NCSRC NIRMATA
IS-13B · Identity & Access · 8% of OML score

Can the business restore data from backups within a reasonable time if systems fail?

This question asks whether your business can quickly recover all its important data and get systems back online if something goes wrong—like a server crash, ransomware attack, or accidental deletion. If your backup takes 3 days to restore but your customers need you online in 3 hours, you have a serious problem.

⚡ Why This Matters to Your Business

If you cannot restore data quickly, your business stops working—customers cannot place orders, you cannot access invoices or employee records, and revenue stops. A manufacturing company in Bangalore lost ₹45 lakhs in one week because their backup took 10 days to restore after a ransomware attack; customers switched to competitors. Small e-commerce businesses have lost their entire customer database to corruption with no backup, forcing shutdown. Regulatory bodies like CERT-In now expect businesses to demonstrate recovery capability, and customers (especially large ones) audit your backup plan before giving you contracts.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no backups at all, or backups exist but no one knows how to restore them or if they even work. You are running on hope that your server never fails.

Level 1
Initial

You take backups occasionally (maybe weekly) to an external drive or cloud, but you have never actually tested whether the data can be restored, and you do not know how long restoration would take.

Level 2
Developing

You take regular backups (daily or weekly) to a separate location, you have tested restoration once or twice, and you think it would take 24-48 hours to get systems back online.

Level 3
Defined

You take daily backups to at least two different locations (one offsite), you test restoration quarterly, and you have documented procedures that show recovery would take 4-12 hours; staff know what to do.

Level 4
Managed

You take automated backups multiple times daily to geographically separate locations with encryption, you test restoration monthly with realistic scenarios, and your documented RTO (Recovery Time Objective) is under 4 hours; staff are trained annually.

Level 5
Optimised

You have continuous backup replication, automated failover to backup systems, monthly full restoration drills with documented results, recovery time under 1 hour, and a backup vendor on retainer to guarantee support during crisis.

🚀 How to Move Up — Practical Steps
Step 0 → 1
  What to do: Purchase a 2 TB external hard drive or sign up for a cloud backup service (Google Drive, OneDrive, or AWS); configure automatic daily backups of all critical files and databases; store the external drive in a locked cabinet, away from the main server.
  Who: IT person or designated business owner
  Effort: 2-3 days

Step 1 → 2
  What to do: Perform a full restoration test: restore data from your backup to a separate computer or folder, verify that all files are intact and readable, document the time taken, and write down the exact steps followed; repeat this test every 6 months.
  Who: IT person
  Effort: 1-2 days (including test execution)

Step 2 → 3
  What to do: Set up a second backup location (e.g., if using an external drive, add cloud backup; if using one cloud, add a second cloud service); automate both backups to run daily during off-peak hours; create a one-page 'Recovery Playbook' listing step-by-step restoration instructions and contact information for all staff.
  Who: IT person
  Effort: 1-2 weeks (including configuration, testing, and documentation)

Step 3 → 4
  What to do: Upgrade to a backup solution with encryption (e.g., Backblaze, Carbonite, or AWS Backup); implement automated backup scheduling (3-4 times daily for databases); conduct a quarterly 'disaster recovery drill' with all team members, measure actual recovery time, document results, and conduct a 30-minute training session with staff on recovery procedures.
  Who: IT person with business owner approval
  Effort: 1-2 months (including tool setup, encryption configuration, and quarterly drill execution)

Step 4 → 5
  What to do: Implement continuous replication (e.g., AWS DMS, Azure Site Recovery, or Veeam Backup & Replication) so the backup is always synchronized; configure automated failover testing; establish a quarterly review meeting with a backup vendor representative to review RTO/RPO metrics and incident response updates; document all disaster recovery metrics in a Board-level report.
  Who: IT person with external backup consultant and business owner
  Effort: Ongoing (quarterly reviews, monthly failover tests, continuous monitoring)
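The 1 → 2 and 3 → 4 steps above both call for a restoration test that proves the files come back intact and records how long the restore took. The Python script below is an added example written for this guide; it is not NIRMATA tooling or any vendor's product. It backs up a constructed sample directory, restores it into a separate folder (never over the live data), checks every restored file against a SHA-256 manifest written at backup time, and compares the measured restore time with an assumed 4-hour RTO. The file names, archive name and RTO value are constructed for illustration.

```python
"""Restore drill: back up a directory, restore it to a separate location, verify
every file by checksum, and time the whole restore against an RTO target."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of one file, read in 1 MiB chunks so large backups do not exhaust RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its checksum."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and write a checksum manifest next to it.
    The manifest is what later lets a restore test prove the data is intact."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for item in sorted(source.iterdir()):
            tar.add(item, arcname=item.name)
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Compare what was restored against the manifest taken at backup time."""
    expected = json.loads(Path(f"{archive}.manifest.json").read_text())
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"files_expected": len(expected), "files_restored": len(actual),
            "missing": missing, "corrupted": corrupted,
            "passed": not missing and not corrupted}


def restore_drill(archive: Path, restore_dir: Path, rto_seconds: float = 4 * 3600) -> dict:
    """Restore into a SEPARATE directory (never over production), verify, and
    record the time taken so the drill report can be compared with the RTO."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses paths that escape restore_dir
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    report = verify_restore(archive, restore_dir)
    elapsed = time.monotonic() - started
    report.update(restore_seconds=round(elapsed, 3), rto_seconds=rto_seconds,
                  rto_met=elapsed <= rto_seconds)
    return report


def demo() -> dict:
    """Constructed sample: a tiny business data tree backed up and restored in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        (source / "customers").mkdir(parents=True)
        (source / "invoices.csv").write_text("INV-1001,Sharma Traders,45000\n")
        (source / "customers" / "db.sql").write_bytes(os.urandom(4096))
        archive = tmp / "backup-2024-01-15.tar.gz"  # constructed name
        take_backup(source, archive)
        clean = restore_drill(archive, tmp / "restore-test")
        # Failure mode from the pitfalls list: a restore that looks complete but
        # does not match what was backed up. Simulated by altering one restored file.
        (tmp / "restore-test" / "invoices.csv").write_text("INV-1001,Sharma Traders,0\n")
        damaged = verify_restore(archive, tmp / "restore-test")
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report returned by `restore_drill` (file counts, missing and corrupted paths, restore time, whether the RTO was met) is the content of the Restoration Test Report listed under the evidence section; print it, date it and have the technician sign it. Pointing `restore_drill` at a production path defeats the purpose of the test, so keep the restore directory separate.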
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Backup Schedule Document: written record showing what is backed up, how often, and where backups are stored (e.g., 'Daily backups at 2 AM to NAS drive in office safe + AWS cloud backup')
  • Last 3 Months of Backup Logs: automated reports or email confirmations showing that each scheduled backup actually completed successfully (from your backup software or cloud service)
  • Restoration Test Report: document from your last backup test showing the date, time taken to restore, which files were tested, whether they opened correctly, and the technician's signature
  • Recovery Playbook or Procedure Document: a one-to-two page instruction manual with exact steps to restore data, names and phone numbers of technical contacts, and identified backup locations
  • RTO/RPO Definition Document: written statement of your Recovery Time Objective (how fast you need to be back online) and Recovery Point Objective (how much data loss is acceptable), and confirmation that your backups can meet these targets
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your last successful backup. How do I know it actually worked and was not corrupted?"
  • "If your main server fails today, how long would it take you to restore all customer data, and can you prove this by walking me through a recent test you performed?"
  • "Where are your backups stored? Are they kept separate from your main server location, and are they encrypted?"
  • "Who is responsible for backups, and what happens if that person is on leave and the server crashes—does someone else know how to restore?"
  • "Do you have a documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? If yes, how do you verify your backup strategy actually meets these targets?"
🛠 Tools That Work in India
Purpose: Automatic backup of files to cloud storage with version history
  Free option: Google Drive (15 GB free), Microsoft OneDrive (5 GB free), or Nextcloud (self-hosted, free software)
  Paid option: AWS S3 (₹500-2,000/month depending on storage), Google One (₹99/month for 100 GB), Microsoft 365 (₹4,499-8,999/year with 1 TB cloud storage)

Purpose: Automated backup of databases and servers to multiple locations with encryption
  Free option: Bacula (open-source, requires technical setup), Duplicati (user-friendly, open-source), or rsync (command-line tool for file sync)
  Paid option: Backblaze (₹6,000-8,000/year per computer), Carbonite (₹8,000/year), Acronis True Image (₹5,000-7,000 one-time), Veeam Backup & Replication (₹1-3 lakhs/year depending on environment)

Purpose: External hard drive for local offline backup storage away from server
  Paid option: Seagate Barracuda or WD Blue 2-4 TB external drive (₹4,000-8,000 one-time purchase)

Purpose: Backup testing and documentation software to automate restore drills and record results
  Free option: Google Sheets or Excel for manual test logging
  Paid option: Veeam Backup & Replication (includes built-in restore testing), AWS Backup (hourly restore points, ₹2,000-5,000/month), or SolarWinds Backup (₹50,000+/year)

Purpose: Database-specific backup with point-in-time recovery for business applications
  Free option: MySQL backup utilities (mysqldump), PostgreSQL backup tools (pg_dump), or built-in SQL Server Community backup features
  Paid option: AWS RDS automated backups (₹1,000-5,000/month), Azure SQL Database backup (₹2,000-8,000/month), or Percona XtraBackup with support (₹20,000-50,000/year)
🛡 How This Makes You More Resilient
When you have tested, working backups with a known recovery time, you can recover from ransomware attacks, hardware failures, or data corruption without losing the business weeks or months of operations and customer trust. Instead of your business being offline for days while scrambling to recover, you are back online in hours, avoiding tens of lakhs in lost revenue and customer defection. Your customers and business partners gain confidence that you take data protection seriously, which is increasingly required in contracts.
⚠️ Common Pitfalls in India
  • Backups stored in the same physical location as main server: If there is a fire, flood, or theft, both the server and backup are lost. Always keep at least one backup offsite (cloud or separate building).
  • Backups never tested until an actual crisis occurs: You discover the backup is corrupted, encrypted with a forgotten password, or the restoration process takes 48 hours when you need 4 hours. Test every 3-6 months, document the time, and involve staff who may need to perform actual recovery.
  • No one knows who manages backups or how to restore them: The one person who set up backups leaves the company, and no one else can restore data. Document the process in simple steps, train at least two staff members, and keep contact information for a backup vendor in your playbook.
  • Backups automated but never monitored: The backup software 'thinks' it is working but fails silently (network disconnected, permissions denied, disk full). Review backup logs weekly, set up email alerts for failed backups, and have a senior staff member verify monthly that backups are actually completing.
  • Recovery time objectives not defined or unrealistic: You assume 'fast backup' without defining what 'fast' means for your business. A retail company losing 12 hours of sales data is a crisis; a government archive losing weekly data may be acceptable. Write down your RTO (time to restore) and RPO (acceptable data loss) in hours, and verify your backup solution meets these targets.
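Two of the pitfalls above (backups that fail silently, and RPO targets that are never verified against what the backups actually achieve) can be caught with a small weekly log check. The Python below is an added example for this guide, not part of NIRMATA or of any backup product: the log line format, job names and RPO values are constructed, and a real deployment would read the backup software's own logs or e-mail confirmations instead. It flags three conditions: a run that reported failure, a job whose last good copy is older than its RPO, and a job that should exist but never logged a success at all (the "fails silently" case).

```python
"""Backup log monitor: reads backup job log lines, flags failed runs, jobs that
have gone silent, and jobs whose last good copy is older than the agreed RPO."""
import re
from datetime import datetime

# Line format is constructed for this example: "<timestamp> job=<name> status=<S> ..."
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(?P<job>\S+) status=(?P<status>\w+)'
    r'(?: error="(?P<error>[^"]*)")?'
)

# Constructed sample log: what a small backup setup might write over three nights.
SAMPLE_LOG = """\
2024-01-15 02:00:03 job=files-to-nas status=SUCCESS bytes=18234567
2024-01-15 02:10:41 job=db-to-aws status=SUCCESS bytes=902341
2024-01-16 02:00:05 job=files-to-nas status=FAILED error="disk full"
2024-01-16 02:10:44 job=db-to-aws status=SUCCESS bytes=911002
2024-01-17 02:00:02 job=files-to-nas status=SUCCESS bytes=18300210
"""

# Jobs that are SUPPOSED to run, with the RPO (hours of acceptable data loss)
# agreed for each. A job absent from the log entirely is the silent-failure case.
# Names and RPO values are assumptions for the example.
EXPECTED_JOBS = {"files-to-nas": 24, "db-to-aws": 12, "db-to-azure": 12}
CHECK_TIME = datetime(2024, 1, 17, 9, 0)  # when the weekly review is run (constructed)


def parse_log(text: str) -> list:
    """Return (timestamp, job, status, error) for each well-formed line; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["job"], m["status"], m["error"]))
    return events


def check_backups(log_text: str, expected_jobs: dict, now: datetime) -> dict:
    """Per-job report. Every job gets alert=True/False plus a reason, so the result
    can drive an e-mail or ticket rather than sit in a log nobody reads."""
    events = parse_log(log_text)
    report = {}
    for job, rpo_hours in expected_jobs.items():
        runs = [e for e in events if e[1] == job]
        successes = [e[0] for e in runs if e[2] == "SUCCESS"]
        failures = [f"{e[0]:%Y-%m-%d %H:%M} {e[3] or 'unknown error'}"
                    for e in runs if e[2] != "SUCCESS"]
        last_ok = max(successes) if successes else None
        age_hours = (now - last_ok).total_seconds() / 3600 if last_ok else None
        if last_ok is None:
            reason = "no successful run ever logged (job silent or never configured)"
        elif age_hours > rpo_hours:
            reason = f"last good backup is {age_hours:.1f} h old, RPO is {rpo_hours} h"
        elif failures:
            reason = f"{len(failures)} failed run(s) since the last review"
        else:
            reason = "ok"
        report[job] = {
            "last_success": last_ok,
            "hours_since_success": None if age_hours is None else round(age_hours, 1),
            "rpo_hours": rpo_hours,
            "rpo_met": last_ok is not None and age_hours <= rpo_hours,
            "failures": failures,
            "alert": reason != "ok",
            "reason": reason,
        }
    return report


def alert_lines(report: dict) -> list:
    """Messages for the failed-backup alert e-mail the pitfalls list recommends."""
    return [f"ALERT {job}: {r['reason']}" for job, r in report.items() if r["alert"]]


def demo_report() -> dict:
    """Run the check over the constructed sample at the constructed review time."""
    return check_backups(SAMPLE_LOG, EXPECTED_JOBS, CHECK_TIME)


if __name__ == "__main__":
    for line in alert_lines(demo_report()):
        print(line)
```

On the sample data the check produces three alerts: files-to-nas met its RPO but had a failed run on 16 January (disk full), db-to-aws has a good copy that is about 31 hours old against a 12-hour RPO, and db-to-azure never logged a success. Scheduling this weekly and e-mailing the `alert_lines` output to a senior staff member is the monitoring step the pitfall above describes; the same `rpo_met` field is the evidence for the RTO/RPO Definition Document's claim that the backups meet their targets.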
⚖️ Compliance References
DPDP Act 2023: Section 8(2) - Controller must implement security measures including backup and recovery of personal data; Section 6 requires processing of personal data to be lawful, which includes availability of data when needed
CERT-In 2022: Guideline (d) - 'Implement policies and procedures for backup and business continuity planning'; Guideline (e) - Organizations must test restoration capability at least annually
ISO 27001:2022: Annex A.12.3.1 (Information backup) - Requirement to establish and test backup procedures; A.17.1.1 (Business continuity planning) - Recovery procedures must be tested and documented
NIST CSF 2.0: Recover (RC) Function - Category RC.1: 'Recovery Planning' and RC.2: 'Improvements' require organizations to establish and test recovery procedures with defined time objectives

The full NIRMATA self-assessment covers 191 questions and produces a maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
