SEBI Cybersecurity and Cyber Resilience Framework for Regulated Entities
The Securities and Exchange Board of India's mandatory cybersecurity framework applies to all SEBI-regulated entities, including stock exchanges, depositories, clearing corporations, mutual funds, brokers, and portfolio managers. It defines 5 cyber resilience goals (anticipate, withstand, contain, recover, evolve) across 41 control areas covering governance, risk assessment, asset management, identity and access management, data protection, network security, application security, endpoint security, vulnerability management, security monitoring, incident management, business continuity, third-party risk, and cloud security. Entities are classified into 5 categories with graded compliance requirements.
Controls: 208
Total Mappings: 371
Publisher: Securities and Exchange Board of India (SEBI)
Version: 2024
Mapped controls per family: AC (15), AT (6), AU (14), CA (7), CM (14), CP (13), IA (7), IR (9), MA (6), MP (5), PE (17), PL (5), PM (22), PS (6), PT (4), RA (9), SA (11), SC (19), SI (13), SR (6)
AC Access Control
| Control | Name | SEBI CSCRF References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | PR.AA |
| AC-02 | Account Management | PR.AA |
| AC-03 | Access Enforcement | PR.AA |
| AC-04 | Information Flow Enforcement | DATALOC, EMAIL-SEC, PR.AA, PR.DS, PR.NS |
| AC-05 | Separation Of Duties | PR.AA |
| AC-06 | Least Privilege | PR.AA |
| AC-07 | Unsuccessful Login Attempts | PR.AA |
| AC-10 | Concurrent Session Control | PR.AA |
| AC-11 | Session Lock | PR.AA |
| AC-12 | Session Termination | PR.AA |
| AC-17 | Remote Access | PR.AA |
| AC-19 | Access Control For Portable And Mobile Devices | PR.ES |
| AC-20 | Use Of External Information Systems | PR.CS |
| AC-23 | Data Mining Protection | PR.DS |
| AC-24 | Access Control Decisions | PR.AA |
AT Awareness and Training
| Control | Name | SEBI CSCRF References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | CAPACITY, PR.AT |
| AT-02 | Security Awareness | CAPACITY, PR.AT |
| AT-03 | Security Training | CAPACITY, PR.AT |
| AT-04 | Security Training Records | CAPACITY, PR.AT |
| AT-05 | Contacts With Security Groups And Associations | CAPACITY, PR.AT |
| AT-06 | Training Feedback | CAPACITY, PR.AT |
AU Audit and Accountability
| Control | Name | SEBI CSCRF References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | DE.AU |
| AU-02 | Auditable Events | DE.AU |
| AU-03 | Content Of Audit Records | DE.AU |
| AU-04 | Audit Storage Capacity | DE.AU |
| AU-05 | Response To Audit Processing Failures | DE.AU |
| AU-06 | Audit Monitoring, Analysis, And Reporting | AUDIT, DE.AU, DE.CM, RS.AN, SOC |
| AU-07 | Audit Reduction And Report Generation | DE.AU |
| AU-08 | Time Stamps | DE.AU |
| AU-09 | Protection Of Audit Information | DE.AU, RS.AN |
| AU-10 | Non-Repudiation | DE.AU, RS.AN |
| AU-11 | Audit Record Retention | DE.AU, RS.AN |
| AU-12 | Audit Record Generation | DE.AU, DE.DP |
| AU-13 | Monitoring for Information Disclosure | DE.CM |
| AU-14 | Session Audit | DE.AU |
CA Security Assessment and Authorization
| Control | Name | SEBI CSCRF References |
|---|---|---|
| CA-02 | Security Assessments | AUDIT, CCI, CERTIF, DE.VA, GV.OV, RC.IM, RS.IM, VAPT |
| CA-03 | Information System Connections | PR.CS |
| CA-05 | Plan Of Action And Milestones | AUDIT, GV.OV, RC.IM, RS.IM |
| CA-06 | Security Accreditation | AUDIT, CERTIF, GV.OV |
| CA-07 | Continuous Monitoring | AUDIT, CCI, DE.CM, GV.OV, RS.IM, SOC |
| CA-08 | Penetration Testing | DE.VA, VAPT |
| CA-09 | Internal System Connections | CERTIF |
CM Configuration Management
| Control | Name | SEBI CSCRF References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | PR.IP |
| CM-02 | Baseline Configuration | PR.IP |
| CM-03 | Configuration Change Control | PR.IP |
| CM-04 | Monitoring Configuration Changes | PR.IP |
| CM-05 | Access Restrictions For Change | PR.IP |
| CM-06 | Configuration Settings | PR.ES, PR.IP |
| CM-07 | Least Functionality | PR.ES, PR.IP |
| CM-08 | Information System Component Inventory | ID.AM |
| CM-09 | Configuration Management Plan | ID.AM |
| CM-10 | Software Usage Restrictions | PR.ES, PR.IP |
| CM-11 | User-Installed Software | PR.ES, PR.IP |
| CM-12 | Information Location | ID.AM |
| CM-13 | Data Action Mapping | ID.AM |
| CM-14 | Signed Components | PR.ES, PR.IP |
CP Contingency Planning
| Control | Name | SEBI CSCRF References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | BCP-DR, RC.RP |
| CP-02 | Contingency Plan | BCP-DR, CCMP, RC.CO, RC.IM, RC.RP |
| CP-03 | Contingency Training | BCP-DR, CCMP |
| CP-04 | Contingency Plan Testing And Exercises | BCP-DR, CCMP, RC.IM, RC.RP |
| CP-05 | Contingency Plan Update | BCP-DR |
| CP-06 | Alternate Storage Site | BCP-DR, RC.RP |
| CP-07 | Alternate Processing Site | BCP-DR, RC.RP |
| CP-08 | Telecommunications Services | BCP-DR, RC.RP |
| CP-09 | Information System Backup | BCP-DR, RC.RP |
| CP-10 | Information System Recovery And Reconstitution | BCP-DR, RC.RP |
| CP-11 | Alternate Communications Protocols | BCP-DR, RC.RP |
| CP-12 | Safe Mode | RC.RP |
| CP-13 | Alternative Security Mechanisms | RC.RP |
IA Identification and Authentication
| Control | Name | SEBI CSCRF References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | PR.AA |
| IA-02 | User Identification And Authentication | PR.AA |
| IA-04 | Identifier Management | PR.AA |
| IA-05 | Authenticator Management | PR.AA |
| IA-06 | Authenticator Feedback | PR.AA |
| IA-08 | Identification and Authentication (Non-Organizational Users) | PR.AA |
| IA-12 | Identity Proofing | PR.AA |
IR Incident Response
| Control | Name | SEBI CSCRF References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CCMP, RS.MA |
| IR-02 | Incident Response Training | RS.MA |
| IR-03 | Incident Response Testing And Exercises | CCMP, RS.MA |
| IR-04 | Incident Handling | DE.CM, RS.AN, RS.IM, RS.MA, SOC |
| IR-05 | Incident Monitoring | RS.AN, RS.IM, RS.MA, SOC |
| IR-06 | Incident Reporting | RC.CO, RS.CO |
| IR-07 | Incident Response Assistance | RS.MA |
| IR-08 | Incident Response Plan | CCMP, RS.IM, RS.MA |
| IR-09 | Information Spillage Response | RS.AN, RS.MA |
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | SEBI CSCRF References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | PR.PE |
| PE-02 | Physical Access Authorizations | PR.PE |
| PE-03 | Physical Access Control | PR.PE |
| PE-04 | Access Control For Transmission Medium | PR.PE |
| PE-05 | Access Control For Display Medium | PR.PE |
| PE-06 | Monitoring Physical Access | PR.PE |
| PE-08 | Access Records | PR.PE |
| PE-09 | Power Equipment And Power Cabling | PR.PE |
| PE-10 | Emergency Shutoff | PR.PE |
| PE-11 | Emergency Power | PR.PE |
| PE-12 | Emergency Lighting | PR.PE |
| PE-13 | Fire Protection | PR.PE |
| PE-14 | Temperature And Humidity Controls | PR.PE |
| PE-15 | Water Damage Protection | PR.PE |
| PE-17 | Alternate Work Site | PR.PE |
| PE-18 | Location Of Information System Components | PR.PE |
| PE-20 | Asset Monitoring and Tracking | PR.PE |
PL Planning
PM Program Management
| Control | Name | SEBI CSCRF References |
|---|---|---|
| PM-01 | Information Security Program Plan | CERTIF, CLASSIFY, GV.OC, GV.PO, GV.RM |
| PM-02 | Information Security Program Leadership Role | GV.RR |
| PM-04 | Plan of Action and Milestones Process | RC.IM, RS.IM |
| PM-05 | System Inventory | ID.AM |
| PM-06 | Measures of Performance | AUDIT, CCI, GV.OV |
| PM-07 | Enterprise Architecture | GV.OC |
| PM-08 | Critical Infrastructure Plan | BCP-DR, CCMP, GV.OC |
| PM-09 | Risk Management Strategy | CCMP, CYBER-INS, GV.OC, GV.PO, GV.RM |
| PM-10 | Authorization Process | CERTIF, CLASSIFY, GV.PO |
| PM-11 | Mission and Business Process Definition | BCP-DR, CLASSIFY, CYBER-INS, GV.OC, GV.PO |
| PM-13 | Security and Privacy Workforce | CAPACITY, GV.RR, PR.AT |
| PM-14 | Testing, Training, and Monitoring | AUDIT, CCI, DE.CM, DE.VA, GV.OV, RC.IM, SOC, VAPT |
| PM-15 | Security and Privacy Groups and Associations | CAPACITY, PR.AT, RS.CO |
| PM-16 | Threat Awareness Program | DE.DP, ID.RA, RS.CO, SOC |
| PM-24 | Data Integrity Board | GV.PO |
| PM-26 | Complaint Management | RC.CO, RS.CO |
| PM-27 | Privacy Reporting | CAPACITY, RC.CO |
| PM-28 | Risk Framing | GV.OC, GV.RM |
| PM-29 | Risk Management Program Leadership Roles | GV.RM |
| PM-30 | Supply Chain Risk Management Strategy | GV.RM, GV.SC |
| PM-31 | Continuous Monitoring Strategy | CCI, DE.CM, GV.OV |
| PM-32 | Purposing | CLASSIFY, GV.OC |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | SEBI CSCRF References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | GV.RM, ID.RA |
| RA-02 | Security Categorization | CLASSIFY, ID.AM, ID.RA |
| RA-03 | Risk Assessment | GV.RM, ID.RA |
| RA-05 | Vulnerability Scanning | DE.DP, DE.VA, ID.RA, VAPT |
| RA-06 | Technical Surveillance Countermeasures Survey | DE.VA, VAPT |
| RA-07 | Risk Response | DE.VA, GV.RM, ID.RA, VAPT |
| RA-08 | Privacy Impact Assessments | ID.RA |
| RA-09 | Criticality Analysis | DE.VA, GV.OC, GV.RM, ID.AM, ID.RA, VAPT |
| RA-10 | Threat Hunting | DE.CM, DE.DP, DE.VA, ID.RA, SOC, VAPT |
SA System and Services Acquisition
| Control | Name | SEBI CSCRF References |
|---|---|---|
| SA-03 | Life Cycle Support | PR.AS, PR.IP |
| SA-04 | Acquisitions | GV.SC, PR.AS |
| SA-08 | Security Engineering Principles | PR.AS, PR.IP |
| SA-09 | External Information System Services | GV.SC, PR.CS |
| SA-10 | Developer Configuration Management | PR.AS, PR.IP |
| SA-11 | Developer Security Testing | PR.AS, PR.IP |
| SA-15 | Development Process, Standards, and Tools | PR.AS, PR.IP |
| SA-17 | Developer Security and Privacy Architecture and Design | PR.AS |
| SA-20 | Customized Development of Critical Components | PR.AS |
| SA-21 | Developer Screening | GV.SC, PR.AS |
| SA-22 | Unsupported System Components | GV.SC |
SC System and Communications Protection
| Control | Name | SEBI CSCRF References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | PR.NS |
| SC-05 | Denial Of Service Protection | PR.NS |
| SC-07 | Boundary Protection | EMAIL-SEC, PR.CS, PR.NS |
| SC-08 | Transmission Integrity | EMAIL-SEC, PR.CS, PR.DS, PR.NS |
| SC-12 | Cryptographic Key Establishment And Management | DATALOC, PR.DS |
| SC-13 | Use Of Cryptography | DATALOC, EMAIL-SEC, PR.DS |
| SC-18 | Mobile Code | PR.ES |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | PR.NS |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | PR.NS |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | PR.NS |
| SC-24 | Fail in Known State | RC.RP |
| SC-26 | Decoys | DE.CM, SOC |
| SC-28 | Protection of Information at Rest | DATALOC, PR.CS, PR.DS |
| SC-32 | System Partitioning | PR.NS |
| SC-35 | External Malicious Code Identification | DE.CM |
| SC-39 | Process Isolation | PR.NS |
| SC-41 | Port and I/O Device Access | PR.ES |
| SC-44 | Detonation Chambers | DE.DP, PR.NS |
| SC-47 | Alternate Communications Paths | PR.NS |
SI System and Information Integrity
| Control | Name | SEBI CSCRF References |
|---|---|---|
| SI-02 | Flaw Remediation | PR.IP |
| SI-03 | Malicious Code Protection | DE.DP, PR.ES |
| SI-04 | Information System Monitoring Tools And Techniques | DE.CM, DE.DP, PR.NS, RS.AN, SOC |
| SI-05 | Security Alerts And Advisories | DE.DP, RS.CO |
| SI-07 | Software And Information Integrity | PR.ES, PR.IP |
| SI-08 | Spam Protection | EMAIL-SEC |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | PR.AS |
| SI-12 | Information Output Handling And Retention | DATALOC, PR.DS |
| SI-13 | Predictable Failure Prevention | PR.MA |
| SI-16 | Memory Protection | PR.ES |
| SI-17 | Fail-safe Procedures | RC.RP |
| SI-19 | De-identification | PR.DS |
| SI-20 | Tainting | PR.DS |