← Frameworks / Financial Regulation

SEBI Cybersecurity and Cyber Resilience Framework for Regulated Entities

Securities and Exchange Board of India mandatory cybersecurity framework for all SEBI-regulated entities including stock exchanges, depositories, clearing corporations, mutual funds, brokers, and portfolio managers. 5 cyber resilience goals (anticipate, withstand, contain, recover, evolve) across 41 control areas covering governance, risk assessment, asset management, identity and access management, data protection, network security, application security, endpoint security, vulnerability management, security monitoring, incident management, business continuity, third-party risk, and cloud security. Entity classification into 5 categories with graded compliance requirements.

Clauses: 41

Avg Coverage: 73.8%

Publisher: Securities and Exchange Board of India (SEBI) Version: 2024

SEBI CSCRF → SP 800-53 SP 800-53 → SEBI CSCRF Coverage Analysis

Clause	Title	SP 800-53 Controls
AUDIT	Periodic Audit and Compliance Reporting	CA-02 CA-05 CA-06 CA-07 AU-06 PM-06 PM-14
BCP-DR	Business Continuity and Disaster Recovery	CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 PM-08 PM-11
CAPACITY	Capacity Building and Cyber Awareness	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-15 PM-27
CCI	Cyber Capability Index Assessment	CA-02 CA-07 PM-06 PM-14 PM-31
CCMP	Cyber Crisis Management Plan	CP-02 CP-03 CP-04 IR-01 IR-03 IR-08 PM-08 PM-09
CERTIF	ISO 27001 Certification and Standards Compliance	CA-02 CA-06 CA-09 PM-01 PM-10
CLASSIFY	Entity Classification and Compliance Matrix	PM-01 PM-10 PM-11 PM-32 RA-02 PL-02
CYBER-INS	Cyber Insurance	PM-09 PM-11
DATALOC	Data Localisation and Cross-Border Data Transfer	SC-28 SC-12 SC-13 PT-02 PT-04 PT-05 AC-04 SI-12
DE.AU	Detect — Audit Logging and Monitoring	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-14
DE.CM	Detect — Security Continuous Monitoring and SOC	SI-04 AU-06 AU-13 CA-07 IR-04 PM-14 PM-31 SC-26 SC-35 RA-10
DE.DP	Detect — Detection Processes and Threat Intelligence	SI-03 SI-04 SI-05 PM-16 RA-05 RA-10 SC-44 AU-12
DE.VA	Detect — Vulnerability Assessment and Penetration Testing	CA-02 CA-08 RA-05 RA-06 RA-07 RA-09 RA-10 PM-14
EMAIL-SEC	Secure Communication and Email Security	SC-07 SC-08 SC-13 SI-08 AC-04
GV.OC	Governance — Organisational Context	PM-01 PM-07 PM-08 PM-09 PM-11 PM-28 PM-32 PL-08 RA-09
GV.OV	Governance — Oversight and Compliance	CA-02 CA-05 CA-06 CA-07 PM-06 PM-14 PM-31
GV.PO	Governance — Cybersecurity and Cyber Resilience Policy	PM-01 PL-01 PL-02 PL-04 PM-09 PM-10 PM-11 PM-24
GV.RM	Governance — Cyber Risk Management Framework	PM-01 PM-09 PM-28 PM-29 PM-30 RA-01 RA-03 RA-07 RA-09 PL-09
GV.RR	Governance — Roles, Responsibilities and Authorities	PM-02 PM-13 PS-01 PS-02 PS-03 PS-06 PS-07 PS-09
GV.SC	Governance — Supply Chain Risk Management	SA-04 SA-09 SA-21 SA-22 SR-01 SR-02 SR-03 SR-05 SR-06 PM-30 PS-07
ID.AM	Identify — Asset Management	CM-08 CM-09 CM-12 CM-13 PM-05 RA-02 RA-09
ID.RA	Identify — Risk Assessment	RA-01 RA-02 RA-03 RA-05 RA-07 RA-08 RA-09 RA-10 PM-16
PR.AA	Protect — Identity Management, Authentication and Access Control	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-10 AC-11 AC-12 AC-17 AC-24 IA-01 IA-02 IA-04 IA-05 IA-06 IA-08 IA-12
PR.AS	Protect — Application Security and SBOM	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17 SA-20 SA-21 SI-10 SR-04
PR.AT	Protect — Awareness and Training	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PM-13 PM-15
PR.CS	Protect — Cloud Security	SA-09 AC-20 SC-07 SC-08 SC-28 SR-01 SR-06 CA-03
PR.DS	Protect — Data Security and Classification	SC-08 SC-12 SC-13 SC-28 MP-01 MP-02 MP-04 MP-05 MP-06 AC-04 AC-23 SI-12 SI-19 SI-20 PT-02 PT-03
PR.ES	Protect — Endpoint and Platform Security	CM-06 CM-07 CM-10 CM-11 CM-14 SC-18 SC-41 SI-03 SI-07 SI-16 AC-19
PR.IP	Protect — Information Protection Processes and Procedures	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-10 CM-11 CM-14 SI-02 SI-07 SA-03 SA-08 SA-10 SA-11 SA-15
PR.MA	Protect — Maintenance	MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 SI-13
PR.NS	Protect — Network Security and Segmentation	SC-01 SC-05 SC-07 SC-08 SC-20 SC-21 SC-22 SC-32 SC-39 SC-44 SC-47 AC-04 SI-04
PR.PE	Protect — Physical and Environmental Security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 PE-20
RC.CO	Recover — Recovery Communication	IR-06 CP-02 PM-26 PM-27
RC.IM	Recover — Recovery Improvements	CP-02 CP-04 CA-02 CA-05 PM-04 PM-14
RC.RP	Recover — Incident Recovery Plan Execution	CP-01 CP-02 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13 SC-24 SI-17
RS.AN	Respond — Incident Analysis and Forensics	AU-06 AU-09 AU-10 AU-11 IR-04 IR-05 IR-09 SI-04
RS.CO	Respond — Incident Reporting and Communication	IR-06 PM-15 PM-16 PM-26 SI-05
RS.IM	Respond — Incident Response Improvements	IR-04 IR-05 IR-08 CA-02 CA-05 CA-07 PM-04
RS.MA	Respond — Incident Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-07 IR-08 IR-09
SOC	Security Operations Centre Requirements	SI-04 AU-06 CA-07 IR-04 IR-05 PM-14 PM-16 SC-26 RA-10
VAPT	VAPT and Red Team Exercises	CA-02 CA-08 RA-05 RA-06 RA-07 RA-09 RA-10 PM-14