CSCRF + AI advisory crosswalk.
Every Annexure-A directive mapped to its CSCRF control domain. Each row tagged "net-new," "extends," or "amplifies" so you know whether to build something fresh or update existing evidence. Designed for the audit trail, not the marketing deck.
Summary view
10 directives. 3 categories of work.
- Net-new (3): M-SOC onboarding (item 6c), SBOM mandate (item 9), Long-term AI plan (item 10)
- Extends CSCRF (3): AI-based VA tooling (item 2), Vendor AI-VD risk (item 3), AI threat scenarios in risk register (item 7)
- Amplifies CSCRF (4): Virtual patching (item 1), Minor-change management (item 4), API security explicit (item 5), ZTNA naming (item 8)
How to use
- For each Annexure-A item, you have an existing CSCRF control area to anchor evidence against. Use that as your audit-trail starting point.
- The "Net-new" rows are where you need fresh artefacts. Prioritise them in your gap assessment.
- The "Amplifies" rows usually need policy or evidence updates, not new programmes.
- The "Extends" rows are where you should review your existing programme and add the AI-aware overlay.
- Use the right-hand column ("Evidence impact") to scope what your IT committee will ask for.
CSCRF + SEBI AI Advisory Control Crosswalk
SEBI Circular HO/13/19/12(1)2026 (5 May 2026) · Read with the CSCRF baseline (SEBI/HO/MIRSD/TPD-1/P/CIR/2024/113)
| # | Annexure-A directive | CSCRF domain | Relation | What changes | Evidence impact |
|---|---|---|---|---|---|
| 01 | Patch management + virtual patching | Endpoint Security | amplifies | CSCRF already mandates patch management. The advisory adds explicit endorsement of virtual patching as an interim control where vendor patches are unavailable, because AI-driven attackers are compressing the disclosure-to-exploitation window. | Add a virtual-patch register to your existing patch-management evidence. Each entry needs a CVE reference, the control mechanism, and retirement criteria. |
| 02 | VA using conventional + AI-based tools | Application Security · VAPT | extends | CSCRF mandates VAPT cadence (annual for MIIs, half-yearly for QREs, change-driven for all REs). The advisory extends this with explicit endorsement of AI-based VA tools "where possible." VAPT cadence does not change; AI tooling becomes an evaluation requirement. | Add an AI VA tooling evaluation memo to your VAPT documentation. If AI tools are rejected, document the rationale; if accepted, document the evaluation criteria. |
| 03 | Third-party + COTS vendor risk assessment | Vendor / Third-Party Risk | extends | CSCRF requires periodic third-party risk assessment. The advisory specifically requires Exchanges and Depositories to direct empaneled COTS vendors to assess AI-led VD risks — a "shall direct" obligation that flows down the supply chain. | Vendor-management programme must add an AI-VD risk assessment row to vendor scorecards. For Exchanges and Depositories: documented vendor-direction trail. |
| 04 | Change management for all changes | Application Security · SDLC | amplifies | CSCRF requires change management for material changes. The advisory amplifies scope to include minor changes — "(including minor changes) should encompass full documentation, thorough impact analysis, structured review, rigorous testing and secure deployment." | Change-management policy must be revised to make minor-change documentation mandatory, not optional. CAB review of the last 30 days' minor changes as compliance evidence. |
| 05 | API security (inventory, authN/Z, rate-limit, whitelist) | Application Security · API | amplifies | CSCRF references API security at a high level. The advisory adds four specific sub-items: inventory, strong authN/Z + least privilege, rate limiting + throttling, whitelist-based connections. None are net-new concepts, but the explicit enumeration creates audit evidence demand. | API security programme must produce: API inventory artefact, authZ policy doc, rate-limit configuration export, whitelist register. Most REs have these implicitly; explicit documentation is needed. |
| 06 | SOC monitoring + SOAR/SIEM + M-SOC onboarding | Security Operations · Monitoring | net-new | CSCRF requires SOC for MIIs and QSBs. The advisory adds: (a) explicit SOAR + SIEM integration expectation, (b) "shall expedite" M-SOC onboarding for all eligible REs not yet onboarded, (c) MII obligation to run member-onboarding workshops. (b) and (c) are net-new. | M-SOC eligibility determination, onboarding plan, and (for MIIs) member-engagement programme become required evidence. SOAR playbook documentation needed if not already present. |
| 07 | Risk assessment with AI-based threat scenarios | Governance · Risk Management | extends | CSCRF mandates periodic risk assessment with scenario-based testing. The advisory extends scope: "the capability of AI based models may also be considered as one of the risk scenarios." Permissive language ("may"), but the audit expectation is clear. | Risk register must add AI-attacker scenarios. Recalibrate likelihood scores on existing entries where AI capability changes the threat (credential stuffing, API enumeration, business-logic abuse). |
| 08 | System hardening + ZTNA | Network Security · Endpoint Security | amplifies | CSCRF mandates secure configuration + least privilege. The advisory specifically names Zero Trust Network Access (ZTNA) — the first explicit naming in SEBI cybersecurity guidance. Most REs have ZTNA roadmaps; the advisory makes them programme commitments. | ZTNA architecture document and deployment roadmap become required evidence. A CIS-benchmark drift report adds audit value. |
| 09 | Asset inventory + Software Bill of Materials | Asset Management | net-new | CSCRF requires asset inventory. SBOM is net-new in Indian sectoral regulation — the first SEBI mandate for SBOM "for all critical applications including open source stack." This creates a tooling and process obligation most REs have not yet operationalised. | SBOM artefacts (CycloneDX or SPDX format) for every critical application. SCA tool integration. SBOM refresh cadence aligned to release cadence. |
| 10 | IT-committee guidance + long-term AI plan | Governance · Cyber Strategy | net-new | CSCRF requires board-approved cyber policy + IT/CSC committee. The advisory adds: (a) "shall seek guidance from IT committees" on AI-VD risk (binding consultation), (b) "need to prepare a long-term plan" for AI in detection and autonomous/agentic mitigation (directory deliverable). (a) is binding; (b) is the most strategic obligation in the entire advisory. | IT-committee minutes recording the consultation. Long-term AI plan as a ratified document. Annual revision cadence. |
Need this crosswalk applied to your control matrix?
Two-week scoped engagement: we map your existing CSCRF evidence onto the advisory directives, identify gaps, and produce an IT-committee evidence pack. Pricing on request.