Skip to main contentChat with us

ISO 27001 · SEBI CSCRF

ISO 27001 Under SEBI's CSCRF:
Who Must Certify, and How Far

SEBI's Cybersecurity and Cyber Resilience Framework doesn't just recommend ISO 27001 — for Market Infrastructure Institutions and Qualified REs it requires certification, prescribes how far the scope must reach, and flows the requirement down to your vendors. Here is the mandate, from the circular itself.

Primary sources used on this page: SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20 Aug 2024) and SEBI's CSCRF FAQs (June 2025) — not other consultancies' blogs.

PR.IP.S16the CSCRF guideline mandating certification
5facilities the scope must include
FYall CSCRF periodicities run on financial year

Cites the SEBI circular & official FAQs · Auditor-led · Last reviewed July 2026

Under SEBI's CSCRF, ISO 27001 certification is a standing requirement for MIIs and Qualified REs (guideline PR.IP.S16), and the certification scope must include — at minimum — the PDC site, DR site, NDR site, SOC, and any colocation facility. If any of those are outsourced, the third-party provider must be ISO 27001 certified for the outsourced service. That single paragraph, drawn from the framework and SEBI's own FAQ 58, settles the three questions regulated entities ask most. What remains is execution: getting an ISMS certified across a boundary most first-time certificates never reach, evidencing the CSCRF-specific controls ISO 27001 doesn't prescribe, and keeping pace with a financial-year audit cadence run by CERT-In-empanelled auditors. This page maps the framework's expectations onto the 93 Annex A controls so you can see what your existing ISMS already covers — and what it doesn't.

The Mandated Scope

Five Facilities Your Certificate Must Cover

Per SEBI's FAQ 58, the ISO 27001 scope “shall include (but not limited to)” the following — and outsourcing any of them flows the certification requirement to the vendor.

Facility / functionWhat that means in practice
Primary Data Centre (PDC) siteThe production environment running your regulated operations.
Disaster Recovery (DR) siteThe failover environment — certification cannot stop at production.
Near Data Recovery (NDR) siteWhere an NDR site exists in your architecture, it is in scope.
Security Operations Centre (SOC)Your SOC — in-house or outsourced — falls inside the certified ISMS boundary.
Colocation facilityThird-party colocation hosting regulated systems is part of the required scope.

The Crosswalk

CSCRF Themes → ISO 27001:2022 Controls

Indicative mapping of the framework's recurring requirement areas to the Annex A controls that evidence them — each control links to its implementation guide in our 93-control catalog.

CSCRF requirement areaISO 27001:2022 home
Governance & CISO requirements (CISO at CTO/CIO grade for MIIs and Qualified REs, reporting per organisational structure)Clause 5 (leadership), A.5.1–A.5.4 (policies, roles, segregation of duties)
Asset inventory & classification of critical systemsA.5.9–A.5.12 (asset inventory, acceptable use, classification)
VAPT with closure of findings within 3 months of report submissionA.8.8 (technical vulnerability management) + A.8.29 (security testing)
Log management and retentionA.8.15 (logging) + A.8.16 (monitoring activities)
Outsourcing and third-party guidelinesA.5.19–A.5.23 (supplier relationships, cloud services)
Response, recovery & DC-DR drillsA.5.24–A.5.30 (incident management, ICT readiness for business continuity)
Data security and Software Bill of Materials (SBOM)A.8.24–A.8.28 (cryptography, secure development), A.5.23

Mapping is indicative and for planning; CSCRF compliance is assessed against the framework itself by CERT-In-empanelled auditors. CSCRF-specific instruments — the Cyber Capability Index, SBOM, Market-SOC — have no Annex A equivalent and are implemented alongside the ISMS.

CSCRF × ISO 27001 — Common Questions

The mandate, the scope, the flow-down, and the audit cadence — answered from the primary sources.

Does SEBI CSCRF make ISO 27001 certification mandatory?

For the top two categories of regulated entities, yes. Under the CSCRF (SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated 20 August 2024), Market Infrastructure Institutions (MIIs) and Qualified REs are required to obtain ISO 27001 certification — guideline PR.IP.S16 of the framework. Mid-size, small-size, and self-certification REs are not required to certify, though the CSCRF's cybersecurity controls still apply to them in proportion to their category.

What must the ISO 27001 certification scope cover under CSCRF?

SEBI's CSCRF FAQs (June 2025, FAQ 58) state the scope "shall include (but not limited to) PDC site, DR site, NDR site, SOC, and Colocation facility." In other words, a certificate scoped to a head office alone does not satisfy the framework — the certified ISMS boundary must wrap the regulated technology estate, including recovery sites and the security operations function.

Do our outsourced vendors also need ISO 27001 certification?

If any in-scope facility or function (PDC, DR, NDR, SOC, colocation) is outsourced, CSCRF FAQ 58 is explicit: "it must be ensured that those third-party service providers are also ISO 27001 certified for the services being outsourced to them." That flow-down clause is the part most REs discover late — vendor certificates must cover the specific outsourced service, not just the vendor's corporate office.

Which entities count as MIIs and Qualified REs?

MIIs are the market infrastructure institutions — stock exchanges, depositories, and clearing corporations. The Qualified RE category, per the CSCRF's categorisation thresholds, sweeps in larger intermediaries: banks and NBFCs operating as SEBI REs, mutual funds/AMCs, RTAs, custodians, clearing members, and other financial institutions above the framework's size thresholds — plus Qualified Stock Brokers (QSBs), who carry enhanced obligations including half-yearly VAPT and cyber audits. Where you land determines whether ISO 27001 certification is required or the controls apply without certification.

What is the CSCRF audit cadence, and who performs it?

CSCRF compliance is verified through cyber audits by CERT-In-empanelled auditors, with periodicity depending on your RE category (half-yearly for MIIs and QSBs; annual for most Qualified REs) — all periodicities run on the financial year. VAPT findings must be closed within three months of report submission. The ISO 27001 certificate complements, not replaces, these audits: certification evidences the ISMS; the CERT-In-empanelled audit tests CSCRF-specific controls.

We already hold ISO 27001 — what is the actual gap to CSCRF?

Typically three things. First, scope: your existing certificate probably does not cover the full PDC/DR/NDR/SOC/colocation boundary CSCRF expects. Second, CSCRF-specific requirements that ISO 27001 does not prescribe — the Cyber Capability Index (CCI) for MIIs and Qualified REs, SBOM requirements, Market-SOC onboarding decisions, and SEBI's incident-reporting flows. Third, evidence cadence: CSCRF's financial-year audit and VAPT timelines are stricter than a standard three-year certification cycle. A gap assessment against both instruments at once is the efficient path — that is exactly what we run.

Related reading: the ISO 27001 hub, all 93 Annex A controls, the certification process, ISO 27001 under IRDAI's 2026 guidelines, and certification costs in India.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations