan.

A 30-minute consultation. Walk away with a prioritised remediation list mapped to your CSCRF category annexure and the controls you must close before audit.

No sales pitch. Responds within 24 hours.