SEBI CSCRF: computing your Cyber Capability Index before the auditor does
All 23 weighted parameters explained, with the evidence each demands.
12 May 2026 · 12 min read · Dataspace Research
The Cyber Capability Index is where SEBI's CSCRF stops being a policy document and becomes arithmetic. Qualified REs must compute it; MIIs must have it third-party audited. Yet most first-time computations we review overstate maturity by one full band — because the workbook was filled from intention rather than evidence.
How the index actually scores
The CCI is a weighted average across 23 parameters spanning the framework's goals — Govern, Identify, Protect, Detect, Respond, Recover. Each parameter is scored from measured values: MFA coverage as a percentage of privileged accounts, VAPT closure within timelines, security-budget ratio, log-retention conformance. 'We have a policy' scores nothing; the measurement does.
The parameters that sink first-time scores
Three parameters consistently drag first computations down: security operations metrics (no measured MTTD/MTTR), third-party risk (vendor assessments exist but aren't current), and cyber-resilience testing (DR drills documented, recovery objectives unmeasured). All three are measurement problems before they are control problems.
Compute it continuously, not annually
The GovernanceOps SEBI CSCRF Suite computes the CCI from live register data — every VAPT closure, drill record and exception updates the index. The filing becomes an export of numbers your team has watched all year, which is precisely the posture an auditor rewards.
This research comes from real engagements.
The consultants who wrote it run the assessments and the platform behind it. Bring us the question your board is asking.
