What the SEBI auditor and the NSE portal expect
The SEBI Cybersecurity & Cyber Resilience Framework Master Circular prescribes a specific structure for the annual audit report. The NSE / BSE submission portal validates against this structure on upload. A report missing required sections gets rejected at the portal level and counts as non-submission.
This page shows the structure of the NSE-submission-format report Bachao.AI delivers, with sample content (anonymised from a real April 2026 audit for a mid-tier stockbroker).
Section 1: Cover and certification
Cover page (1 page) — entity name, SEBI registration number, audit period, auditor name + signature, date of submission, NSE/BSE membership.
Senior management certification (1 page) — signed declaration by the entity's IT Head or CEO that the audit findings have been reviewed, remediation plans approved, and the entity remains compliant with CSCRF obligations.
Section 2: Executive summary (1 page)
Findings rolled up by severity:
| Severity | Count | Indicative remediation timeline |
|---|---|---|
| Critical | 0 | Immediate (within 7 days of detection) |
| High | 2 | Within 30 days |
| Medium | 6 | Within 90 days |
| Low | 11 | Within 180 days |
| Observation | 4 | At management discretion |
"Based on our audit conducted in accordance with the SEBI Cybersecurity & Cyber Resilience Framework, [entity name] maintains a satisfactory level of cybersecurity controls aligned with CSCRF requirements. Two High-severity findings related to access control and patch management have been identified and committed to remediation within 30 days. No Critical-severity findings were identified during this audit cycle. The control environment supports the entity's regulatory obligations under SEBI's framework."
Section 3: Scope and methodology (2 pages)
- Entity tier (small / mid-tier / large) determination
- Critical system count and inventory reference
- Non-critical system count and sampling rationale (25% sample as required)
- Audit period (start date, end date)
- Audit team (lead auditor name, lead auditor credentials, supporting team members)
- Methodology summary referencing CSCRF circular date
- Limitations (if any) — e.g., specific systems excluded with documented rationale
Section 4: Findings register (variable length, 1 page per High/Critical, summary table for Medium/Low)
Sample High-severity finding:
Finding HC-001 — MFA not enforced on production database administrative access

> Category: Access Control (CSCRF Control 4.2)
> Severity: High
> Affected systems: trading-prod-db-01, trading-prod-db-02
> Evidence reference: Evidence section page 47, screenshots of IAM policy review
>
> Description: Administrative access to two production database instances does not require multi-factor authentication. Four IAM users have direct admin access via password-only authentication. This violates the CSCRF Control 4.2 requirement that "access to critical systems shall require multi-factor authentication" and exposes the entity to credential-compromise scenarios.
>
> Business impact: Compromise of any of the four IAM credentials would grant an attacker direct read/write access to the production trading database, including customer KYC data, transaction history, and pending orders. Potential regulatory consequence: SEBI inspection finding of inadequate access control under Control 4.2; DPDP Section 8 obligation breach if customer data is accessed.
>
> Remediation recommendation: Enforce MFA on all four IAM users within 7 days. Implement an IAM policy preventing future creation of users without MFA on critical system access. Validate MFA enforcement via an aws-config rule.
>
> Management response: Accepted. Remediation owner: VP Engineering. Target close date: 2026-04-30. Validation method: aws-config rule + screenshot evidence.
Each High and Critical finding gets this depth. Medium and Low findings are tabulated.
Section 5: Control coverage map (3 pages)
All 64 CSCRF controls with:
| Control # | Control area | Coverage status | Evidence reference |
|---|---|---|---|
| 1.1 | Governance | Operational | Section 7.1, p. 38 |
| 1.2 | Risk assessment | Operational | Section 7.2, p. 39 |
| 4.2 | Multi-factor authentication | Partial (Finding HC-001) | Section 4.1, p. 18 |
| 7.5 | Vulnerability management | Operational | Section 7.5, p. 42 |
| ... | ... | ... | ... |
Section 6: Vulnerability assessment summary (2 pages)
Network and application VAPT results summarised:
- Network scan: hosts scanned, ports identified, services enumerated, vulnerabilities by CVSS severity
- Web application scan: applications tested, OWASP Top 10 coverage, findings count by category
- API scan: APIs tested, methods evaluated, BOLA / broken-auth tests, findings count
- Mobile app scan (if applicable): platforms tested, MASVS controls evaluated
Section 7: Evidence index (variable length)
Every finding references an evidence page. The evidence index lists:
- Screenshots (with hash for tamper-evidence)
- Configuration files extracted
- Interview transcripts (anonymised where required)
- Scan output (raw + interpreted)
- Sample test results (access reviews, change reviews, backup restores)
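The "hash for tamper-evidence" item above is what lets a reviewer prove that the screenshots and config extracts in the evidence index are the same files the auditor looked at. The following is an added example, not Bachao.AI's tooling: it hashes each evidence file with SHA-256 into an index record and re-verifies the files later, flagging any that were altered or removed. The file names, contents and finding ID are constructed for the demo; the `demo()` helper, the record layout and the directory handling are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample evidence files (not from the page). In a real audit these
# would be the screenshots, config extracts and scan output cited by findings.
SAMPLE_EVIDENCE = {
    "HC-001_iam_policy_review.png": b"\x89PNG constructed screenshot bytes for HC-001",
    "HC-001_trading-prod-db-01_config.txt": b"require_mfa = false\n",
}


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large raw scan outputs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_evidence_index(evidence_dir, finding_id):
    """Return one {finding, file, sha256, size} record per file, in sorted name order."""
    index = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            index.append({
                "finding": finding_id,
                "file": name,
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    return index


def verify_evidence_index(evidence_dir, index):
    """Re-hash every indexed file; return the names that are missing or whose hash changed."""
    tampered = []
    for record in index:
        path = os.path.join(evidence_dir, record["file"])
        if not os.path.isfile(path) or sha256_file(path) != record["sha256"]:
            tampered.append(record["file"])
    return tampered


def demo():
    """Build an index over the constructed files, then alter one file and detect the change."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_EVIDENCE.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        index = build_evidence_index(d, "HC-001")
        clean = verify_evidence_index(d, index)
        # Simulate a config extract being edited after the index was signed off.
        with open(os.path.join(d, "HC-001_trading-prod-db-01_config.txt"), "ab") as f:
            f.write(b"require_mfa = true\n")
        tampered = verify_evidence_index(d, index)
        return index, clean, tampered


if __name__ == "__main__":
    index, clean, tampered = demo()
    print(json.dumps(index, indent=2))
    print("verification before edit:", clean)
    print("verification after edit:", tampered)
```

In practice the index itself must be protected (included in the digitally signed PDF, or signed separately), since a hash list that an editor can rewrite proves nothing.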
Section 8: Remediation tracker (1–2 pages)
Every finding (Critical / High / Medium / Low) plotted on a timeline with:
- Finding ID
- Description (one line)
- Severity
- Owner (named individual at the entity)
- Target close date
- Status (Open / In Progress / Closed)
- Validation method
Section 9: Appendices
A. Critical system inventory (full schedule)
B. Non-critical system sampling rationale
C. Vulnerability scan reports (raw)
D. Penetration test detail
E. Interview record summary
F. Sample test result detail
G. Backup restore test record
H. Auditor independence declaration
What the NSE / BSE portal validates
When the report is uploaded, the portal checks:
- Cover page contains SEBI registration number in correct format
- Senior management certification is present and signed
- Findings count matches the count declared in the executive summary
- Control coverage map covers all 64 controls
- Auditor credentials match SEBI's empanelled auditor list
- File is PDF, signed digitally, under 50MB
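Because a rejected upload counts as non-submission, it is worth running the cross-checks the portal performs before uploading. The following is an added example, not Bachao.AI's or the portal's code: it takes an in-memory model of the report and checks that the executive summary counts match the findings register, that the coverage map has 64 distinct controls and includes every control a finding cites, that each target close date falls within the indicative remediation timeline from the Section 2 table, and that the file is a PDF under 50MB. The report model, the 8x8 placeholder control numbering, the HC-002 finding, the detection date and the rule that a control with an open finding should not be marked Operational are all assumptions of this example; the digital-signature and auditor-empanelment checks are left to the signing tool and the portal.

```python
from datetime import date, timedelta

# Indicative remediation timelines from the executive summary table (days from detection).
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
CSCRF_CONTROL_COUNT = 64
MAX_FILE_BYTES = 50 * 1024 * 1024


def check_summary_matches_register(summary_counts, findings):
    """Per-severity counts declared in the executive summary must equal the register."""
    problems = []
    for sev in list(REMEDIATION_DAYS) + ["Observation"]:
        declared = summary_counts.get(sev, 0)
        actual = sum(1 for f in findings if f["severity"] == sev)
        if declared != actual:
            problems.append(f"summary declares {declared} {sev}, register holds {actual}")
    return problems


def check_control_coverage(coverage_map, findings):
    """All 64 controls need a row; a control cited by an open finding must be mapped, not Operational."""
    problems = []
    status = {row["control"]: row["status"] for row in coverage_map}
    if len(status) != CSCRF_CONTROL_COUNT:
        problems.append(f"coverage map lists {len(status)} controls, expected {CSCRF_CONTROL_COUNT}")
    for f in findings:
        if f["severity"] == "Observation":
            continue
        if f["control"] not in status:
            problems.append(f"{f['id']} cites control {f['control']} missing from coverage map")
        elif status[f["control"]] == "Operational":  # assumption: open finding contradicts Operational
            problems.append(f"{f['id']} is open against control {f['control']} marked Operational")
    return problems


def check_remediation_dates(findings):
    """Target close dates must fall within the severity's indicative timeline from detection."""
    problems = []
    for f in findings:
        limit = REMEDIATION_DAYS.get(f["severity"])
        if limit is None:  # Observations are at management discretion
            continue
        deadline = f["detected"] + timedelta(days=limit)
        if f["target_close"] > deadline:
            problems.append(f"{f['id']} ({f['severity']}) targets {f['target_close']}, later than {deadline}")
    return problems


def check_file(filename, size_bytes):
    """Portal accepts a PDF under 50MB; signature verification is done by the signing tool."""
    problems = []
    if not filename.lower().endswith(".pdf"):
        problems.append("report must be a PDF")
    if size_bytes >= MAX_FILE_BYTES:
        problems.append(f"report is {size_bytes} bytes, portal limit is under {MAX_FILE_BYTES}")
    return problems


def validate_report(report):
    """Run every pre-submission check and return the list of problems (empty means ready)."""
    problems = []
    problems += check_summary_matches_register(report["summary_counts"], report["findings"])
    problems += check_control_coverage(report["coverage_map"], report["findings"])
    problems += check_remediation_dates(report["findings"])
    problems += check_file(report["filename"], report["size_bytes"])
    return problems


def sample_report():
    """Constructed report model using the page's sample counts; not real audit data."""
    detected = date(2026, 4, 10)  # constructed detection date
    findings = [
        {"id": "HC-001", "severity": "High", "control": "4.2",
         "detected": detected, "target_close": date(2026, 4, 30)},
        {"id": "HC-002", "severity": "High", "control": "7.5",  # constructed second High finding
         "detected": detected, "target_close": date(2026, 5, 8)},
    ]
    # Fill the Medium / Low / Observation rows to match the executive summary table.
    for sev, n, prefix in (("Medium", 6, "M"), ("Low", 11, "L"), ("Observation", 4, "O")):
        for i in range(1, n + 1):
            findings.append({"id": f"{prefix}-{i:03d}", "severity": sev, "control": "7.5",
                             "detected": detected,
                             "target_close": detected + timedelta(days=REMEDIATION_DAYS.get(sev, 0))})
    # Placeholder 8x8 numbering gives 64 distinct control IDs; real CSCRF numbering differs.
    coverage_map = [{"control": f"{a}.{b}", "status": "Operational"}
                    for a in range(1, 9) for b in range(1, 9)]
    for row in coverage_map:
        if row["control"] in ("4.2", "7.5"):
            row["status"] = "Partial"
    return {
        "summary_counts": {"Critical": 0, "High": 2, "Medium": 6, "Low": 11, "Observation": 4},
        "findings": findings,
        "coverage_map": coverage_map,
        "filename": "cscrf_audit_report_2026.pdf",
        "size_bytes": 12 * 1024 * 1024,
    }


if __name__ == "__main__":
    print("clean report:", validate_report(sample_report()))
    broken = sample_report()
    broken["summary_counts"]["High"] = 1                 # summary no longer matches register
    broken["findings"][0]["target_close"] = date(2026, 6, 1)  # High finding past its 30-day window
    for p in validate_report(broken):
        print("problem:", p)
```

Running it on the clean model returns an empty list; the deliberately broken copy reports the count mismatch and the overdue HC-001 target date, which are exactly the two conditions that would otherwise surface only as a portal rejection.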
How to start
The first step is a 60-minute scoping call. We determine your entity tier, confirm timeline, and schedule the 7-day audit sprint.
Schedule the SEBI CSCRF scoping call →
