Without knowing your critical applications, you won't prioritize protection correctly, and recovery will be chaotic and expensive. For example, a textile exporter in Tiruppur lost 3 days of production when their ERP system was hit by ransomware—they didn't have backups because they didn't realize it was critical. A Delhi IT services firm failed a bank audit because they couldn't prove which applications handled customer data. When you don't know what's critical, you also can't plan backup systems, test disaster recovery, or comply with customer security requirements, which costs you contracts.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You don't have a documented list of critical applications. When someone asks what would shut down the business if it failed, people give different answers or guess.
Initial
You have a rough list of critical apps (maybe in someone's head or an old spreadsheet), but it's not organized, hasn't been updated in months, and no one regularly refers to it.
Developing
You have a written list of critical applications with basic information (name, owner, what it does), and you review it once a year. Some applications are marked by priority level.
Defined
You maintain an updated inventory of all critical applications with owner names, recovery time targets, and backup/disaster recovery plans documented. The list is reviewed quarterly and kept current.
Managed
Your critical application inventory is integrated with your risk assessments, monitoring, and backup systems. You test recovery procedures annually and update the list based on business changes within 30 days.
Optimised
Critical applications are continuously monitored and validated against business requirements. You conduct scenario-based testing twice yearly, automatically update the inventory when systems change, and share recovery priorities with vendors and key customers.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Call a meeting with the owner, finance head, and IT person (if you have one). Ask: 'If this application went down right now, how long could we operate without it?' Write down 5-10 applications people mention. Email this list to everyone and ask them to add anything missing. | Business owner or office manager | 2-3 hours (one half-day meeting plus email follow-up) |
| 1 → 2 | Create a simple Excel spreadsheet or Google Sheet with columns: Application Name, Owner Name, What It Does, Time Before Business Stops (hours/days), and Current Backup Status. Fill it in for each application on your list. Get the IT person or vendor to confirm the information is correct. | IT person or external IT support | 3-5 days (research and interviews) |
| 2 → 3 | Add columns to your spreadsheet: Recovery Time Objective (RTO, e.g., 4 hours), Recovery Point Objective (RPO, e.g., 1 hour of data loss is acceptable), and Disaster Recovery Plan (Y/N with notes). Assign someone to review and update this list every quarter. Document the review in a meeting minutes log. | IT person with business owner approval | 2-3 weeks (planning, documenting, setting up quarterly reminder) |
| 3 → 4 | Link your critical application list to your backup and monitoring systems. For each critical app, ensure automated daily backups are running and set up simple alerts (email or SMS) if the app goes down. Test recovery from backup for at least 3 critical applications and document the results. Schedule this testing quarterly. | IT person or hired consultant | 1-2 months (implementation and first round of testing) |
| 4 → 5 | Integrate critical application inventory with your overall risk management. Conduct tabletop exercises (simulated disaster scenarios) twice per year with key staff. Automate inventory updates by having IT flag new applications or changes in business processes monthly. Share criticality information with key software vendors and include recovery requirements in vendor contracts. | IT manager or consultant with business owner involvement | Ongoing (monthly and twice-yearly activities) |
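As an added illustration of the inventory the steps above build toward (example code, not part of the original guidance), the Python script below validates a critical-application spreadsheet exported as CSV against the RPO, annual recovery-test and quarterly-review expectations of the Defined and Managed levels, and derives the recovery order from RTO. The column names, applications, owners and dates are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical apps, owners, dates) using the columns recommended above.
INVENTORY_CSV = """\
Application Name,Owner Name,RTO Hours,RPO Hours,Backup Status,Last Backup,Last Recovery Test,Last Review
ERP,Priya,4,1,Daily to vendor cloud,2024-06-11T02:00,2024-03-05,2024-04-01
Accounting,Ravi,24,24,Weekly to external drive,2024-06-03T18:00,,2024-04-01
CRM,Anita,8,4,None,,,2023-11-15
"""
AS_OF = datetime(2024, 6, 11, 9, 0)    # constructed "today" for the sample data
REVIEW_INTERVAL = timedelta(days=90)   # list reviewed quarterly (Defined level)
TEST_INTERVAL = timedelta(days=365)    # recovery tested annually (Managed level)

def parse_ts(value):
    """ISO date or datetime cell -> datetime; empty cell -> None."""
    return datetime.fromisoformat(value.strip()) if value.strip() else None

def check_inventory(csv_text, now):
    """Return {application: [findings]} for rows that miss a control in the model."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        last_backup = parse_ts(row["Last Backup"])
        if row["Backup Status"].strip().lower() in ("", "none") or last_backup is None:
            issues.append("no backup configured or recorded")
        else:
            # A backup taken less often than the RPO allows can never meet that RPO.
            age_h = (now - last_backup).total_seconds() / 3600
            rpo_h = float(row["RPO Hours"])
            if age_h > rpo_h:
                issues.append(f"backup age {age_h:.1f}h exceeds RPO {rpo_h:.1f}h")
        last_test = parse_ts(row["Last Recovery Test"])
        if last_test is None:
            issues.append("recovery never tested")
        elif now - last_test > TEST_INTERVAL:
            issues.append("recovery test overdue")
        last_review = parse_ts(row["Last Review"])
        if last_review is None or now - last_review > REVIEW_INTERVAL:
            issues.append("quarterly review overdue")
        if issues:
            findings[row["Application Name"]] = issues
    return findings

def recovery_order(csv_text):
    """Applications sorted by RTO: the order to restore them after an outage."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["Application Name"] for r in sorted(rows, key=lambda r: float(r["RTO Hours"]))]
```

Run it against a real export after each quarterly review; an empty result means every listed application has a backup inside its RPO, a recovery test within the year and a review within the quarter.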
Documents and records that prove your maturity level.
- Written or spreadsheet inventory of critical applications with application name, owner/administrator, and business function
- Document showing Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each critical application
- Backup and disaster recovery plan for each critical application (can be simple: 'Daily backup to external drive' or 'Vendor maintains daily cloud backup')
- Quarterly review records or meeting minutes showing the critical application list has been reviewed and updated
- Test results from recovering a critical application from backup, with date and outcome documented
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your list of critical applications? How do you decide which apps are 'critical'?"
- "If your [application name] went down today, how long could you operate without it? How long would recovery take?"
- "Tell me about your backup plan for your critical applications. When was the last time you tested recovering from that backup?"
- "How often do you update your critical application list? Has anything changed in the last 3 months?"
- "If a critical application was hacked or corrupted, what is your plan to restore it? How quickly could you do it?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain inventory of critical applications and backup status | Google Sheets or Excel (free with Microsoft 365 subscription if you have it); LibreOffice Calc (open source, free download) | ServiceNow IT Asset Management (₹50,000+/year) or Atlassian Jira (₹15,000-30,000/year) |
| Automated daily backups of critical applications and files | Synology NAS with free backup software (requires hardware purchase, ₹15,000-40,000 one-time); Windows built-in File History (free); AOMEI Backupper Free (free download) | Vembu Backup (₹20,000-60,000/year); Acronis Cyber Protect (₹8,000-30,000/year) |
| Monitor if critical applications are running and send alerts when they go down | Uptime Kuma (free, open source, self-hosted); Grafana (free tier available) | Site24x7 by Zoho (₹3,000-25,000/year); New Relic (₹10,000+/year) |
- Assuming one person (usually the IT person) knows everything. When that person leaves or is absent, no one else knows which backups exist or where to find critical information.
- Creating a list once and never updating it, so it becomes useless when new applications are added or the business changes (e.g., moving order processing online, starting a new product line).
- Identifying applications as 'critical' without also planning their backup or recovery, so you have a nice list but no actual protection, and recovery is still chaotic when needed.
- Focusing only on software and forgetting about critical hardware (the server, internet connection, power supply), databases, or cloud services that support your applications.
- Not involving business department heads (sales, finance, operations) in deciding what's critical. Relying only on the IT person's view can miss what actually stops the business from making money.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2) requires security measures appropriate to processing of personal data; knowing critical systems that process data is foundational |
| CERT-In 2022 Guidelines | Direction 6 (System Hardening) and Direction 8 (Backup and Disaster Recovery) require organizations to identify and protect critical systems |
| ISO 27001:2022 | Clause A.8.2.3 (Information security roles and responsibilities) and Annex A 8.2.4 (asset responsibility) require knowing which systems are critical |
| NIST CSF 2.0 | Govern (GV.RO.01): Organizations identify and prioritize critical assets and services |