AD-20 Application & Product Security 6% of OML score

Has asset and data management been reviewed in the last 12 months?

This question asks: do you know what data and systems your business actually owns, where they are stored, and who can access them? And have you checked this list in the last 12 months to make sure nothing has been forgotten or abandoned?

Why This Matters to Your Business

Without knowing what data you have, you cannot protect it, and attackers or dishonest employees can steal it without anyone noticing. A manufacturing business in Bangalore discovered after a ransomware attack that they had customer payment data on an old server in a closet that nobody remembered—they could not even tell customers what was compromised, leading to reputation damage and lost contracts. If you cannot show regulators (CERT-In, tax authorities) that you know and control your data, you face fines and legal action. Unmanaged data also means compliance failures: you may be storing PAN numbers, Aadhaar details, or health records illegally without knowing it.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no list of what systems or data you own. When someone asks where customer data is stored, different people give different answers or nobody knows.

Level 1
Initial

You have made one quick list of servers and files, but it is on someone's laptop and nobody has looked at it since it was written. New data stores added in the past six months are not on the list.

Level 2
Developing

You maintain a list of systems and data locations that is updated when IT requests it, but there is no formal schedule for review. You know where most customer and financial data sits, but personal devices and small backup drives are sometimes forgotten.

Level 3
Defined

You have a documented register of all data stores and assets reviewed formally every six months. The list includes servers, databases, backups, external hard drives, and cloud storage, with owner names and sensitivity levels marked.

Level 4
Managed

Your asset and data register is maintained in a tracking tool or spreadsheet, reviewed every quarter with sign-off from IT and business heads. Entries include data type, location, owner, access controls, and retention period. New assets are added within one week of acquisition.

Level 5
Optimised

You have an automated inventory system that discovers and tracks assets continuously. The register is reviewed and certified every quarter, integrated with your access control system, and validated during third-party audits. Changes trigger automatic alerts to relevant stakeholders.

How to Move Up — Practical Steps

Step 0 → 1
What to do: Call an urgent meeting with the IT person, finance lead, and operations manager. Walk around the office and server room together. Write down on paper or in a simple spreadsheet every device, server, external drive, and cloud account you find. List what data each one holds.
Who: IT person or owner
Effort: 1 day

Step 1 → 2
What to do: Create a formal Asset Register spreadsheet with columns: Asset Name, Type (Server/Database/Cloud/Drive), Location, Owner, Data Type (Customer/Financial/HR/Other), Sensitivity Level (High/Medium/Low), Last Reviewed Date. Ask all department heads to confirm what they own. Set a calendar reminder for six-month reviews.
Who: IT person with input from all departments
Effort: 1 week

Step 2 → 3
What to do: Document a formal Data Asset Management Policy: define who adds new assets (with approval), who reviews the register (every 6 months), what information must be recorded for each asset, and consequences of not reporting new data stores. Have the policy signed by the owner and IT lead. Conduct the first formal review meeting and document attendance and sign-off.
Who: IT person with legal/compliance input
Effort: 2-4 weeks

Step 3 → 4
What to do: Move the Asset Register into a simple tracking tool (Google Sheets with access controls, Excel with password protection, or a free asset management tool). Add workflows: new asset form → IT approval → added to register → quarterly review cycle. Send reminders to department heads 30 days before each review. Document all changes with dates and approver names.
Who: IT person
Effort: 1-2 months

Step 4 → 5
What to do: Implement automated asset discovery using network scanning tools. Integrate the asset register with your access control system so that user access is linked to known assets. Conduct a third-party audit of the register annually. Create dashboards showing asset count, age, and review status. Establish automated alerts when new devices connect to the network.
Who: IT person with external IT consultant support
Effort: Ongoing
Evidence You Should Have

Documents and records that prove your maturity level.

  • Formal Asset and Data Register spreadsheet or database with at least: Asset name, type, location, owner, data classification, last review date, and sign-off
  • Written Data Asset Management Policy approved and signed by the business owner or director
  • Minutes or meeting notes from at least one formal asset review meeting in the past 12 months, showing who attended and what was reviewed
  • Record of quarterly or semi-annual review cycles (calendar invites, review checklists, or email confirmations)
  • Evidence of asset discovery and validation (e.g., IT network scan reports, server audit logs, cloud account inventory report from your cloud provider)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your complete list of data assets and systems. When was it last reviewed and by whom?"
  • "How do you ensure that new servers, databases, or cloud storage are added to your inventory? Give me an example from the past year."
  • "What is your process for reviewing this list? How often does it happen and who is responsible?"
  • "I will now scan your network for devices. Will every device that appears in my scan also appear in your asset register?"
  • "Do you know where all customer data is stored? Can you point me to each location and confirm the access controls?"
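The review cycle from the 3 → 4 step and the auditor's scan question above, as an added example that is not part of the NIRMATA guide: a small Python script that flags register entries past the six-month review window and scanned hosts with no register entry. The register columns follow the 1 → 2 step; the extra IP column, the sample rows, the scan export layout and the 182-day interval are constructed assumptions.

```python
# Added example (not from the NIRMATA guide): reconcile an asset register
# against a network scan export and flag entries whose review is overdue.
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample register. Column names follow the guide's 1 -> 2 step;
# the extra IP column is an assumption so scan results can be matched.
REGISTER_CSV = """Asset Name,Type,Location,Owner,Data Type,Sensitivity Level,Last Reviewed Date,IP
erp-db,Database,Server room,Finance lead,Financial,High,2024-01-15,192.0.2.10
file-srv,Server,Server room,IT person,Customer,High,2024-06-20,192.0.2.11
hr-drive,Drive,HR cabinet,HR head,HR,High,2023-11-02,
"""

# Constructed sample scan export (host,ip), as a discovery tool might produce.
SCAN_CSV = """host,ip
erp-db,192.0.2.10
file-srv,192.0.2.11
unknown-nas,192.0.2.57
"""

REVIEW_INTERVAL_DAYS = 182  # the guide's six-month review cycle (Level 3)

def load_register(text):
    """Parse the register CSV into a list of row dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))

def overdue_assets(register, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Names of assets whose Last Reviewed Date is older than the review interval."""
    cutoff = today - timedelta(days=interval_days)
    return [r["Asset Name"] for r in register
            if date.fromisoformat(r["Last Reviewed Date"]) < cutoff]

def unregistered_hosts(register, scan_text):
    """Scanned IPs with no register entry: the gap an auditor's scan would expose."""
    known = {r["IP"] for r in register if r["IP"]}
    return [row["ip"] for row in csv.DictReader(StringIO(scan_text))
            if row["ip"] not in known]

def reconcile(register_text=REGISTER_CSV, scan_text=SCAN_CSV, today=date(2024, 9, 1)):
    """Run both checks; a non-empty result is what should trigger a stakeholder alert."""
    register = load_register(register_text)
    return {"overdue": overdue_assets(register, today),
            "unregistered": unregistered_hosts(register, scan_text)}

if __name__ == "__main__":
    for check, findings in reconcile().items():
        print(f"{check}: {findings or 'none'}")
```

Run it against a real register export and scanner output with a fixed today date; any name in "overdue" goes on the next review agenda and any IP in "unregistered" needs an owner before the auditor asks.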
Tools That Work in India

Purpose: Create and maintain the Asset Register in a secure, organised way
Free option: Google Sheets (with view/edit restrictions), LibreOffice Calc (offline spreadsheet), or Nextcloud (self-hosted cloud spreadsheet). Free for small teams.
Paid option: Microsoft Excel 365 (₹6,000–8,000/year per user), Airtable (₹3,000–10,000/year for small base), Zoho Inventory (₹2,500–6,000/month)

Purpose: Automatically discover what devices and systems are connected to your network
Free option: Angry IP Scanner (free network discovery), Zenmap/Nmap (free port scanning, command-line), PRTG Network Monitor Community Edition (up to 100 sensors free)
Paid option: SolarWinds Orion (₹4,00,000+/year), ManageEngine OpManager (₹1,50,000–5,00,000/year), Tenable Nessus Professional (₹2,00,000/year)

Purpose: Track and manage asset lifecycle and maintenance schedules
Free option: Snipe-IT (open-source asset management, self-hosted), OCS Inventory NG (free asset inventory management)
Paid option: Ivanti (₹5,00,000+/year), ServiceNow (₹8,00,000+/year), Jira Service Management (₹5,000–50,000/month depending on users)
How This Makes You More Resilient
When you know exactly what data you own and where it is, you can respond faster to a breach because you know what was at risk and can notify affected customers and regulators without confusion or delays. You reduce the risk of ransomware spreading silently across unknown systems, and you can implement security controls (encryption, access limits, backups) on all your actual data—not just what you remember. Your insurance, audit, and customer trust all improve because you can prove you are in control.
Common Pitfalls in India
  • Creating a list once and never updating it: Indian businesses often do an audit exercise once and then forget about it. New servers, cloud accounts, and personal devices are added without being recorded. Set a calendar reminder—put it in your phone.
  • Forgetting about old backups and shadow data: Many MSME owners keep backups on personal laptops, old servers in a closet, or USB drives given to employees. These are forgotten in the asset list but still contain sensitive data that nobody is protecting.
  • Not including personal devices and BYOD data: Employees work from home, store files on their phones and personal laptops, and use WhatsApp or personal email for business. These are not in the IT inventory but may contain customer data, making them a compliance and security risk you do not even know about.
  • Keeping the list only on the IT person's computer: If your one IT person leaves, retires, or falls ill, the list disappears. Store it in a shared, secure location (cloud, shared drive) with backup copies.
Compliance References

DPDP Act 2023: Section 8 (Purpose and lawfulness of processing) and Schedule II (Reasonable security practices). You must know what personal data you hold and where it is to comply with data subject rights and security obligations.

CERT-In 2022 Directions: Direction 4 (Inventory of IT Assets) and Direction 5 (Baseline Security Practices). Entities must maintain and review an inventory of all IT assets and data.

ISO 27001:2022: Annex A.5.9 (Access control) and A.8.1 (Asset management). Organisations must identify, classify, and manage information assets.

NIST CSF 2.0: Govern > GV.RO.01 (Review organizational context, critical objectives, and dependencies). Asset management is foundational to governance and risk identification.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security