When management doesn't know about security incidents, the same problems recur, costs spiral, and the business can't make informed decisions about what protection to invest in. For example, a textile exporter in Tamil Nadu suffered a ransomware attack that locked their export documentation system for 3 days, but their IT person never told the owner, who kept promising deliveries he couldn't meet and lost a major customer contract worth ₹50 lakh. Without leadership awareness you also can't pass customer audits (many buyers now demand proof that your company takes security seriously), and penalties under the DPDP Act 2023 are set with the repetitive nature of a breach and the timeliness of your mitigation in view, so a repeating problem that never reached management looks like negligence. Your cyber-insurance claim may also be rejected if you can't show that management was informed and took action.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find no record of any security incident being communicated to the owner or senior staff. When something breaks, only the IT person knows, fixes it quietly, and nobody else ever hears about it.
Initial
The IT person occasionally tells the owner something went wrong, usually in a casual chat or WhatsApp message. There's no formal record or follow-up, and most staff don't know it happened.
Developing
Security incidents are reported to the owner in writing (email or notebook), and the owner is aware something happened. However, there's no set schedule or format, and sometimes incidents are forgotten or buried in long email chains.
Defined
You have a simple written incident report form that's filled out whenever something goes wrong, and it's always shared with the owner and one other senior person. Reports are kept in a folder and reviewed monthly in a brief meeting.
Managed
Incidents are formally logged in a tracker (even a simple spreadsheet), reviewed with the owner and management team every two weeks, and each incident has a documented follow-up action. You can show a 6-month history of incidents, decisions made, and resolution status.
Optimised
Incidents are tracked in a system, reviewed in scheduled management meetings with documented minutes, trends are analysed quarterly, lessons are shared across the team, and management decisions on risk tolerance are formally recorded and communicated to all staff.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Schedule a 30-minute meeting with the owner and IT person. Agree that from today, any security incident (data loss, virus, ransomware attempt, suspicious email, breach attempt, etc.) will be reported to the owner within 24 hours via email or message. | Owner / Managing Director | 1 day |
| 1 → 2 | Create a one-page Incident Reporting Template (incident date, what happened, impact on business, who was affected, action taken, when resolved). Ask IT person to fill this out for every incident and send to owner. Keep copies in a folder. | IT person / HR | 3 days |
| 2 → 3 | Set up a simple incident log (spreadsheet or notebook) with columns: Date, Incident, Impact, Resolved By, Status, Owner Action Taken. Schedule a 15-minute monthly review meeting between owner, IT person, and one other manager. Document meeting notes. | Owner / IT person | 1 week |
| 3 → 4 | Move incident tracking to a simple online tool (a shared Google Sheet, or a free form tool such as Google Forms that writes each report into one) that the owner and senior team can access. Add a 'Priority' column. Review incidents every two weeks in a formal meeting with a documented agenda and minutes. Track what decisions were made. | IT person / Manager | 2-4 weeks |
| 4 → 5 | Conduct quarterly trend analysis (which types of incidents repeat, what's the average resolution time, what's the cost impact). Share trends with all staff in a town hall or email. Document management's formal risk tolerance statement (what level of risk is acceptable, what investments are approved). Refresh the incident response plan based on lessons learned. | Owner / Senior Management | Ongoing (4 hours per quarter) |
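The quarterly trend analysis in the last step (repeating incident types, average resolution time, cost impact) can be produced straight from the log the earlier steps set up. The script below is an added example, not code from the original page or from NIRMATA; it assumes a hypothetical CSV layout with the columns Date, Type, Incident, Impact (INR), Reported To Owner, Resolved, Status and Owner Action (the columns suggested in steps 1 to 4, plus a Type column so repeats can be counted), ISO-formatted dates, and the 24-hour reporting window agreed in step 0 → 1. The five log rows are constructed for illustration. It also flags two process failures the pitfalls below warn about: incidents that reached the owner late (or never) and incidents with no recorded management decision.

```python
"""Quarterly trend analysis over a simple incident log.

Added example, not part of the original page. Column names, the 24-hour
escalation window and the sample rows are assumptions for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

ESCALATION_HOURS = 24  # the reporting window agreed in step 0 -> 1 (assumed)

# Constructed sample log; no real incidents.
SAMPLE_LOG = """\
Date,Type,Incident,Impact (INR),Reported To Owner,Resolved,Status,Owner Action
2024-01-08,phishing,Accounts clerk clicked a fake invoice link,0,2024-01-08,2024-01-09,Closed,Awareness mail sent to all staff
2024-01-22,phishing,Fake courier SMS to dispatch team,0,2024-01-25,2024-01-25,Closed,
2024-02-03,ransomware,Encryptor ran on the export documents PC,350000,2024-02-03,2024-02-06,Closed,Approved offline backup drive
2024-02-19,phishing,Spoofed MD email asking to change bank details,0,2024-02-19,2024-02-19,Closed,Two-person rule for payment changes
2024-03-11,lost-device,Sales laptop left in a taxi,20000,2024-03-14,,Open,
"""


def _parse_date(value):
    """Return a datetime for an ISO date string, or None when the cell is blank."""
    return datetime.fromisoformat(value) if value.strip() else None


def parse_log(text):
    """Read the CSV log into dicts with parsed dates and a numeric cost."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_date"] = _parse_date(row["Date"])
        row["_reported"] = _parse_date(row["Reported To Owner"])
        row["_resolved"] = _parse_date(row["Resolved"])
        row["_cost"] = float(row["Impact (INR)"] or 0)
        rows.append(row)
    return rows


def quarterly_summary(rows):
    """Compute the figures the quarterly review asks for, plus two process checks."""
    by_type = Counter(row["Type"] for row in rows)
    closed = [row for row in rows if row["_resolved"] is not None]
    avg_days = (
        sum((row["_resolved"] - row["_date"]).days for row in closed) / len(closed)
        if closed else 0.0
    )
    window = ESCALATION_HOURS * 3600
    return {
        # which incident types repeat: the warning signs that deserve a budget decision
        "repeat_types": {t: n for t, n in by_type.items() if n > 1},
        "avg_resolution_days": avg_days,
        "total_cost_inr": sum(row["_cost"] for row in rows),
        # process check 1: reported to the owner later than the agreed window, or never
        "late_escalations": [
            row["Incident"] for row in rows
            if row["_reported"] is None
            or (row["_reported"] - row["_date"]).total_seconds() > window
        ],
        # process check 2: no management decision recorded (even 'wait and see' counts)
        "missing_owner_decision": [
            row["Incident"] for row in rows if not row["Owner Action"].strip()
        ],
        "open_incidents": [row["Incident"] for row in rows if row["Status"] != "Closed"],
    }


def format_report(summary):
    """Plain-text summary suitable for pasting into the quarterly staff email."""
    lines = ["Quarterly incident trends"]
    for t, n in sorted(summary["repeat_types"].items()):
        lines.append(f"- {t}: {n} incidents this quarter (repeating)")
    lines.append(f"- Average days to resolve: {summary['avg_resolution_days']:.1f}")
    lines.append(f"- Total recorded cost: INR {summary['total_cost_inr']:,.0f}")
    for label in ("late_escalations", "missing_owner_decision", "open_incidents"):
        for name in summary[label]:
            lines.append(f"- {label.replace('_', ' ')}: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(quarterly_summary(parse_log(SAMPLE_LOG))))
```

On the constructed rows the report shows phishing repeating three times in one quarter, an average of 1.75 days to resolve, and two incidents that reached the owner three days after they happened, which is exactly the kind of pattern the bi-weekly review should turn into a decision. Exporting the Google Sheet as CSV and pointing `parse_log` at the file is enough to run it on a real log.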
Documents and records that prove your maturity level.
- Incident log or tracker covering the last 6-12 months with at least 5-10 recorded incidents, each with date, description, and status
- Completed incident report forms or templates signed by IT person and acknowledged by owner
- Meeting minutes from at least 3 management review meetings discussing security incidents, decisions made, and follow-up actions
- Email trail or message history showing owner or senior manager was notified of at least 3 recent incidents within 24-48 hours of occurrence
- A written Incident Reporting Policy or Procedure document that says who must report what, to whom, and by when
Prepare for these questions from customers or third-party reviewers.
- "Show me your incident log for the past 12 months. How many security incidents have been recorded and escalated to management?"
- "Can you walk me through a recent incident—when it happened, how the owner found out, what decision was made, and how it was resolved?"
- "Do you have a formal process or policy that requires security issues to be reported upward? Show me the document."
- "In the last 6 months, how often did the management team meet to discuss security? What incidents were discussed and what actions were taken as a result?"
- "What security incidents have been identified by your business but NOT reported to management? Why were they not escalated?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Log and track all security incidents in one place with dates, impact, and status | Google Sheets or Microsoft Excel (use a simple template with columns: Date, Incident, Department, Impact, Owner Action, Resolved) | Freshservice (₹4,500-15,000/year for small teams), Zendesk (₹5,000-20,000/year) |
| Send automated reminders to the owner when an incident is reported so it doesn't get forgotten | WhatsApp, Gmail filters with automatic notifications, Google Calendar reminders | Zapier or Make.com (₹2,000-10,000/year) to auto-notify when new incident is logged |
| Document and store incident reports and management meeting minutes securely | Google Drive or OneDrive (a folder shared only with the owner and named senior staff, with 'anyone with the link' sharing turned off) | Microsoft 365 Business Basic (₹3,000-5,000/user/year) |
- Owner assumes 'no news is good news'—IT person doesn't report incidents because they think they'll get blamed, so the owner never learns about repeat problems. Fix: Make it clear reporting is encouraged, not punished.
- Incidents are reported verbally over chai or at year-end—nothing is documented, so when an auditor or customer asks 'show me your incidents,' you have nothing. Fix: Write it down every single time, same day.
- IT person logs incidents in their personal notebook or hidden folder that nobody else can access. When they leave the job, all history is lost and the new IT person doesn't know what went wrong before. Fix: Keep incident log in a shared, accessible place (spreadsheet, shared folder).
- Owner gets an incident report but doesn't do anything about it—no decision, no follow-up, no budget allocated. After 5th ransomware attempt, owner finally acts but it's too late. Fix: Always document what decision management made (even if 'do nothing' or 'wait and see').
- Only big incidents (ransomware, data theft) are reported; small ones like forgotten passwords, accidental file shares, or phishing attempts are ignored. These small incidents are the warning signs. Fix: Report everything, even small stuff.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (general obligations of a Data Fiduciary), in particular Section 8(6): a personal data breach must be intimated to the Data Protection Board and to each affected Data Principal. That external notice can only be given if the breach first reaches management internally. Section 33 lists the repetitive nature of a breach and the timeliness of mitigation among the factors used to set a penalty. |
| CERT-In Directions of 28 April 2022 (under Section 70B(6) of the IT Act) | Direction (ii): the cyber incidents listed in Annexure I (including ransomware, data breaches, unauthorised access and phishing attacks) must be reported to CERT-In within 6 hours of noticing them; the Directions also require a designated Point of Contact to interface with CERT-In. A 6-hour clock cannot be met if the incident stops at the IT person. |
| ISO/IEC 27001:2022 | Clause 9.3 (management review: top management reviews the ISMS at planned intervals and the results are documented), Annex A 6.8 (information security event reporting), Annex A 5.24 to 5.27 (incident management planning and preparation, assessment and decision on events, response, and learning from incidents) |
| NIST CSF 2.0 | GOVERN (GV.RM Risk Management Strategy, GV.OV Oversight), RESPOND (RS.CO Incident Response Reporting and Communication, RS.MA Incident Management) and IDENTIFY (ID.IM Improvement, which covers lessons learned from incidents) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →