SEBI had introduced the Cybersecurity and Cyber Resilience Framework (CSCRF) vide circular SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 for all SEBI-regulated entities. The framework aims to address rising cyber threats, ensure industry alignment, and improve regulatory compliance through structured governance and audit mechanisms. Following stakeholder feedback and consultations, SEBI has now released a comprehensive set of Frequently Asked Questions (FAQs) to clarify implementation aspects of CSCRF and the associated Framework for Adoption of Cloud Services.

The FAQs provide detailed guidance on key operational and compliance areas within CSCRF and cloud adoption, covering topics under the following 17 broad heads:

1. Governance and CISO requirements
2. Thresholds for categorisation of REs
3. Asset inventory and classification of systems
4. VAPT (Vulnerability Assessment and Penetration Testing) and patching
5. Cyber audits and reporting timelines
6. Cyber Capability Index (CCI)
7. Software Bill of Materials (SBOM)
8. Outsourcing norms
9. Cloud Service Providers (CSPs) and hosted services
10. Testing of Commercial Off-The-Shelf (COTS) software
11. Log management, data security, and protection measures
12. ISO 27001 certification requirements
13. Security Operations Centres (SOC) and Market-SOC
14. Threat intelligence practices
15. DC-DR (Data Centre – Disaster Recovery) drills
16. Incident response and recovery
17. Classification and handling of cybersecurity incidents