IS-12 Identity & Access 8% of OML score

Are backups stored safely so ransomware or system failure cannot destroy them?

This question asks: Do you keep copies of your important business data in a safe place that cannot be damaged or deleted if your main system gets hacked or breaks down? If a criminal encrypts all your files and demands money, or your server crashes, you need backups stored separately and securely so you can recover your business.

⚡ Why This Matters to Your Business

Without safe backups, a ransomware attack or hardware failure can permanently destroy your business data—customer records, invoices, designs, financial information—leaving you unable to operate or serve customers. An Indian manufacturing company with QuickBooks data stored only on a local server lost ₹40 lakhs in production when malware encrypted everything and the owner had no backup. Your customers may stop trusting you if their data is lost, auditors will flag you for non-compliance with DPDP Act requirements, and you may face regulatory action or customer compensation claims. In the worst case, small businesses simply close after losing critical data because recovery is impossible.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You keep no backups at all, or backups exist only on the same computer or network as the original data. A single malware infection or server failure destroys everything permanently.

Level 1: Initial

You take occasional manual backups to an external hard drive and keep it in the office desk, but there is no schedule, no verification that backups actually work, and the drive is at risk of theft or damage alongside the main system.

Level 2: Developing

You perform regular backups (weekly or monthly) to an external device using built-in Windows or Mac backup tools, store the device in a separate locked cabinet in the office, and you have tested restoration once to confirm it works.

Level 3: Defined

You have automated daily or weekly backups to both an external hard drive (stored offsite at a partner's location) and a cloud service (Google Drive, AWS S3, or similar). You test restoration quarterly and document the process in a written backup and recovery plan.

Level 4: Managed

You use enterprise backup software (Veeam, Acronis, or equivalent) with daily automated backups to multiple locations (onsite NAS, offsite secure cloud, and encrypted external drive), perform monthly restoration tests, maintain a documented disaster recovery plan, and monitor backup success logs weekly.

Level 5: Optimised

You have a fully managed backup service with real-time or hourly incremental backups, geographic redundancy (data in at least two separate regions), automatic verification of backup integrity, monthly full restoration drills, and a tested recovery time objective (RTO) of less than 4 hours. Backups are encrypted, access-controlled, and audited quarterly.

🚀 How to Move Up — Practical Steps

Step | What to Do | Who | Effort
0 → 1 | Purchase one external hard drive (₹3,000–₹5,000 for 2TB), plug it into your main computer, and use built-in backup (Windows Backup or Mac Time Machine) to create a full backup of all business data. Label the drive and store it in a locked drawer separate from the computer. | Business owner or IT person | 1 day
1 → 2 | Set up a weekly automatic backup schedule using Windows Backup or Mac Time Machine; test restoration by recovering one file to confirm the backup is usable; document the backup process in a simple one-page checklist and store it near the external drive. | IT person or designated staff member | 3–5 days
2 → 3 | Register for a free or low-cost cloud backup service (Google Drive, Nextcloud, or AWS S3 free tier); set up daily automated backups to the cloud; arrange to store the external backup drive at a trusted partner's office offsite; create a written backup and recovery plan with step-by-step instructions; perform a full restoration test and document the results. | IT person | 2–4 weeks
3 → 4 | Deploy enterprise backup software (30-day free trials: Veeam, Acronis, or Backblaze); configure automated daily backups to multiple destinations (NAS device, cloud, external encrypted drive); set up backup job monitoring and weekly log review; establish a monthly restoration drill schedule; document RTO and RPO targets in a formal disaster recovery plan. | IT person or external consultant (₹20,000–₹50,000 setup cost) | 1–2 months
4 → 5 | Engage a managed backup service provider (Acronis Cloud, Druva, or local Indian provider like Netmotion); implement real-time or hourly incremental backups with geographic redundancy; enable backup encryption and role-based access controls; schedule quarterly full restoration drills; establish audit and compliance reporting; review and update the disaster recovery plan annually. | IT manager or external managed services provider | Ongoing (₹2,000–₹10,000/month depending on data volume)
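The weekly log review and the scheduled restoration drills in the steps above are what produce the evidence an auditor asks for. The following script is an added example, not part of the NIRMATA guide or of any backup product: it reads a constructed backup-job log in a made-up format and flags destinations with no recent successful backup, runs of consecutive failures, and a restore test that is older than the quarterly schedule. The log line format, the destination names nas and cloud, the review time, and the thresholds (one day between backups, 90 days between restore tests) are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of a backup job log (made-up format, not from any real product):
# timestamp, job name, destination, result
SAMPLE_LOG = """\
2024-06-01T02:00:11 daily-files nas SUCCESS
2024-06-01T02:05:40 daily-files cloud SUCCESS
2024-06-02T02:00:09 daily-files nas SUCCESS
2024-06-02T02:06:01 daily-files cloud FAILED
2024-06-03T02:00:12 daily-files nas SUCCESS
2024-06-03T02:05:55 daily-files cloud FAILED
2024-06-04T02:00:10 daily-files nas SUCCESS
2024-02-20T10:00:00 restore-test nas SUCCESS
"""
REVIEW_TIME = datetime(2024, 6, 4, 9, 0)  # assumed time of the weekly review

def parse_log(text):
    """Parse 'timestamp job destination result' lines into tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, job, dest, result = line.split()
            entries.append((datetime.fromisoformat(ts), job, dest, result))
    return entries

def check_backups(entries, now, destinations, max_gap_days=1, restore_test_days=90):
    """Flag destinations without a recent success, trailing failure streaks,
    and a successful restore test older than the allowed interval."""
    findings = {"stale_destinations": [], "failure_streaks": {}, "restore_test_overdue": False}
    for dest in destinations:
        runs = sorted(e for e in entries if e[1] != "restore-test" and e[2] == dest)
        ok_times = [e[0] for e in runs if e[3] == "SUCCESS"]
        if not ok_times or now - max(ok_times) > timedelta(days=max_gap_days):
            findings["stale_destinations"].append(dest)
        streak = 0
        for e in reversed(runs):  # count failures since the last success
            if e[3] == "SUCCESS":
                break
            streak += 1
        if streak:
            findings["failure_streaks"][dest] = streak
    tests = [e[0] for e in entries if e[1] == "restore-test" and e[3] == "SUCCESS"]
    if not tests or now - max(tests) > timedelta(days=restore_test_days):
        findings["restore_test_overdue"] = True
    return findings

def sample_report():
    """Run the check over the constructed log for the two required destinations."""
    return check_backups(parse_log(SAMPLE_LOG), REVIEW_TIME, ["nas", "cloud"])
```

On the sample log the cloud destination has failed twice in a row and has had no successful backup for three days, and the last restore test is more than 90 days old; each of these would be a finding to record in the weekly review.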
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Backup schedule or policy document stating frequency (daily/weekly/monthly), destinations, and retention period
  • Backup verification log or report showing successful backups for the last 3 months (print screen or CSV export from backup software)
  • Documented test restoration record with date, what was restored, and confirmation that data was usable
  • List of backup storage locations (e.g., 'External drive in locked cabinet, Floor 2; Cloud account credentials stored in password manager; Offsite partner contact details')
  • Disaster recovery or business continuity plan (even one page) with recovery time objective (RTO) and approved by business owner
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Where are your backups stored, and are they physically separated from your main systems?"
  • "How often are backups taken, and can you show me proof that the last three backups completed successfully?"
  • "When did you last test restoring data from a backup, and did the restored data work correctly?"
  • "What would happen if your main server failed today—how long would it take you to get back online, and do you have a written plan?"
  • "Are your backups encrypted, and who has access to restore them?"
🛠 Tools That Work in India

Purpose | Free Option | Paid Option
Automatic scheduled backups to cloud storage with version history | Google Drive (15 GB free), Nextcloud (self-hosted, free open-source), AWS S3 free tier (5 GB for 12 months) | Google One (₹130/month for 100 GB), AWS S3 (₹0.60–₹1.20 per GB/month)
Full-featured backup and disaster recovery software for Windows/Mac servers | Veeam Community Edition (free for 10 sockets), Bacula (free open-source), AOMEI Backupper Standard (free version limited) | Veeam Backup & Replication (₹2,50,000–₹5,00,000/year), Acronis Cyber Protect (₹50,000–₹2,00,000/year)
Encrypted external hard drive or NAS (network storage) for onsite/offsite backup | (none) | WD My Passport (encrypted, 2TB ₹4,500), Synology NAS (₹30,000–₹80,000), QNAP NAS (₹35,000–₹1,50,000)
Managed backup and disaster recovery service with monitoring | (none) | Druva inSync (₹100–₹300 per user/month), Acronis Cyber Cloud (₹2,000–₹15,000/month), Backblaze (₹200–₹500/month per device)
Password and access credential management for backup accounts | Bitwarden, KeePass (self-hosted), Vaultwarden | 1Password (₹4,000–₹6,000/year per user), LastPass (₹3,000/year per user)
🛡 How This Makes You More Resilient
When your backups are safe and separate, a ransomware attack no longer destroys your business—you can restore clean data and resume operations within hours instead of losing weeks and paying extortion money. A hardware failure, natural disaster, or theft becomes a minor inconvenience (a day or two of downtime) rather than a catastrophic loss of customer trust and business reputation. Your insurance company and customers will have confidence that you can recover, reducing liability and compliance violations.
⚠️ Common Pitfalls in India
  • Storing backups in the same location as the main system (same office, same server room, same building)—if there is a fire, flood, or theft, both the original and backup are lost together
  • Never testing whether backups actually work until a crisis occurs, then discovering the backup is corrupted or incomplete and data cannot be recovered
  • Keeping backup hard drives plugged in or on the same network as production systems, allowing ransomware to encrypt the backups as well as the originals
  • Failing to secure access credentials for backup systems, allowing employees to delete or modify backups intentionally or by mistake, or allowing a fired employee to sabotage them
  • Using only cloud backups without a local offline copy, making recovery dependent on internet connectivity and vulnerable to cloud account compromise or cloud provider outage
  • Forgetting about backups for months or years and assuming they still work, or changing systems (new server, new software) without migrating the backup setup, resulting in outdated or incompatible backups
⚖️ Compliance References

Standard | Relevant Section
DPDP Act 2023 | Section 8 (data protection by design and default) requires security measures including backup and recovery capability; Section 10 requires accountability for data storage and recovery
CERT-In 2022 | Direction 4 requires organizations to maintain verified, regular, and secure backups of critical information systems; Direction 5 requires business continuity and disaster recovery plans
ISO 27001:2022 | Annex A, A.12.3.1 (Information backup) requires backups be taken, tested, and stored securely; A.17.1.1 (Planning information security continuity) requires recovery procedures
NIST CSF 2.0 | Protect (PR) function, category PR.IP-4 (Data and information management) requires backups; Recover (RC) function requires recovery processes and procedures

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security · trustinbharat.org