Without a tested recovery plan, even a small ransomware attack can shut your entire business down for days or weeks, meaning lost sales, angry customers, and potential regulatory penalties. A manufacturing unit in Pune that suffered a ransomware attack in 2023 lost ₹15 lakhs in production and customer orders because it had no backup strategy. The Digital Personal Data Protection Act 2023 obliges you to protect personal data with reasonable security safeguards and to notify breaches; if customer data is lost and you cannot restore it, you may face penalties. Your customers (especially larger enterprises) will not renew contracts if you cannot prove you can recover from incidents quickly.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no documented backup process and no one has tested whether data can actually be restored. Your IT person manually copies some files to an external hard drive when they remember to do so.
Initial
You take regular backups (daily or weekly) but they are stored in one location only, and you have never actually tested whether you can restore from them. No one has documented the recovery steps.
Developing
You have documented backup and recovery procedures, backups are stored in at least two locations, and you have tested recovery once in the past year. The recovery process takes several hours but is documented.
Defined
You test backups and recovery procedures quarterly, recovery time is documented and acceptable (under 4 hours for critical systems), and the steps are part of your incident response plan. Staff know their roles during recovery.
Managed
You have automated backup verification, recovery is tested monthly with different scenarios, recovery time objective is under 1 hour for critical data, and recovery procedures are integrated into your incident response playbook with clear ownership.
Optimised
You have continuous backup validation, recovery is tested monthly including disaster scenarios, recovery time is under 30 minutes for critical systems, and recovery is continuously monitored and improved based on actual incident learnings and industry changes.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document your current backup approach (what is backed up, where, how often) and set up an automated daily backup to cloud storage (Google Drive, OneDrive, or AWS S3) or to an external drive that is rotated off-site, and check each morning that the job actually ran | IT person or designated staff member | 3-5 days |
| 1 → 2 | Write down step-by-step recovery procedures for each critical system (accounting software, customer database, email), test restoration on a test machine or separate folder, and keep backups in two separate locations (one cloud, one physical) | IT person with business process owner (finance, sales, operations) | 1-2 weeks |
| 2 → 3 | Conduct quarterly recovery drills (actually restore from backup to a test environment), measure recovery time, assign specific roles to staff (who restores data, who verifies, who communicates), and add recovery steps to your incident response plan | IT person and incident response team lead | 2-4 weeks for first cycle, then 2-3 hours per quarter |
| 3 → 4 | Implement automated backup verification (tools that check backups are working without manual intervention), create recovery runbooks for different incident types (ransomware, data loss, system failure), and establish clear recovery time objectives (RTO) and recovery point objectives (RPO) approved by management | IT person with management approval | 4-8 weeks |
| 4 → 5 | Conduct monthly recovery drills including complex scenarios (corrupted backups, ransomware variants, partial data loss), maintain metrics on recovery performance, integrate learnings from actual incidents back into procedures, and stay updated on emerging threats and recovery technologies | IT person, incident response team, and external security consultant (periodic) | Ongoing monthly (4-6 hours), quarterly consultant review (1-2 days) |
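The steps above (an automated daily backup, a copy that cannot be overwritten by the next run, a test restore of one file, automated verification, and a retention window) fit in one small script. The following is an added example, not tooling from this page or from NIRMATA: it assumes a GNU/Linux host with tar, gzip, sha256sum, find and mktemp, paths without spaces, and the function names and the sample files it creates are the author's own choices.

```bash
#!/usr/bin/env bash
# Added example: versioned, checksummed snapshot backups with a test restore
# and retention pruning. Assumes GNU/Linux userland (tar, gzip, sha256sum,
# find, mktemp) and paths without spaces. Not the page's own tooling.

# Take one snapshot of SRC into DEST/snapshot-LABEL. Every snapshot is its own
# directory, so the first run after a ransomware infection produces a new
# (encrypted) snapshot instead of overwriting the last good one.
backup_snapshot() {
    local src="$1" dest="$2" label="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
    local snap="$dest/snapshot-$label"
    mkdir -p "$snap"
    # Per-file manifest hashed at backup time, so a later restore can be
    # verified without trusting the (possibly already damaged) live source.
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
        > "$snap/manifest.sha256"
    tar -czf "$snap/data.tar.gz" -C "$src" .
    sha256sum "$snap/data.tar.gz" | cut -d' ' -f1 > "$snap/data.tar.gz.sha256"
    echo "$snap"
}

# Automated verification: extract the snapshot into a scratch directory and
# check every file against the manifest. Returns 0 only when the archive
# checksum, the extraction and every file hash all pass.
verify_snapshot() {
    local snap scratch rc=1
    snap=$(cd "$1" && pwd)
    scratch=$(mktemp -d)
    if [ "$(sha256sum "$snap/data.tar.gz" | cut -d' ' -f1)" = "$(cat "$snap/data.tar.gz.sha256")" ] \
        && tar -xzf "$snap/data.tar.gz" -C "$scratch" 2>/dev/null \
        && ( cd "$scratch" && sha256sum -c --status "$snap/manifest.sha256" ); then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

# The "restore one small file" check: stream a single path (relative to the
# backed-up root) out of a snapshot to stdout.
restore_file() {
    tar -xzOf "$1/data.tar.gz" "./$2"
}

# Retention: delete snapshots older than KEEP_DAYS, oldest first, but never
# drop below MIN_KEEP copies, so a stalled backup job can never prune the last
# good snapshot. Prints the number of snapshots removed.
prune_snapshots() {
    local dest="$1" keep_days="$2" min_keep="${3:-3}"
    local total removed=0 allowed snap
    total=$(find "$dest" -mindepth 1 -maxdepth 1 -type d -name 'snapshot-*' | wc -l)
    allowed=$(( total - min_keep ))
    for snap in $(find "$dest" -mindepth 1 -maxdepth 1 -type d -name 'snapshot-*' \
                    -mtime +"$keep_days" | LC_ALL=C sort); do
        [ "$removed" -lt "$allowed" ] || break
        rm -rf "$snap"
        removed=$(( removed + 1 ))
    done
    echo "$removed"
}

# Constructed sample data standing in for a small business's files.
make_sample_data() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/accounts" "$dir/config"
    printf 'invoice,amount\nINV-1,1200\n' > "$dir/accounts/invoices.csv"
    printf 'db_host=localhost\n' > "$dir/config/app.conf"
    echo "$dir"
}
```

Run `backup_snapshot /srv/data /mnt/backup && prune_snapshots /mnt/backup 30` from a nightly cron job, then sync `/mnt/backup` to the second location (cloud bucket or rotated drive) with an account that can write but not delete, and keep that account's credentials and any encryption key outside the backed-up systems. `verify_snapshot` is the quarterly (later monthly) drill in automated form; log its exit status so a silently broken backup is noticed before an incident.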
Documents and records that prove your maturity level.
- Written backup and recovery procedure document (even 1-2 page document counts) that describes what data is backed up, where it is stored, how often, and step-by-step how to restore it
- Backup schedule, plus completion logs or screenshots from your backup tool showing successful daily, weekly, or monthly backups for the past 3 months
- Test recovery report documenting the date, what was restored, how long it took, and whether it was successful (sign-off by IT person and one business user)
- Incident response plan or playbook that explicitly includes recovery steps, assigned roles, and contact information for the recovery team
- List of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets for critical systems, approved by business management
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your backup schedule and proof that backups have been completed in the past 30 days?"
- "When was the last time you actually tested restoring data from backup, and what happened?"
- "If your main server failed today, how long would it take you to restore customer data and get back to work? Do you have a written plan?"
- "Where are your backups stored? If your office burns down, can you still access your data?"
- "Show me your incident response plan. Does it include recovery steps and who is responsible for executing them?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Automatic backup of files and databases to secure cloud storage | Google Drive (15GB free), OneDrive (5GB free with Microsoft account), or Nextcloud (self-hosted, free open-source) | Acronis True Image (₹3,500/year), Backblaze (₹500/month or ₹4,500/year), AWS Backup (approximately US$0.05 per GB stored per month, billed in dollars) |
| Test and verify backups work without restoring the entire system | Built-in Windows System Image Recovery, Veeam Backup & Replication Community Edition (free for up to 10 workloads), or manual verification by restoring one small file monthly and comparing it with the original | Veeam Backup & Replication (₹50,000+/year for small business), Nakivo (₹15,000-30,000/year) |
| Document and track incident response and recovery procedures | Google Docs, Notion, or Confluence Cloud free tier | Microsoft Visio for flowcharts (₹4,500/year), or incident management tools like PagerDuty (₹3,000+/month) |
- Backing up to only one location (same office building) – if there is a fire or flood, backups are lost too; use at least two locations (one off-site/cloud)
- Never testing recovery before an actual incident – a backup is only useful if you have proven it can be restored; test at least quarterly
- Storing backup passwords or encryption keys in the same place as the backups, or letting the everyday admin account delete backups – an attacker who reaches the backup location then gets the key as well, and ransomware operators routinely wipe every backup their stolen credentials can reach; keep credentials in a separate store and keep at least one copy that production credentials cannot modify (offline or immutable)
- Overwriting a single backup copy with no version history – the first backup run after an infection replaces your good files with encrypted ones; keep multiple dated snapshots (daily or weekly for 30+ days) so you can roll back to a point before the infection
- Assuming the IT person 'knows' how to recover systems without written procedures – when that person is absent or leaves, no one else can restore data; always document steps clearly
- Not backing up configuration and settings, only data files – you need to restore entire systems quickly, not just data; backup operating system, applications, and configurations together
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) (reasonable security safeguards to prevent personal data breaches), Section 8(6) (breach notification), and the Schedule (penalties, up to ₹250 crore for failing to take reasonable security safeguards) |
| CERT-In Directions 2022 | Direction (ii) (report cyber incidents to CERT-In within 6 hours) and Direction (iv) (retain ICT system logs for 180 days, so log data must be included in what you back up) |
| ISO 27001:2022 | Annex A 8.13 (information backup), A 5.29 (information security during disruption) and A 5.30 (ICT readiness for business continuity); the 2013 edition numbered these A.12.3.1 and A.17.1.x |
| NIST CSF 2.0 | Protect Function PR.DS-11 (backups created, protected, maintained and tested) and Recover Function (RC.RP incident recovery plan execution, RC.CO incident recovery communication); recovery improvements are tracked under ID.IM in 2.0 |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →