SEBI CSCRF: Who should do ISO 27001 Certification & Compliance?

ISO 27001:2022 compliance is required under SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), but it is not mandated universally for all types of REs (Regulated Entities). Instead, the requirement depends on the RE’s size and impact level:

  1. Qualified REs and MIIs: ISO 27001 certification is mandatory for Market Infrastructure Institutions (MIIs) and Qualified REs, which carry higher cybersecurity responsibilities because of their systemic importance.
  2. Other REs (Mid-size and Small-size): While not strictly required to be ISO 27001 certified, mid-size REs are encouraged to follow ISO 27001 best practices. They are required to comply with certain CSCRF guidelines derived from ISO standards.
  3. Exemptions for Small-size and Self-certification REs: Small-size REs and self-certifying entities have reduced compliance obligations under CSCRF and are not mandated to adhere to ISO 27001, although SEBI recommends adopting basic security measures aligned with ISO standards where feasible.

However, as mentioned, SEBI encourages Other REs to incorporate best practices from standards such as ISO 27001 and ISO 27002 into their cybersecurity measures. Adopting these standards is suggested as a way to strengthen the information security management system (ISMS) and ensure a proactive approach to cybersecurity, even though ISO 27001 certification itself is mandatory only for MIIs and Qualified REs.

While we will discuss ISO 27001 and the SEBI guidelines in the next blog, here is a short checklist of the specific CSCRF requirements that apply to Other REs:

  1. Cybersecurity Policy Reviews – Conducted annually.
  2. Risk Management Policies – Annual risk assessments are mandatory for Other REs as well, although their scope may differ from that of larger entities.
  3. Periodic Audits – Even without mandatory ISO certification, Other REs are expected to undergo regular cybersecurity audits and submit reports as per CSCRF guidelines.
  4. Best Practice Adoption – Adopting international standards, including parts of ISO 27001, is encouraged to maintain cybersecurity resilience.

We at AmbiSure are helping organizations align with ISO 27001 (for MIIs and Qualified REs) or with the CSCRF checklist (for Other REs) to strengthen their security posture and meet SEBI’s resilience objectives.

In line with SEBI’s strong recommendation to implement security practices consistent with ISO 27001, our expert team can help you, especially in areas such as risk management, incident response, and data protection, to maintain baseline security and resilience across the financial sector.