SEBI CSCRF Audit Methodology — Bachao.AI 7-Day Sprint

SEBI CSCRF — the deadline and the obligation

SEBI's Cybersecurity & Cyber Resilience Framework (CSCRF) applies to all SEBI-regulated entities: stockbrokers, depository participants, asset management companies, mutual funds, clearing corporations, and qualified RIAs. The Master Circular (June 2024) mandates:

1. Annual third-party cybersecurity audit
2. Audit report submission in NSE/BSE prescribed format
3. Senior management certification of cyber resilience
4. Quarterly vulnerability assessments
5. Critical system inventory + classification

This page describes how Bachao.AI delivers a SEBI CSCRF audit in 7 working days for a typical mid-tier stockbroker or AMC.

Day-by-day breakdown

Day 0 (pre-engagement, 1 hour): Kickoff call with the entity's IT head + compliance officer. We collect: SEBI registration number, last audit date, NSE/BSE membership status, current vendor list, critical system count.

Day 1: Asset and data inventory

1. AI-assisted asset discovery across cloud + on-prem + endpoints
2. Critical system classification (CSCRF defines: customer data, transaction processing, settlement, audit logs)
3. Sample 100% of critical, 25% of non-critical (CSCRF requirement)
4. Output: signed asset inventory schedule

1. Automated network mapping
2. External attack surface scan
3. Internal authenticated vulnerability scan (Tenable / Qualys grade results)
4. Configuration assessment against CIS Benchmarks
5. Output: raw scan results + vulnerability list

1. Web application VAPT on customer-facing portals (trading apps, RIA dashboards)
2. API security testing on transaction APIs
3. Mobile app security if applicable
4. Output: OWASP-categorised vulnerability list

1. 64 CSCRF controls reviewed against the entity's actual practice
2. Evidence collection from existing systems (CloudTrail, syslog, identity management)
3. Interview with IT head and one engineer per critical system
4. Output: control-to-evidence matrix

1. Penetration test depth on top 3 critical systems
2. Sample 100 user access events, validate against access policy
3. Sample 30 random change records, validate against change management policy
4. Validate backup restore (one full restore from random date)
5. Output: sample test results + any control gaps identified

1. NSE/BSE format report drafted (exact template per circular)
2. Findings categorised: Critical / High / Medium / Low / Observation
3. Each finding includes: title, description, evidence reference, business impact, remediation recommendation, target close date
4. Senior management certification draft prepared
5. Output: draft report (40–80 pages)

1. Review meeting with IT head + compliance officer (90 minutes)
2. Findings discussed, owners assigned, remediation timelines agreed
3. Final report signed by Bachao.AI CEO + Lead Auditor
4. Senior management certification finalised
5. Report submitted via the NSE/BSE portal (we handle the upload)
6. Output: submitted audit report + certification

What gets delivered on day 7

1. NSE/BSE-format audit report — 60–120 pages depending on entity size, in the exact format prescribed by Circular dated 20 August 2024 (or current circular).
2. Senior management certification — signed by the entity's IT Head or CEO.
3. Vulnerability remediation matrix — every finding has a target close date and an owner.
4. Critical system inventory — formal schedule, validated and signed.
5. Evidence package — every scan output, every interview note, every control-to-evidence mapping, archived for SEBI inspector review (we retain for 7 years per CSCRF).
6. Submission confirmation — proof of upload to NSE/BSE portal.

What it costs

Why 7 days

Most SEBI audit providers take 3–6 weeks. The actual audit work fits in 7 days because:

1. AI-assisted asset discovery and vulnerability scanning is 5–10× faster than manual
2. Bachao's control library is pre-mapped to CSCRF (not built from scratch per engagement)
3. The NSE/BSE report template is generated, not hand-written
4. The audit team is permanent (not seconded from a Big-4 advisory) so they know the framework

The catch — when it's NOT 7 days

Some engagements require longer:

1. First-time audits (entity has no prior cyber audit): add 5 days for baseline assessment
2. Multi-entity audit (holding company with multiple SEBI registrations): add 3 days per additional entity
3. Material findings requiring deep investigation: add 3 days if a vulnerability needs exploitation depth analysis
4. Customised submission format (some entities have submitted in non-standard format historically): add 1 day

Compliance with current SEBI CSCRF (June 2026 cycle)

This methodology is current as of the SEBI CSCRF Master Circular and all subsequent amendments through May 2026. The 64 controls referenced are the current control set. Any change in the next SEBI circular triggers an update to our methodology within 14 days.

How to start

The first step is a 60-minute scoping call. We confirm your entity tier, the right fee, and the right week to run the sprint. Engagement letter signed within 2 working days. Audit starts the week after.

Schedule the SEBI CSCRF scoping call →

Related: Sample SEBI CSCRF Audit Report · SEBI Case Study: 4-Day Audit