
August 2025 SEBI CSCRF Technical Clarifications: ISO 27001, PM Revision & More

SEBI's August 2025 technical clarifications made ISO 27001 voluntary for QREs, downgraded Mobile App Security and BAS/CART to recommendatory, narrowed critical-systems scope, and introduced multi-regulator principles. Decoded.

May 6, 2026

On 28 August 2025, SEBI issued circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 — a set of "technical clarifications" to the CSCRF that walked back several mandates, introduced the Principle of Exclusivity and Equivalence for multi-regulator entities, and made a final revision to the Portfolio Manager tier table.

This circular is notable for what it removed more than what it added. ISO 27001 for QREs went from mandatory to voluntary. Mobile App Security and BAS/CART deployment became recommendatory. The critical-systems definition was narrowed. NCIIPC adoption was restricted to CII-designated entities only. And VAPT report submissions moved from full-disclosure to summary-only — a significant change for regulated entities that had been submitting raw vulnerability data.

This analysis reflects the CSCRF as it stands on 2026-05-06 — master circular read with all 6 amendments and the May 2026 AI Advisory.

ISO 27001: now voluntary for Qualified REs

Per CIR/2025/119, ISO/IEC 27001 certification moved from mandatory to recommended/encouraged for Qualified REs. It remains mandatory only for Market Infrastructure Institutions (MIIs).

This materially reduces the compliance lift for approximately half the CSCRF-regulated population. Under the original August 2024 master circular, every QRE had a one-year window to achieve ISO 27001 certification. Under the August 2025 clarification, QREs may pursue certification voluntarily. Because the CSCRF control catalogue overlaps substantially with ISO 27001 Annex A, many QREs will still find certification pragmatic: much of the evidence gathered for CSCRF compliance can be reused for the ISMS audit.

The CISO, IT Committee, and annual cyber-policy review obligations for QREs remain unchanged and binding.

Mobile App Security: downgraded to recommendatory

The CSCRF master circular required mobile application security guidelines as a mandatory control. CIR/2025/119 downgraded this to recommendatory. Regulated entities should still implement mobile app security testing and guidelines, but the obligation is no longer a compliance-submission item.

BAS / CART: IT Committee consultation

The original CSCRF language said regulated entities "shall deploy" Behaviour Analytics Systems (BAS) and Continuous Automated Red Teaming (CART). The Aug 2025 clarification softened this to: "Recommended in consultation with the IT Committee."

For REs that had already committed budget to BAS/CART deployment, this means the requirement can now be deferred or recalibrated based on the IT Committee's risk appetite — but if the IT Committee recommends deployment, it remains binding.

Critical systems definition narrowed

The master circular's paragraph (f) defined critical systems broadly: "All ancillary systems used for accessing or communicating with critical systems." CIR/2025/119 restricted this to "any other system on the same network segment" as the five explicitly named critical system categories.

The practical effect: a system that communicates with a critical system but sits on a different network segment may no longer require the full critical-system control set, which simplifies compliance for larger REs with well-segmented networks. The converse also holds: a system that never talks to a critical system but shares its segment now falls within the definition. Treat the clarification as an incentive to place critical systems on dedicated segments, and re-run the scope inventory against the new wording rather than assuming scope can only shrink.
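The following is an added example, not code from the page's author or from SEBI, showing how the change in wording moves systems in and out of scope. It assumes a constructed asset inventory in which each host carries an IPv4 address with its subnet prefix length, and it reads "same network segment" as "same IP subnet"; a real inventory may also need VLAN IDs or switch port groups, which this example does not model.

```python
"""Scope check for the narrowed CSCRF critical-systems definition.

Added example; it is not from the SEBI circular or from this page's author.
Assumptions: the inventory below is constructed, each host carries an IPv4
address with its subnet prefix length, and "same network segment" is read as
"same IP subnet". VLANs and switch port groups are not modelled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    address: str              # host address with prefix length, e.g. "10.10.1.5/24"
    critical: bool            # one of the explicitly named critical categories
    talks_to_critical: bool   # "accesses or communicates with" a critical system

    def segment(self) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
        # ip_interface keeps the host bits; .network yields the subnet itself
        return ipaddress.ip_interface(self.address).network


# Constructed sample inventory (not real infrastructure).
INVENTORY = [
    Asset("oms-core", "10.10.1.5/24", critical=True, talks_to_critical=True),
    Asset("jumphost", "10.10.1.20/24", critical=False, talks_to_critical=True),
    Asset("dns-cache", "10.10.1.53/24", critical=False, talks_to_critical=False),
    Asset("hr-portal", "10.20.5.10/24", critical=False, talks_to_critical=True),
    Asset("mktg-cms", "10.30.0.8/24", critical=False, talks_to_critical=False),
]


def scope_ancillary(inventory: list[Asset]) -> set[str]:
    """Pre-Aug-2025 reading of para (f): critical systems plus anything that
    accesses or communicates with them, wherever it sits on the network."""
    return {a.name for a in inventory if a.critical or a.talks_to_critical}


def scope_same_segment(inventory: list[Asset]) -> set[str]:
    """CIR/2025/119 reading: critical systems plus any other system on the
    same network segment as one of them."""
    critical_segments = {a.segment() for a in inventory if a.critical}
    return {a.name for a in inventory
            if a.critical or a.segment() in critical_segments}


def scope_diff(inventory: list[Asset]) -> dict[str, set[str]]:
    """Show both directions of the change: systems that leave the critical
    control set and systems that newly enter it."""
    before = scope_ancillary(inventory)
    after = scope_same_segment(inventory)
    return {
        "before": before,
        "after": after,
        "dropped": before - after,   # talk to critical systems, other segment
        "added": after - before,     # same segment, never talk to them
    }


if __name__ == "__main__":
    for key, names in scope_diff(INVENTORY).items():
        print(f"{key:>8}: {sorted(names)}")
```

On the constructed inventory, hr-portal leaves scope (it talks to the order management system but lives on another subnet) while dns-cache enters it (same subnet, no communication). That second movement is the one a scope review done "by hand" tends to miss.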

Zero Trust reframed

The master circular's "Deny by default" language was replaced with a more structured expectation: "Implement strategies/methodologies such as Zero-trust networks, segmentation, no SPOF, HA — approved by IT Committee." The substantive expectation (a Zero Trust architecture with segmentation, no single point of failure and high availability) remains, but the framing is now a set of methodologies that the IT Committee approves rather than a single blanket instruction.

NCIIPC adoption: CII-designated entities only

GV.PO Guideline 11 in the master circular referenced NCIIPC adoption as applicable to all REs. CIR/2025/119 restricted this to REs identified as Critical Information Infrastructure (CII) by NCIIPC only. If your entity has not been designated CII by NCIIPC, Guideline 11 does not apply.

VAPT / Cyber Audit: summary-only submission

The master circular required full VAPT and cyber audit reports to be submitted. CIR/2025/119 changed this to a summary only: no explicit vulnerabilities unless SEBI specifically asks. This is an important data-minimisation provision. Regulated entities are no longer required to send raw vulnerability data to the regulator, which reduces both compliance burden and exposure surface, since a full findings report held by a third party is itself a target. Retain the full report internally for remediation tracking and as audit evidence, and be ready to produce it if SEBI requests it.
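As an added example (not SEBI's template and not code from the page's author), the script below reduces a full findings export to severity counts and then checks that no finding-level value survived into the submission. The findings are constructed sample data, and the summary field names are an assumption, since the page describes "summary only" without a schema; adapt the keys to whatever format SEBI prescribes.

```python
"""Summary-only VAPT submission with a leak check.

Added example; not the page's or SEBI's own reporting template. The findings
below are constructed sample data, and the summary field names are an
assumption (the circular as described says "summary only" without a schema).
"""
from __future__ import annotations

import json
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed full findings export. This is what stays inside the organisation.
FULL_FINDINGS = [
    {"id": "F-001", "asset": "10.10.1.5", "title": "Outdated TLS configuration",
     "severity": "high", "status": "open"},
    {"id": "F-002", "asset": "10.10.1.20", "title": "Weak SSH key exchange",
     "severity": "high", "status": "closed"},
    {"id": "F-003", "asset": "portal.example.invalid", "title": "Missing rate limit on login",
     "severity": "critical", "status": "open"},
    {"id": "F-004", "asset": "10.20.5.10", "title": "Verbose server banner",
     "severity": "low", "status": "open"},
    {"id": "F-005", "asset": "10.30.0.8", "title": "Unpatched CMS plugin",
     "severity": "medium", "status": "closed"},
]


def summarise(findings: list[dict], scope_label: str, cycle: str) -> dict:
    """Reduce finding-level data to counts. Nothing asset- or finding-specific
    is copied across; only the labels the caller supplies appear verbatim."""
    by_sev: Counter[str] = Counter()
    open_by_sev: Counter[str] = Counter()
    for f in findings:
        sev = f["severity"].lower()
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r} in {f['id']}")
        by_sev[sev] += 1
        if f["status"] == "open":
            open_by_sev[sev] += 1
    total = len(findings)
    open_total = sum(open_by_sev.values())
    return {
        "scope": scope_label,
        "cycle": cycle,
        "total_findings": total,
        "by_severity": {s: by_sev[s] for s in SEVERITIES},
        "open_by_severity": {s: open_by_sev[s] for s in SEVERITIES},
        "closed_pct": round(100 * (total - open_total) / total, 1) if total else 0.0,
    }


def leaked_details(summary: dict, findings: list[dict]) -> list[str]:
    """Return 'id:field' for every finding-level value that survived into the
    serialised summary. An empty list means nothing specific leaked."""
    blob = json.dumps(summary).lower()
    return [f"{f['id']}:{key}" for f in findings
            for key in ("id", "asset", "title")
            if f.get(key) and str(f[key]).lower() in blob]


def build_submission(findings: list[dict], scope_label: str, cycle: str) -> str:
    """Produce the JSON to send; refuse to emit it if any detail leaked."""
    summary = summarise(findings, scope_label, cycle)
    leaks = leaked_details(summary, findings)
    if leaks:
        raise RuntimeError(f"summary contains finding-level detail: {leaks}")
    return json.dumps(summary, indent=2)


if __name__ == "__main__":
    print(build_submission(FULL_FINDINGS, "Internet-facing trading systems", "H1 FY2026-27"))
```

The leak check is deliberately substring-based and case-insensitive: a summary that someone later annotates with "see F-001 on 10.10.1.5" is rejected before it leaves the building, which is the failure mode a template alone does not prevent.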

Portfolio Manager: final 3-tier revision

The April 2025 amendment simplified PM classification to a single AUM threshold. The August 2025 clarification revised it again — the final state is:

Tier       | AUM (INR Cr)
Mid-size   | ≥ 10,000
Small-size | > 3,000 and < 10,000
Self-cert  | ≤ 3,000

No QRE category exists for Portfolio Managers. Self-cert PMs with <100 clients are exempt from M-SOC.

Merchant Banker: simplified to binary

Under the original master, MBs were classified in three activity-type buckets. The Aug 2025 clarification simplified this to a binary rule: active MBs → Small-size REs; inactive MBs (no merchant banking activity in the review period) → exempt from CSCRF entirely.

Principle of Exclusivity and Equivalence

CIR/2025/119 introduced two new principles for entities regulated by multiple bodies (e.g., an NBFC-cum-stock-broker regulated by both RBI and SEBI):

  • Principle of Exclusivity: CSCRF covers only SEBI-regulated activities. Shared infrastructure (e.g., a network used by both the broking and NBFC arms) is audited under SEBI only if not already covered by the primary regulator's framework.

  • Principle of Equivalence: If an equivalent control exists in the other regulator's cybersecurity framework and is already being followed, it may be deemed compliant with the corresponding CSCRF control — no duplicate audit required.

For multi-regulator entities, these two principles materially reduce the compliance overhead. Document the equivalence mapping; the IT Committee should ratify it.

Data Localisation: still in abeyance

Data Localisation (PR.DS.S2) was put in abeyance by the December 2024 circular (CIR/2024/184). The August 2025 clarification did not lift the abeyance. As of 2026-05-06, Data Localisation remains a non-current obligation. Do not cite it as a compliance item in FY 2026-27.

Where this goes beyond the prior state

Item                    | Before Aug 2025                 | After Aug 2025
ISO 27001 for QREs      | Mandatory                       | Recommended
Mobile App Security     | Mandatory                       | Recommendatory
BAS / CART              | "Shall deploy"                  | IT Committee consultation
Critical systems scope  | "All ancillary systems"         | "Same network segment"
NCIIPC adoption         | All REs                         | CII-designated only
VAPT report submission  | Full report                     | Summary only
PM tier model           | Single AUM threshold (Apr 2025) | 3-tier AUM (₹10,000 Cr Mid-size threshold)
Merchant Banker         | 3 activity buckets              | Active = Small-size, Inactive = exempt
Multi-regulator         | Not addressed                   | Exclusivity + Equivalence principles

A pragmatic roadmap

  1. QREs: reassess ISO 27001. It's now voluntary, but the CSCRF control catalogue overlaps heavily with Annex A. If you are pursuing ISO 27001 for commercial reasons (e.g., SOC 2 bridge, customer DPAs), continue. If not, you can redirect budget.

  2. Switch VAPT reports to summary-only. Update your engagement scopes and auditor reporting templates. Full findings stay within your organisation.

  3. Multi-regulator entities: document equivalence. Map your other regulator's control framework to CSCRF. Have the IT Committee ratify the mapping. This is audit evidence.

  4. Portfolio Managers: reclassify. The Aug 2025 thresholds are the final, binding model. If you classified using the Apr 2025 thresholds (which had a ₹3,000 Cr Mid-size entry point), re-run the classification. Our SEBI Compliance Wizard handles this automatically — the current thresholds are baked in.

  5. Do not build a Data Localisation programme. PR.DS.S2 remains in abeyance. Budget and plan around it, but do not implement it as a current compliance item.

  6. Merchant Bankers: confirm activity status. If you are an inactive MB, you are exempt from CSCRF entirely — no submission required. Document the inactivity for audit trail.

How Security Brigade helps

We have been CERT-In empanelled since 2008, have delivered 6,700+ assessments, and help REs navigate CSCRF amendments as they land. Our SEBI Compliance Wizard is current as of 2026-05-06 — all entity types, tier thresholds, cadences, and exemptions reflect the Aug 2025 clarifications. Run it in 8–10 questions and get a deep-linkable readiness report you can share with your IT Committee.

FAQ

Is ISO 27001 still worth pursuing for QREs?

It depends. If you need ISO 27001 for SOC 2 bridge, customer DPAs, or commercial credibility, it's still valuable. The CSCRF control catalogue also overlaps with Annex A — pursuing certification can satisfy both requirements simultaneously. But the regulatory mandate is gone.

Do I still need to submit full VAPT reports?

No. Per CIR/2025/119, submit a summary only. Do not submit explicit vulnerability data unless SEBI specifically asks for it. Update your auditor engagement scopes accordingly.

What happens to Data Localisation?

It remains in abeyance (since Dec 2024). SEBI has not lifted the abeyance. Do not budget for it as a current compliance obligation — but retain awareness; it could be reinstated with a future circular.

How do the Exclusivity and Equivalence principles work in practice?

Document which of your business arms are regulated by which body. Map the other regulator's cybersecurity controls to CSCRF. If a control is substantively equivalent, submit the mapping to your IT Committee for ratification — this becomes your audit evidence.

Content current as of 2026-05-06. Source: docs/SEBI-CSCRF-FACTCHECK-2026-05-06.md. Verify any specific obligation against the latest SEBI circular before action — this analysis is informational and not legal advice.

About the authors

Founder & Chief Technology Officer

Founded Security Brigade in 2006 with the thesis that security assessment quality should be structural, not dependent on individual testers. 16+ years building platforms, teams, and methodologies that make enterprise security consistent.


Offensive Security Research · Security Brigade

A rotating byline for collaborative analysis pieces from Security Brigade's offensive security and threat-research practice.