NCSRC NIRMATA
IR-12 Incident Readiness 4% of OML score

Has the business tested or discussed its response to a realistic incident scenario?

Have you and your team actually practiced what you would do if your business suffered a cyber attack or data breach? This means running through a realistic scenario—like a ransomware attack or customer data leak—to see if your response plan actually works and if everyone knows what to do.

⚡
Why This Matters to Your Business

Without practising, your team will waste critical time figuring out who does what during an actual incident, potentially losing customer trust and regulatory standing. For example, if an attacker steals customer payment data from your e-commerce platform, you need to know immediately whether to take the website offline, notify customers, contact the police, or call your bank; if no one has practised this, you will fumble while the damage spreads. The clocks are short: the CERT-In Directions of 2022 require listed cyber incidents to be reported to CERT-In within 6 hours of noticing them, and the DPDP Act 2023 requires you to notify the Data Protection Board and each affected individual of a personal data breach, with the rules made under the Act setting a 72-hour window for the detailed report to the Board. If your team has not rehearsed these steps, you will miss the deadlines. Customers and banks may drop you if they discover you were unprepared, and you could face regulatory penalties or loss of certifications needed for B2B contracts.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no incident response plan and have never discussed what would happen if you were hacked. Your team doesn't know who to contact or what steps to take if something goes wrong.

Level 1
Initial

You have a basic written response plan, but you've never actually tested it or walked through a scenario with your team. Most people don't know the plan exists.

Level 2
Developing

You've had a meeting or informal discussion where you talked through what you'd do in a breach scenario, but no structured walkthrough or written report of what you learned. A few key people participated.

Level 3
Defined

You conducted a formal table-top exercise (a structured discussion) with your IT person, manager, and key staff, working through a realistic breach scenario step by step, and you documented what happened and what gaps you found. The team now knows the basic steps.

Level 4
Managed

You run a realistic incident drill at least once a year where your team actually simulates responding (e.g., isolating a system, collecting evidence, notifying stakeholders) and you document results, measure response time, identify gaps, and fix them. Multiple people are trained.

Level 5
Optimised

You conduct multiple realistic drills per year (including unannounced simulations), measure your response performance against metrics, continuously update your plan based on lessons learned, and maintain detailed logs showing your team's readiness. New staff receive incident response training automatically.

🚀
How to Move Up — Practical Steps
Step | What to do | Who | Effort
0 → 1 | Write a simple one-page incident response plan listing: (1) who to contact (IT person, manager, bank, police), (2) what to do first (isolate affected systems, preserve evidence), (3) customer and regulator notification steps. Have your IT person or manager draft it. | IT person or Operations Manager | 1 day
1 → 2 | Schedule a 1-2 hour meeting with your IT person, manager, and 1-2 other staff. Walk through your plan using a realistic scenario (e.g., 'What if our server gets ransomware tomorrow?') and discuss what each person would do. Take notes on what is unclear or missing. | Manager or Business Owner | 1 day (including meeting prep)
2 → 3 | Conduct a formal table-top exercise: prepare a realistic incident scenario on paper, invite 4-6 key people (owner, IT, finance, customer service, legal if available), walk through the scenario step by step discussing decisions and actions, record outcomes and gaps, and produce a 1-2 page report with lessons learned and improvements to your plan. | Manager or external consultant (if budget allows) | 2-4 weeks (including scenario design, scheduling, running the exercise, and reporting)
3 → 4 | Run a realistic 'simulation drill' where your IT person actually practises isolating a test system, collecting logs, and simulating notification steps (e.g., drafting a customer breach notification email). Time how long each step takes, compare to your plan, update procedures, and train any new staff on the revised plan. | IT person with Manager oversight | 1-2 months (design + execution + documentation)
4 → 5 | Schedule at least two drills per year (one announced, one unannounced), measure response time and compliance with your plan, collect feedback from all participants, update training materials for new hires, and maintain a log of all drills with metrics (e.g., time to isolate, time to notify). Integrate incident response into onboarding for all new IT/operational staff. | IT person and Manager, with Business Owner oversight | Ongoing (2-3 days per drill, plus quarterly review)
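As an added example (not part of the NIRMATA guide or any tool it names), here is a small Python script that scores a drill timeline the way the 3 → 4 and 4 → 5 steps describe: it takes the timestamps your team records during a drill, computes time to declare, time to isolate, time to collect evidence and time to notify, and checks each against a limit. The 6-hour CERT-In reporting window and the 72-hour DPDP Rules window for the detailed report to the Board are the regulatory figures; the event names, the internal targets (30 minutes to declare, 1 hour to isolate, 4 hours to evidence) and the sample timeline are assumptions constructed for this example, not figures from the framework.

```python
from datetime import datetime, timedelta

# Constructed timeline from a hypothetical ransomware drill; these are not real
# incident records. Timestamps are ISO 8601 with the IST offset so that elapsed
# times survive a change of machine or time zone.
SAMPLE_TIMELINE = [
    ("detected",           "2024-09-14T09:05:00+05:30"),
    ("incident_declared",  "2024-09-14T09:25:00+05:30"),
    ("isolated",           "2024-09-14T10:10:00+05:30"),
    ("evidence_collected", "2024-09-14T11:40:00+05:30"),
    ("certin_notified",    "2024-09-14T14:30:00+05:30"),
    ("board_notified",     "2024-09-16T18:00:00+05:30"),
]

# Metric -> (limit, start event, end event, basis). The two regulatory windows
# are the 6-hour CERT-In reporting window and the 72-hour DPDP Rules window for
# the detailed report to the Data Protection Board; the other limits are
# assumed internal plan targets chosen for this example.
TARGETS = {
    "time_to_declare":  (timedelta(minutes=30), "detected", "incident_declared",  "plan target (assumed)"),
    "time_to_isolate":  (timedelta(hours=1),    "detected", "isolated",           "plan target (assumed)"),
    "time_to_evidence": (timedelta(hours=4),    "isolated", "evidence_collected", "plan target (assumed)"),
    "time_to_certin":   (timedelta(hours=6),    "detected", "certin_notified",    "CERT-In Directions 2022, Direction (ii)"),
    "time_to_board":    (timedelta(hours=72),   "detected", "board_notified",     "DPDP Rules, 72-hour report to the Board"),
}


def parse_timeline(entries):
    """Turn (event, iso_timestamp) pairs into {event: datetime}.

    Rejects naive timestamps (no UTC offset), duplicate events and out-of-order
    events, all of which make the elapsed-time figures in a drill log meaningless.
    """
    parsed = {}
    previous = None
    for event, stamp in entries:
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:
            raise ValueError(f"{event}: timestamp must carry a UTC offset")
        if event in parsed:
            raise ValueError(f"{event}: recorded twice")
        if previous is not None and when < previous:
            raise ValueError(f"{event}: timeline is not in chronological order")
        parsed[event] = when
        previous = when
    return parsed


def score_drill(entries, targets=TARGETS):
    """Compute each metric and whether it met its limit.

    A missing end event (for example, the team never got round to notifying the
    Board) is scored as not met with elapsed=None rather than silently skipped,
    because a step that never happened is the gap the drill exists to find.
    """
    times = parse_timeline(entries)
    scores = {}
    for name, (limit, start, end, basis) in targets.items():
        if start in times and end in times:
            elapsed = times[end] - times[start]
            met = elapsed <= limit
        else:
            elapsed = None
            met = False
        scores[name] = {"elapsed": elapsed, "limit": limit, "met": met, "basis": basis}
    return scores


def drill_passed(scores):
    """True only when every tracked metric met its limit."""
    return all(s["met"] for s in scores.values())


def format_scorecard(scores):
    """Render a plain-text scorecard to paste into the drill log."""
    lines = []
    for name, s in scores.items():
        elapsed = "MISSING" if s["elapsed"] is None else str(s["elapsed"])
        status = "OK  " if s["met"] else "MISS"
        lines.append(f"{status} {name:<17} {elapsed:>18} (limit {s['limit']}; {s['basis']})")
    lines.append("Overall: " + ("PASS" if drill_passed(scores) else "FAIL, update the plan"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_scorecard(score_drill(SAMPLE_TIMELINE)))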
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written incident response plan document (even if one page) with roles, contact numbers, and step-by-step response procedures
  • Notes or minutes from your incident response planning/discussion meeting, signed and dated, showing who attended and what was discussed
  • Table-top exercise scenario document (describing the incident being simulated) and a report or notes showing what your team decided to do and what gaps were identified
  • Logs or records of drill execution (dates, participants, time taken for each step, issues found, and corrective actions taken)
  • Updated or revised incident response plan reflecting lessons learned from testing, with version number and date of last update
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you walk me through your incident response plan? What would your team do in the first hour if your customer database was compromised?"
  • "When was the last time you actually tested or practiced your response plan? Show me the evidence (notes, drill report, meeting minutes)."
  • "Who is responsible for notifying customers and regulators in case of a breach? How quickly can you notify them, and have you actually timed this?"
  • "What gaps or problems did you find when you tested your plan? How did you fix them?"
  • "How do you ensure new employees understand the incident response plan? Is this covered in their onboarding?"
🛠
Tools That Work in India
PurposeFree OptionPaid Option
Document and manage your incident response plan Google Docs or LibreOffice (write and share your plan easily) Microsoft 365 (₹5,000-15,000/year for small teams; includes OneDrive for version control and collaboration)
Tabletop exercise or drill template and facilitation guidance NIST Cybersecurity Framework templates (available at nist.gov), or CERT-In guidelines from cert-in.org.in Incident response consulting firms in India (₹50,000-2,00,000+ for designing and running a formal exercise)
Simulate a breach and collect evidence safely without harming live systems VirtualBox (create a test environment) or GNS3 (network simulation) to practice in a sandbox AWS or Google Cloud free tier (limited testing); commercial SIEM tools like Splunk (₹3,00,000+/year) or open-source ELK Stack (free but requires setup)
🛡
How This Makes You More Resilient
When your team has practiced your response, you'll respond to a real incident in hours instead of days, dramatically reducing the damage (fewer stolen records, less downtime, faster system recovery). Your team will stay calm and focused because they've already been through the steps, and you'll meet regulatory deadlines—avoiding penalties and customer loss. You'll also discover missing tools or contacts before a crisis, giving you time to fix them cheaply.
⚠️
Common Pitfalls in India
  • Writing a plan but never testing it: Many Indian MSMEs create a document and file it away, believing they're 'compliant.' When a real incident happens, the plan is outdated or people don't understand it. Practice reveals gaps that paperwork alone will not.
  • Only involving IT staff in drills: Your IT person may know what to do technically, but if your finance team doesn't know when to freeze accounts or your management doesn't know when to notify the board, your response will be chaotic. Include multiple departments.
  • Confusing 'discussion' with 'testing': Talking informally about an incident is not the same as practicing. You need a structured scenario, documented decisions, measured outcomes, and a follow-up report. Auditors and regulators expect evidence of actual testing, not casual conversation.
⚖️
Compliance References
StandardRelevant Section
DPDP Act 2023 Section 4(6) (reasonable security practices), Section 6 (consent, transparency, and grievance), Section 8 (notice and consent before processing), and Section 7 (data breach notification to authority within 72 hours and to affected individuals)
CERT-In 2022 Directions Direction 4 (incident reporting to CERT-In within 6 hours of discovery) and Direction 5 (maintaining incident response capability)
ISO 27001:2022 Clause 5.2 (information security policies), Clause 6.1 (risk assessment), Annex A 5.20 (incident response), and Annex A 5.23 (incident management planning and improvement)
NIST CSF 2.0 Respond (RS) function: RS.RP-1 (response plan establishment), RS.CO-1 (incident communication), RS.MI-1 (incident mitigation)

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

Start Free Self-Assessment →

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

← Back to all guides  ·  trustinbharat.org