Dr Shekhar Pawar explains how the BDSLCCI framework helps in enhancing implementation of cybersecurity programs.
On 1-September-2025, Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India released ‘15 Elemental Cyber Defense Controls for Micro, Small, and Medium Enterprises (MSMEs)’.
URL: https://www.cert-in.org.in/PDF/Elemental_Cyber_Defense_Controls_for_MSME.pdf
Purpose
In the context of an increasingly digital economy, cybersecurity has become a foundational necessity for Micro, Small, and Medium Enterprises (MSMEs) in India. It plays a critical role in safeguarding cyber infrastructure and sensitive data, ensuring compliance with statutory and regulatory obligations, mitigating financial and reputational risks, preserving customer trust, maintaining operational resilience, enabling digital transformation initiatives, and fostering sustainable business growth and competitive advantage.
To support this imperative, the Indian Computer Emergency Response Team (CERT-In) has issued a comprehensive document outlining 15 Elemental Controls of Cyber Defense, specifically tailored for MSMEs. This guidance is applicable to enterprises classified under the criteria defined by the Ministry of Micro, Small & Medium Enterprises, Government of India, as per Notification No. S.O. 1702(E) dated 1st June 2020, issued under the authority of sub-section (1) read with sub-section (9) of Section 7 of the Micro, Small and Medium Enterprises Development Act, 2006.
By implementing these Cyber Defense Controls, organisations can effectively protect themselves against the most common and pervasive cyber threats originating from the Internet. These controls serve as a baseline cybersecurity framework, enabling enterprises to benchmark their current posture, identify gaps, and prioritise actions. They offer a structured starting point for MSMEs to progressively build and adopt a robust cybersecurity program aligned with best practices and national standards.
Why MSMEs should implement Cybersecurity?:
Micro, Small, and Medium Enterprises (MSMEs) constitute a vital pillar of the Indian economy, contributing significantly to employment generation, technological innovation, and national GDP. As integral participants in both domestic and international supply chains, MSMEs are increasingly dependent on digital infrastructure - rendering them particularly vulnerable to evolving cyber threats. Enhancing their cybersecurity posture is therefore imperative to ensure the resilience, integrity, and security of digital ecosystems across sectors.
Which control domains are outlined by CERT-In to strengthen cybersecurity for MSMEs?
1. Effective Asset Management (EAM): Establish and maintain an efficient asset management framework and enhance ability to track, monitor, and optimise the utilisation of both physical and digital assets.
2. Network and Email Security (NES): To safeguard networks and email systems against unauthorised access, data breaches, and cyber threats through secure communication.
3. Endpoint & Mobile Security (EMS): To safeguard end-user devices by enforcing security policies and practices that ensure secure access, data protection, and resilience against threats.
4. Secure Configurations (SC): Implement and manage secure configuration of hardware and software installed within the network. Implement strict configuration rules and change the control/approval process.
Depth (DiD) Layers, and List of Controls
5. Patch Management (PM): To reduce security vulnerabilities by systematically identifying, testing, and applying patches and updates to software, systems, and devices in a timely manner.
6. Incident Management (IM): To ensure timely detection, reporting, response, and recovery from cybersecurity incidents through a structured and coordinated incident management process.
7. Logging and Monitoring (LM): Implementing continuous logging and monitoring of systems, networks, and user activities, ensuring timely alerts and auditability.
8. Awareness and Training (AT): To enhance cybersecurity posture by educating personnel on security policies, risks, and best practices through regular awareness programs and role-based training.
9. Third Party Risk Management (TPRM): To protect organisations from potential vulnerabilities introduced by external service providers.
10. Data Protection, Backup and Recovery (DPBP): To ensure the confidentiality, integrity, and availability of data by implementing robust protection measures, maintaining regular and secure backups, and establishing effective recovery mechanisms to restore data and services in the event of loss, corruption, or cyber incidents.
11. Governance and Compliance (GC): To ensure accountability and compliance with cybersecurity policies, regulations, and standards through defined responsibilities, oversight, and regular reviews.
12. Robust Password Policy (RPP): Strengthen passwords to protect sensitive data from unauthorised access.
13. Access Control and Identity Management (ACIM): To ensure that only authorised users and systems can access resources based on defined roles and privileges.
14. Physical Security (PS): To prevent unauthorised physical access to critical infrastructure, systems, and data.
15. Vulnerability Audits and Assessments (VAA): To evaluate an organisation’s security posture, policies, and practices to ensure they effectively protect against threats and vulnerabilities.
CERT-In acknowledged Dr Shekhar Pawar as an Inventor of the BDSLCCI Framework for MSMEs:
In recognition of this strategic importance, the Indian Computer Emergency Response Team (CERT-In) formally acknowledges the valuable expertise and contributions of Dr Shekhar Pawar, Founder of SecureClaw and Inventor of the Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI) Framework. Dr Pawar served as one of the subject matter experts during the review and formulation of the official document titled Cyber Defense Controls and Recommendations for Micro, Small, and Medium Enterprises (MSMEs), issued to strengthen cybersecurity readiness across this critical sector.
How BDSLCCI Framework can help MSMEs?
Dr Shekhar Ashok Pawar, along with his team at SecureClaw, has developed the Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI) framework—an outcome of an international research initiative led by Dr Pawar. This framework was conceived to address the unique cybersecurity challenges faced by Micro, Small, and Medium Enterprises (MSMEs) across diverse sectors and geographies.
Globally, there are approximately 400 million MSMEs, representing nearly 90% of all businesses. These enterprises form the foundation of the economic pyramid, generating 60–70% of global employment opportunities and contributing approximately 55% of GDP in developed economies. In certain countries, entities classified as Micro, Small, and Medium Enterprises (MSMEs) are alternatively referred to as Small and Medium Enterprises (SMEs) or Small and Medium Businesses (SMBs). Despite their critical economic role, MSMEs remain disproportionately vulnerable to cyber threats—43% of cyberattacks target small businesses, and statistically, one in two MSMEs is likely to experience a cyber breach. Without adequate cybersecurity protection, the stability and growth of the global economy itself may be at risk.
Dr Pawar’s international research engaged senior leadership from MSMEs across 19 countries, revealing three pervasive challenges: -
1. Insufficient financial resources or budget allocations to implement the extensive controls mandated by conventional cybersecurity standards.
2. Lack of skilled personnel and operational capacity to deploy and sustain cybersecurity measures.
3. Limited visibility into return on investment (RoI), as existing frameworks often fail to align with the core priorities and operational realities of MSMEs.
with BDSLCCI Framework Defense-in-Depth (DiD) Controls
The research further established that each MSME operates within a distinct business domain and possesses mission-critical assets (MCAs)—such as data, information systems, or infrastructure—that are essential to its core operations. For example, MCAs in the healthcare sector may include Electronic Medical Record (EMR) systems, while those in banking, financial services, and insurance (BFSI) may center around financial databases. These assets vary in their emphasis on confidentiality, integrity, and availability, depending on the sector and business function.
To address these nuances, the BDSLCCI framework introduces a tailored approach to cybersecurity, recommending Defense-in-Depth (DiD) controls that span people, processes, and technology, implemented in alignment with each organisation’s MCA. This pragmatic and scalable model empowers MSMEs to initiate cybersecurity programs that are both resource-conscious and strategically aligned with their operational priorities.
Diagram 1 illustrates the mapping of Defense-in-Depth (DiD) controls within the BDSLCCI framework to various cybersecurity control domains. The BDSLCCI model offers three progressive levels of certification, each corresponding to an incremental implementation of cybersecurity controls tailored to organisational maturity and resource availability. Following the implementation of the BDSLCCI framework, Micro, Small, and Medium Enterprises (MSMEs) are eligible to undergo a formal audit and assessment—conducted either through online or offline modalities. Upon successful completion of this evaluation, the enterprise is awarded a certificate of compliance, an official transcript, and a comprehensive assessment report detailing the effectiveness, scope, and alignment of the implemented controls with the BDSLCCI-recommended cybersecurity guidelines. This documentation serves as a credible validation of the organisation's cybersecurity posture and its adherence to structured defense-in-depth principles.
Diagram 2 demonstrates how the Defense-in-Depth (DiD) controls prescribed by the BDSLCCI framework can systematically support the fulfilment of control areas recommended by the Indian Computer Emergency Response Team (CERT-In), thereby enabling structured and scalable cybersecurity adoption across Micro, Small, and Medium Enterprises (MSMEs).
MSMEs across India are encouraged to visit www.BDSLCCI.in for detailed information and to leverage the BDSLCCI framework for strengthening their cybersecurity posture. Cybersecurity is a fundamental necessity for every business—irrespective of its size, geographic location, or revenue profile. Dr Pawar strongly recommends that small and medium-sized enterprises adopt the BDSLCCI framework to initiate or enhance their cybersecurity programs in a practical, cost-effective, and mission-aligned manner.
Dr Shekhar Pawar is a DBA in the cybersecurity domain at SSBM Geneva, Switzerland. He has completed his executive management degree from SJMSOM, IIT Bombay, and engineering in electronics and telecommunications from Mumbai University. Some of his skills and certifications include Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), ISO 27001 – Lead Auditor, PCI DSS Implementer, Certified HIPAA Compliance Professional, Sarbanes Oxley (SOX) Certified Professional, Diploma in Cyber Laws, Microsoft Certified Professional (MCP), Certified Blockchain Developer, Certified ATM for CMMi Assessment, DSP & Applications – IIT Madras, and Diploma in Industrial Electronics. He is also the author of the nonfiction book ‘Air Team Theory: Understanding 10 Types of Teammates and Best Practices to Succeed’. Currently he is working as Founder and CEO of SecureClaw Inc., Delaware, USA and SecureClaw IT and Cybersecurity Private Limited. Contact: [email protected]
