IR-01 Incident Readiness (4% of OML score)

Does the business have a basic understanding of what a cybersecurity or data incident looks like?

Does your team know what a cybersecurity incident actually looks like when it happens? Can they spot signs like unusual account activity, missing files, ransomware messages, or stolen customer data before it becomes a major crisis? This question checks whether your people would actually recognize a problem and raise the alarm instead of ignoring it.

Why This Matters to Your Business

If your staff cannot recognize an incident, precious hours or days get wasted before you discover the damage—by which time a hacker may have stolen customer payment data, encrypted your files for ransom, or copied your trade secrets. A manufacturing business in Bangalore lost ₹45 lakhs when employees ignored strange login attempts for three days, thinking it was a system glitch, until ransomware locked all production schedules. Regulatory bodies like CERT-In expect you to report incidents within a timeframe; delayed discovery means delayed reporting, leading to penalties. Customers and suppliers will lose trust if breaches happen repeatedly because your team didn't spot the warning signs.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You walk into the office and find no one has ever discussed what a cyber incident is or how to spot one. If something suspicious happens, staff shrug and assume "the IT person will handle it" or ignore it entirely.

Level 1: Initial

You find that the IT person or owner has a rough mental checklist of what an incident might look like (passwords not working, strange emails, slow computer), but nothing is written down or shared with the team.

Level 2: Developing

You find a simple one-page list or email that describes common incidents like suspicious logins, ransomware messages, or data theft, and staff have been told to report these to the IT person or manager.

Level 3: Defined

You find a formal incident recognition checklist covering ransomware, phishing, account compromise, data exfiltration, and system outages; staff have received basic training; there is a clear reporting procedure posted in the office.

Level 4: Managed

You find detailed incident response scenarios with real examples relevant to your industry, regular training logs showing all staff were trained, a documented escalation path, and evidence that incidents have been correctly identified and reported in the past.

Level 5: Optimised

You find continuous incident awareness through monthly newsletters, regular tabletop exercises where staff practice spotting and reporting incidents, updated training based on new threats, and a logged history of correctly identified incidents with root cause analysis.

How to Move Up — Practical Steps

Each step lists what to do, who does it, and the effort involved.

Step 0 → 1
  • What to do: Owner or IT person writes down a simple list of 5–6 signs of a cyber incident (e.g., 'files renamed with .locked extension', 'employee gets email from boss asking for urgent payment', 'unable to log in', 'antivirus alerts', 'customer calls saying they received strange emails from our domain')
  • Who: Owner or IT person
  • Effort: 2–3 hours

Step 1 → 2
  • What to do: Convert the list into a simple printed poster or email template with real-world examples; share it in team meetings or WhatsApp group; add a single phone number or email where staff should report suspicious activity immediately
  • Who: Owner or IT person with HR/manager
  • Effort: 4–6 hours

Step 2 → 3
  • What to do: Create a formal one-page incident checklist covering six incident types (phishing, ransomware, account compromise, data theft, system crash, website defacement); conduct a 30-minute classroom or video training session for all staff; post the checklist in the office and in email signatures
  • Who: IT person (or external trainer) and manager
  • Effort: 1–2 weeks including scheduling and training delivery

Step 3 → 4
  • What to do: Develop detailed incident scenarios specific to your industry (e.g., 'accounting software suddenly shows all invoices deleted' or 'logistics system logs show access from an unknown location'); create a simple incident report form; run a mock incident exercise where staff role-play spotting and reporting; log results
  • Who: IT person with manager and external consultant if available
  • Effort: 3–6 weeks including scenario writing, form creation, and exercise planning

Step 4 → 5
  • What to do: Establish a quarterly incident awareness program: monthly security tip emails, annual refresher training, post-incident reviews of any real incidents discovered, updates to scenarios based on new threats in your sector, and documented evidence of all training and drills
  • Who: IT person or security coordinator, manager, and executive sponsor
  • Effort: Ongoing (2–4 hours per month)

Evidence You Should Have

Documents and records that prove your maturity level.

  • Written incident definition or recognition checklist (even a simple one-pager) that lists at least 5 types of incidents your business should watch for
  • Training records or attendance log showing all staff (including part-time and new hires) have received incident recognition training at least once
  • Incident reporting procedure document with a clear phone number, email, or contact person employees should use to report suspicious activity
  • Example incident scenarios relevant to your business (e.g., 'What to do if you see a ransom message on your screen', 'What to do if you receive an urgent payment request email from someone claiming to be the director')
  • Evidence that the incident recognition materials are actually used (e.g., posted posters, included in onboarding, referenced in past incident reports)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you describe what a cybersecurity incident looks like? Give me three examples your staff should recognize."
  • "How do your employees know to report a suspicious event? Who do they contact and how quickly?"
  • "Have all staff members received any training on recognizing incidents? Show me the training records or materials."
  • "Has your business ever identified and reported a cyber incident? Walk me through the incident and how it was discovered."
  • "If an employee suspected ransomware on their computer today, what would they do? Can you show me a written procedure?"
Tools That Work in India

Each entry lists the purpose, a free option, and a paid option.

Create simple visual incident recognition posters and checklists
  • Free option: Canva (free tier), Google Docs templates, Microsoft Word
  • Paid option: —

Track and log incident awareness training attendance and completion
  • Free option: Google Forms, Microsoft Excel, simple spreadsheet
  • Paid option: Coursera, Udemy (₹500–2,000 per course per person), LinkedIn Learning (₹3,000–5,000/year)

Simulate and test whether staff can recognize a phishing or incident scenario
  • Free option: Gophish (open source), manual email simulation with IT person
  • Paid option: KnowBe4 (₹80,000–150,000/year), Proofpoint (₹100,000–300,000/year)

Maintain a centralized log of incidents identified and reported
  • Free option: Google Sheets, Microsoft Excel, simple notepad in shared drive
  • Paid option: —

Provide online incident awareness training content
  • Free option: CERT-In advisory documents (free), YouTube cybersecurity education channels, Indian startup guides
  • Paid option: Pluralsight (₹5,000–10,000/month), ACI Learning (₹2,000–5,000/month)

How This Makes You More Resilient
When your team can recognize an incident quickly, you detect and respond to threats before they cause massive damage—this cuts recovery time from weeks to hours and minimizes data loss or financial harm. Early detection also means you can notify affected customers and regulators on time, protecting your reputation and avoiding legal penalties. Staff become your first line of defense instead of a liability, turning everyday observations into valuable early warning signals.
Common Pitfalls in India
  • Writing an incident checklist but never sharing it or training staff on it—the document sits in a folder and no one knows it exists or what to do when they spot something suspicious.
  • Assuming only the IT person needs to understand incidents, when in reality receptionists, accountants, and shop-floor staff often see the first warning signs (strange emails, unusual access requests, system slowdowns).
  • Confusing incident recognition with incident response—you might train staff on what to do after an incident is confirmed, but not on how to spot it in the first place.
  • Relying entirely on automated alerts (antivirus warnings, email filters) without teaching people to recognize incidents that tools may miss, such as subtle social engineering or insider threats.
  • Not updating incident recognition materials after a real incident occurs—if your business suffered a breach, the lessons learned should be incorporated into training so the same mistake is not repeated.
Compliance References

Standard and relevant section:

  • DPDP Act 2023: Section 6 (Accountability), Section 7 (Data Protection Impact Assessment and Data Protection by Design)
  • CERT-In 2022: Direction 4 (Security incident reporting and timeline), Direction 6 (Baseline cybersecurity practices)
  • ISO 27001:2022: Annex A.5.1 (Policies for information security), A.7.2 (User awareness and training), A.8.1 (User endpoint devices)
  • NIST CSF 2.0: Detect (DE) function, specifically DE.AE-1 (Detect anomalies and indicators of compromise)


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
