Page 28 - CRISIL ESG Report 2023
With the release of the new ISO 27001:2022 standard, CRISIL is aligning its security policies to comply with the revised requirements. The IT and cyber risk framework has progressed considerably into an objective scoreboard, reviewed by management on a monthly basis. The cyberthreat landscape is evolving with emerging trends and techniques used by attackers, and CRISIL is therefore constantly working towards making all CRISILites ‘Cyber SMART’.
Personal trading policy
CRISIL has a robust personal trading framework in place, in compliance with the SEBI (Prohibition of Insider Trading) Regulations, 2015, that also covers client requirements. The personal trading policy and procedures are reviewed annually. Trades are monitored using a dedicated IT tool. Several enhancements were made to the tool during the year to further strengthen our controls, such as automating the restricted list of securities, modules for submission of transaction statements, and automated reconciliation of transaction feeds.
The focus on rigorous messaging continued through several education sessions and compliance drives conducted during 2023, as below:
• Orientation sessions for new joiners on a regular basis
• 19 refresher sessions during the year (both in person and online), including business-specific and location-specific sessions
• Compliance slots in business Townhalls to drive the culture
In 2023, CRISIL successfully completed its Information Security certification, ISO 27001:2013.
SOC 2 Type 2 certification is a widely recognised standard that demonstrates an organisation’s commitment to ensuring the security, availability, processing integrity, confidentiality, and privacy of customer data. CRISIL’s flagship products and two business units are SOC 2 certified.
2023 saw considerable efforts to reduce CRISIL’s attack surface by closing known issues and vulnerabilities, thereby improving the security posture of our applications, systems and platforms. We encourage employees to report any digital misbehaviours and issues.
To improve business efficiency and scale, CRISIL adopted cloud services for various applications. Compared with on-premises servers, cloud service providers have mature and secure infrastructure management capabilities, which is an added benefit. At the same time, protection of services and devices becomes a shared responsibility between CRISIL and the cloud service provider. CRISIL has robust cloud security governance in place, including automated cloud security policies, a vulnerability assessment scanning framework, and tools for remediating cloud-related vulnerabilities.
Corporate governance