When changes happen without clear explanation, employees either ignore security steps or do things wrong—both create data leak risks. For example, a Bangalore IT services firm switched to a cloud file system without explaining who could access what; three employees shared client credentials in Slack, exposing customer data and costing the company a major contract. Without clear communication, staff confusion also causes IT helpdesk overload, slows operations, and during audits you cannot prove compliance because nobody followed the new rules consistently.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You roll out new tools or process changes without any formal notification or training. Staff find out by accident or complain they don't know how to use the new system, and security settings get misconfigured because nobody explained the rules.
- Initial: When changes happen, someone sends an email or message about it, but the message is vague or technical and doesn't explain what staff should actually do differently or why. Some people follow it, others don't, and confusion remains.
- Developing: Before rolling out a change, you write down the new security rules and steps in a simple document and share it with affected teams. You send a notification with a deadline, but you don't check whether people actually read it or understood it.
- Defined: You create a documented change process where security expectations are written clearly in plain language, shared with staff before the change, and you hold a brief meeting or Q&A session to answer questions. You document who was trained and keep records.
- Managed: Your change process includes clear written guidance for each tool or process change, tailored to different roles (e.g., admin steps vs. user steps). You provide training before the change takes effect, confirm understanding through a simple quiz or sign-off, and monitor the first week for issues.
- Optimised: Every change goes through a formal change management process that includes risk assessment, clear role-based security guidance, mandatory training with sign-off, post-implementation monitoring, and a feedback loop to address problems. You also periodically audit whether staff are actually following the new security practices.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page template for communicating tool or process changes that includes: what is changing, why (including security reasons in plain language), when it happens, and one contact for questions. Distribute this template to your IT or Operations owner and commit to using it for the next change. | IT Manager or Operations Lead | 1 day |
| 1 → 2 | Write a 'Change Communication Standard' that requires: clear explanation of what staff must do (step-by-step), what security rules apply, why it matters, and a deadline. Draft it for your most commonly changed tool (email, VPN, or file system), test it with 3-5 staff, and refine based on feedback. | IT Manager with input from a front-line user | 1 week |
| 2 → 3 | Build a change notification and sign-off process: write security expectations in simple language for your next planned change, send it to affected teams 1 week in advance, hold a 30-minute online or in-person Q&A, and collect names of attendees. Store records in a shared folder (Google Drive or OneDrive). | IT Manager with support from Department Heads | 2-4 weeks |
| 3 → 4 | Create role-based change guidance documents (one version for admins, one for regular users). For each quarterly change, include a 10-minute recorded walkthrough, a one-page checklist, and a mandatory acknowledgment form that staff sign digitally (even a Google Form works). Maintain a log of who acknowledged what and when. | IT Manager with help from HR for sign-off process | 1-2 months |
| 4 → 5 | Implement a formal change management framework: document all changes in a register, require a security impact assessment before rollout, provide tiered training, issue weekly compliance reminders for 2 weeks post-change, conduct spot audits to confirm staff are following new rules, and gather feedback via a brief survey. Review quarterly and adjust guidance based on what isn't working. | IT Manager (or IT team in larger firms) with CEO/Board awareness | Ongoing |
Documents and records that prove your maturity level.
- Change communication log or register documenting: date of change, what changed, how it was communicated (email, meeting, training), security rules explained, and who was informed
- Sample change announcement or notification email (or message) showing clear plain-language explanation of security expectations for a recent tool or process change
- Training attendance record or sign-off sheet showing staff names, date of training, and confirmation of understanding for at least one recent change
- Role-specific guidance documents (even a simple one-page PDF) explaining what admins vs. users must do with the new tool or process
- Follow-up evidence such as a post-change survey, spot-check records, or helpdesk ticket log showing questions were answered or issues were resolved
Prepare for these questions from customers or third-party reviewers.
- "Walk me through how you communicated the last major change (e.g., new email system, VPN rollout, or access control tool). What did staff receive, and how did you confirm they understood the security rules?"
- "Show me your change communication process or template. How do you ensure security expectations are included in every change notification?"
- "Can you provide evidence that staff received training or acknowledgment before a recent change took effect? Do you have records of who was trained and when?"
- "Describe a recent change and tell me what happened if a staff member didn't follow the new security rules. How did you find out, and what did you do about it?"
- "How do you tailor security messages for different roles (e.g., IT admin vs. regular employee) when a tool changes? Show me an example."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and distribute change notifications and collect staff acknowledgments | Google Forms (for sign-off), Gmail templates, or Microsoft Forms (if you use Office 365) | Jira Service Management (Change module) approx. ₹30,000–60,000/year; or Freshservice (change management add-on) approx. ₹25,000–50,000/year |
| Document and store change communication records and staff sign-offs | Google Drive, OneDrive, or Nextcloud (self-hosted); simple spreadsheet to log changes and acknowledgments | Confluence (Atlassian, approx. ₹30,000/year for a team); or SharePoint (included in Microsoft 365) |
| Create and share easy-to-follow step-by-step guides or video walkthroughs for new tools or processes | Loom (free tier for short videos), Canva (free templates for guides), or OBS Studio (for screen recordings) | Camtasia (approx. ₹10,000–15,000 one-time); or Snagit (approx. ₹8,000 one-time) |
| Send broadcast notifications and reminders about security changes across email, SMS, or chat | Gmail, WhatsApp Business, or Slack (if already in use) | Freshworks (SMS and email campaigns, approx. ₹20,000/year); or Twilio (pay-per-message, typically ₹0.50–₹2 per SMS for India) |
| Track and audit staff compliance with new security rules post-change | Simple spreadsheet or Google Sheets checklist; or Airtable (free tier for basic tracking) | ManageEngine ServiceDesk Plus (approx. ₹80,000–120,000/year); or Microsoft Intune (for device compliance, included in some 365 plans) |
- Sending change announcements only via email or Slack, assuming everyone reads them. Many Indian MSMEs skip the face-to-face or live Q&A step, leaving staff confused about why the change matters or how to do it.
- Using overly technical language in change notifications. Your IT person writes the message, but frontline staff (receptionists, accountants, warehouse staff) don't understand terms like 'MFA,' 'VPN,' or 'zero-trust access,' and they skip the step entirely.
- Announcing changes the day before or the day of rollout. Staff have no time to ask questions, read guides, or mentally prepare, so on day one many don't follow the new rules and you get flooded with helpdesk complaints.
- Not keeping records of who was trained or acknowledged the change. When an audit happens or a breach occurs, you cannot prove you communicated security expectations, which makes you look negligent and can cost you client contracts or regulatory fines.
- Treating all staff the same. Your admin needs to know deep technical steps, but your finance team only needs to know 'use this new password manager'—one generic message confuses both groups.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (accountability and reasonable security) and Section 8 (consent and transparency) require clear communication about how personal data is protected; security changes affect this directly |
| CERT-In 2022 | Direction 6 (awareness and training) and Direction 4 (vulnerability management and patching) implicitly require staff to understand security changes |
| ISO 27001:2022 | Annex A.6.3 (segregation of duties) and Annex A.8.1 (user endpoint devices) require clear user awareness; also A.5.2 (information and other assets) requires documented policies |
| NIST CSF 2.0 | Govern (GV.RO-02: Roles and responsibilities including awareness); Protect (PR.AT-01: Awareness and training programs); Detect (DE.CM-04: Security event monitoring and logging) |