SEBI CSCRF defines six security functions: Governance, Identify, Protect, Detect, Respond and Recover. Listing governance first is deliberate: you cannot secure what has no clear owner, you cannot respond to incidents without defined authority, and you cannot meet SEBI’s audit expectations if the accountability structure above the technical layer is informal or absent. The governance function is the foundation on which every control downstream depends.
This article maps how governance works under SEBI CSCRF: the three-layer accountability chain, the mandatory policies it produces, how obligations vary by RE category and what board-level oversight looks like in practice.
What the governance pillar covers under CSCRF
The CSCRF governance function is not limited to drafting a cybersecurity policy. It defines the entire accountability architecture for managing cybersecurity risk across your organisation. The governance pillar covers:
- Accountability structure: who owns cybersecurity risk at each organisational level
- Policy framework: the mandatory documents that set expected behaviour
- CISO designation: the role, seniority and reporting line required by category
- IT Committee mandate: oversight, review and board escalation responsibilities
- Board approval and review cycles: what the board signs off on and how often
Without a functioning governance layer, every downstream control is unanchored. That is the lens SEBI auditors apply when reviewing the governance pillar.
The three-layer accountability structure
CSCRF distributes cybersecurity accountability across three layers. Each has defined responsibilities. Each produces outputs that feed upward. Understanding this chain is the starting point for building a governance structure that holds under audit.
Layer 1: the board
The board sits at the top of the accountability chain. Under the CSCRF, the board is responsible for approving the cybersecurity policy, receiving regular updates on the organisation’s cyber posture and treating cybersecurity as a strategic business risk.
For all REs above the Self-Certification category, SEBI requires a Technology Committee at board level with cybersecurity as a standing agenda item. The board must also approve the cyber crisis management plan. These are governance artefacts the audit will sample.
Layer 2: the IT Committee
The IT Committee sits between the board and the CISO. For MIIs, Qualified REs and Mid-size REs, constituting an IT Committee is mandatory under CSCRF. The committee must include at least one external independent cybersecurity expert.
The committee’s defined role is to review cybersecurity policies, examine incident reports, monitor CSCRF compliance and make formal recommendations to the board. Its meeting records form part of the audit evidence trail.
For smaller REs where an IT Committee is not mandated, the board itself, through the MD, CEO, Board member, Partner or Proprietor, absorbs this review and approval function directly.
Layer 3: the CISO or Designated Officer
The CISO is the operational anchor of the governance structure. For MIIs and Qualified REs, CSCRF requires the CISO to hold a seniority level at least equivalent to the CTO or CIO. The reporting line must run to the MD/CEO or to an Executive Director in charge of the Risk function – the SEBI FAQs issued on June 11, 2025 confirm both arrangements are compliant.
For Mid-size, Small-size and Self-Certification REs, a designated officer who performs CISO-equivalent responsibilities is required. A remote CISO arrangement is permitted, but the individual must be dedicated exclusively to one organisation and cannot manage more than one simultaneously. Part-time CISO arrangements are not permitted. A group-level CISO can serve multiple entities within the same corporate group.
How governance obligations vary by RE category
CSCRF is graded: governance requirements scale with the size and systemic exposure of the entity. Your category is determined at the start of each financial year based on prior-year data.
| RE Category | IT Committee | CISO Requirement | Policy Approval Authority |
|---|---|---|---|
| MIIs | Mandatory; external expert required | Mandatory; CTO/CIO equivalent; direct MD/CEO reporting | Board |
| Qualified REs | Mandatory; external expert required | Mandatory; CTO/CIO equivalent; direct MD/CEO reporting | Board |
| Mid-size REs | Mandatory; external expert required | CISO function required; vCISO permitted | Board or IT Committee |
| Small-size REs | Not mandatory | Designated Officer required | MD/CEO/Board Member/Partner/Proprietor |
| Self-Certification REs | Not mandatory | Designated Officer required | MD/CEO/Board Member/Partner/Proprietor |
Getting your category right matters not only for the technical controls that apply but for knowing precisely which governance obligations apply to your entity.
The two policy documents CSCRF mandates
CSCRF requires two distinct policy documents. Conflating them into one is a gap that surfaces at audit.
The cybersecurity policy
Every RE must maintain a board-approved cybersecurity policy. For MIIs and Qualified REs, this is a comprehensive document covering governance roles, access controls, data handling, vendor management, incident response and audit expectations. For Self-Certification and Small-size REs, a basic policy addressing essential areas is required.
All RE categories must review the policy annually. Mid-size REs must also formally update it each year to reflect changes in threats, systems and regulatory requirements.
For a detailed guide on designing the policy itself (what it must contain and how to structure it for your RE category), read our blog on designing a board-approved cybersecurity policy for SEBI CSCRF.
The cybersecurity risk management policy
Separate from the cybersecurity policy, CSCRF mandates a cybersecurity risk management policy. This document identifies major risks, defines risk scoring methods, assigns ownership, sets mitigation timelines and supports board-level visibility into the organisation’s risk exposure.
The risk management policy requires annual review across all RE categories. Auditors check for both documents. A single document that conflates policy and risk management functions is likely to be flagged.
What board-level oversight requires
Governance under CSCRF is not satisfied by approving a policy document once a year. SEBI expects ongoing, evidenced oversight. The audit scope for the governance pillar includes:
- Board meeting minutes showing cybersecurity discussed as a standing agenda item
- Documented CISO reporting records to the MD/CEO
- IT Committee meeting records with attendance and formal recommendations
- Annual policy review and update evidence
- Risk appetite statements approved at board level
- Cyber crisis management plan with board sign-off
- Cyber Capability Index (CCI) scores for MIIs and Qualified REs submitted periodically to SEBI
The CCI deserves specific attention. It is SEBI’s instrument for MIIs and Qualified REs to measure and report cybersecurity maturity over time. Governance controls are a scored component of the CCI. A board that receives CCI reports, interrogates them and acts on findings is demonstrating active oversight, which is precisely what the framework expects.
Conclusion
Governance under SEBI CSCRF is a structured accountability system. The board sets direction and approves policy. The IT Committee reviews, challenges and escalates. The CISO executes and reports upward. Each layer produces evidence that SEBI auditors will examine.
Getting this structure right from the start reduces audit exposure, distributes accountability clearly and builds the foundation that every other CSCRF control depends on.
If you need support designing your governance structure, appointing a qualified CISO function or preparing your board for CSCRF audit readiness, our team at CyberNX works directly with regulated entities across India. Reach out to our SEBI CSCRF consulting team to get started.
FAQs: role of governance, policies and board-level oversight under SEBI CSCRF
What is the CISO’s mandatory reporting line under SEBI CSCRF?
For MIIs and Qualified REs, the CISO must report directly to the MD or CEO. The SEBI FAQs issued in June 2025 confirmed this requirement applies even where an organisation’s structure typically routes cybersecurity through an Executive Director in charge of the Risk function. The direct reporting line is non-negotiable for these categories.
Is an IT Committee mandatory for all regulated entities?
No. An IT Committee is mandatory for MIIs, Qualified REs and Mid-size REs. For Small-size and Self-Certification REs, an IT Committee is not required. In those cases, the MD, CEO, Board member, Partner or Proprietor takes on the approval and oversight responsibilities directly.
Are the cybersecurity policy and the risk management policy the same document?
No. CSCRF treats them as separate requirements. The cybersecurity policy covers governance roles, access, data handling, vendor management and incident response. The risk management policy documents risk identification, scoring, ownership and mitigation timelines. Both require annual review. Both are checked at audit.