NCSRC NIRMATA
IR-08 · Incident Readiness · 4% of OML score

Is external help (IT vendor, security provider, legal support) identified in advance?

Do you already know who to call for help when a cyber attack, data theft, or IT emergency happens? This question asks whether you have written down the names, phone numbers, and email addresses of IT support, cybersecurity experts, lawyers, and other helpers before disaster strikes, so you don't waste hours searching for them while under attack.

⚡ Why This Matters to Your Business

When a ransomware attack locks your files or a customer database gets stolen, every minute counts—but if you don't have your vendor's contact number or don't know which lawyer handles data breach cases, you'll spend critical hours searching instead of responding. A real example: an e-commerce company in Delhi lost ₹18 lakhs in fraudulent transactions because they couldn't reach their payment gateway vendor quickly when the breach was detected, and the vendor took 4 hours to respond due to no pre-arranged escalation path. If regulators later find out you delayed notification to customers because you couldn't locate your legal counsel, you could face DPDP Act penalties. Customers and auditors expect you to have a crisis contact list ready—if you don't, they lose confidence in your preparedness.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written list of emergency contacts anywhere, and people call each other's personal mobile numbers when something breaks. You have no idea who your cybersecurity vendor is or whether you even have one.

Level 1
Initial

You have your regular IT vendor's landline and email in an email thread somewhere, and maybe a lawyer's WhatsApp contact saved from a past query. There is no formal document or updated contact list.

Level 2
Developing

You keep a simple contact list in Excel or Google Sheets with IT vendor, your accountant's lawyer contact, and your bank's grievance number. Nobody has shared or reviewed this list in over a year.

Level 3
Defined

You have a written Incident Response Contacts document with IT vendor, security provider, legal counsel, bank, insurance company, and CERT-In details. The list is reviewed and updated every 6 months, and key staff have copies.

Level 4
Managed

You have a detailed contact list with primary and backup contacts for each vendor, escalation procedures, and their expected response times documented. The list is tested quarterly by simulating an incident call and confirming people answer.

Level 5
Optimised

You have a comprehensive, tested contact matrix with primary/backup contacts, SLAs, on-call schedules, and pre-signed incident response agreements with all vendors. You conduct tabletop drills quarterly that include actually calling these contacts to verify they respond, and feedback is documented.

🚀 How to Move Up — Practical Steps

Each step lists what to do, who should do it, and the expected effort.
Step 0 → 1
What to do: Gather contact details for your current IT vendor and any consultant or lawyer you've used before. Write them down in one place (email, document, or phone notes). Ask your vendor for their 24/7 emergency number if they have one.
Who: Business owner or IT person
Effort: 2-3 hours

Step 1 → 2
What to do: Create a simple one-page Incident Contact List in Excel or Google Sheets with columns: Role (IT Vendor, Lawyer, Bank, etc.), Primary Contact, Phone, Email, Available Hours. Add at least 5-6 key contacts. Share it with your manager, keep it in a shared folder, and keep a printed copy at the desk.
Who: IT person or business owner
Effort: 1 day

Step 2 → 3
What to do: Upgrade the contact list to a formal policy document. Add backup contacts for each role, expected response times (e.g., 'IT vendor responds within 1 hour'), and a brief description of when to call each person. Have your manager sign off. Share with all staff who touch IT or customer data.
Who: IT person with manager approval
Effort: 3-5 days

Step 3 → 4
What to do: Add SLA (Service Level Agreement) details from each vendor: their incident response time, escalation numbers, support hours, and contact person names. Test the list by calling each vendor's emergency number and confirming they have your company in their system and know how to reach your decision-maker. Document the test results.
Who: IT person or compliance owner
Effort: 2-3 weeks

Step 4 → 5
What to do: Create signed incident response agreements with key vendors (IT, security, legal) that spell out response times and responsibilities during a breach. Conduct a quarterly tabletop drill where you simulate an incident and actually call vendors from the list to confirm they respond. Update the contact list after every drill based on feedback.
Who: Compliance owner with CEO/business owner sign-off
Effort: 1-2 months initially, then ongoing quarterly drills
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Incident Contact List document or spreadsheet with at least IT vendor, cybersecurity provider (if any), legal counsel, bank/payment processor, and insurance company contacts, including phone and email
  • Evidence of vendor contacts being verified in the last 6 months (email confirmation, call log, or signed acknowledgment from vendor that they received your incident contact request)
  • Incident Response Plan or Security Policy document that references and updates the contact list at least annually
  • Log or record showing the contact list was shared with relevant staff (IT, management, finance) and that they acknowledge receipt
  • Test or drill record showing that emergency contacts were actually called and responded (email, call notes, or signed confirmation from vendor)
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your incident contact list. Who do you call first if you suspect a ransomware attack right now?"
  • "How often do you update this list and verify these contacts still work? When was it last updated?"
  • "Do your vendors know they are your incident response contacts? Do you have any agreement with them about response times?"
  • "If your regular IT person is unreachable, who is the backup contact for incident response in your organization?"
  • "Walk me through what happens when you detect a data breach. Who do you call and in what order?"
🛠 Tools That Work in India

For each purpose, a free option and a paid option are listed.
Purpose: Create and manage a simple incident contact list document
Free option: Google Sheets or Microsoft Excel (free web version). Create a shared document with phone numbers, emails, and roles.
Paid option: Dedicated incident management tools like Everbridge (₹2-5 lakhs/year) or OnSolve (₹1.5-3 lakhs/year) if you have multiple locations, but overkill for most MSMEs.

Purpose: Store the contact list securely and ensure it is accessible during an outage
Free option: Google Drive or OneDrive with offline copies. Print a laminated copy and keep it at reception and with the IT person.
Paid option: Password manager like 1Password (₹4,500/year) or LastPass (₹2,500/year) for secure sharing of credentials and contact info with the team.

Purpose: Test and simulate incident response procedures, including calling vendors
Free option: Use your own phone or schedule video calls to conduct tabletop drills. Document results in a simple form.
Paid option: Incident response simulation tools like Gremlin (₹3-8 lakhs/year) or AttackIQ (₹5+ lakhs/year), but not necessary at level 4 or 5 for small teams.
🛡 How This Makes You More Resilient
With pre-identified external help, your response time during a real breach drops from hours of searching to minutes of action—meaning less data stolen, less customer impact, and faster recovery. You'll also avoid costly mistakes like hiring the wrong vendor or legal firm in a panic, and regulators will see you took the threat seriously by planning ahead. This single step significantly reduces the damage and cost of any incident.
⚠️ Common Pitfalls in India
  • Keeping contact numbers only on the phone of one IT person who then goes on leave or leaves the company—the whole list walks out the door. Always maintain a physical copy and a shared digital copy.
  • Adding vendor contacts but never verifying they still work or that the vendor actually knows you are their customer—during a real incident, you call and the number is disconnected or they have no record of you.
  • Creating a fancy contact list document but never sharing it with staff or keeping it updated—the list becomes stale within 6 months as vendors change numbers, people move roles, or you change vendors.
  • Forgetting to include regulatory and legal contacts (CERT-In, your sector regulator, data protection officer, legal counsel), so you end up making notifications without expert advice and face penalties.
  • Assuming your IT vendor is your incident response vendor—many IT support vendors have slow response times and no 24/7 coverage, so you also need a specialized cybersecurity provider on the list.
⚖️ Compliance References

Each standard is listed with the section relevant to this question.
Standard: DPDP Act 2023
Relevant section: Section 6 and Schedule 1 (Personal Data Protection Committee must be informed without undue delay; a pre-identified response team satisfies this). Section 7 (Data Protection Impact Assessment requirements).

Standard: CERT-In 2022 Directions
Relevant section: Directions 4 and 5 (incident reporting timeline and handling procedures; having pre-identified contacts ensures you meet the 6-hour reporting timeline).

Standard: ISO 27001:2022
Relevant section: Clause 7.4 (Communication and awareness). Annex A, Control A.16.1 (Planning and preparation for information security incident handling).

Standard: NIST CSF 2.0
Relevant section: Respond Function (RS.PL-1: Incident response plan approved and communicated; RS.CO-1: Incident handling and reporting).

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
