BCR-06 · Business Continuity & Resilience · 4% of OML score

Are alternative work arrangements possible if normal operations are disrupted?

This question asks: if your office becomes unusable (flood, power outage, internet down, pandemic lockdown), can your team work from home or another location and keep the business running? It's about having a backup plan so a single disruption doesn't stop everything you do.

⚡
Why This Matters to Your Business

Without alternative work arrangements, any office disruption (monsoon flooding in Mumbai/Bangalore, internet provider failure, local lockdown, or even a fire) completely stops your business—you lose revenue, miss customer deadlines, and may breach service level agreements (SLAs) with clients. For example, a manufacturing export company in Surat lost ₹40 lakhs in orders when floods blocked office access for 5 days and staff couldn't access inventory records stored only on desktop computers. Customers expecting shipments canceled orders, and the company couldn't even communicate status updates because phone numbers and email contact lists were only in the office. Regulatory bodies like CERT-In now expect critical infrastructure and data handlers to have continuity plans, and auditors reviewing your security posture will note the absence of this as a significant gap.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You find that no one in the office has discussed working remotely, and there is no policy or plan in place. If staff came to the office and it was locked or flooded, they would simply not know what to do or where to work.

Level 1
Initial

You find that a few senior staff members have informal permission to work from home occasionally, but there is no documented policy, no VPN or remote access system set up, and most team members have never tried it. If the office became unavailable, only one or two people could work remotely.

Level 2
Developing

You find a written work-from-home policy exists and some staff have laptops or remote access capability, but it has not been tested, security controls like VPN are not enforced, and critical files may not be accessible remotely. The policy is used only for casual sick days, not for actual disaster scenarios.

Level 3
Defined

You find a tested remote work setup where most staff can access essential systems and files via VPN or cloud storage, a documented work-from-home policy is in place, and a basic business continuity plan mentions remote work as an option. However, the setup is not regularly tested under stress, and some older staff or processes are still dependent on being in the office.

Level 4
Managed

You find that remote work infrastructure is well-established and regularly tested (at least twice yearly), most business-critical functions have been mapped to remote-capable processes, staff are trained, and a formal business continuity plan includes detailed remote work scenarios with clear escalation paths. However, there is no continuous monitoring of remote work effectiveness or data protection during remote access.

Level 5
Optimised

You find that remote work capability is continuously monitored and improved, all critical functions have documented remote work procedures that are tested quarterly, staff receive annual training, remote access security is regularly audited, and the business continuity plan is actively maintained with lessons learned from real disruptions or drills. Alternative locations (like a co-working space or partner office) are also pre-arranged and tested.

🚀
How to Move Up — Practical Steps

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Hold a 2-hour meeting with the owner/director and IT person (or external IT consultant at ₹2,000–5,000 per hour) to discuss what would happen if the office was unavailable for 3 days. Identify 2–3 critical roles that could work remotely and assign them laptops or access to personal devices. Write a simple one-page 'Remote Work During Emergency' memo and share it with staff. | Business owner + IT person | 1 day |
| 1 → 2 | Set up a free VPN (WireGuard or OpenVPN) or a low-cost cloud file-sharing service (Google Workspace or Microsoft 365 Basic at ₹500–1,000/month for small teams). Create a formal Remote Work Policy (use NIRMATA template or Indian government DSCI guidelines). Test that 3–5 staff can log in and access one critical file. Document the test results. | IT person or external consultant | 1 week |
| 2 → 3 | Conduct a Business Impact Analysis (BIA)—list all critical business functions (e.g., customer orders, invoicing, payroll, technical support) and map which can and cannot be done remotely. Document the gaps (e.g., 'signature authority requires physical presence'). Create a 2–3 page Business Continuity Plan that includes remote work as a specific scenario with clear responsibilities, communication tree, and estimated recovery time objectives (RTO: target time to resume each function). | Business owner + IT person + Operations manager | 2–4 weeks |
| 3 → 4 | Implement a half-day or full-day 'remote work simulation drill' (e.g., announce that the office will be closed tomorrow; staff must work from home using the remote setup). Document what failed, what worked, and update the plan. Upgrade remote access security: enforce multi-factor authentication (MFA) on VPN and cloud accounts. Create a Remote Work Security Checklist (e.g., 'use HTTPS only,' 'lock screen when away from device,' 'no sensitive data on personal devices'). Train all staff on this checklist in a 30-minute session. | IT person + HR/Operations | 1–2 months (including training and remediation) |
| 4 → 5 | Run quarterly remote work drills with different scenarios (e.g., 'office flooded,' 'internet down at HQ,' 'key staff member unavailable'). After each drill, conduct a retrospective and update the plan. Monitor remote access logs monthly for anomalies; use a SIEM tool (free option: Wazuh; paid: Splunk or similar at ₹3–10 lakhs/year for small deployments) to track login attempts, failed authentications, and data transfers. Identify and pre-arrange an alternative physical location (co-working space, partner office, or rented space) as a backup if multiple staff need to work together during a major disruption. Update the plan annually based on staff feedback and changing business needs. | IT person + Business continuity lead + External auditor (annual review) | Ongoing (4–6 hours/quarter for drills; 2–3 hours/month for monitoring and updates) |

📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed, dated Remote Work Policy document that lists eligible staff, approved devices, security requirements (VPN, MFA, encryption), and approval process
  • Business Continuity Plan (BCP) with a section on 'Alternative Work Arrangements' including recovery time objectives (RTOs) for critical functions, contact tree, and remote work procedures for at least 5 critical roles
  • Test results document or email from the last remote work drill (date, staff who participated, functions tested, issues encountered, resolution)
  • List of staff with remote access capability, including the date their accounts were set up, devices assigned, and last MFA verification
  • Remote Work Security Checklist, staff training attendance record, and any incident logs related to remote work (e.g., 'failed login from unusual location,' 'data protection breach during remote access')
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your Remote Work Policy and walk me through how staff would be authorized to work from home during an emergency?"
  • "If your office became unavailable right now, which business functions could continue within 24 hours, and which would be delayed? Show me the documented business continuity plan."
  • "Demonstrate to me that remote access (VPN or cloud file-sharing) is actually set up and working. Can you log in from a remote location and access a customer file?"
  • "When was the last time you tested remote work at scale, and what problems were discovered and fixed?"
  • "What security controls are in place to protect data when staff work remotely (e.g., VPN encryption, multi-factor authentication, endpoint protection)?"
🛠
Tools That Work in India

| Purpose | Free Option | Paid Option |
|---|---|---|
| Remote access and file sharing—allows staff to securely log in and access files from home | Google Workspace (1 user free; ₹600/month for business), Nextcloud (self-hosted, free but requires IT setup), WireGuard VPN (free, open-source, requires technical setup) | Microsoft 365 Business Basic (₹600–800/month/user), Cisco AnyConnect VPN (₹2–5 lakhs/year for 20 users) |
| Multi-factor authentication—adds a second verification step so only authorized staff can access remote systems even if a password is compromised | Microsoft Authenticator app (free with Microsoft 365), Google Authenticator (free), Authy (free) | Okta or Azure AD Premium (₹1–3 lakhs/year for small business) |
| Business continuity planning and drill scheduling—templates and tools to document and test remote work procedures | NIRMATA BCP template (from MeitY website), Google Docs or LibreOffice Writer (free), Lucidchart free tier (basic flowcharts) | BC Continuity software like Stratus or Plan (₹50k–2 lakhs/year for SMEs) |

🛡
How This Makes You More Resilient
When alternative work arrangements are in place and tested, your business can absorb short disruptions (a few days to 1–2 weeks) without significant revenue loss or customer impact—during monsoons, internet outages, or unexpected lockdowns, critical staff stay productive. Your team's ability to serve customers and maintain financial operations under stress protects your reputation and gives you a competitive advantage over competitors without continuity plans. For regulated industries (finance, healthcare, data processing), having a documented and tested remote work capability is often a compliance requirement and a factor in winning larger customer contracts or audit approvals.
⚠️
Common Pitfalls in India
  • Assuming remote work means staff can use personal email accounts or unsecured devices—this creates data leakage and compliance violations. Always enforce company email, VPN, and device encryption mandates.
  • Setting up remote access but never testing it—the first real disruption will reveal that passwords don't work, files are inaccessible, or VPN is too slow, causing panic. Test at least twice yearly under 'real' conditions (actually close the office for a day).
  • Creating a Business Continuity Plan and filing it away without updating or sharing it—plans become outdated when staff leave, systems change, or roles shift. Review and drill the plan every 6 months and update it within 2 weeks of any major change.
  • Focusing remote work policy only on senior staff—if only the director can work remotely and they get sick, operations still stop. Map remote work capability to critical functions, not just seniority.
  • Ignoring internet and power backup during remote work—in India, internet shutdowns, load-shedding, and power cuts are common. Consider offline data synchronization tools (e.g., Syncthing) and backup connectivity (4G mobile hotspot or second ISP) for critical staff.
⚖️
Compliance References

| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(1) (Data Fiduciary must implement technical and organizational measures including business continuity) and Schedule 1 (data principal rights include ensuring data is available) |
| CERT-In 2022 | Directions 3 (shall create an information security policy) and 4 (shall create a business continuity and disaster recovery plan) for all data centers and intermediaries |
| ISO 27001:2022 | A.5.10 Information security in supplier relationships, A.5.16 Information security in project management, A.8.31 Responsibility and authority for information security, and A.6.5 Information security incident management |
| NIST CSF 2.0 | GOVERN function (GV.RO-02: Establish and communicate roles, responsibilities, and accountabilities), PROTECT function (PR.DS-02: Data is protected at rest and in transit), and RECOVER function (RC.CO-01: Recovery plan(s) and recovery procedures are executed and maintained) |


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
