GL-07 · Governance & Leadership · 10% of OML score

Is cybersecurity considered during business planning, expansion, or digital initiatives?

When your business plans to grow, open a new office, buy new software, or hire a vendor—do you check if these changes are secure before you do them, or do you discover security problems after? This question asks whether you think about cybersecurity risks early in your planning, not just after things go wrong.

⚡ Why This Matters to Your Business

If you add security later, it costs 5-10 times more money and disrupts your business. For example, a Delhi manufacturing business expanded to e-commerce, built the website first, then discovered their payment gateway wasn't PCI-compliant after taking customer credit cards—costing ₹15 lakhs in emergency fixes and losing customer trust. A financial services firm in Bangalore onboarded a new vendor without checking their security, leading to a breach that exposed client data and triggered RBI penalties. Without early security planning, you also fail customer audits (banks and large companies won't work with you), miss regulatory deadlines (DPDP compliance), and experience operational shutdowns when problems are discovered mid-project.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0 – Absent

You discover security problems only when something breaks or a customer complains. Your business plans are written without any mention of security, and IT finds out about major changes when implementation has already started.

Level 1 – Initial

You sometimes mention security in conversations before a big project, but there's no formal process. Your one IT person is asked to review plans last-minute, often finding problems too late to fix properly.

Level 2 – Developing

You have a basic checklist of security questions that is asked before new projects start. Your IT lead sits in planning meetings for major initiatives and flags obvious risks like 'do we need a password?', but the analysis is not documented.

Level 3 – Defined

Before any major business decision (new software, office, vendor), someone formally reviews security risks and documents the findings. Your business plans include a security section, and this review happens early enough to influence decisions without major delays.

Level 4 – Managed

Security reviews are a standard part of your approval process, with clear ownership and documented sign-offs. Your business case templates include security costs and risk statements, and you track whether recommended security controls were actually implemented.

Level 5 – Optimised

Security is built into every stage of planning—business case, design, procurement, testing, and launch. You regularly review and update your security standards, learn from past incidents, and continuously improve how security and business decisions connect.

🚀 How to Move Up — Practical Steps

Step 0 → 1
What to do: Schedule a 30-minute conversation between your managing director and IT lead to list all major business changes planned in the next 6 months, then discuss basic security concerns for each (data involved, external access needed, regulatory impact).
Who: Managing Director + IT Lead
Effort: 1 day

Step 1 → 2
What to do: Create a one-page 'Security Check' form with 8-10 questions (What data will this handle? Who has access? Is customer/employee data involved? What's the budget for security?) and make IT fill it out for every project approval.
Who: IT Lead + Senior Manager
Effort: 3-5 days

Step 2 → 3
What to do: Establish a monthly governance meeting where business leads present planned initiatives 4-6 weeks before launch, IT formally documents security findings and recommendations, and decisions are recorded in meeting minutes signed by stakeholders.
Who: IT Lead + Finance Manager + Department Heads
Effort: 2-4 weeks

Step 3 → 4
What to do: Build security requirements into your business case template (mandatory section on cybersecurity risks, costs, and controls), track implementation of security controls separately from the main project, and audit 2-3 completed projects annually to verify security was actually delivered.
Who: IT Lead + Finance Manager + Compliance Officer
Effort: 6-8 weeks

Step 4 → 5
What to do: Conduct quarterly reviews of past business decisions and security incidents to identify gaps in your planning process, update your security standards based on lessons learned, and share anonymised case studies internally to build business leader awareness of security impact.
Who: IT Lead + Managing Director + Finance Manager
Effort: Ongoing quarterly reviews

📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Written business case or project charter for the last 3 major initiatives showing a documented security section or risk assessment signed by IT and a business owner
  • Security checklist or form used before project approval, filled out with questions asked and answers recorded, for at least 2 recent projects
  • Meeting minutes or governance log showing IT lead participated in planning meetings for new software, office expansion, or vendor onboarding in the last 6 months
  • Email trail or project notes showing security concerns were identified early in planning (before budgets were finalized) for at least one major initiative
  • Sign-off document or approval form indicating that security recommendations were reviewed and either implemented, accepted as risk, or formally waived by business leadership
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through your most recent software implementation or expansion—at what stage did security get involved in the planning, and do you have evidence that happened?"
  • "Show me your process for evaluating security risks before a major business decision. Is this written down and followed consistently?"
  • "Can you give me an example of a security concern that was identified early enough to actually change how a project was designed or budgeted?"
  • "Who is responsible for making sure security happens in new business initiatives, and how do they know what's happening across the company?"
  • "Have there been situations where you discovered security problems late in a project or after go-live? What changed to prevent it happening again?"
🛠 Tools That Work in India

Purpose: Simple project planning and tracking where you can embed a security checklist as part of each project
Free option: Google Sheets + Google Forms (create a reusable security checklist form linked to each project)
Paid option: Monday.com (₹5,000-15,000/year), Asana (₹5,000-10,000/year) – both allow security workflow templates

Purpose: Document templates and governance workflows for business cases, approval chains, and audit trails
Free option: Google Docs + Google Drive (create and share templates for business planning documents with security sections)
Paid option: Microsoft 365 with Teams (₹3,000-6,000/user/year for SMB, includes document management and governance)

Purpose: Risk assessment and security impact analysis for new initiatives before they launch
Free option: NIST Cybersecurity Framework Preliminary Worksheets (downloadable Excel spreadsheets, available free from the NIST website)
Paid option: Qualtrics + Risk Assessment Software or ThreatModeler (₹8,000-25,000/year for SMB, overkill for many MSMEs)

🛡 How This Makes You More Resilient

When you embed security thinking early in business planning, you avoid expensive emergency fixes and maintain customer trust—your new ventures stay on budget and on schedule. You reduce the risk of compliance failures, data breaches during growth phases, and vendor-caused security incidents that could shut down operations. Your business can expand faster because you're not discovering critical security gaps mid-project that delay launches or force costly rework.

⚠️ Common Pitfalls in India

  • Treating security as an IT-only responsibility—business leaders assume 'IT will handle it' and don't include security thinking in budget or timeline decisions, then blame IT when fixes are expensive.
  • Conducting security reviews too late—asking 'is this secure?' after the vendor is already chosen or the software is being installed, when major changes cost months and extra money.
  • No documented evidence of planning—security might be discussed verbally in meetings but nobody writes down what was checked, what risks were found, or what was decided. When auditors ask 'show me your process,' you have nothing to show.
  • Focusing only on compliance checkboxes—a business leader approves a new vendor because they have an ISO certificate, without anyone actually reviewing what data they'll access or how they'll protect it.
  • Expanding without updating security—opening a new branch or hiring remote workers without updating access controls, network design, or vendor management processes.
⚖️ Compliance References

Standard: DPDP Act 2023
Relevant section: Section 8 (Data Principal rights) and Section 6 (consent and lawfulness) – security by design required for new data processing initiatives

Standard: CERT-In Guidelines 2022
Relevant section: Directions 4 and 7 – baseline security controls and incident management must be planned before new systems go live

Standard: ISO 27001:2022
Relevant section: Clause 6.1 (planning to address information security) and Annex A 5.1 (management direction for information security)

Standard: NIST CSF 2.0
Relevant section: Govern Function GV.RO (risk management oversight) and GV.PO (organizational context)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security · trustinbharat.org