
Sustainability Report 2024
PRINCIPLE 9: Businesses should engage with and provide value to their consumers in a responsible
manner
Essential Indicators
1. Describe the mechanisms in place to receive and respond to consumer complaints and feedback.
Each business receives and addresses customer complaints regularly. Complaint redressal is tracked rigorously at
various levels of the management. The Stakeholders’ Relationship Committee of the Board regularly dedicates exclusive
time to review stakeholder complaints, including customer complaints. Additionally, refer to Q4 of Leadership indicators
of this Principle for information on customer surveys undertaken.
2. Turnover of products and/services as a percentage of turnover from all products/service that carry information about
social and environmental parameters, safe and responsible usage, recycling and safe disposal.
Not applicable considering the nature of Crisil’s business.
3. Number of consumer complaints in respect of data privacy, advertising, cyber-security, unfair trade practices, etc.
Refer to table no. 21(b) on page 64 of Sustainability Databook.
4. Details of instances of product recalls on account of safety issues
Not applicable considering the nature of Crisil’s business.
5. Does the entity have a framework/policy on cyber security and risks related to data privacy? (Yes/No) If available,
provide a web-link of the policy
Yes. Crisil has also adopted the “Crisil Global Corporate Privacy policy”, which can be accessed at
https://www.Crisil.com/content/Crisilcom/en/home/Crisil-privacy-notice.html
6. Provide details of any corrective actions taken or underway on issues relating to advertising, and delivery of essential
services; cyber security and data privacy of customers; re-occurrence of instances of product recalls; penalty/action
taken by regulatory authorities on safety of products/services.
There was no penalty/action taken by the regulatory authorities in respect of the aforesaid.
However, protection of data and ensuring security during data transmission is vital to Crisil’s business. Crisil has
implemented comprehensive measures, including strong access controls, encryption for sensitive information, and
periodic audits to ensure compliance with organisational policies. Data protection involves deployment of technical and
administrative control measures to protect against vulnerabilities and threats such as malware or data theft. Usage
of the latest tools/technologies enabling multifactor authentication, data loss prevention, inbound and outbound traffic
configuration through firewall systems and proxy solutions, and configuration of controls on personal devices used for
work-related purposes ensures safeguarding of data from unauthorised access, alteration and destruction.
In 2024, Crisil improved its operational maturity in Information Security posture through new initiatives and enhanced tools
for preventing data loss and ensuring Intellectual Property protection. These controls ensure adequate and proportionate
protection of Crisil’s confidential information assets. Crisil measures its cyber policies and preparedness against the NIST
framework. The company conducted comprehensive internal and external audits to validate compliance and continuously
improve its security posture, ensuring resilience against evolving cyber threats by continuously strengthening its security
protocols.
To raise awareness, advisories are circulated and trainings on information security and phishing simulations are
conducted regularly to educate employees about emerging threats.
Crisil has been ISO 27001:2013 certified since 2015, demonstrating its long-standing commitment to information security
management. We are actively upgrading to the ISO 27001:2022 standard, ensuring continued alignment with the latest
global best practices.
Crisil has achieved SOC 2 Type 2 certification for key business units, along with three critical applications. This certification,
conducted by independent AICPA-accredited auditors, reflects our commitment to addressing client trust and regulatory
requirements while maintaining robust operational integrity.