SEBI AI Advisory self-assessment checklist
43 prompts mapped to all 10 Annexure-A directives, in RAG-status format and pre-formatted for IT-committee submission. Use it as a working tool: fill in the evidence column, decide your colour for each prompt, and take it to your committee meeting.
How to use this checklist
A working tool, not a marketing artefact.
- Print it (or "Save as PDF" via your browser's print dialog) so your team can mark it up.
- For each prompt, pick a status: GREEN (evidenced + current), AMBER (in flight or partial), RED (gap), or N/A.
- Note your evidence in the right-hand column — document name, dashboard URL, ticket ID. The IT committee will ask.
- The note under each directive heading records the force of the advisory's wording: "shall" (binding), "should" (directional), or permissive language such as "can be considered" / "may also be considered". Prioritise REDs against "shall" items first.
- Take the completed checklist to your IT committee. Annexure-A item 10 explicitly requires this consultation.
SEBI AI Advisory — Annexure-A Self-Assessment Checklist
Circular HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 (5 May 2026) · 43 prompts across 10 directives · Internal use
Patch Management + Virtual Patching
Annexure-A item 1 (immediate-patch language is directive; virtual patching is permissive — "can be considered")
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 1.1 | OS-level patches applied within the SLA your patch policy states, across servers, endpoints, and infrastructure | G · A · R · N/A | Patch-management dashboard, last-30-day patch compliance %, exception register |
| 1.2 | Application-level patches (in-house + third-party) applied with documented prioritisation by exploitability + business impact | G · A · R · N/A | Patch tickets, CVSS-mapped patch matrix, dependency review |
| 1.3 | Virtual-patching mechanism in place (WAF rules, ModSecurity signatures, network ACLs, IPS rules) for vulnerabilities awaiting vendor patches | G · A · R · N/A | WAF/IPS rule export, virtual-patch register with linked CVE + retirement date |
| 1.4 | Emergency patching runbook tested in the last 12 months for an out-of-band CVE scenario | G · A · R · N/A | Tabletop exercise report, RCA from a real out-of-band patch deployment |
Vulnerability Assessment + Security Audits
Annexure-A item 2
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 2.1 | VAPT cycle running at the cadence CSCRF mandates for your RE class (annual / half-yearly / change-driven) | G · A · R · N/A | VAPT engagement letter, CERT-In empanelled auditor evidence, last-cycle report |
| 2.2 | Conventional VA tooling (signature-based scanners) deployed across in-scope estate | G · A · R · N/A | Tool inventory, scan schedule, last-30-day scan log |
| 2.3 | AI-based VA tooling evaluated for adoption ("where possible" — Annexure-A item 2) | G · A · R · N/A | Vendor evaluation memo, IT-committee sign-off if adopted, opt-out rationale if rejected |
| 2.4 | Security audits aligned to CSCRF — minimum annual, scenario-based, third-party providers in scope | G · A · R · N/A | Audit report, audit-committee minutes recording acceptance |
Third-Party + COTS Vendor Risk
Annexure-A item 3 ("shall direct")
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 3.1 | Third-party vendor inventory current — including COTS application vendors and managed-service providers | G · A · R · N/A | Vendor register with risk classification, last-review date per vendor |
| 3.2 | AI-led vulnerability-detection risk assessed for each empanelled COTS vendor (Exchanges + Depositories specifically) | G · A · R · N/A | Vendor risk assessment template completed, attestations on file |
| 3.3 | Vendor patch SLAs documented + monitored — including for AI-related risk patches | G · A · R · N/A | Vendor contract clauses, patch-SLA dashboard |
| 3.4 | Right-to-audit clause + VAPT obligation in active vendor contracts for in-scope COTS solutions | G · A · R · N/A | Contract excerpt, last vendor VAPT report |
Change Management for All Changes (Including Minor)
Annexure-A item 4
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 4.1 | Change-management policy explicitly covers minor changes — not just material ones | G · A · R · N/A | Policy document, change-classification taxonomy |
| 4.2 | Every production change has documented impact analysis + structured review evidence | G · A · R · N/A | CAB minutes, impact-analysis template completion in last 10 changes |
| 4.3 | Pre-prod regression testing for changes (including minor) wired into the SDLC | G · A · R · N/A | CI/CD pipeline config, regression-test pass logs |
| 4.4 | Post-deployment validation + rollback runbook tested | G · A · R · N/A | Last 5 changes show validation step, rollback drill in last 12 months |
API Security
Annexure-A item 5
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 5.1 | Comprehensive API inventory with refresh cycle (manual + automated discovery) | G · A · R · N/A | API gateway export, shadow-API discovery scan report, inventory currency check |
| 5.2 | Strong authentication + authorisation across all APIs — least privilege enforced | G · A · R · N/A | AuthN policy, sample API spec showing scope-based authZ, IAM review minutes |
| 5.3 | Rate limiting + throttling configured per-API, per-consumer | G · A · R · N/A | API gateway config snapshot, last 30-day abuse alerts |
| 5.4 | Allowlist-based connection model for API consumers, not blanket internet exposure | G · A · R · N/A | Network policy, allowlist export, exception register |
| 5.5 | API security testing in last VAPT cycle (OWASP API Top 10 explicit coverage) | G · A · R · N/A | VAPT scope letter mentioning API coverage, finding-class breakdown |
SOC Monitoring + SOAR/SIEM + M-SOC Onboarding
Annexure-A item 6 (6a-b are directive; 6c "shall expedite" M-SOC onboarding is binding for eligible REs; 6d MII handholding is "required"; SOAR is qualified by "wherever feasible")
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 6.1 | Day-to-day SOC monitoring covers all systems + networks; low-priority alerts examined (not just high) | G · A · R · N/A | SOC alert disposition log, sample low-priority disposition reasoning |
| 6.2 | SOAR playbooks deployed + integrated with SIEM (after thorough testing per advisory caveat) | G · A · R · N/A | Playbook inventory, integration test report, mean-time-to-respond metric |
| 6.3 | M-SOC eligibility determined for the entity | G · A · R · N/A | Determination letter or email from NSE/BSE relationship manager |
| 6.4 | M-SOC onboarding initiated (if eligible) — log-source readiness, SIEM integration plan, SOAR alignment | G · A · R · N/A | M-SOC onboarding paperwork, log-source mapping, integration milestone tracker |
| 6.5 | For MIIs: awareness + handholding programme defined to support member onboarding | G · A · R · N/A | Workshop schedule, member-engagement plan, attendance records |
Risk Assessment with AI-based Threat Scenarios
Annexure-A item 7 (CSCRF risk assessment is mandatory; AI-scenario inclusion is permissive — "may also be considered")
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 7.1 | CSCRF-mandated periodic risk assessment current (covers REs + third-party providers) | G · A · R · N/A | Risk register, last-assessment date, scope statement |
| 7.2 | Risk register includes AI-based model capability as a scenario (item 7 explicit invitation) | G · A · R · N/A | Risk register entry referencing AI-augmented attacker scenarios |
| 7.3 | Scenario-based testing covers both internal + external risks in the RE's IT environment | G · A · R · N/A | Scenario library, last red-team / tabletop scenario-coverage matrix |
| 7.4 | Risk-acceptance authority + cadence for review documented | G · A · R · N/A | Risk-committee charter, accepted-risk register with review dates |
System Hardening + ZTNA
Annexure-A item 8
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 8.1 | Secure-configuration baselines (CIS benchmarks or equivalent) applied + monitored | G · A · R · N/A | Baseline policy, drift-detection report |
| 8.2 | Unnecessary services + default accounts disabled | G · A · R · N/A | Hardening attestation, last hardening-scan output |
| 8.3 | Least-privilege enforced across IAM (employees + service accounts) | G · A · R · N/A | Privileged-access review, JML process, last access-recertification cycle |
| 8.4 | Zero Trust Network Access (ZTNA) implemented or roadmapped with target dates | G · A · R · N/A | ZTNA architecture document, deployment roadmap, milestone tracker |
Asset Inventory + SBOM
Annexure-A item 9
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 9.1 | Asset inventory current — covers servers, endpoints, network devices, cloud workloads, applications | G · A · R · N/A | CMDB export, last reconciliation date, ownership-completeness % |
| 9.2 | Software Bill of Materials (SBOM) generated for all critical applications — including open-source stack | G · A · R · N/A | SBOM artifact (CycloneDX or SPDX format), generation cadence |
| 9.3 | SBOM-driven CVE mapping + alerting wired to security operations | G · A · R · N/A | SCA tool integration, last 30-day SBOM-driven alerts |
| 9.4 | SBOM refresh cadence aligned to release cadence (every release minimum) | G · A · R · N/A | SBOM versioning policy, sample SBOMs across last 3 releases |
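What 9.3 asks for in working form, as an added example that is not part of the checklist, the advisory, or any vendor's tooling: parse a CycloneDX SBOM, join each component to an advisory feed by package URL (purl) plus affected version range, and emit one JSON alert line per finding for the SIEM. The SBOM, the package names, the versions and the advisory IDs (ADV-0001 and so on) are constructed placeholders and describe no real vulnerability; real feeds such as OSV and vendor advisories are keyed the same way. It also handles the two edge cases a scanner most often gets wrong: a component with no version recorded is reported as UNKNOWN rather than silently passed, and an advisory with no upstream fix is routed to the virtual-patch queue of item 1.3.

```python
"""SBOM-driven CVE mapping (checklist item 9.3): constructed, self-contained example."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.4 document, shaped like an SCA tool's JSON output.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "order-gateway", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libparse", "version": "1.4.2",
         "purl": "pkg:pypi/libparse@1.4.2"},
        {"type": "library", "name": "netfmt", "version": "0.9.0",
         "purl": "pkg:pypi/netfmt@0.9.0"},
        {"type": "library", "name": "auth-core", "version": "2.1.0",
         "purl": "pkg:maven/example/auth-core@2.1.0?type=jar"},
        # No version recorded: must surface as a finding, never pass silently.
        {"type": "library", "name": "legacy-util", "purl": "pkg:pypi/legacy-util"},
    ],
}

# Constructed advisory feed with placeholder IDs. OSV range convention:
# affected when introduced <= version < fixed; fixed=None means no fix exists yet.
FEED = [
    {"id": "ADV-0001", "purl": "pkg:pypi/libparse",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "HIGH"},
    {"id": "ADV-0002", "purl": "pkg:pypi/netfmt",
     "introduced": "0.8.0", "fixed": "0.9.0", "severity": "MEDIUM"},
    {"id": "ADV-0003", "purl": "pkg:maven/example/auth-core",
     "introduced": "2.0.0", "fixed": None, "severity": "CRITICAL"},
    {"id": "ADV-0004", "purl": "pkg:pypi/legacy-util",
     "introduced": "0", "fixed": "2.0.0", "severity": "LOW"},
]


@dataclass(frozen=True)
class Component:
    name: str
    purl: str                # purl with version and qualifiers stripped
    version: Optional[str]


def strip_purl(purl: str) -> str:
    """Reduce 'pkg:type/ns/name@ver?qualifiers#subpath' to 'pkg:type/ns/name'."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: numeric parts compare as integers (so
    1.10.0 > 1.9.0); non-numeric parts such as rc1 compare as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", version))


def is_affected(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    v = version_key(version)
    if introduced and v < version_key(introduced):
        return False
    if fixed and v >= version_key(fixed):
        return False
    return True


def parse_cyclonedx(sbom: dict) -> list:
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue  # no purl means no reliable join key; report these separately
        version = c.get("version")
        if version is None:  # fall back to the version embedded in the purl, if any
            base = purl.split("?", 1)[0]
            version = base.rsplit("@", 1)[1] if "@" in base else None
        components.append(Component(c.get("name", ""), strip_purl(purl), version))
    return components


def match_findings(components: list, feed: list) -> list:
    """Join components to advisories by purl and decide a status and action per pair."""
    by_purl = {}
    for adv in feed:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in components:
        for adv in by_purl.get(comp.purl, []):
            if comp.version is None:
                status, action = "UNKNOWN", "verify-version"
            elif is_affected(comp.version, adv.get("introduced"), adv.get("fixed")):
                status = "AFFECTED"
                # No upstream fix yet: candidate for a virtual patch (item 1.3).
                action = "upgrade" if adv.get("fixed") else "virtual-patch"
            else:
                continue
            findings.append({"component": comp.purl, "version": comp.version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "status": status, "fixed_in": adv.get("fixed"),
                             "action": action})
    return findings


def to_alert_lines(findings: list, sbom: dict) -> list:
    """One JSON line per finding, tagged with the application the SBOM describes."""
    app = sbom.get("metadata", {}).get("component", {})
    return [json.dumps({"app": app.get("name"), "app_version": app.get("version"), **f},
                       sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_alert_lines(match_findings(parse_cyclonedx(SBOM), FEED), SBOM):
        print(line)
```

Run as-is it prints three alert lines: libparse (fix available, action upgrade), auth-core (no fix, action virtual-patch) and legacy-util (no version, action verify-version); netfmt 0.9.0 is correctly cleared because the fixed version is exclusive. The `version_key` comparison is deliberately simple; for production use a proper version parser for each ecosystem, since Maven, npm and PyPI do not agree on pre-release ordering.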
IT-Committee Guidance + Long-term AI Plan
Annexure-A item 10 (mixed: "shall seek" IT-committee guidance is binding; "need to prepare" the long-term AI plan is directory, so the RE owns ratification)
| # | Prompt | Status | Evidence needed |
|---|---|---|---|
| 10.1 | IT committee formally consulted on AI-led vulnerability-detection risk mitigation ("shall seek guidance" — binding) | G · A · R · N/A | IT-committee minutes referencing the May 2026 advisory |
| 10.2 | Long-term AI plan drafted ("need to prepare" — directory) covering detection + autonomous/agentic mitigation | G · A · R · N/A | Plan document, IT-committee ratification minutes |
| 10.3 | Risk register recalibrated for AI-accelerated threats (speed-and-scale exploitation + agentic chain abuse) | G · A · R · N/A | Updated risk register, recalibration memo |
| 10.4 | AI-augmented SOC transformation roadmap defined (alert triage, threat-intel enrichment, automated containment) | G · A · R · N/A | Roadmap document, vendor-evaluation memos if applicable |
| 10.5 | Continuous vulnerability management programme using AI tools (per item 10 explicit mention) | G · A · R · N/A | Programme charter, tool-stack list, KPI definitions |
Most REDs cluster around items 6 and 10.
If you've filled this in honestly, you probably have gaps on M-SOC onboarding (item 6c) and the long-term AI plan (item 10). Both are 90-day fixes. We can help: fixed-scope, with no commitment to the full engagement cycle.