CTA-07 · Culture, Training & Awareness · 8% of OML score

Are mistakes or near-misses used as learning opportunities rather than punishment?

When your employees or team members make a security mistake or almost cause a problem, do you help them learn from it, or do you punish them? This question asks whether your business culture encourages people to report problems and talk about what went wrong so everyone learns, rather than hiding mistakes because they're afraid of getting in trouble.

Why This Matters to Your Business

When employees fear punishment for mistakes, they hide security problems instead of reporting them. A common Indian MSME scenario: an accountant clicks a phishing email link and realises it looks suspicious, but stays silent because the owner has a reputation for blaming people. Three weeks later, that same link lets a hacker access your customer payment data, and now you face a regulatory fine under the DPDP Act plus loss of client contracts. Without a culture of learning from near-misses, small security gaps become expensive breaches. Your business also fails security audits when customers ask 'show us how you handle mistakes'—because you have no documented process.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

Employees caught making security mistakes are fired or publicly humiliated, and incidents are not reported to leadership at all. People who nearly fell for a phishing scam stay quiet because they fear losing their job.

Level 1
Initial

You acknowledge that mistakes happen, and they are occasionally discussed, but usually only after someone gets caught or blamed. There is no formal process for reviewing what went wrong or how to prevent it next time.

Level 2
Developing

You have a basic written rule that mistakes should be reported without fear of punishment, and managers know they should ask 'what happened' instead of 'who did this'. Occasionally incidents are reviewed in team meetings, but there is no consistency or documentation.

Level 3
Defined

You have a clear no-blame incident review process documented in your security or HR policy, and all managers are trained to use it. When mistakes happen, your team documents what occurred and discusses lessons learned in a recorded meeting.

Level 4
Managed

Your incident review process is followed consistently, tracked in a log, and results in documented lessons that are shared across teams and used to improve training. Employees actively report near-misses because they trust the process, and improvement actions are followed up.

Level 5
Optimised

Your no-blame culture is embedded in daily operations, and auditors can see a rich history of reported incidents and near-misses being reviewed and acted upon. Employee surveys show high confidence in reporting, and you measure whether this culture reduces undetected security gaps.

How to Move Up — Practical Steps

Step | What to Do | Who | Effort
0 → 1 | Hold one meeting with leadership to agree that punishment-based responses to mistakes will stop, and document this decision as a verbal commitment or email memo. | Business owner or senior manager | 2 hours
1 → 2 | Write a one-page 'Incident Reporting and Learning' policy stating that security mistakes should be reported without fear, and that the focus is on fixing the problem and learning, not blaming. Share it with all staff. | IT manager or HR lead | 1 day
2 → 3 | Train all managers on how to conduct a simple incident review: ask what happened, why it happened, and what should change. Create a simple template (Google Doc or Excel sheet) to record each incident and what was learned. | IT manager or external trainer | 2-4 weeks (including scheduling and completion)
3 → 4 | Start logging all reported incidents and near-misses in a tracking sheet or simple issue-tracking tool, review trends monthly, and ensure lessons learned lead to actual changes (training updates, process changes, new controls). | IT manager with support from team leads | 1-2 months (establish routine)
4 → 5 | Run quarterly reviews with staff to share anonymised incident patterns and lessons, measure reporting rates and employee confidence through surveys, and tie incidents and prevention outcomes to business outcomes like audit pass rates. | Business owner, IT manager, and HR lead | Ongoing (4 hours per quarter)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written 'No-Blame Incident Reporting' or 'Learning from Mistakes' policy signed by business owner and dated
  • Incident log or tracker (spreadsheet or tool) with at least 5-10 recorded entries showing date, description, root cause, and lessons learned
  • Training records or sign-off sheets showing all managers have received instruction on incident review process
  • At least 2-3 documented incident review meeting notes with attendees, incident details, and agreed follow-up actions
  • Evidence of action taken on lessons learned (e.g. updated security awareness training, changed process, new control implemented) linked back to specific incidents
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through a recent security incident or near-miss. How did you respond, and what did you learn? Can you show me the documentation?"
  • "What happens to an employee if they report a security mistake? Is there a written policy that protects them from punishment?"
  • "How many security incidents or near-misses have been reported in the last 12 months? Show me your log and tell me what you changed because of them."
  • "If I interviewed your team members anonymously, would they tell me they feel safe reporting security problems without fear of being blamed or fired?"
Tools That Work in India

Purpose | Free Option | Paid Option
Simple incident logging and tracking | Google Sheets or Microsoft Excel with a template (date, person, incident type, root cause, lesson learned, action taken) | Jira or Monday.com (₹5,000–15,000/year for small team) or Hive (₹10,000–20,000/year)
Training and recording incident review process for managers | Google Drive document or shared folder with incident review template and guidelines | Notion (optional paid tier, ₹500–2,000/month) or Confluence (₹5–10 per user/month)
Anonymous feedback or pulse surveys to gauge employee confidence in reporting | Google Forms (basic survey, no cost) | SurveySparrow or Qualtrics (₹20,000–50,000/year for SME package) or AskNicely (₹15,000–30,000/year)
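The tracker from step 3 → 4 and the free-option template above can be checked mechanically at the monthly review: count reports per month (a rising near-miss count is the trust signal the 4 → 5 step wants to measure), flag follow-up actions that have gone stale, and confirm the log meets the Evidence checklist. The script below is an added example, not part of the NIRMATA guide; it assumes a CSV export of the template columns plus an extra action_status column (an assumption) and uses a constructed sample log.

```python
import csv
import io
from datetime import date

# Constructed sample of the tracker template from the Tools table above
# (date, person, incident type, root cause, lesson learned, action taken);
# the action_status column is an added assumption for follow-up tracking.
SAMPLE_LOG = """date,person,incident_type,root_cause,lesson_learned,action_taken,action_status
2024-01-09,Accounts,near-miss,Phishing mail looked like a vendor invoice,Check sender domain before clicking,Added phishing example to monthly briefing,done
2024-01-22,Sales,incident,Shared laptop password on WhatsApp,Never share credentials in chat,Enabled MFA on CRM,done
2024-02-05,Accounts,near-miss,USB from client plugged in without scan,Scan external media first,Endpoint USB policy drafted,open
2024-02-19,Admin,near-miss,Report emailed to wrong customer,Double-check recipient for customer data,,open
2024-03-03,IT,incident,Old employee account still active,Disable accounts on exit day,HR exit checklist updated,done
"""

def parse_log(text):
    """Parse the CSV tracker into a list of row dicts, oldest first."""
    return sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["date"])

def monthly_counts(rows):
    """Reports per month: {"YYYY-MM": {"incident": n, "near-miss": n}}.
    A rising near-miss count is the sign that staff trust the process."""
    out = {}
    for r in rows:
        month = out.setdefault(r["date"][:7], {})
        month[r["incident_type"]] = month.get(r["incident_type"], 0) + 1
    return out

def stale_actions(rows, today, max_age_days=30):
    """Entries whose follow-up is blank or not done after max_age_days;
    today is an ISO date string so the monthly review can pass any cut-off."""
    cutoff = date.fromisoformat(today)
    stale = []
    for r in rows:
        age = (cutoff - date.fromisoformat(r["date"])).days
        if (not r["action_taken"] or r["action_status"] != "done") and age > max_age_days:
            stale.append((r["date"], r["root_cause"]))
    return stale

def evidence_gaps(rows, minimum=5):
    """Checks the Evidence section: at least `minimum` entries, each with a
    root cause and a lesson learned. Returns a list of gap messages."""
    gaps = []
    if len(rows) < minimum:
        gaps.append(f"only {len(rows)} entries, need at least {minimum}")
    for r in rows:
        if not r["root_cause"] or not r["lesson_learned"]:
            gaps.append(f"{r['date']}: missing root cause or lesson learned")
    return gaps
```

Run stale_actions with the review date at each monthly meeting and treat anything it returns as an agenda item; an empty evidence_gaps result is what an auditor's "show me your log" question needs.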
How This Makes You More Resilient

When your team feels safe reporting mistakes and near-misses, you catch security gaps before they become breaches—saving you from expensive data loss, customer loss, and regulatory fines. A learning culture also strengthens your audit readiness and customer confidence because you can demonstrate that you actively manage and improve security. Employees become your first line of defence instead of your blind spot.
Common Pitfalls in India

  • Owner-led blame culture: In many Indian MSMEs, the owner is feared and employees hide mistakes instead of reporting them. You must visibly change this by praising someone who reports a near-miss.
  • No documentation: You discuss incidents verbally but never write them down, so you cannot show auditors what you learned or prove patterns are being addressed.
  • Punishment disguised as 'training': Sending someone who made a mistake to mandatory retraining while their peers watch is still punishment. Make training mandatory for everyone, not just those who failed.
Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 6 (accountability and governance) and Schedule 2 (implementation of appropriate safeguards and security measures)
CERT-In 2022 | Direction 4 (incident response and reporting) and Direction 7 (security awareness and training) imply organisational capacity to learn from incidents
ISO 27001:2022 | Clause 6.2 (people competence and awareness), Clause 8.1 (operational planning and control), and Annex A 7.2 (competence), A 7.4 (communication)
NIST CSF 2.0 | Govern (GV.RO Roles, Responsibilities, and Authorities), Detect (DE.CM Monitoring and Detection), and Respond (RS.RP Response Planning)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
