Without backups, a ransomware attack, hard drive failure, or accidental deletion can shut down your entire business for weeks—costing you lost sales, angry customers, and permanent damage to your reputation. A manufacturing unit in Bengaluru lost ₹12 lakhs in a single week after a ransomware attack because they had no backups and could not fulfill orders. Banks and large customers now ask for proof of backup capability before signing contracts with you, and insurance claims may be rejected if you cannot show backups were in place. Regulatory bodies like CERT-In expect critical sectors to have backup and recovery plans in writing.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | Description |
|---|---|
| Absent | You have no backup process in place. Your team stores files only on individual computers or a shared folder, and if the system fails, there is no copy to restore from. |
| Initial | You manually copy files to an external hard drive once or twice a month, but there is no written schedule and no one checks if the backups are actually working or readable. |
| Developing | You have a basic backup schedule using an external hard drive or a simple cloud service like Google Drive, backups happen weekly, and you have tested restoration at least once. |
| Defined | You use automated backup software (cloud-based or local) that runs daily, backups are stored both locally and offsite, and you test restores quarterly with a documented checklist. |
| Managed | You have a documented Backup and Disaster Recovery Plan that covers all critical systems, backups run automatically multiple times daily with encryption, offsite redundancy is in place, and monthly restore drills are conducted with sign-offs. |
| Optimised | Your backup infrastructure includes geographically redundant offsite storage, real-time replication for critical systems, automated backup validation and integrity checks run daily, and quarterly full recovery exercises are documented with lessons learned reviewed by leadership. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Purchase a 2TB external hard drive, designate one person to manually copy all shared folders and critical databases to it every Sunday evening, and write this down as a simple one-page checklist. | Business owner or accountant | 1 day |
| 1 → 2 | Sign up for a low-cost cloud backup service (Google Workspace, OneDrive, or Acronis), configure automatic daily backups of file servers and databases, test a full restore of a sample folder to a clean computer, and document the steps in a simple one-page guide. | IT person or designated employee | 1 week |
| 2 → 3 | Evaluate and implement automated backup software (Acronis, Veeam Backup Free, or similar), set up dual backup destinations (local NAS and cloud), create a quarterly backup restoration test schedule with a sign-off sheet, and document the Backup Procedure in a one-page reference guide. | IT person or external consultant | 2-4 weeks |
| 3 → 4 | Write a formal Backup and Disaster Recovery Plan document that includes: critical systems list, backup frequency per system, offsite storage location, retention policy, recovery time objectives (RTO), and monthly restore drills with sign-offs. Train all relevant staff on the plan. | IT person with management review | 1-2 months |
| 4 → 5 | Implement geographically distributed backup storage (e.g., cloud region in different city), set up automated backup integrity checks and monitoring alerts, conduct quarterly full recovery exercises with different scenarios, and review lessons learned in monthly management meetings. | IT person and leadership | Ongoing |
Documents and records that prove your maturity level.
- Written Backup Policy or Procedure document that lists what gets backed up, how often, and where it is stored
- Backup Schedule showing which systems are backed up and at what frequency (daily, weekly, monthly)
- Backup Log or monitoring report showing when each backup ran, size, and success/failure status for the last 90 days
- Documented Backup Restore Test Results with date, systems tested, time taken to restore, and sign-off from the person who performed the test
- Disaster Recovery or Business Continuity Plan that includes Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems
Prepare for these questions from customers or third-party reviewers.
- "Show me your backup procedure and tell me how often backups are taken. Can you show me the last month of backup logs?"
- "When was the last time you actually tested whether a backup could be restored? Show me the test results and the date."
- "Where are your backups stored? Are they kept in a different location from your office in case there is a fire or flood?"
- "What critical business data or systems are included in your backup plan? Do you know your Recovery Time Objective (how long you can afford to be down)?"
- "If your main server failed today, how long would it take to restore operations, and how much data would you lose?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Automatic daily backups of files and folders to cloud storage | Google Drive (15 GB free), Microsoft OneDrive (5 GB free), or Nextcloud (self-hosted, no cost) | Google Workspace (₹480–1,200/user/month), Microsoft 365 (₹600–2,500/user/month), or Acronis Cyber Protect (₹5,000–15,000/year) |
| Full system and database backup with encryption and scheduling | Veeam Backup Free (limited to 30 VMs), AOMEI Backupper Standard, or Bacula (open-source) | Acronis Cyber Protect (₹8,000–20,000/year), Veeam Backup & Replication (₹100,000+/year), or Commvault (custom pricing) |
| Cloud storage for offsite backup copies with version history | Wasabi (first bucket free), AWS S3 (limited free tier, then ₹1,200+/month), or Backblaze B2 (₹6/month per 100 GB) | AWS S3 (₹1,200–5,000/month depending on storage), Microsoft Azure (₹3,000–10,000/month), or Google Cloud Storage (₹2,400–8,000/month) |
- Backing up only to a local external hard drive kept in the same office—if there is a fire, flood, or theft, both the original and backup are lost. Always keep at least one copy offsite (cloud or another location).
- Never testing backups until disaster strikes—backups can become corrupted or incomplete over time without anyone noticing. Set a calendar reminder to restore a sample file every three months just to verify it works.
- Keeping backups for only 2–3 weeks—if a ransomware infection goes undetected for a month, your recent backups will also be encrypted and useless. Maintain at least 30 days of daily backups or 12 months of weekly backups depending on your business risk.
- Assuming the IT person 'knows' about backups without documentation—if that person leaves or is sick, no one else will know how to restore. Write a simple one-page backup guide and keep it in a shared folder or printed copy.
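As an added example (not part of this page or of the NIRMATA framework), the script below turns the steps table, the backup log evidence item and the retention and test-restore points above into one runnable routine: a daily archive with an integrity check, a log line recording date, size and success/failure, a sample restore, and pruning of copies older than 30 days. It assumes a Linux host with GNU coreutils, tar and gzip; the SRC, DEST and LOG paths are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Daily backup with verification, logging and retention (constructed example).
# SRC  = folder to protect, DEST = backup location (e.g. a mounted NAS path),
# LOG  = backup log kept as audit evidence. All three are placeholder paths.
SRC="${SRC:-/var/data}"
DEST="${DEST:-/mnt/nas/backups}"
LOG="${LOG:-$DEST/backup.log}"
RETAIN_DAYS="${RETAIN_DAYS:-30}"   # keep at least 30 daily copies

# run_backup: archive SRC, confirm the archive is readable, record the result.
# Returns 0 only when the archive was written and passed the integrity check.
run_backup() {
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$DEST/backup-$stamp.tar.gz"
  mkdir -p "$DEST"
  status=FAIL
  if tar -czf "$archive" -C "$(dirname "$SRC")" "$(basename "$SRC")" 2>/dev/null \
     && gzip -t "$archive" 2>/dev/null \
     && tar -tzf "$archive" >/dev/null 2>&1; then
    status=OK
    # Record a checksum so later integrity checks can detect silent corruption.
    (cd "$DEST" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  fi
  size=$(wc -c < "$archive" 2>/dev/null || echo 0)
  # One log line per run: timestamp, OK/FAIL, archive path, size in bytes.
  printf '%s %s %s bytes=%s\n' "$(date -u +%FT%TZ)" "$status" "$archive" "$size" >> "$LOG"
  [ "$status" = OK ]
}

# verify_backup <archive>: re-check a stored archive against its checksum file.
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# restore_sample <archive> <path-inside-archive>: restore one file into a
# scratch directory to prove the backup can actually be read back.
restore_sample() {
  scratch=$(mktemp -d)
  tar -xzf "$1" -C "$scratch" "$2" 2>/dev/null && [ -f "$scratch/$2" ]
}

# prune_backups: delete archives (and their checksums) older than RETAIN_DAYS.
prune_backups() {
  find "$DEST" -name 'backup-*.tar.gz*' -type f -mtime +"$RETAIN_DAYS" -print -delete
}
```

Schedule `run_backup && prune_backups` from cron and keep the log; a quarterly `restore_sample` run with its result noted on the sign-off sheet covers the restore-test evidence item.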
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Storage and Processing) and Schedule 2 (Security Requirements) require that personal data be stored securely with protections against loss or damage |
| CERT-In 2022 Guidelines | Direction 5 (Backup Policy) requires organisations to maintain offsite backups and test recovery procedures at least annually |
| ISO 27001:2022 | Annex A 10.1.1 (Information backup) requires procedures to back up information, software, and configurations regularly, tested for integrity |
| NIST CSF 2.0 | Govern (GV.RR-01: Backup and Recovery Planning) and Protect (PR.DS-01: Data Backup) |