If a salesman's laptop with client lists is stolen at Delhi airport, or a field worker loses a phone containing GST invoices and bank details, unencrypted data can be sold or misused within hours. A breach like this can cost you customer trust, regulatory fines under the DPDP Act (up to ₹5 crore for sensitive data), and forced audits by clients such as banks or e-commerce platforms, who will pause or cancel contracts. Many Indian MSMEs have lost contracts because a client audit found unencrypted devices and classified them as non-compliant; some have also faced customer lawsuits for data leaks.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You walk into the office and see laptops, phones, and USB drives being used with no mention of encryption. Employees can log in with just a simple password and there is no policy requiring any data protection on removable devices.
Initial
You find that a few laptops have some form of encryption enabled, but it was set up accidentally when the OS was installed. Phones and USB drives are not encrypted, and there is no documented list of which devices should have encryption.
Developing
You see that most company laptops have BitLocker or FileVault turned on, and there is a written policy stating encryption should be used. However, USB drives are still used without encryption, and enforcement is spotty—some employees have disabled encryption or use personal unencrypted devices.
Defined
You find that all company laptops and phones have encryption enforced and working. A documented device inventory lists which devices must be encrypted, and IT conducts quarterly checks to ensure compliance. USB drives are restricted or encrypted via policy, and any removable storage requires pre-approval.
Managed
All devices have encryption enabled automatically and IT remotely verifies compliance every month. The company uses Mobile Device Management (MDM) software to enforce encryption on phones and laptops. Encryption key management is documented, and lost/stolen devices are remotely wiped within hours.
Optimised
Encryption is mandatory, monitored in real-time, and IT has automated systems that prevent unencrypted devices from accessing company networks. All encryption keys are securely managed with audit logs. When a device is reported lost, it is wiped remotely within minutes and the incident is logged for compliance review.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Audit all laptops, phones, and USB drives currently in use; document which ones have any form of encryption and which do not. | IT person or Business Owner (if no dedicated IT) | 2-3 days |
| 1 → 2 | Enable encryption on all company laptops (Windows BitLocker, macOS FileVault, or Linux LUKS) and create a written Device Encryption Policy stating which devices must be encrypted and how to enable it. | IT Person | 1-2 weeks |
| 2 → 3 | Enforce encryption on mobile devices via an MDM solution (like Microsoft Intune free tier, or Zoho MDM); restrict or ban unencrypted USB drives; conduct a monthly encryption compliance audit. | IT Person with support from Business Owner to communicate policy to staff | 3-4 weeks |
| 3 → 4 | Implement automated encryption verification and remote device wipe capability via MDM; set up a secure encryption key management system (e.g., using Zoho Vault or similar) and document the process. | IT Person, possibly with external IT consultant | 4-6 weeks |
| 4 → 5 | Establish real-time monitoring dashboards for encryption compliance, conduct quarterly security drills (test remote wipe), and train all staff on device loss reporting; update encryption policy annually based on new threats. | IT Person with oversight from Management | Ongoing (4-6 hours per month) |
Documents and records that prove your maturity level.
- Written Device Encryption Policy document signed by management, stating which devices must be encrypted and how
- Device Inventory List showing all laptops, phones, and USB drives with encryption status (encrypted or not) and date last checked
- Encryption Compliance Audit Report from the last 90 days showing percentage of devices compliant
- Screenshot or report from MDM/encryption software (e.g., BitLocker status, FileVault status, or MDM dashboard) showing encryption enabled on company devices
- Incident Log or Record of any lost/stolen devices and actions taken (e.g., remote wipe confirmation, date of wipe)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a list of all laptops, phones, and USB drives your company owns, and confirm which ones have encryption enabled right now?"
- "What is your policy on encryption for company devices, and how do you ensure employees follow it?"
- "If an employee's phone is lost today, can you remotely wipe it immediately and how would you verify it was wiped?"
- "Have you tested your encryption or remote wipe process in the last 12 months? Can you share the test results?"
- "What types of encryption do you use (for example, BitLocker, FileVault, or something else), and where are encryption keys stored and who has access?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Encrypt Windows laptops and prevent unauthorized access to hard drives | BitLocker (built into Windows Pro and Enterprise editions at no extra cost) | — |
| Encrypt macOS laptops and prevent unauthorized access to hard drives | FileVault (built into macOS; included free) | — |
| Manage and enforce encryption on all company phones and laptops from a central dashboard | Zoho MDM (free tier for up to 25 devices) | Microsoft Intune (₹500–1000/user/month or bundled in Microsoft 365), Zoho MDM Pro (₹2000–5000/month) |
| Encrypt USB drives and portable storage devices | VeraCrypt (free, open-source encryption tool for USB drives) | BitDefender Total Security (includes USB encryption, ₹4000–6000/year), IronKey or SanDisk Secure USB drives (hardware-encrypted, ₹1500–3000 per device) |
| Securely store and manage encryption keys and passwords | Zoho Vault free tier (up to 10 logins) | Zoho Vault Pro (₹500/month), 1Password (₹1500–2500/month), LastPass Enterprise (₹600–800/user/month) |
- Encryption is enabled but the password is written on a sticky note or shared in an unprotected email—this defeats the purpose because anyone with the device and the password can read the data.
- Only laptops are encrypted while phones (which often contain customer call logs, messages, and payment details) are left unencrypted; in India, field sales and delivery staff often use phones to handle sensitive data.
- Encryption is turned on but never verified—IT assumes it is working and does not check monthly, so some devices silently disable encryption due to software updates or user action.
- USB drives are banned by policy but employees use personal unencrypted USB drives anyway because they find them convenient for backups, and management does not enforce the rule.
- When a device is lost or stolen, there is no procedure to remotely wipe it, so the company does not know whether the data was accessed; this looks very bad in a customer audit.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Security of Personal Data) requires reasonable safeguards including encryption of sensitive personal data at rest and in transit |
| CERT-In 2022 | Direction 4 recommends encryption of sensitive data on portable and removable media; Direction 5 recommends device access controls |
| ISO 27001:2022 | Annex A, Control 10.1.1 (Cryptography) and Control 8.3.4 (Removal of access rights) require encryption of sensitive information and protection of devices |
| NIST CSF 2.0 | Protect Function, Asset Management category: devices and data should be protected with encryption; Detect Function supports incident response for device loss |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.