NCSRC NIRMATA
GL-05 · Governance & Leadership · 10% of OML score

Does the business have simple written rules or guidelines for using company IT systems?

Do you have written rules that tell your employees what they can and cannot do with company computers, email, phones, and internet? These rules should cover things like password safety, what websites they can visit, and what data they can share. Without these rules, people often accidentally leak customer information, download viruses, or break laws without realizing it.

Why This Matters to Your Business

Without clear written rules, your employees don't know what is and isn't allowed, so mistakes happen—a staff member might email customer data to a personal Gmail account, install unauthorized software that crashes your network, or share confidential product information on WhatsApp. A manufacturing firm in Bangalore lost ₹12 lakhs when an employee emailed an entire customer list to a competitor by mistake because no one had told them not to. If you face a data breach or regulatory inspection, auditors will ask for these rules; if they don't exist, you look negligent and fines or customer contracts can be lost. Without rules, you also have no way to hold anyone accountable when something goes wrong.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and find no written IT rules anywhere. Employees do whatever feels right to them—some share passwords, some download files from unknown websites, and nobody knows what the actual policy is.

Level 1
Initial

You find a single page or email from the owner that says 'use passwords' and 'don't download stuff,' but it's vague, not formally documented, and most staff haven't actually read it or don't remember seeing it.

Level 2
Developing

You find a basic written IT policy document covering passwords, email use, and USB devices, and it's been shared with staff. However, it's not regularly updated, there's no record of who read it, and it doesn't cover newer risks like mobile devices or cloud apps.

Level 3
Defined

You find a clear, dated IT policy document that covers passwords, email, internet use, USB/removable media, and mobile devices. All new employees sign an acknowledgment form, and the policy is reviewed once a year. Some rules are enforced (like password complexity), but enforcement is spotty.

Level 4
Managed

You find a detailed IT policy document (updated annually) covering all major risks, a signed acknowledgment from every employee, training records showing staff have been trained on the policy, and evidence that violations have been documented and addressed consistently.

Level 5
Optimised

You find a comprehensive, role-specific IT policy that is updated at least quarterly in response to new threats, full training and testing records, audit trails showing who accessed what and when, and documented corrective action for every violation. The policy is reviewed with legal/compliance annually and adapted based on lessons from actual incidents.

How to Move Up — Practical Steps

0 → 1
What to do: Write a one-page IT policy covering: passwords (minimum 8 characters, never shared), email (no forwarding to personal accounts), USB drives (approved devices only), and basic internet safety. Get the owner to approve it and share it by email.
Who: Owner or IT person (if you have one)
Effort: 1 day

1 → 2
What to do: Expand the basic policy into a 2–3 page formal document; add sections on mobile devices, cloud storage (Google Drive, OneDrive) and acceptable use; format it professionally, date it, and ask each employee to sign a copy. File the signed copies.
Who: IT person with owner review; use a free template from CERT-In or a local industry association
Effort: 3–5 days

2 → 3
What to do: Review and expand the policy to cover newer risks (remote work, VPN, video calls, SaaS tools). Add clear consequences for violations. Run a short in-person or recorded training session for all staff (15–20 minutes). Keep a sign-in sheet or digital acknowledgment record.
Who: IT person or external consultant
Effort: 2–3 weeks

3 → 4
What to do: Enforce the policy with technical controls: turn on password length and complexity checks in your directory or device settings; block USB storage devices through device settings or group policy where they are not needed (rather than physically disabling ports, so keyboards and mice keep working); review mail-gateway logs or forwarding rules for company mail going to personal accounts; and document every violation you find. Run refresher training annually. Keep a log of who broke which rule and how it was handled.
Who: IT person with owner support
Effort: 1–2 months to set up; then ongoing

4 → 5
What to do: Review the policy quarterly in light of new threats (e.g., AI tools, new ransomware campaigns). Run targeted training on emerging risks. Engage legal counsel to align the policy with the DPDP Act and CERT-In updates. Measure and report on compliance (e.g., percentage of employees trained, violations detected and resolved).
Who: IT person + compliance/legal advisor
Effort: Ongoing (4–6 hours per quarter)
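The 3 → 4 step asks you to watch for company mail being forwarded to personal accounts and to record each violation in a register. The script below is an added illustration of how that check can be run over mail-gateway log lines and turned into register entries; it is not tooling from the NIRMATA framework, and the log line format, domain names (acme.example, supplier.example), rule IDs (EMAIL-01, EMAIL-02) and sample lines are all constructed for the example. Adapt the regular expression to whatever your gateway or Microsoft 365 / Google Workspace export actually produces.

```python
"""Scan mail-gateway log lines for company mail sent to personal webmail
accounts (or attachments sent to unapproved external domains) and turn each
hit into an entry for the IT-policy violation register.

Added example for this guide, not part of the NIRMATA framework. The log
format, domains and rule IDs are assumptions made for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Assumed: the business's own mail domain, the personal webmail domains the
# policy forbids as destinations, and the external partners that are approved
# to receive attachments.
COMPANY_DOMAIN = "acme.example"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                         "hotmail.com", "rediffmail.com"}
APPROVED_EXTERNAL_DOMAINS = {"supplier.example"}

# Assumed log line shape (constructed for this example):
#   <ISO timestamp> from=<addr> to=<addr[,addr]> subject="..." attachments=<n>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<from>[^>]+)> to=<(?P<to>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<att>\d+)$'
)


@dataclass
class Violation:
    timestamp: str
    employee: str
    rule: str
    detail: str
    status: str = "open"   # set to "closed" once retraining/warning is recorded


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_line(line: str) -> Optional[Violation]:
    """Return a Violation for one log line, or None if the line is clean."""
    m = LOG_RE.match(line.strip())
    if not m or domain_of(m["from"]) != COMPANY_DOMAIN:
        return None            # unparseable, or inbound mail: not in scope
    recipients = [r.strip() for r in m["to"].split(",")]
    # EMAIL-01: any company mail to a personal webmail account is a violation,
    # with or without attachments (the customer list can be in the body).
    personal = [r for r in recipients if domain_of(r) in PERSONAL_MAIL_DOMAINS]
    if personal:
        return Violation(m["ts"], m["from"], "EMAIL-01",
                         f"sent to personal account(s) {', '.join(personal)}; "
                         f"subject={m['subject']!r}")
    # EMAIL-02: attachments to an external domain that is not an approved partner.
    unapproved = [r for r in recipients
                  if domain_of(r) != COMPANY_DOMAIN
                  and domain_of(r) not in APPROVED_EXTERNAL_DOMAINS]
    if unapproved and int(m["att"]) > 0:
        return Violation(m["ts"], m["from"], "EMAIL-02",
                         f"{m['att']} attachment(s) to unapproved external "
                         f"domain(s) {', '.join(unapproved)}")
    return None


def scan_mail_log(lines: List[str]) -> List[Violation]:
    return [v for v in (check_line(line) for line in lines) if v is not None]


def register_csv(violations: List[Violation]) -> str:
    """Render violations as CSV rows for the written violation register."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["timestamp", "employee", "rule", "detail", "status"])
    writer.writeheader()
    for v in violations:
        writer.writerow(asdict(v))
    return buf.getvalue()


# Constructed sample log: one forward to Gmail, one clean partner mail, one
# attachment to an unknown external domain, one inbound mail, one internal mail.
SAMPLE_LOG = [
    '2024-03-04T10:15:22Z from=<priya@acme.example> to=<priya.sharma@gmail.com> '
    'subject="Fwd: March customer list" attachments=1',
    '2024-03-04T10:20:05Z from=<ravi@acme.example> to=<accounts@supplier.example> '
    'subject="PO 4471" attachments=1',
    '2024-03-04T11:02:40Z from=<ravi@acme.example> to=<sales@competitor.example> '
    'subject="Fwd: pricing sheet" attachments=2',
    '2024-03-04T11:30:00Z from=<newsletter@vendor.example> to=<priya@acme.example> '
    'subject="Offers" attachments=0',
    '2024-03-04T12:00:00Z from=<anita@acme.example> '
    'to=<anita@acme.example,ravi@acme.example> subject="Minutes" attachments=1',
]

if __name__ == "__main__":
    print(register_csv(scan_mail_log(SAMPLE_LOG)), end="")
```

Run on the sample log this produces two register rows: EMAIL-01 for priya@acme.example (forward to Gmail) and EMAIL-02 for ravi@acme.example (attachments to an unapproved domain); the partner mail, the inbound newsletter and the internal mail are left alone. Use a check like this for periodic review and for filling the violation register; for prevention, both Microsoft 365 and Google Workspace let an administrator block automatic forwarding to external addresses outright, which is the stronger control.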
Evidence You Should Have

Documents and records that prove your maturity level.

  • A dated, signed IT policy document (in Hindi and/or English) that covers passwords, email, internet, USB/removable media, mobile devices, and data handling
  • Signed acknowledgment forms or email confirmations from each employee confirming they have read and understood the policy
  • Training records (dates, attendees, topics covered) showing that staff have been trained on the policy at least once per year
  • A written log or register of any IT policy violations detected, actions taken (e.g., retraining, warning), and resolution
  • Evidence of policy review and update (e.g., version number, date, approval sign-off) at least annually
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your written IT policy? When was it last updated, and who approved it?"
  • "How do you ensure employees actually read and understand the policy? Do you have signed acknowledgments?"
  • "What happens if an employee breaks the policy? Can you give me an example of a violation and how you handled it?"
  • "Does your policy cover all the main risks—passwords, email, USB drives, mobile devices, and remote work? Are there any gaps?"
  • "How do you keep the policy up to date when new threats or technologies emerge?"
Tools That Work in India

Create and manage IT policy documents with version control and easy sharing
Free: Google Docs or Microsoft Word (free via web); OpenOffice or LibreOffice Writer
Paid: Confluence (₹15,000–25,000/year for small teams); Microsoft 365 (₹6,000–12,000/user/year)

Track employee acknowledgment signatures and training completion
Free: Google Forms to collect signed confirmations; maintain a Google Sheet register
Paid: DocuSign (₹10,000–50,000/year); Adobe Sign (₹15,000+/year); local HR software such as Keka or ZingHR (₹5,000–20,000/year)

Monitor and log policy violations and remediation actions
Free: Google Sheets or Excel (free web version) to maintain a violation log
Paid: Incident management tools such as Jira or Monday.com (₹5,000–50,000/year); dedicated compliance tools such as Drata or Vanta (₹100,000+/year, too expensive for most MSMEs)
How This Makes You More Resilient
When you have clear written IT rules, your employees know exactly what is and isn't allowed, so accidental data leaks, malware infections, and password mishaps drop sharply. If something does go wrong, you can prove you took reasonable steps to prevent it—which protects you in customer audits, legal disputes, and regulatory investigations. And because the rules are documented, you can train new staff quickly and hold everyone to the same standard, reducing chaos and making your IT environment more stable.
Common Pitfalls in India
  • Writing a policy that is too complex or in English only, so employees don't read it or don't understand it. Solution: Use plain language, translate into regional languages, and keep it to 2–3 pages.
  • Creating a policy document but never actually communicating it or training staff on it. Employees either don't know it exists or forget about it within weeks. Solution: Conduct at least one in-person or recorded training session per year and get signed acknowledgments.
  • Writing rules but not enforcing them. After a few months, everyone ignores the rules because there are no consequences. Solution: Pick 2–3 critical rules (e.g., password complexity, no sharing of credentials) and enforce them consistently using technical controls.
  • Forgetting to update the policy when new tools (e.g., Slack, Teams, Google Drive) or new work models (e.g., work-from-home) are introduced. The old policy becomes irrelevant, and employees make up their own rules. Solution: Schedule a policy review at least once per year, or whenever major changes happen.
  • Assuming a single founder or IT person can manage IT security alone without clear written delegation. When that person leaves or is unavailable, nobody knows what the actual policies are. Solution: Document rules in writing and train at least one backup person.
Compliance References

DPDP Act 2023
Section 8 (general obligations of a Data Fiduciary), in particular Section 8(5), which requires reasonable security safeguards to prevent personal data breach, and Section 8(6) on notifying the Board and affected Data Principals of a breach; Section 6 (consent). The Act has no separate 'sensitive personal data' category; its Schedule sets the penalties, including up to ₹250 crore for failing to take reasonable security safeguards. Documented and enforced staff rules are part of showing that your safeguards were reasonable.

CERT-In Cyber Security Directions, 28 April 2022 (issued under Section 70B(6) of the IT Act 2000)
Require reporting of cyber incidents to CERT-In within six hours, a designated point of contact, retention of ICT system logs for 180 days within India, and synchronisation of system clocks to the NIC or NPL NTP servers. The Directions do not prescribe a written IT policy as such; the policy is where you assign these duties (who reports, who keeps the logs) so they survive staff changes.

ISO/IEC 27001:2022
Clause 5.2 (Policy), which requires top management to establish, communicate and maintain an information security policy; Clause 7.3 (Awareness); Annex A controls 5.1 (Policies for information security), 5.10 (Acceptable use of information and other associated assets), 6.3 (Information security awareness, education and training) and 6.4 (Disciplinary process).

NIST CSF 2.0
Govern (GV) function, category GV.PO (Policy): organisational cybersecurity policy is established, communicated and enforced (GV.PO-01) and reviewed and updated as the organisation and threats change (GV.PO-02). Related: PR.AT (Awareness and Training) under the Protect function.

The full NIRMATA self-assessment has 191 questions across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security