AD-13 · Application & Product Security · 6% of OML score

Is data backed up according to its importance to the business?

Do you have a plan for backing up your most important business data, and are you actually doing those backups regularly? Not every file matters equally—your customer list and financial records need more protection than old emails or temporary files.

Why This Matters to Your Business

If a ransomware attack hits your business (like the ones that struck Indian manufacturing units in 2023), or your server fails, you lose access to customer orders, invoices, and payment records. Without backups, a small Delhi export company could lose months of financial data and be unable to invoice customers or process refunds, costing lakhs in lost business and customer trust. Auditors and banks now ask for backup proof before approving credit. Your GST records are legally required to be recoverable—if the tax office finds you cannot restore transaction data, you face penalties under Section 138 of the CGST Act.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no backup system in place. When hard drives fail or data gets deleted, you lose it permanently.

Level 1
Initial

You manually copy some important files to a USB drive or email them to yourself occasionally, but there is no schedule or list of what needs backing up.

Level 2
Developing

You have identified which data is critical (customer list, invoices, bank statements) and back these up to an external hard drive or cloud storage once a month, but you have never tested if the backup actually works.

Level 3
Defined

You back up all critical data weekly to both a local external drive and a cloud service, you have documented which data is critical and why, and you test restoring a sample file twice a year to confirm it works.

Level 4
Managed

You back up critical data daily to multiple locations (on-site and cloud), you classify all business data by importance, backups are encrypted and monitored for success, and you perform full recovery drills quarterly with documented results.

Level 5
Optimised

Your backup and recovery process is fully automated, continuously monitored with real-time alerts, all backups are encrypted and stored geographically apart, you test recovery monthly, and you have a formal disaster recovery plan that is reviewed and updated annually with board sign-off.

How to Move Up — Practical Steps
Step | What to do | Who | Effort
0 → 1 | List all data your business cannot operate without (e.g., customer contact list, invoices, bank statements, product designs, employee records) and write it down; buy a 1TB external hard drive and manually copy these files to it this week | Business owner or office manager | 2 days
1 → 2 | Create a one-page 'Data Criticality Matrix' labeling each type of data as Critical (business stops without it), Important (delays work), or Nice-to-Have; set a monthly calendar reminder to back up Critical and Important data; store the external drive in a separate locked cabinet | Business owner with IT support | 1 week
2 → 3 | Open a free account with Google Drive, OneDrive, or Dropbox; set up automatic sync of your Critical data folder; perform a test recovery by deleting a non-essential file, recovering it from backup, and documenting the steps taken; repeat the test in 6 months | IT person or designated staff member | 2-3 weeks
3 → 4 | Purchase and configure backup software (Vembu or Acronis with a 1-2 year license) to automate daily backups of servers and key PCs; enable encryption; set up email alerts when backups fail; run a full recovery drill on one non-critical system and document the time taken and any issues | IT manager or hired consultant | 4-6 weeks
4 → 5 | Implement automated backup orchestration with a real-time monitoring dashboard; define Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets for each data class; schedule and execute documented recovery drills quarterly; update the Disaster Recovery Plan annually based on drill results and business changes; obtain management sign-off | IT director with external audit support | Ongoing quarterly and annual reviews
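One way to put the 2 → 3 and 3 → 4 steps into practice (a scheduled test restore, a Backup Verification Log entry, and an alert when a data class misses its RPO) is a small script like the one below. It is an added example, not part of the NIRMATA guide or any vendor tool; the MATRIX values, file names and paths are constructed for the demo.

```python
"""Backup verification driven by a Data Criticality Matrix (added example)."""
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

# Hypothetical matrix: class -> RPO in hours (daily for Critical, weekly for
# Important). A real one is taken from the organisation's own document.
MATRIX = {"Critical": {"rpo_hours": 24}, "Important": {"rpo_hours": 168}}

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def backup(src, dest_dir, data_class):
    """Write <class>-<epoch>.tgz plus a JSON manifest of per-file SHA-256s."""
    archive = Path(dest_dir) / f"{data_class}-{int(time.time())}.tgz"
    manifest = {p.name: sha256(p) for p in Path(src).iterdir() if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=data_class)
    archive.with_suffix(".json").write_text(json.dumps(manifest))
    return archive

def verify_restore(archive, data_class, sample_name):
    """Restore one file to scratch space and compare it with the manifest hash."""
    manifest = json.loads(archive.with_suffix(".json").read_text())
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
        member = tar.getmember(f"{data_class}/{sample_name}")
        restored = Path(scratch, sample_name)
        restored.write_bytes(tar.extractfile(member).read())
        return sha256(restored) == manifest[sample_name]

def within_rpo(archive, data_class, now):
    """True if the archive is no older than the class's RPO at time `now`."""
    age_hours = (now - int(archive.stem.rsplit("-", 1)[1])) / 3600
    return age_hours <= MATRIX[data_class]["rpo_hours"]

def run_check(data_class="Critical", hours_later=0):
    """End-to-end run on constructed sample data; returns one log entry.
    `hours_later` simulates checking the backup that many hours afterwards."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        Path(src, "customers.csv").write_text("id,name\n1,Acme Exports\n")
        Path(src, "invoices.csv").write_text("no,amount\nINV-1,45000\n")
        archive = backup(src, dst, data_class)
        now = time.time() + hours_later * 3600
        entry = {"class": data_class, "archive": archive.name,
                 "restore_ok": verify_restore(archive, data_class, "invoices.csv"),
                 "within_rpo": within_rpo(archive, data_class, now)}
        entry["status"] = "OK" if entry["restore_ok"] and entry["within_rpo"] else "ALERT"
        return entry
```

Appending each returned entry to a file, and emailing any entry whose status is ALERT, gives the verification log and failure alerts the 3 → 4 step asks for.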
Evidence You Should Have

Documents and records that prove your maturity level.

  • Documented Data Criticality Matrix or Classification document listing which data is Critical, Important, and Nice-to-Have with business justification
  • Backup Schedule document or calendar showing frequency (daily, weekly, monthly) for each data class
  • Backup Verification Log with dates, times, and results of backup completion checks over the last 12 months
  • Test Recovery Report documenting at least two successful test restorations in the past 12 months, including files recovered, time taken, and any issues found
  • Backup System Configuration document or screenshot showing backup software settings, encryption status, storage locations (on-site and cloud), and retention policies
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your backup schedule—which data gets backed up, how often, and where is it stored? Show me evidence of backups from the last three months."
  • "How do you decide which data is important enough to back up? Can you show me your data classification or backup priority list?"
  • "Have you ever tested whether your backups actually work? Show me documentation of at least one successful recovery test in the past year."
  • "Where do you store your backups, and are they kept separate from your main systems so that if your office burns down or is hit by ransomware, you still have them?"
  • "If your main server failed tomorrow, how long would it take to be back in business? What is your Recovery Time Objective (RTO)?"
Tools That Work in India
Purpose | Free option | Paid option
Automatic backup of files and folders to the cloud with version history and recovery options | Google Drive, OneDrive, Dropbox (free tiers offer 5-15 GB; sufficient for many MSMEs) | Dropbox Business (₹15,000–20,000/year per user); Google Workspace (₹500–2,000/user/month including backup)
Full system and incremental backup for servers and PCs with encryption and scheduling | Bacula, Duplicati (open-source; requires technical setup) | Vembu Backup (₹30,000–80,000/year for SMB); Acronis True Image (₹8,000–15,000/year); Nakivo (₹40,000–120,000/year for business)
Monitoring and alerting when backups succeed or fail | Zabbix (open-source monitoring; requires setup) | Backup monitoring built into Vembu or Acronis; or standalone Nagios XI (₹25,000–50,000/year)
Secure offsite cloud backup with compliance certifications suitable for Indian businesses | AWS S3 free tier (5 GB/month for 12 months, then paid) | AWS S3 (₹500–2,000/month depending on storage and transfer); Microsoft Azure Backup (₹2,000–10,000/month); CloudSigma India (₹5,000–15,000/month)
Documentation and checklist template for backup and recovery procedures | Google Docs or LibreOffice templates (create your own) | Drata or Vanta provide compliance and backup documentation templates (₹50,000+/year)
How This Makes You More Resilient
When backups are properly tiered by business importance, a ransomware attack, hardware failure, or accidental deletion no longer means permanent loss of critical customer and financial data. Your business can recover operations in hours or days instead of weeks, preventing massive revenue loss and damage to customer trust. You also meet statutory requirements for data retention (GST, labor records, income tax) and pass customer and bank security audits without panic.
Common Pitfalls in India
  • Backing up everything equally instead of prioritizing: Many Indian MSMEs back up gigabytes of email attachments and temporary files but skip customer databases because they assume 'it's always there.' When the database server crashes, months of customer order data is lost.
  • Storing backups in the same physical location as the main systems: A Delhi office backs up servers to an external drive kept in the same server room. A fire, flood, or theft wipes out both the live system and backup together.
  • Never testing if backups actually work before disaster strikes: A Bangalore IT service company backs up data weekly but discovers during a real incident that the backup software was misconfigured and restoring takes 48 hours instead of 2 hours, causing massive SLA violations and cancelled customer contracts.
  • Relying on a single person who leaves or gets ill: The IT manager is the only one who knows the backup passwords, recovery procedure, and where offsite backups are stored. When he resigns, the company cannot restore data during an emergency.
  • Using personal cloud accounts (Gmail, personal Dropbox) instead of business accounts: A founder backs up customer lists to their personal Google Drive. When the account is locked due to suspicious activity, the business cannot access critical data for a week.
Compliance References
Standard | Relevant section
DPDP Act 2023 | Section 8 (data processor obligation to maintain security); Schedule 2 (principles of security and accountability); reasonable security measures include redundancy and disaster recovery
CERT-In Guidelines 2022 | Appendix B (backup and recovery procedures); Direction 4 (critical systems must have backup and recovery plan)
ISO 27001:2022 | Annex A.12.3.1 (information backup); Annex A.17.1.1 (business continuity planning and testing)
NIST CSF 2.0 | Govern (GV) – Information Risk Management; Protect (PR.IP) – Processes and Procedures; Detect (DE) – Anomalies and Events

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security · trustinbharat.org