Cyber-Resilience Beyond Compliance: What a CSCRF Audit Does Not Measure


A clean SEBI CSCRF audit report confirms that controls exist, that governance is documented and that you have met the regulatory obligation for the cycle. But there is a caveat: it does not confirm that those controls perform under real conditions.

SEBI designed the CSCRF around five explicit resilience goals: Anticipate, Withstand, Contain, Recover and Evolve. Most entities that pass their audit address the Withstand and Contain goals. However, the Anticipate, Recover and Evolve goals remain largely aspirational for the majority of the regulated entities now inside the framework.

Three specific gaps consistently survive a clean audit. None of them surface in the audit report unless an auditor specifically digs. All three are the difference between cyber-resilience beyond compliance and a well-documented compliance posture.

Compliance and cyber-resilience are not the same state

The CSCRF’s own framework language draws this distinction. Compliance means meeting the stated requirements: controls implemented, reports submitted, timelines observed.

Resilience, on the other hand, means the ability to anticipate, withstand, contain, recover and evolve when a real incident occurs.

SEBI embedded both inside the same framework deliberately. The audit measures the compliance state. The five goals describe the resilience state. Entities that treat the audit as the finish line are meeting the letter of the framework. Entities that treat the five goals as an operational target are building what the framework was designed to produce.

The three gaps below live in that space between what the audit verifies and what genuine resilience requires.

Gap 1: SOC contract vs SOC coverage

What compliance looks like here

A compliant entity has a Security Operations Centre (SOC) arrangement in place. For smaller REs this means onboarding to the Market SOC operated by NSE or BSE. For mid-size and qualified entities it means an in-house SOC, a group SOC or a third-party managed SOC with a submitted SOC efficacy report. The audit verifies that the arrangement exists and that the efficacy report has been filed.

What resilience looks like here

A resilient SOC is not measured by the contract or the report. It is measured by what it actually ingests. If your SIEM is not receiving identity logs, privileged account activity and application-layer events from your critical systems, you have a monitoring gap that will not surface in a standard audit. A SOC agreement is auditable. What that SOC sees on a given Tuesday at 2am is not.

The test of SOC coverage depth is operational, not documentary: can your SOC detect lateral movement across your critical trading systems within a timeframe that allows a meaningful response? If you cannot answer that with evidence, the compliance box is ticked and the resilience gap is open.

Entities building genuine SOC depth go beyond onboarding – they verify log sources, test detection rules against their own environment and measure mean time to detect against their critical system inventory.
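The log-source verification and mean-time-to-detect measurement described above, as an added example that is not part of the original post or CyberNX's tooling: it takes a constructed critical-system inventory and an assumed SIEM "last event seen" view, reports per system which of the identity, privileged and application sources are missing or have gone silent, and computes MTTD over constructed drill timestamps. The system names, timestamps and the 24-hour silence threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the critical system inventory
# and which log sources the SIEM has actually received from each system.
REQUIRED_SOURCES = ("application", "identity", "privileged")
CRITICAL_SYSTEMS = ["oms-prod", "rms-prod", "settlement-db"]

# Assumed SIEM "last event seen" view: (system, source type, ISO timestamp).
SIEM_LAST_SEEN = [
    ("oms-prod", "identity", "2025-06-10T01:55:00"),
    ("oms-prod", "privileged", "2025-06-10T01:58:00"),
    ("oms-prod", "application", "2025-06-10T01:59:00"),
    ("rms-prod", "identity", "2025-06-10T01:50:00"),
    ("rms-prod", "application", "2025-06-08T23:00:00"),  # gone quiet more than 24h ago
    # settlement-db is inside the SOC contract's scope but has never sent a log.
]

def coverage_gaps(now_iso, inventory, last_seen, max_silence=timedelta(hours=24)):
    """Return {system: [problem, ...]} for required sources that are missing or stale."""
    now = datetime.fromisoformat(now_iso)
    seen = {}
    for system, source, ts in last_seen:
        seen.setdefault(system, {})[source] = datetime.fromisoformat(ts)
    gaps = {}
    for system in inventory:
        problems = []
        for source in REQUIRED_SOURCES:
            ts = seen.get(system, {}).get(source)
            if ts is None:
                problems.append(f"{source} (never ingested)")
            elif now - ts > max_silence:
                problems.append(f"{source} (silent {(now - ts).days}d)")
        if problems:
            gaps[system] = problems
    return gaps

def mean_time_to_detect(incidents):
    """Mean minutes from occurrence to detection over (occurred, detected) ISO pairs."""
    delays = [(datetime.fromisoformat(d) - datetime.fromisoformat(o)).total_seconds() / 60
              for o, d in incidents]
    return sum(delays) / len(delays) if delays else None
# Constructed drill results: when simulated activity started vs. when the SOC raised it.
DRILLS = [("2025-06-01T10:00:00", "2025-06-01T10:45:00"),
          ("2025-06-03T14:00:00", "2025-06-03T16:30:00")]

if __name__ == "__main__":
    for system, problems in coverage_gaps("2025-06-10T02:00:00", CRITICAL_SYSTEMS, SIEM_LAST_SEEN).items():
        print(f"{system}: {', '.join(problems)}")
    print(f"MTTD over drills: {mean_time_to_detect(DRILLS):.0f} min")
```

In practice the inventory and last-seen view would be pulled from the CMDB and the SIEM's source health API rather than hard-coded, and the check would run on a schedule so silent sources are noticed before the next audit.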

Gap 2: VAPT as a report vs VAPT as security intelligence

What compliance looks like here

A compliant entity conducts Vulnerability Assessment and Penetration Testing (VAPT) at the cadence the CSCRF requires: periodically and after major releases. The report is submitted. High-severity findings are logged. The audit verifies that VAPT was conducted and that the report format is correct.

What resilience looks like here

The VAPT report is not the outcome. The closure discipline is.

The CSCRF sets specific remediation SLAs for findings by severity. The most common failure is not in conducting VAPT but in the follow-through. High-severity findings get logged and then live in a tracker while patch cycles, change management approvals and vendor timelines extend the exposure window. When the same finding appears in consecutive VAPT cycles, it is a compliance issue. It is also a signal that the finding has been managed as a compliance track rather than as a security risk.

Resilient entities use VAPT outputs differently. Findings feed directly into change management, patch prioritisation and architecture decisions. Repeat findings trigger a process review, not just a remediation ticket. Red teaming – mandatory for MIIs and Qualified REs under CSCRF – validates whether the controls that VAPT identified as gaps have been closed under adversarial conditions.
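A closure-discipline check over a VAPT tracker, added here as an example and not CyberNX's or SEBI's own tooling: it flags findings that were closed late or are still open beyond their SLA, and lists finding keys that recur in consecutive cycles. The per-severity SLA days, the finding keys and the dates are constructed placeholders; the CSCRF's actual SLA values are not reproduced here.

```python
from datetime import date

# Assumed remediation SLAs in days by severity. The CSCRF sets its own
# per-severity timelines; these numbers are placeholders, not the framework's.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
TODAY = date(2025, 11, 1)  # assumed assessment date for still-open findings

# Constructed tracker rows over two consecutive half-yearly cycles.
FINDINGS = [
    {"cycle": "2025-H1", "key": "oms-prod:legacy-tls-enabled", "severity": "high",
     "opened": date(2025, 3, 1), "closed": date(2025, 3, 20)},
    {"cycle": "2025-H1", "key": "rms-prod:privileged-account-no-mfa", "severity": "critical",
     "opened": date(2025, 3, 1), "closed": None},
    {"cycle": "2025-H2", "key": "rms-prod:privileged-account-no-mfa", "severity": "critical",
     "opened": date(2025, 9, 1), "closed": None},
    {"cycle": "2025-H2", "key": "settlement-db:unpatched-middleware", "severity": "high",
     "opened": date(2025, 9, 1), "closed": date(2025, 10, 25)},
]

def sla_breaches(findings, today=TODAY, sla=SLA_DAYS):
    """(cycle, key, days over SLA, still_open) for findings closed late or overdue."""
    breaches = []
    for f in findings:
        end = f["closed"] or today  # an open finding keeps accruing exposure
        over = (end - f["opened"]).days - sla[f["severity"]]
        if over > 0:
            breaches.append((f["cycle"], f["key"], over, f["closed"] is None))
    return breaches

def repeat_findings(findings):
    """Keys present in two consecutive cycles: a process review signal, not just a ticket."""
    cycles = sorted({f["cycle"] for f in findings})
    by_cycle = {c: {f["key"] for f in findings if f["cycle"] == c} for c in cycles}
    repeats = set()
    for prev, cur in zip(cycles, cycles[1:]):
        repeats |= by_cycle[prev] & by_cycle[cur]
    return sorted(repeats)

if __name__ == "__main__":
    for cycle, key, over, still_open in sla_breaches(FINDINGS):
        state = "OPEN" if still_open else "closed late"
        print(f"{cycle} {key}: {over}d over SLA ({state})")
    print("repeat findings:", repeat_findings(FINDINGS))
```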

Gap 3: Incident response as a document vs incident response as a tested capability

What compliance looks like here

A compliant entity has a documented incident response plan, approved by the IT Committee and tested through an annual tabletop exercise. The audit verifies the plan exists and the exercise was conducted.

What resilience looks like here

SEBI requires regulated entities to report cyber incidents within six hours of detection. That six-hour window is the real test of incident response capability – and it runs simultaneously with the scramble to understand what happened.

A documented IR plan describes what your organisation intends to do. The tabletop exercise tests whether your team can follow those steps in a structured discussion. Neither replicates the pressure of a live incident where the scope is unclear, systems may be unavailable and the SEBI reporting clock has already started.

The gap between a compliant IR plan and a resilient IR capability is the gap between rehearsed steps and tested muscle memory. Resilient entities run scenario-based drills that simulate real incident conditions – incomplete information, live system constraints, communication pressure across the CISO, the IT Committee and the board. The CSCRF explicitly references scenario-based cyber resilience testing in its annexures. Most entities treat this as an optional enhancement. Under genuine resilience standards it is the only test that matters.

For a detailed breakdown of what cyber auditors verify in the incident response domain, our cyber audit guide under SEBI CSCRF covers the scope and evidence expectations in full.

How the Cyber Capability Index surfaces all three gaps

The Cyber Capability Index (CCI) is the measurement instrument SEBI built precisely for this purpose. Its 23 weighted parameters assess cybersecurity maturity across governance and operational domains, with ratings that run from Fail through Bare Minimum to Exceptional.

Each of the three gaps above has a direct CCI dimension. SOC coverage depth, VAPT closure discipline and IR testing cadence all map to specific CCI parameters. Qualified REs self-assess annually against these parameters. MIIs undergo third-party assessment every six months.

An entity that passes its audit but scores at the lower end of the CCI range has a visible, measurable resilience gap – not a compliance gap. The CCI exists to make that distinction legible and to give entities a structured path toward the Exceptional end of the scale.

For a detailed breakdown of how CCI parameters map to operational controls, our CCI implementation guide covers the full 23-parameter structure and the automation approach we use with regulated entities.

CyberNX is a CERT-In empanelled cybersecurity firm with end-to-end capability across the full CSCRF obligation set, from audit readiness and SOC operations to red teaming, VAPT and vCISO support. If your organisation has passed its first CSCRF audit and is now asking what genuine resilience looks like, connect with our SEBI CSCRF consulting team.

Cyber-resilience beyond compliance FAQs

Does passing the SEBI CSCRF audit mean an entity is cyber-resilient?

Passing the audit confirms that mandatory controls have been implemented and evidence has been submitted as required. It does not validate that those controls perform under real conditions. The CSCRF’s five resilience goals – Anticipate, Withstand, Contain, Recover, Evolve – describe a target state that the audit alone cannot confirm. Resilience requires operational depth across SOC coverage, VAPT closure and tested incident response, not just documentation of their existence.

Which entities need to close these gaps most urgently?

Qualified REs and Mid-size REs face the most direct exposure. Qualified REs carry the full obligation set – mandatory red teaming, half-yearly VAPT cycles and CCI self-assessment – which means the gaps above have direct audit consequences in their second and third cycles. Mid-size REs have full SOC and IR obligations but typically lack the in-house capacity to verify coverage depth without external support. The gaps are present across tiers but the regulatory consequence of leaving them open is highest at the Qualified tier.

Author: Gopakumar Panicker

An accomplished security professional with extensive experience in Digital Security, Cloud Security, Cloud Architecture, Security Operations, and BFSI Compliance, Gopa has contributed to designing and strengthening enterprise-grade security environments, ensuring alignment with both technical and regulatory requirements. His work focuses on building resilient, scalable architectures and guiding organisations in elevating their operational maturity while meeting the stringent expectations of modern BFSI and cloud-driven ecosystems.
