If you’re unsure where to begin with your SEBI CSCRF SBOM compliance reporting, this article is for you.
Here, I’ll walk you through the essential data required to prepare an audit-ready SBOM report in line with SEBI’s Cybersecurity & Cyber Resilience Framework (CSCRF). You’ll also learn how OpsMx simplifies this process by automatically generating and organizing the necessary compliance data. If you’d like an Excel template to get started, feel free to reach out.
If you need a template for the compliance report in XLS format, email shashank.srivastava@opsmx.io or DM me.
Key Components of the Compliance Report
The structure of the report follows the SEBI CSCRF annexures and looks like this:
- Cover Page and Metadata
- Component Inventory
- Security & Vulnerability Info
- Risk & Lifecycle Details
- Change Log
- Audit Declaration
Cover Page & Metadata
The content of the cover page
SBOM Component Inventory
The number of rows depends on how many dependencies the application or service has.
The information needed for this report is generated by OpsMx Delivery Shield, and can be downloaded from the Artifact / SBOM dashboard.
Security & Vulnerability Details
The information in the first two columns is provided by OpsMx Delivery Shield from the SBOM tab. The Patch / Status details are also available from OpsMx Delivery Shield, in the Vulnerability Management section. The remediation due date is filled in by the user; OpsMx also shows it when the fix has been tracked and updated / closed in a ticketing system such as Jira. Otherwise, enter the due date to the best of your knowledge.
Besides the download, a drill-down view is available for insights into specific CVEs for reporting purposes.
Risk & Lifecycle Information
The tool provides insight into the dependencies; if any unknowns remain (highly unlikely), record them in this table.
- Known unknowns: e.g., “libX transitive dependencies not fully inventoried.”
- Vendor risk assessment: Completed on April 20, 2025 – no high/critical risks.
- Business Impact (RTO/RPO): RTO = 2 hours, RPO = 15 minutes.
Change & Update Log
This section covers the changes and fixes applied. This information is also available from the reports generated by OpsMx Delivery Shield.
Audit Declaration & Findings
- Compliance declaration: “Certified that the above SBOM is accurate and audit‑ready.”
- Audit summary: Only hash mismatch for component ‘X’ (now corrected).
- Corrective actions: Hash recomputed, re‑signed; CCIO/CEO declaration attached.
And, finally…
Annexures (Attach as PDFs)
- Signed Annexure‑X SBOM sheet.
- MD/CEO sign‑off declaration.
- Supporting audit logs, VCAs, and vendor attestations.
Key Notes
- Align format exactly with SEBI’s Annexure‑X (SBOM template) as referenced in the FAQ.
- Ensure complete dependency capture and hash verification (SHA‑256, etc.).
- Include explicit CVE references, patch status, and remediation deadlines per CSCRF guidance.
- Provide business impact metrics (RTO/RPO) required in the risk section.
- Maintain audit traceability: change logs + MD/CEO declaration + annexures.
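As an added illustration of the hash-verification and CVE/remediation checks in the notes above (example code, not OpsMx's or SEBI's), the script below recomputes SHA-256 digests for a constructed inventory, flags open CVEs past their remediation due date, and lists components referenced by a CVE but missing from the inventory. Component names, placeholder CVE ids, digests and dates are all constructed for the example.

```python
import hashlib
from datetime import date

REPORT_DATE = date(2025, 6, 1)  # date the report is prepared "as of" (constructed)
# Constructed SBOM inventory rows (not real artifacts): declared SHA-256 plus the bytes fetched.
SBOM_INVENTORY = [
    {"component": "libalpha", "version": "1.4.2", "artifact": b"libalpha-1.4.2",
     "declared_sha256": hashlib.sha256(b"libalpha-1.4.2").hexdigest()},
    {"component": "libbeta", "version": "0.9.0", "artifact": b"libbeta-0.9.0",
     "declared_sha256": "0" * 64},  # deliberately wrong digest, so it gets flagged
]

# Constructed rows in the shape of the Security & Vulnerability table; CVE ids are placeholders.
VULN_ROWS = [
    {"component": "libalpha", "cve": "CVE-XXXX-00001", "patch_status": "Open",
     "remediation_due": date(2025, 4, 1)},
    {"component": "libbeta", "cve": "CVE-XXXX-00002", "patch_status": "Fixed",
     "remediation_due": date(2025, 3, 1)},
    {"component": "libgamma", "cve": "CVE-XXXX-00003", "patch_status": "Open",
     "remediation_due": date(2025, 12, 31)},
]

def verify_hashes(inventory):
    """Recompute SHA-256 for each component and compare it with the declared digest."""
    rows = []
    for c in inventory:
        actual = hashlib.sha256(c["artifact"]).hexdigest()
        rows.append({"component": c["component"], "version": c["version"],
                     "actual_sha256": actual, "hash_ok": actual == c["declared_sha256"]})
    return rows

def overdue_open_cves(vulns, as_of):
    """CVEs not marked Fixed whose remediation due date is already past on `as_of`."""
    return [v["cve"] for v in vulns
            if v["patch_status"].lower() != "fixed" and v["remediation_due"] < as_of]

def uninventoried_components(inventory, vulns):
    """Components named in vulnerability rows but absent from the inventory (known unknowns)."""
    known = {c["component"] for c in inventory}
    return sorted({v["component"] for v in vulns} - known)

def audit_findings(inventory, vulns, as_of):
    """Lines for the report's Audit summary section."""
    out = [f"hash mismatch for component '{r['component']}' {r['version']}"
           for r in verify_hashes(inventory) if not r["hash_ok"]]
    out += [f"{cve} still open past its remediation due date" for cve in overdue_open_cves(vulns, as_of)]
    out += [f"'{c}' referenced by a CVE but missing from the inventory"
            for c in uninventoried_components(inventory, vulns)]
    return out
```

Calling `audit_findings(SBOM_INVENTORY, VULN_ROWS, REPORT_DATE)` yields the three findings that would go into the Audit summary and drive the corrective actions.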
Happy to answer any questions. Book a quick 15 minute call to understand how this will work in your enterprise.