AD-02 Application & Product Security 6% of OML score

Is there a simple list or understanding of where important business data is stored?

Do you know where all your important business data lives—in which computers, servers, phones, cloud accounts, or filing cabinets? This question asks if you have a simple written list or document that shows where your customer data, financial records, and other sensitive information are actually stored.

⚡ Why This Matters to Your Business

If you don't know where your data is stored, you cannot protect it, and an attacker or a careless employee can steal or delete it without you noticing. A real example: a Delhi manufacturing company lost two years of customer invoices when an employee's laptop was stolen; there was no backup because nobody knew that laptop held the only copy. If a customer asks "where is my data stored?" and you cannot answer, you may fail their audit, fall short of your obligations under the DPDP Act 2023, and lose that customer's business. Without a data map you also cannot meet breach-reporting duties, because you cannot say what was affected, and regulators may fine you for negligence.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no idea where important data is stored across your organisation. When someone asks you where customer records are kept, you point vaguely at different people and say 'Raj has some on his laptop, Excel sheets are on the server maybe, and some stuff is in cloud but I don't remember which cloud.'

Level 1
Initial

You have a rough verbal understanding that data exists in a few places (one person's laptop, one shared drive, maybe Gmail), but nothing is written down. If that one person leaves or their device fails, you would struggle to find the data.

Level 2
Developing

You have created a simple one-page list or spreadsheet that names the main locations where data is stored (e.g. 'Customer database on Server A', 'Invoices in Google Drive', 'Accounts in Tally on Accounts PC'). The list exists but is not regularly updated and some data locations may be missing.

Level 3
Defined

You maintain a current data inventory document that covers all major data types (customer, financial, operational, employee records) and where each is stored, including cloud services. The list is updated at least twice a year and reviewed by the business owner or IT manager.

Level 4
Managed

You have a detailed, maintained data inventory that includes data classification (what is sensitive vs. non-sensitive), ownership (who is responsible for each dataset), backup locations, and retention periods. This inventory is reviewed and updated quarterly and shared with relevant team members.

Level 5
Optimised

Your data inventory is automated and continuously updated, integrated with your asset management system, includes data flows and transfers between systems, and is regularly audited for completeness. Team members are trained to report new data storage locations, and the inventory is reviewed during security assessments and before any system changes.

🚀 How to Move Up — Practical Steps

Each step lists what to do, who should own it, and the effort to expect.

Step 0 → 1 (Business owner or IT person; about 1 day)
Gather all staff for a 30-minute meeting and ask: where do we store customer data, financial records, employee information and business documents? Write down every location mentioned (laptops, phones, drives, cloud accounts, filing cabinets, USB drives, WhatsApp groups, etc.).

Step 1 → 2 (IT person or business owner; about 1 week)
Create a simple spreadsheet or document with three columns: Data Type (e.g. customer names, invoices, employee records), Where It Is Stored (the specific device, service or location) and Who Manages It (a named person). Save this document somewhere safe and accessible, and not only on the laptop of the person who wrote it.

Step 2 → 3 (IT person, with business owner sign-off; 2-4 weeks)
Add two more columns: Backup Location (where is this data backed up?) and Sensitivity Level (confidential or general?). Schedule a review meeting with your IT person and department heads at least every six months, and preferably quarterly, to confirm the list is still accurate. Record the date and the reviewer each time; that record is the evidence an auditor will ask for.

Step 3 → 4 (IT manager or consultant, with HR and compliance input; 1-2 months)
Expand the inventory with Retention Period (how long must this data be kept?), Access Controls (who is allowed to see it?) and Encryption Status (is sensitive data encrypted at rest?). Write a short data classification policy that defines what makes data sensitive versus non-sensitive, so that the Sensitivity column is filled in consistently.

Step 4 → 5 (IT manager, with executive oversight; ongoing)
Integrate the inventory with your IT asset management system so that adding new software, cloud services or storage automatically triggers a review and update of the inventory. Audit the inventory annually for completeness (every asset in the register should map to an inventory row or be marked as holding no important data), and require staff to confirm data locations during onboarding and offboarding.
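The steps above describe a spreadsheet with specific columns, a review cadence and, at the last step, a reconciliation against the asset register. The following is an added example, not code from the NIRMATA guide: a small linter that reads that spreadsheet as a CSV export and reports the gaps an auditor would flag (no backup location, confidential data not encrypted, no retention period, review overdue), then lists assets in the register that no inventory row claims. The column names, the 90-day review window, the sample rows and the asset list are assumptions made for illustration.

```python
"""
Added example (not code from the NIRMATA guide): a linter for the data
inventory spreadsheet described in the How to Move Up steps, exported as
CSV. Column names, the 90-day window, sample rows and the asset register
are all assumptions made for illustration.
"""
import csv
import io
from datetime import date, datetime

# Assumed review window: the guide asks for at least twice-yearly review at
# Level 3 and quarterly at Level 4; 90 days matches the Level 4 target.
REVIEW_WINDOW_DAYS = 90

# Constructed sample export of the inventory spreadsheet (columns from the
# 1 -> 2, 2 -> 3 and 3 -> 4 steps; access_controls omitted for brevity).
INVENTORY_CSV = """\
data_type,location,owner,backup_location,sensitivity,retention,encrypted,last_reviewed
Customer database,Server A (MySQL),Priya,NAS in office,confidential,7 years,yes,2024-03-01
Invoices,Google Drive - Accounts,Raj,,confidential,8 years,no,2023-11-15
Employee records,HR laptop (Excel),Meena,,confidential,,no,2024-01-10
Marketing brochures,Dropbox,Asha,n/a,general,,n/a,2024-02-20
"""

# Constructed asset register; the 4 -> 5 step reconciles it against the inventory.
ASSET_REGISTER = [
    "Server A (MySQL)", "Google Drive - Accounts", "HR laptop (Excel)",
    "Dropbox", "Tally on Accounts PC", "WhatsApp (sales phone)",
]


def load_inventory(csv_text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lint_row(row, today):
    """Return the gaps in one inventory row that an auditor would flag."""
    findings = []
    sensitive = row["sensitivity"].strip().lower() == "confidential"
    if not row["backup_location"].strip():
        findings.append("no backup location recorded")
    if sensitive and row["encrypted"].strip().lower() != "yes":
        findings.append("confidential data not encrypted")
    if sensitive and not row["retention"].strip():
        findings.append("no retention period")
    reviewed = datetime.strptime(row["last_reviewed"].strip(), "%Y-%m-%d").date()
    if (today - reviewed).days > REVIEW_WINDOW_DAYS:
        findings.append("last review older than %d days" % REVIEW_WINDOW_DAYS)
    return findings


def lint_inventory(rows, today):
    """Map each data type to its list of findings (empty list means no gaps)."""
    return {row["data_type"]: lint_row(row, today) for row in rows}


def unmapped_assets(rows, assets):
    """Assets in the register that no inventory row claims: likely hidden data stores."""
    covered = {row["location"].strip() for row in rows}
    return [asset for asset in assets if asset not in covered]


def lint_csv(csv_text, today_iso):
    """Convenience wrapper: lint a CSV export as of an ISO date such as 2024-04-01."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    rows = load_inventory(csv_text)
    return lint_inventory(rows, today), unmapped_assets(rows, ASSET_REGISTER)


if __name__ == "__main__":
    findings, missing = lint_csv(INVENTORY_CSV, date.today().isoformat())
    for data_type, gaps in findings.items():
        print(data_type, "->", "; ".join(gaps) or "ok")
    print("assets with no inventory entry:", missing)
```

Run it against your own export after each review meeting; an empty findings list for every row plus an empty unmapped-assets list is the state Level 4 describes, and the unmapped-assets check is the manual form of the Level 5 integration with asset management.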
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • A data inventory spreadsheet or document (at minimum Level 2) listing data types, storage locations, and responsible persons
  • A copy of or link to your data classification policy that explains what data is sensitive and what is not sensitive
  • Documentation showing when the data inventory was last reviewed and updated (date and who reviewed it)
  • Minutes or records from data inventory review meetings with staff confirming locations are correct
  • A backup and disaster recovery log showing where critical data is backed up and how often backups are tested
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your data inventory. Where is all your important business data stored, and how do you keep track of it?"
  • "If I ask you right now, can you tell me where your customer personal data is stored and who has access to it?"
  • "How often do you review and update your data inventory? Show me evidence of the last update."
  • "What would happen if one of your servers or a key employee's laptop failed today? How quickly could you recover that data, and from where?"
  • "Do you have a written policy that defines what data your organisation considers sensitive or confidential, and where that data must be stored?"
🛠 Tools That Work in India

Create and maintain your data inventory spreadsheet
  Free: Microsoft Excel (if you already have Microsoft 365), Google Sheets (free with a Gmail account), LibreOffice Calc (free, open source)
  Paid: Microsoft Excel standalone, ~4,000 INR/year

Map and visualise where data flows between systems and storage locations
  Free: draw.io (free web-based diagram tool), Lucidchart free tier (basic diagrams)
  Paid: Lucidchart Professional ~8,000-12,000 INR/year; Microsoft Visio ~15,000 INR/year

Scan your network to discover machines, shares and services that may hold data you have forgotten about
  Free: Nessus Essentials (free vulnerability and asset discovery, limited to 16 IP addresses), OpenVAS (free, open source, part of Greenbone Community Edition)
  Paid: Nessus Professional ~1,40,000 INR/year; Qualys VMDR ~3,00,000+ INR/year
  Caveat: these are vulnerability scanners. They will show you hosts, open file shares, database ports and web applications, which is a good start for finding undocumented storage, but they do not read file contents or tell you which files hold customer data. Follow up on each discovered host by asking its owner and searching its drives and shares.
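A network scanner tells you which machines exist; it does not tell you which files on them hold customer data. The following is an added example, not code from the NIRMATA guide and not a replacement for the tools in the table: a file-level discovery walk you can run on a server, shared drive or desktop. It lists files whose extensions suggest business data and scans text files for Indian PII patterns, accepting an Aadhaar-shaped number only if its Verhoeff check digit is valid, which keeps random 12-digit numbers out of the report. The extension list (including `.900` for Tally data files), the patterns and the sample directory tree are assumptions made for illustration.

```python
"""
Added example (not code from the NIRMATA guide): file-level data discovery
with PAN and Aadhaar pattern checks. The extension list, the patterns and the
constructed sample tree are assumptions made for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions that usually mean business data lives here (assumed list).
DATA_EXTENSIONS = {".xls", ".xlsx", ".csv", ".ods", ".mdb", ".accdb",
                   ".db", ".sqlite", ".bak", ".pst",
                   ".900"}  # .900: Tally.ERP 9 company data files (assumption)
TEXT_EXTENSIONS = {".csv", ".txt"}  # read as text and scanned for PII

PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
# Aadhaar: 12 digits, first digit 2-9, optionally grouped 4-4-4 by space or hyphen.
AADHAAR_RE = re.compile(r"\b[2-9][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}\b")

# Verhoeff tables: dihedral-group multiplication (_D) and position permutation (_P).
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(digits):
    """True if the last digit is a correct Verhoeff check digit (Aadhaar uses this)."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def scan_text(text):
    """Count PAN-shaped tokens and checksum-valid Aadhaar numbers in text."""
    pans = PAN_RE.findall(text)
    aadhaars = [m for m in AADHAAR_RE.findall(text)
                if verhoeff_valid(re.sub(r"[ -]", "", m))]
    return {"pan": len(pans), "aadhaar": len(aadhaars)}


def discover(root):
    """Return one record per likely data file under root, sorted by relative path."""
    root = Path(root)
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext not in DATA_EXTENSIONS and ext not in TEXT_EXTENSIONS:
                continue
            pii = {"pan": 0, "aadhaar": 0}
            if ext in TEXT_EXTENSIONS:
                try:
                    pii = scan_text(path.read_text(errors="ignore"))
                except OSError:
                    pass  # unreadable: still listed below if the extension matches
            if ext in DATA_EXTENSIONS or pii["pan"] or pii["aadhaar"]:
                found.append({"path": path.relative_to(root).as_posix(),
                              "bytes": path.stat().st_size, "pii": pii})
    return sorted(found, key=lambda r: r["path"])


def make_sample_tree():
    """Write a constructed sample tree (stand-in for a shared drive) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="ad02_"))
    samples = {
        "Accounts/customers.csv": ("name,pan,aadhaar\n"
                                   "Asha,ABCDE1234F,2345 6789 0124\n"   # valid check digit
                                   "Raj,XYZPQ9876K,2345 6789 0123\n"),  # wrong check digit
        "Accounts/backup_2023.xlsx": "placeholder for a binary workbook",
        "Tally/Data/10001/Company.900": "placeholder for Tally data",
        "HR/staff_notes.txt": "Meena joined in March; Aadhaar on file: 2345-6789-0124\n",
        "Marketing/brochure.txt": "Visit our Delhi showroom, open 10am to 7pm.\n",
        "Marketing/logo.png": "not data",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rec in discover(make_sample_tree()):
        print(rec)
```

Point `discover()` at a real drive root and feed each reported path into the inventory; a `.txt` of meeting notes that turns up with Aadhaar numbers is exactly the kind of location the pitfalls below warn about. Real Aadhaar numbers in the output should be treated as confidential themselves, so keep the report in the same place you keep the inventory.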
🛡 How This Makes You More Resilient
When you know where your critical business data is stored, you can back it up and protect it properly, which means that if a laptop is stolen or a server fails you can recover quickly instead of losing months of work. You will also spot data kept in risky places (such as a single personal phone) and move it somewhere safer. Finally, when a security incident happens, you know exactly what was at risk and can notify customers and regulators quickly, avoiding panic and larger fines.
⚠️ Common Pitfalls in India
  • Creating a data inventory once and then never updating it—within 6 months it becomes inaccurate and useless. Plan to review it every quarter, especially after hiring new staff or adopting new tools.
  • Forgetting about cloud storage and SaaS applications—many Indian businesses use WhatsApp, Google Drive, Dropbox, or Zoho without realizing sensitive data is stored there. Audit all subscriptions and apps your team uses.
  • Not asking employees about data they store locally—an accountant may keep 5 years of invoices on their personal laptop backup drive that no one else knows about. You must explicitly ask staff to report data they maintain.
  • Assuming 'the server' holds all data—in reality, data is scattered: some in Tally, some in Excel on desktops, some in email, some in filing cabinets, some in WhatsApp chats. You must search everywhere.
  • Not documenting backup locations—knowing data is 'backed up somewhere' is not enough. You must know exactly where, how often, and whether backups have actually been tested. Test a restore at least once a year.
⚖️ Compliance References

DPDP Act 2023
  Section 8 (general obligations of a Data Fiduciary, including reasonable security safeguards and notifying the Data Protection Board and affected Data Principals of a personal data breach) and Sections 11 and 12 (Data Principal rights to access, correction and erasure): you must know where personal data is stored to protect it, to report a breach and to answer a Data Principal's request. Section 6 (consent) applies where your processing relies on consent.

CERT-In Cyber Security Directions (28 April 2022)
  Direction (ii): report cyber incidents to CERT-In within six hours of noticing them, which means you must be able to identify which systems and data were compromised. Direction (iv): retain ICT system logs for 180 days within India, so the logs of systems that hold critical data should be kept at identified locations. The Directions do not themselves mandate backups; backup requirements come from your own policy and from ISO 27001 below.

ISO 27001:2022
  Annex A 5.9 (inventory of information and other associated assets), 5.12 (classification of information), 5.23 (information security for use of cloud services), 8.13 (information backup) and 5.24 (information security incident management planning and preparation): maintain an inventory of information assets with their owners and locations, and know what to recover and what to report.

NIST CSF 2.0
  Identify function, Asset Management category: ID.AM-07 (inventories of data and corresponding metadata for designated data types are maintained) and ID.AM-03 (representations of authorised network communication and internal and external data flows are maintained), which correspond to the Level 4 inventory and the Level 5 data-flow mapping.

The full NIRMATA self-assessment covers 191 questions across 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security · trustinbharat.org