
SEBI CSCRF Playbook · 2026
How regulated entities prepare for the SEBI Cyber Security & Cyber Resilience Framework — scope, controls, evidence pack and 90-day rollout plan.
SEBI's Cyber Security & Cyber Resilience Framework (CSCRF) reshapes how regulated entities — stockbrokers, depositories, AMCs, MIIs and intermediaries — prove their security posture. This whitepaper unpacks the framework into a scope-map, a control-evidence matrix, and a 90-day rollout plan that an internal team can run without external hand-holding.
1. Why CSCRF, why now
CSCRF is SEBI's response to a decade of cyber incidents in the Indian capital-markets ecosystem. It moves entities from a tick-box ISO 27001 posture to evidence-driven, control-tested resilience. Where ISO certifies management systems, CSCRF audits real-world cyber operations — pentests, SOC monitoring, IR drills, supply-chain risk and recovery time objectives.
The framework graduates entities into MII / Qualified / Mid-size / Self-certified tiers. Each tier inherits a different control surface and a different audit cadence. The mistake we see most often: an entity audited at the wrong tier — usually one tier above their actual classification — burns auditing budget and engineering time on controls that were never expected of them.
Confirm your CSCRF tier in writing with your CISO + Compliance head before any control work begins. The tier dictates the entire scope, including pentest depth, RTO targets, and SOC requirements.
2. Mapping CSCRF control families to evidence artefacts
Auditors don't grade intent — they grade evidence. The table below lists the seven CSCRF control families with the artefact a tier-1 auditor expects to see for each.
| Control family | Auditor expects | Macksofy artefact |
|---|---|---|
| Identify & Govern | Asset register, risk register, signed-off policies | Risk-register template, board-pack walkthrough |
| Protect — IAM | Privileged-access reviews, MFA enforcement evidence | Quarterly PAM review report |
| Protect — Network | Segmentation diagram, firewall ruleset audit | Network arch + ruleset hygiene report |
| Detect | SOC use-case catalogue, MTTD / MTTR metrics | SIEM use-case library + tuning runbook |
| Respond | IR plan, tabletop minutes, CERT-In submission template | IR runbook + tabletop facilitation |
| Recover | Backup test logs, RTO/RPO drill evidence | DR drill report |
| Pentest & Assurance | Manual pentest report, retest evidence, fix-rate metrics | CERT-In format pentest with retest sign-off |
3. The five gaps that fail CSCRF audits
- Pentest scope set to 'web app' only — CSCRF expects API + cloud + internal network in-scope.
- Vulnerabilities marked 'closed' without retest evidence — the auditor wants a live retest, not a JIRA ticket close.
- SOC use-case catalogue ungoverned — no MITRE-mapped library, no tuning logs.
- DR drills run on backups but never on tier-0 systems — backup ≠ DR.
- Third-party / supply-chain risk register absent or stale — CSCRF makes this a tier-1 expectation.
4. The 90-day CSCRF rollout plan
An internal team can run this plan without an external prime. Macksofy can plug in for the pentest + DR drill weeks if internal capacity is constrained.
- Days 0–14 · Tier confirmation + scope-map: Confirm CSCRF tier in writing. Build the asset register against the in-scope estate.
- Days 15–30 · Policy + IAM hygiene: Refresh policies; complete a quarterly PAM review; enforce MFA on every tier-0 / tier-1 account.
- Days 31–55 · Detect + Respond: Build/refresh SOC use-case library; run a tabletop with IR plan; submit a CERT-In drill report.
- Days 56–75 · Pentest + retest: Manual pentest covering web + API + cloud + internal AD. Retest within 30 days.
- Days 76–90 · DR drill + audit-ready pack: Restore drill on tier-0 systems. Compile evidence pack mapped to CSCRF control IDs.
Don't wait for the annual audit cycle to assemble evidence. A standing quarterly cadence — pentest retest, PAM review, SOC tuning logs, DR drill — produces an always-current pack that any auditor can consume in two days.
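The two audit failures above that are purely evidence-hygiene problems (closures without retest, a pack that has silently gone stale) are easy to catch mechanically before an auditor does. The script below is an added example, not Macksofy's tooling and not anything SEBI publishes: it takes a control-family evidence list and a vulnerability-tracker export, flags any family whose newest artefact is older than its cadence, and flags any finding marked closed without a retest, with a retest dated before the fix, or with a retest outside the 30-day window from the rollout plan. The family names follow the table in section 2; the cadence day-counts, the snapshot date, the artefact rows and the finding rows are all constructed for illustration.

```python
"""Freshness check for a CSCRF-style evidence pack (added example, constructed data)."""
from datetime import date

# Maximum age of the newest artefact per control family, in days.
# Constructed values following the quarterly cadence this page recommends;
# CSCRF itself does not prescribe these exact numbers.
CADENCE_DAYS = {
    "Identify & Govern": 365,
    "Protect - IAM": 90,
    "Protect - Network": 180,
    "Detect": 90,
    "Respond": 180,
    "Recover": 90,
    "Pentest & Assurance": 365,
}

RETEST_WINDOW_DAYS = 30          # "Retest within 30 days" from the rollout plan
AS_OF = date(2026, 3, 31)        # constructed snapshot date for the check

# Constructed evidence pack: (control family, artefact, date produced).
# No "Recover" artefact on purpose, to show how a missing DR drill surfaces.
EVIDENCE = [
    ("Identify & Govern", "risk register v4 (board-approved)", date(2025, 9, 15)),
    ("Protect - IAM", "Q4 privileged-access review", date(2025, 12, 20)),
    ("Protect - Network", "firewall ruleset hygiene report", date(2026, 2, 1)),
    ("Detect", "SIEM use-case library + tuning log", date(2026, 3, 2)),
    ("Respond", "tabletop minutes + CERT-In drill report", date(2026, 1, 10)),
    ("Pentest & Assurance", "manual pentest report (CERT-In format)", date(2025, 6, 30)),
]

# Constructed vulnerability-tracker rows: (finding id, status, fixed on, retested on).
VULNS = [
    ("F-001", "closed", date(2026, 2, 10), date(2026, 2, 20)),  # clean closure
    ("F-002", "closed", date(2026, 2, 12), None),               # ticket closed, no retest
    ("F-003", "closed", date(2026, 3, 5), date(2026, 2, 28)),   # retest predates the fix
    ("F-004", "open", None, None),                              # still open, not checked
    ("F-005", "closed", date(2026, 1, 15), date(2026, 3, 10)),  # retest outside the window
]


def stale_or_missing(evidence, as_of):
    """Map each control family lacking a current artefact to the reason."""
    newest = {}
    for family, _artefact, produced in evidence:
        if family not in newest or produced > newest[family]:
            newest[family] = produced
    issues = {}
    for family, max_age in CADENCE_DAYS.items():
        if family not in newest:
            issues[family] = "missing"
            continue
        age = (as_of - newest[family]).days
        if age > max_age:
            issues[family] = f"stale ({age} days old, cadence {max_age})"
    return issues


def unverified_closures(vulns, window_days=RETEST_WINDOW_DAYS):
    """List closed findings whose closure is not backed by a valid retest."""
    problems = []
    for finding, status, fixed_on, retested_on in vulns:
        if status != "closed":
            continue
        if retested_on is None:
            problems.append((finding, "closed without retest evidence"))
        elif retested_on < fixed_on:
            problems.append((finding, "retest predates the fix"))
        elif (retested_on - fixed_on).days > window_days:
            gap = (retested_on - fixed_on).days
            problems.append((finding, f"retest {gap} days after fix, window {window_days}"))
    return problems


def audit_ready(evidence, vulns, as_of):
    """True only when every family is current and every closure is retested."""
    return not stale_or_missing(evidence, as_of) and not unverified_closures(vulns)


if __name__ == "__main__":
    for family, reason in stale_or_missing(EVIDENCE, AS_OF).items():
        print(f"[evidence] {family}: {reason}")
    for finding, reason in unverified_closures(VULNS):
        print(f"[retest]   {finding}: {reason}")
    print("audit-ready:", audit_ready(EVIDENCE, VULNS, AS_OF))
```

Run it on a quarterly schedule against the real artefact index and tracker export, and the output is the gap list to close before the pack goes to an auditor; on the constructed data it reports the IAM review as stale, the Recover family as missing, and three of the four closed findings as unverified.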
5. Engaging Macksofy
Macksofy is a CERT-In empanelled cybersecurity auditor. Our CSCRF engagements range from full-scope tier-1 audits down to focused pentest + retest packages for self-certified entities. Reports are accepted by the major audit and Big-4 firms without rework.
Macksofy offers full-service engagements that map directly to this resource. Common starting points:
