NCSRC NIRMATA
APS-11 · Infrastructure Security · 12% of OML score

Are backups available for critical applications or their data?

Do you have copies of your important business data and applications saved somewhere safe, so that if your computers crash or get hacked, you can get back to work quickly? This question checks whether you're protecting yourself from losing everything.

Why This Matters to Your Business

If your main business computer or server fails and you have no backup, you lose all your customer records, invoices, inventory data—everything stops. An export company in Mumbai lost 6 months of shipping documents when their single server died; they couldn't fulfill orders for 3 weeks and lost ₹40 lakhs in business. Without backups, a ransomware attack forces you to pay criminals, lose data permanently, or shut down. Customers and banks will lose trust in you if you cannot prove you protect their data.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no backup system at all. When someone asks where your backups are stored, no one has a clear answer.

Level 1
Initial

You occasionally copy files to an external hard drive that sits on someone's desk, but there's no written plan for when or how often this happens. You don't test whether the backups actually work.

Level 2
Developing

You have a regular backup schedule (weekly or monthly) to an external drive or cloud storage, and you've tested it once to confirm data can be restored. You have a basic list of which applications and data need backing up.

Level 3
Defined

You back up critical data at least weekly, store backups in two different locations (one offsite), test restoration quarterly, and have a documented backup and recovery plan that everyone knows about. You track which backups succeeded or failed.

Level 4
Managed

You use automated daily backups to both cloud and local storage, test full recovery every month, have a tested disaster recovery plan with a maximum downtime target (e.g., 4 hours), and monitor backup health in real time. Your backups are encrypted and access is logged.

Level 5
Optimised

Backups are fully automated across multiple cloud regions, tested monthly with actual recovery scenarios, integrated into your disaster recovery plan with real-time monitoring and alerts, and you can recover any data from any point in time in under 1 hour. Backup compliance is audited quarterly and documented.

How to Move Up — Practical Steps

Step 0 → 1
  What to do: Identify which 5-10 files and applications are most critical to your business (customer database, invoices, product designs, etc.). Buy a 1TB external hard drive (₹2,500–₹4,000). Copy those files manually to the drive once a week on a fixed day.
  Who: Business owner or IT person
  Effort: 1 day

Step 1 → 2
  What to do: Document which data needs backing up and create a simple one-page backup checklist (day, time, person responsible). Test restoring one file from your backup to confirm it works. Set a phone reminder for backup day each week.
  Who: IT person or owner
  Effort: 3 days

Step 2 → 3
  What to do: Sign up for a cloud backup service (Google Drive, Microsoft OneDrive, or Acronis). Set up automatic daily backups of critical folders. Keep the external hard drive but move it to a different office or home location. Write a one-page 'What to do if data is lost' procedure and share it with your team.
  Who: IT person
  Effort: 1 week

Step 3 → 4
  What to do: Set up automated backup software (Veeam, Acronis, or Backblaze) that backs up your computers and servers daily without manual work. Enable encryption for all backups. Schedule monthly restoration drills (practice recovering a file or full system). Create a Disaster Recovery Plan document with recovery time targets.
  Who: IT consultant or IT person
  Effort: 2–4 weeks

Step 4 → 5
  What to do: Implement multi-region cloud backup with automatic failover, set up real-time backup monitoring with email alerts, conduct quarterly full recovery drills with business team participation, maintain detailed backup audit logs, and review backup strategy with an external auditor annually.
  Who: IT manager or external consultant
  Effort: Ongoing (monthly reviews, quarterly drills)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Backup Policy document listing which applications and data are backed up, how often, and where backups are stored
  • Backup Schedule log or calendar showing dates backups were taken (manual or automated log from backup software)
  • Backup Test Report dated within the last 6 months confirming successful restoration of at least one critical file or database
  • Disaster Recovery Plan (even 2–3 pages) with steps to restore business operations, assigned roles, and target recovery time
  • Backup Inventory list identifying all critical systems (accounting software, CRM, inventory database, etc.) and their backup status
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "What is your current backup frequency, and where are backups stored? Can you show me a backup log or report from the last 30 days?"
  • "When did you last test whether your backups actually work? Can you show me evidence of a successful restore test?"
  • "If your main server failed today, how long would it take you to get back to work, and what is your procedure to restore from backup?"
  • "Are your backups stored in more than one location? If your office burns down, can you still access your data?"
  • "Who is responsible for backups in your organization, and how do you verify backups are completed successfully?"
Tools That Work in India

Cloud backup and file sync for small teams
  Free option: Google Drive (15 GB free), Microsoft OneDrive (5 GB free); adequate for startups with limited data
  Paid option: Acronis Cyber Protect (₹3,500–₹8,000/year), Backblaze (₹4,000–₹6,000/year)

Automated server and computer backup
  Free option: Bacula (open-source, requires technical setup), rsync (Linux command-line tool)
  Paid option: Veeam Backup & Replication (₹1,50,000–₹5,00,000/year depending on scale), Carbonite (₹8,000–₹15,000/year)

Local external storage and network-attached storage (NAS)
  Free option: None (hardware purchase required)
  Paid option: External Hard Drive 2TB (₹4,000–₹7,000), Synology NAS (₹30,000–₹80,000), QNAP NAS (₹25,000–₹70,000)

Backup monitoring and reporting
  Free option: Nagios Core (open-source, requires IT skills)
  Paid option: Acronis Cyber Cloud (includes monitoring, ₹5,000–₹20,000/year), Veeam Backup & Replication (included)

Disaster recovery and business continuity planning software
  Free option: SimpleRisk (open-source risk framework)
  Paid option: Datto BCDR (₹2,00,000+/year), Zerto (₹1,50,000+/year)
How This Makes You More Resilient
With working backups, you can restore your business to normal operations within hours instead of days or weeks when something goes wrong. You become less vulnerable to ransomware extortion because you don't have to pay criminals to get your data back. Customer trust and your reputation stay intact because you can prove you protect their information even during a crisis.
Common Pitfalls in India
  • Backup stored in the same office or on the same desk as the main computer—if there's a fire, flood, or theft, both are lost together. Move backups offsite (home, another office, or cloud).
  • No one tests backups, so when disaster strikes, the backups don't work or are corrupted. Test at least once every 6 months by actually restoring a file.
  • Backups happen manually and inconsistently because there's no schedule or assigned person. Automate backups or set a strict calendar reminder that someone must follow.
  • Using only one backup method (only external drive, or only cloud). If that one method fails, you have nothing. Use at least two: local external drive + cloud storage.
  • No encryption on backups, so if a backup device is stolen or cloud account is hacked, sensitive customer data is exposed. Always encrypt backups.
  • Keeping backups forever without a retention plan, leading to massive storage costs and confusion about which version to restore from. Keep backups for at least 6 months; older backups can be deleted.
Compliance References

DPDP Act 2023: Section 8 (data security) requires organizations to implement technical and organizational measures including backup and recovery mechanisms to protect personal data
CERT-In Directions 2022: Clause 4.3 mandates maintaining regular backups in geographically separate locations for critical data and systems
ISO 27001:2022: Annex A.12.3.1 (Data backup) and Section 8.14 (backup of information)
NIST CSF 2.0: Govern (GV.RR-1 Backup and Recovery Procedures), Protect (PR.DS-1 Data Security Management)

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security