Macksofy Technologies
SEBI Cybersecurity & Cyber Resilience Framework

SEBI CSCRF Audit

CSCRF audit for stock brokers, depository participants, AMCs.

SEBI's CSCRF (issued in 2024, with compliance phased in through 2025) consolidates the earlier cybersecurity circulars into a single framework graded by entity type and size. Macksofy delivers the full CSCRF audit, cyber resilience assessment and System Audit submission for SEBI-regulated entities.

Why this matters

Compliance is leverage, not paperwork.

CSCRF replaces SEBI's 2015–2022 cybersecurity circulars with a unified, graded framework. Every regulated entity (RE) now sits in one of five categories (Market Infrastructure Institutions, Qualified REs, Mid-size REs, Small-size REs and Self-certification REs), with controls calibrated to scale. Non-compliance invites SEBI enforcement action under the penalty provisions of the SEBI Act. Macksofy's CSCRF audit ships in a format SEBI's IT department reads in days, not weeks.

Applicability
  • Stock Exchanges, Clearing Corporations, Depositories (MIIs)
  • Stock Brokers + Depository Participants (Qualified / Mid-size / Small)
  • Asset Management Companies + Mutual Fund RTAs
  • Custodians, Portfolio Managers, RIAs
  • Investment Bankers, Merchant Bankers
  • Alternative Investment Funds (AIFs)
Standards & frameworks

Aligned to the regulations that matter.

  • SEBI CSCRF (Cybersecurity & Cyber Resilience Framework, 2024)
  • SEBI Cybersecurity Circular 2015 (legacy controls retained)
  • CERT-In Information Security Audit
  • ISO 27001:2022 (mapped to CSCRF)
  • NIST Cybersecurity Framework 2.0
Methodology

How we run a SEBI CSCRF engagement.

Five phases, each with its activities documented and its artefacts delivered regulator-ready.

  1. Phase 01 · Categorisation + scoping
    • Determine RE category (MII / Qualified / Mid-size / Small-size / Self-certification)
    • Scope the controls from the CSCRF Annexure that apply to that category
    • Cyber resilience baseline assessment
  2. Phase 02 · Control assessment
    • Identify · Protect · Detect · Respond · Recover (NIST CSF aligned)
    • Cyber Capability Index (CCI) computation
    • Cyber Resilience Maturity Model (CRMM) scoring
  3. Phase 03 · Technical testing
    • VAPT covering trading + back-office systems
    • DR drill validation + recovery time evidence
    • Cloud + colocation environment testing
    • API gateway + customer-facing surface
  4. Phase 04 · Reporting
    • SEBI System Audit Report (CSCRF format)
    • CCI score + CRMM tier report
    • Quarterly compliance certificate
  5. Phase 05 · Submission + advisory
    • Submission to SEBI / MII as applicable
    • Board / Audit Committee briefing
    • Annual surveillance + change-event re-audit
Closure + retest
Deliverables

Everything you need to satisfy auditors.

  • CSCRF Annexure-mapped findings register
  • Cyber Capability Index (CCI) score sheet
  • Cyber Resilience Maturity Model (CRMM) tier report
  • SEBI-format System Audit Report
  • Quarterly compliance certificate template
  • Free retest within 30 days · SEBI inspector support
Recent engagements
Stock Broker (Mid-size RE, Mumbai)

First CSCRF audit + transition from 2015 circular

Outcome: Submitted in CSCRF format ahead of go-live; CCI score 78 / 100; zero penalty

AMC (Top-10 by AUM)

Annual CSCRF + DR drill validation

Outcome: DR RTO reduced from 6h to 90 min; CRMM tier moved from Bronze to Silver

At a glance

The shape of a SEBI CSCRF engagement.

Five methodology phases, sixteen documented activities, six auditor-ready deliverables and a 30-day retest window, as set out in the methodology and deliverables sections above.
Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

18 controls mapped across 6 pillars
Coverage breakdown
  • Governance & cyber-risk management · 3 pts
  • Identify & inventory · 3 pts
  • Protect & detect · 3 pts
  • Respond & recover · 3 pts
  • Outsourcing & third-party · 3 pts
  • Reporting & assurance · 3 pts
Pillar 01
Governance & cyber-risk management

Board, MD/CEO and CISO accountability lined up to SEBI CSCRF clauses.

  • Cyber-security & cyber-resilience policy review
  • CSC / CRC committee minutes evidence
  • Annual self-assessment + board-approved risk register
Pillar 02
Identify & inventory

What SEBI auditors check first — completeness of the protected asset list.

  • Critical-systems inventory keyed to business processes
  • Data classification + ownership matrix
  • Third-party / vendor / DP / RTA dependency map
Pillar 03
Protect & detect

The technical-control evidence that CSCRF inspections actually consume.

  • Network segmentation + DMZ posture
  • EDR / SIEM coverage on critical systems
  • VAPT + secure-SDLC artefacts
Pillar 04
Respond & recover

Cyber-incident & recovery capabilities mapped to the SEBI CSCRF lifecycle.

  • Cyber-IR playbook + escalation matrix
  • DR / BCP drill evidence (RTO/RPO recorded)
  • Major-incident communication to SEBI
Pillar 05
Outsourcing & third-party

Where most CSCRF gaps actually surface — cloud, MII, RTA, custodian linkages.

  • Vendor-risk classification (critical / non-critical)
  • Cloud + DR-site security audits
  • MII / Depository / Exchange interface review
Pillar 06
Reporting & assurance

What you submit, when, and in which format — preserved for inspectors.

  • Quarterly SAR + cyber-resilience reports
  • Half-yearly compliance status to board
  • Annual third-party CSCRF audit pack
Engagement timeline

From kick-off to regulator-ready report.

The typical week-by-week shape of a SEBI CSCRF engagement; each week corresponds to a phase in the methodology section above.

  • Week 1 · Categorisation + scoping
  • Week 2 · Control assessment
  • Week 3 · Technical testing
  • Week 4 · Reporting
  • Week 5 · Submission + advisory
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

  • CERT-In Empanelled (Govt of India · MeitY)
  • EC-Council ATC (Authorized Training)
  • ISO 27001 Certified (Information Security Management)
"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
Aisha Khan · Information Security Manager · Listed Fintech · BKC, Mumbai

"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
Inspector K. Joshi · Cyber Cell · Maharashtra Police · Mumbai

"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
Vivek Iyer · DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things compliance leads ask before signing.

CSCRF is effective in phases through 2025: Qualified REs and MIIs first, Mid-size and Small-size REs thereafter. Self-certification REs file a self-attestation rather than undergoing this audit; Macksofy reviews that attestation before it is filed.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

  • CERT-In Empanelled Information Security Auditor (India)
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.