Without backups, a ransomware attack (where criminals lock your files and demand money) can shut down your entire business for weeks—you cannot invoice customers, access inventory, or retrieve financial records. An Indian export business hit by ransomware in 2023 lost ₹40 lakhs because they had no backups and paid the ransom; they could have recovered for free. If you're audited by a bank or large customer and cannot prove your data is protected, you may lose contracts or credit lines. Accidental deletion by an employee, a hard disk failure, or a fire in your office becomes a total business loss if backups don't exist elsewhere.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find that important files live only on one computer or server, with no copies anywhere else. The business owner keeps some old spreadsheets on their personal laptop and hopes they don't lose them.
Initial
You find that someone occasionally copies files to an external hard drive kept in the same office, but there is no schedule, no log of what was backed up, and no one has ever tested if the backup actually works.
Developing
You find that backups are done weekly using an external hard drive or USB drive, files are being copied regularly, but the backup device is still kept in the office building and no one documents what was backed up or when.
Defined
You find that backups run automatically every day or weekly to an external drive and also to a cloud service (like Google Drive or AWS), backups are stored in a different physical location, and the IT person has tested recovery once in the past year.
Managed
You find that backups are automated daily, stored in multiple locations (on-premise and cloud), tested for recovery every quarter, a backup log is maintained showing what succeeded and what failed, and critical databases are backed up hourly.
Optimised
You find that backups are real-time or continuous, stored across three or more geographic locations, tested for recovery monthly with documented results, encryption is verified, retention policies match your recovery time and recovery point objectives, and backup restoration is part of your disaster recovery plan that is reviewed annually.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Buy one external hard drive (₹3,000–5,000), connect it to your main server or file storage, and manually copy all important folders (accounting, customer data, product files) to it once a week on Friday afternoon. | Business owner or office manager | 1 day (setup) + 1 hour per week ongoing |
| 1 → 2 | Set up automatic daily backups using built-in Windows/Mac backup tools or free software like Duplicati or Veeam Agent (free version), keep a log in a simple spreadsheet noting backup date and size, and store the external drive at home or a trusted location outside the office. | IT person or technical employee | 3–5 days (configuration and testing) |
| 2 → 3 | Add a cloud backup service (Google One, Dropbox, or AWS S3 at ₹500–2,000/month) for critical files, test restoring one file from backup to confirm it works, document the backup schedule and retention policy in writing, and store backup device in a different building or at home. | IT person with approval from business owner | 2–4 weeks (setup, testing, documentation) |
| 3 → 4 | Upgrade to a dedicated backup software solution like Veeam Backup & Replication or Acronis (₹30,000–60,000/year), configure hourly backups for databases, set up automated backup verification and alerts, create a backup policy document showing retention periods (how long backups are kept), and log all backup results. | IT manager or external IT consultant | 1–2 months (evaluation, deployment, staff training) |
| 4 → 5 | Implement a multi-site backup strategy (local + cloud + offsite copy), set recovery time objective (RTO) and recovery point objective (RPO) targets in writing, conduct quarterly disaster recovery drills with full data restoration tests, encrypt all backups, document and review the entire backup and recovery process annually. | IT manager with involvement from department heads | Ongoing (quarterly testing + annual review + monthly monitoring) |
Documents and records that prove your maturity level.
- Backup schedule document or policy showing what data is backed up, how often, and where it is stored
- Backup log or report (weekly or daily) showing successful backup completion dates and sizes
- Record of at least one successful backup restoration test with date, time, and files verified
- Backup device inventory list showing location of external drives, cloud accounts used, and access credentials stored securely
- Disaster recovery or business continuity plan mentioning backup strategy, recovery time targets, and roles/responsibilities
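A restoration test record like the one listed above can be produced by a short script. This is an added example, not part of the original page or of any backup product: it compares SHA-256 hashes of live files with their restored copies. The folder names and sample files are constructed, and it assumes the live files have not changed since the backup was taken.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(source_dir: Path, restored_dir: Path) -> dict:
    """Compare every file under source_dir with its restored copy."""
    record = {"tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "verified": [], "missing": [], "mismatched": []}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        restored = restored_dir / rel
        if not restored.is_file():
            record["missing"].append(rel.as_posix())      # never came back
        elif sha256_of(src) != sha256_of(restored):
            record["mismatched"].append(rel.as_posix())   # corrupt or truncated
        else:
            record["verified"].append(rel.as_posix())
    record["passed"] = not record["missing"] and not record["mismatched"]
    return record


def demo() -> dict:
    """Constructed sample: three files, one restored corrupt, one not restored."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "live"), Path(tmp, "restored")
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("invoice,amount\n1001,25000\n")
        (source / "customers.csv").write_text("id,name\n1,Sample Customer\n")
        (source / "products.txt").write_text("SKU-1 sample item\n")
        shutil.copytree(source, restored)
        (restored / "customers.csv").write_text("id,name\n")  # truncated restore
        (restored / "products.txt").unlink()                   # file never restored
        return verify_restore(source, restored)


if __name__ == "__main__":
    print(demo())
```

Saving the returned record with each test gives you the date, time, and list of files verified that a reviewer will ask for.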
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your backup schedule and confirm how often backups are currently being taken?"
- "How do you verify that backups are actually working? When did you last test restoring data from a backup?"
- "Where are your backups stored? Are they kept in a different location from your main office?"
- "What happens to old backups? How long do you keep them, and can you restore data from 3 months ago if needed?"
- "If your office burned down tomorrow, could you restore your customer database and accounting files within 24 hours? How would you do it?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Automatic file and folder backup to external drive or cloud | Windows File History (built-in) or Duplicati (Windows/Mac/Linux) | Veeam Backup & Replication Community Edition (free for up to 10 sockets) or Acronis True Image (₹6,000–8,000/year) |
| Cloud backup for offsite storage and easy file recovery | Google One free tier (15 GB) or Microsoft OneDrive free (5 GB) | Google One (₹130/month for 100 GB), Dropbox (₹500/month for 2 TB), or AWS S3 (₹500–2,000/month depending on data size) |
| Backup verification and reporting to confirm backups are working | Veeam Agent Free Edition or Bacula (Linux-based, open source) | Veeam Backup & Replication Standard (₹60,000–80,000/year) or Commvault (₹100,000+/year for enterprise) |
- Backup device kept in the same office—if there is a fire, flood, or theft, both your original data and backup are lost; always keep backups in a different physical location
- Backup is taken but never tested for restoration—the backup file may be corrupted or incomplete, and you only discover this when you need it in an emergency
- Backup software configured once but forgotten—no one checks if the backup is actually running, and after a few months it silently fails without anyone noticing until disaster strikes
- No log or documentation of what was backed up or when—when auditors or large customers ask for proof of backups, you cannot provide it, and you lose business or face regulatory action
- Using the same password or access method for backup as for regular data—if a hacker gets into your system, they can delete backups too; backups should have separate, strong access controls
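The "configured once but forgotten" and "no log" mistakes above can be caught by checking the backup log automatically. The sketch below is an added example, not the output format of any tool named on this page: the CSV column names (`date`, `size_mb`, `status`), the sample rows, and the thresholds are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample log. Column names are assumptions, not a tool's format.
SAMPLE_LOG = """date,size_mb,status
2024-03-01,5120,success
2024-03-02,5135,success
2024-03-03,0,failed
2024-03-04,1200,success
2024-03-08,5150,success
"""


def audit_backup_log(csv_text, today, max_gap_days=1, shrink_ratio=0.5):
    """Return findings: failed runs, missed days, sharp size drops, stale log."""
    findings = []
    prev_day, prev_size = None, None
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["status"].strip().lower()
        if status != "success":
            findings.append(f"{row['date']}: backup reported {status}")
            continue
        day, size = date.fromisoformat(row["date"]), float(row["size_mb"])
        # A gap between good backups means a job silently stopped running.
        if prev_day and (day - prev_day).days > max_gap_days:
            findings.append(f"{row['date']}: no good backup for {(day - prev_day).days} days")
        # A sudden shrink suggests an incomplete backup or missing folders.
        if prev_size and size < prev_size * shrink_ratio:
            findings.append(f"{row['date']}: size fell from {prev_size:.0f} to {size:.0f} MB")
        prev_day, prev_size = day, size
    if prev_day is None:
        findings.append("no successful backup recorded")
    elif (today - prev_day).days > max_gap_days:
        findings.append(f"stale: last good backup {prev_day}, {(today - prev_day).days} days ago")
    return findings


if __name__ == "__main__":
    for finding in audit_backup_log(SAMPLE_LOG, date(2024, 3, 12)):
        print(finding)
```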
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2) and Schedule 2 (Technical and Organizational Measures) require data controllers to implement backup and recovery controls to protect personal data |
| CERT-In 2022 Directions | Direction 4 requires organizations to maintain backups of critical data and systems for disaster recovery and business continuity |
| ISO 27001:2022 | Annex A 10.1.1 (Information backup) requires backups of information, software, and configurations to be taken and tested regularly |
| NIST CSF 2.0 | Govern function (GV.RR-03) and Protect function (PR.IP-04) require maintaining and protecting backup copies of critical data and systems |