If you don't review security before adopting new tools, you risk exposing customer data, employee information, or business secrets. For example, a Delhi manufacturing firm switched to a cheap cloud accounting service without checking data location or encryption, only to discover later that their GST records were stored on servers outside India—violating compliance rules and risking a 5 lakh rupee fine. Without this review step, vendors may collect more data than needed, have weak password controls, lack backups, or store data in non-compliant countries. Your customers and regulators now expect you to prove that you vetted tools before use.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You find that your team downloads and uses new software whenever someone thinks it will help, with no discussion or documentation of what was chosen or why. IT decisions are made by whoever is loudest or most insistent at that moment.
- Initial: You have a vague understanding that tools should be safe, but there is no formal process; the owner or IT person asks basic questions like 'Is it free?' or 'Do others use it?' without any written checklist or approval record.
- Developing: You have a simple written checklist for new tools that asks about basic security (password strength, backup, data location) and someone must sign off before purchase, though the checklist is rarely updated and vendors sometimes bypass this step.
- Defined: You have a documented technology review process that includes security questions, a vendor assessment form, and documented approval; most new tools go through this process, though enforcement is inconsistent and there is no formal risk scoring.
- Managed: You have a formal security assessment process for all new technology that evaluates data sensitivity, vendor reputation, compliance requirements, and integration risks; reviews are documented and tracked, and exceptions require senior management approval.
- Optimised: You maintain an approved tools register, conduct periodic re-assessments of in-use vendors, maintain vendor contracts with clear security clauses, and integrate security reviews into procurement workflows with automated tracking and quarterly audits.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a one-page written policy stating that any new software or service must be approved by the owner or designated IT person before use, and keep a list of all tools currently in use. | Business owner or IT manager | 2 days |
| 1 → 2 | Develop a simple security checklist (10 questions: Is data encrypted? Where is it stored? Who can access it? Does the vendor have a privacy policy? Can you export your data? Is backup available?) and require anyone requesting a new tool to complete it before purchase. | IT manager with owner input | 1 week |
| 2 → 3 | Expand the checklist into a formal vendor assessment form that includes regulatory compliance (DPDP, GST, sector rules), assign a risk score (low/medium/high), require written approval from owner/manager, and store all assessments in a folder with dates and decisions. | IT manager, possibly with external consultant review | 2-3 weeks |
| 3 → 4 | Integrate security reviews into your procurement process so that every tool request triggers an automated assessment workflow; maintain a master register of approved tools with renewal dates, create vendor scorecards tracking security incidents, and require annual re-assessment of high-risk tools. | IT manager and procurement lead, possibly with legal review | 4-8 weeks |
| 4 → 5 | Establish a formal vendor management program with contracts that include security clauses (data location, breach notification, audit rights, data deletion), conduct quarterly reviews of all active vendors against a risk matrix, and maintain documented evidence of compliance checks for audit purposes. | IT manager, compliance officer, and legal team | Ongoing (2-4 hours per month) |
Documents and records that prove your maturity level.
- A written policy or procedure document that states security review is required before adopting new technology, with approval authority named
- A security assessment checklist or form template used for evaluating new tools, with at least 8-10 questions covering data sensitivity, vendor credibility, and compliance
- A completed assessment form for each new tool or service adopted in the last 12 months, showing who assessed it, what risks were identified, and who approved it
- A current register or spreadsheet listing all active software tools, cloud services, and vendors in use, showing assessment date and renewal dates
- Evidence of at least one security-related decision made during a tool evaluation (e.g., email approving or rejecting a tool, or a note explaining why a cheaper option was not chosen due to security concerns)
Prepare for these questions from customers or third-party reviewers.
- "Walk me through how you decided to adopt [a recent tool they notice in your systems]. Who was involved, what security questions were asked, and where is the documentation?"
- "Show me your tool approval process. Do you have a checklist, a form, or a policy document? Who decides whether a tool is secure enough?"
- "Tell me about a time you rejected or delayed a tool purchase because of security concerns. What was the issue, and how did you resolve it?"
- "How do you ensure vendors handling customer data meet compliance requirements like DPDP Act or sector regulations? Can you show me vendor assessment records?"
- "What happens when someone uses a tool that was never formally assessed or approved? How do you prevent this?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store security assessment checklist and vendor forms | Google Forms or Microsoft Forms (collect responses in spreadsheet) | Jotform (₹500–2,000/year) or Typeform (₹5,000–10,000/year) |
| Maintain a register of approved tools and track renewals, assessments, and risk scores | Google Sheets or Excel (manual but workable for small teams) | Airtable (₹2,000–5,000/year) or Monday.com (₹8,000–15,000/year) |
| Check vendor security practices and reputation (background checks) | LinkedIn, company website, and Google searches; CERT-In incident database | Dun & Bradstreet or Experian vendor reports (₹5,000–20,000 per report) |
- Trusting vendor claims without independent verification: Indian startups often skip security checks if a vendor promises 'enterprise-grade' security. Always ask for evidence (certifications, audit reports, references) and verify independently.
- Assuming free or cheap tools are less risky: A low-cost cloud storage or video conferencing tool may have weak security or unclear data handling. Price is not an indicator of safety; assess based on features and compliance, not cost.
- Not checking data residency and localization rules: Many Indian businesses fail to verify whether a tool stores data in India or abroad, leading to DPDP Act violations. Always confirm data location and backup location in writing.
- Letting shadow IT bypass the review process: Business units sometimes download and use tools without IT knowledge (such as a sales team using a cheap CRM or a project manager using an unapproved collaboration tool). Regular audits of active software can catch and stop this.
- No written vendor agreements or security clauses: Verbal approvals or handshake deals leave no evidence if something goes wrong. Always document what data is being shared, where it is stored, and what the vendor's responsibilities are.
- Forgetting to review tools after they are approved: A tool safe at adoption may become risky if the vendor suffers a breach, changes ownership, or goes out of business. Annual re-assessments prevent obsolete or compromised tools from lingering.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Reasonable security practices); Section 6 (legitimate purposes and consent); Schedule 2 (important data localization requirements) |
| CERT-In 2022 | Information Security Practices and Procedures guidelines; Direction 4 (information security incident management) implies prior risk assessment |
| ISO 27001:2022 | Clause 6.2 (determine information security objectives), Clause 8.1 (operational planning and control), Annex A.5.1 (organizational policies for information security) |
| NIST CSF 2.0 | Govern (GV) function, specifically GV.RO-01 (roles, responsibilities, and authorities), GV.RM (risk management strategy) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.