Without a reporting channel, small security problems get hidden until they become big breaches. For example, if an employee notices suspicious login activity on a customer database but has no way to report it quickly, a hacker could steal customer payment information worth lakhs before anyone notices. An e-commerce business in Delhi suffered a ₹15 lakh fraud loss because staff saw strange transactions but didn't know who to tell, and by the time management found out, months of data had been copied. You'll also fail compliance audits when CERT-In investigators ask how you respond to security alerts, and customers will lose trust if breaches happen that could have been caught early.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal way for people to report security issues. When someone sees a problem, they either stay quiet or mention it casually to the office manager, and nothing gets documented or fixed.
Initial
You have told employees verbally to report problems to the IT person or manager, but there is no written process, no email address, no phone line, and no record of what gets reported.
Developing
You have a documented reporting process (email address or WhatsApp group) that employees can use, and the IT manager keeps a basic list of issues reported, but there is no follow-up timeline or confirmation back to the reporter.
Defined
You have a formal reporting channel (dedicated email, helpdesk form, or shared document), a written procedure that all staff know about, and a log showing who reported what and what action was taken, with a target to respond within 24 hours.
Managed
You have multiple reporting channels (email, phone, in-person, anonymous option) and a tracked ticketing system; staff receive acknowledgment within hours, reporters get regular progress updates, and all reports are reviewed monthly to find patterns.
Optimised
You have a documented incident response program with clear escalation paths; staff are trained quarterly on how to report; there are multiple channels including anonymous reporting, real-time alerts for critical issues, automated tracking with SLAs, and a management dashboard showing metrics; and you have evidence that issues caught early through this process prevented major incidents.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Call an all-hands meeting and announce verbally that employees should report security concerns to the IT person or manager; have someone take notes on what you announce | Business owner or manager | 2 hours |
| 1 → 2 | Create a one-page written procedure document in English and local language (Hindi/regional) with the IT person's email and phone number, and a simple Google Sheet or Excel file to log all reports received | Manager + IT person | 3-5 days |
| 2 → 3 | Design a form (online or printed) for reporting issues, define a 24-hour response time target, train all staff in a 30-minute meeting, post the reporting procedure on the office notice board and send via email, and commit to monthly review of the log | Manager + HR + IT person | 2-3 weeks |
| 3 → 4 | Set up a simple helpdesk tool (like Zoho Desk free tier or Google Forms with automatic logging), create escalation rules for critical issues, establish a dashboard showing open and closed tickets, and send monthly summary reports to management | IT person with manager oversight | 4-6 weeks |
| 4 → 5 | Add anonymous reporting option (via third-party email or internal anonymous form), integrate with incident response plan, train all staff annually on what to report and how, conduct quarterly tabletop exercises using real reports, maintain metrics on time-to-detection improvement, and document proof of early incident prevention | IT person + Security lead + Manager | Ongoing (quarterly training, monthly reviews) |
Documents and records that prove your maturity level.
- Written security incident reporting procedure document signed by management with distribution date
- List of designated contacts (email, phone, names) for reporting issues, posted in office and in employee handbook
- Log or register of all reported issues with date, reporter name (or anonymous), description, assigned person, action taken, and resolution date
- Email templates or form templates used for reporting, showing clear instructions and what information is needed
- Evidence of staff communication (email, meeting notes, training attendance sheet) showing all employees were made aware of the reporting process
Prepare for these questions from customers or third-party reviewers.
- "If I report a security problem today, what exact steps would happen and who would I contact?"
- "Show me the log of security or system issues reported in the last 6 months and what action was taken on each one"
- "Can an employee report an issue anonymously without fear of retaliation, and how do you ensure that?"
- "What is your target time to acknowledge a reported issue, and do you meet that target? Show me evidence for recent reports."
- "If a critical security issue is reported, who escalates it immediately and how do you ensure senior management is informed?"
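As an added example (not part of this page or of any tool it names), the Python script below runs the monthly review over a CSV export of the register described above and produces the evidence the "do you meet your acknowledgment target?" question asks for: reports that missed the 24-hour target, open versus closed counts, and recurring categories. The register rows are constructed sample data; the category and acknowledged_at columns are assumptions added to the page's listed fields.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample register (hypothetical data) in the page's column layout, plus two
# assumed columns: category (for pattern review) and acknowledged_at (for the 24h target).
SAMPLE_REGISTER = """\
reported_at,reporter,category,description,assigned_to,action_taken,acknowledged_at,resolved_at
2024-03-02 09:15,anonymous,phishing,Suspicious invoice email with link,Ravi,Blocked sender; staff alerted,2024-03-02 10:00,2024-03-02 12:30
2024-03-05 18:40,Priya,login,Unknown login on customer DB from new device,Ravi,Password reset; sessions revoked,2024-03-06 09:05,2024-03-07 11:00
2024-03-11 14:00,Amit,transaction,Refunds issued to same UPI ID three times,Ravi,,2024-03-13 16:00,
2024-03-20 11:30,anonymous,phishing,Call asking for OTP claiming to be bank,Sunita,Staff reminded not to share OTP,2024-03-20 11:45,2024-03-20 13:00
"""
ACK_TARGET = timedelta(hours=24)             # the page's 24-hour acknowledgment target
REVIEW_DATE = datetime(2024, 3, 31, 23, 59)  # when the monthly review is run
FMT = "%Y-%m-%d %H:%M"

def parse_register(text):
    """Read the CSV export; a blank date cell becomes None (not yet acknowledged/resolved)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for col in ("reported_at", "acknowledged_at", "resolved_at"):
            row[col] = datetime.strptime(row[col], FMT) if row[col] else None
    return rows

def ack_breaches(rows, now):
    """Reports that missed the 24-hour target; unacknowledged ones keep ageing against now."""
    return [r["description"] for r in rows
            if (r["acknowledged_at"] or now) - r["reported_at"] > ACK_TARGET]

def monthly_summary(rows, now):
    """Figures for the monthly review: open vs closed, SLA misses, recurring categories."""
    acked = [r for r in rows if r["acknowledged_at"]]
    hours = [(r["acknowledged_at"] - r["reported_at"]).total_seconds() / 3600 for r in acked]
    open_count = sum(1 for r in rows if r["resolved_at"] is None)
    return {
        "total": len(rows),
        "open": open_count,
        "closed": len(rows) - open_count,
        "anonymous": sum(1 for r in rows if r["reporter"] == "anonymous"),
        "ack_breaches": ack_breaches(rows, now),
        "worst_ack_hours": round(max(hours, default=0.0), 1),
        "by_category": dict(Counter(r["category"] for r in rows)),  # patterns to review
    }

def sample_summary():
    """Run the review over the constructed register."""
    return monthly_summary(parse_register(SAMPLE_REGISTER), REVIEW_DATE)
```

Pointing `parse_register` at the text of a Google Sheets CSV export with the same header row gives the same figures for a real month; the one breach in the sample is the refund report that waited 50 hours for acknowledgment.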
| Purpose | Free Option | Paid Option |
|---|---|---|
| Simple form to collect security issue reports and track them | Google Forms (create form, responses auto-log to Sheet) - no cost, works on phone | Zoho Desk (helpdesk ticketing) - ₹2,000-4,000/year for 1-2 users |
| Shared log to track and organize all reported issues | Google Sheets (shared document, all can view, IT person manages) - no cost, offline accessible | Microsoft Excel Online (OneDrive) - included in Microsoft 365 at ₹3,000-6,000/year |
| Communication platform for employees to report to IT quickly | Email with dedicated address (security@company.com) or WhatsApp business group - no cost | Slack free tier (basic messaging with log history) or Freshdesk - ₹1,000-3,000/month for small team |
- Setting up a reporting channel but never checking it—employees report issues to an email that no one reads, so nothing gets fixed and staff stop reporting
- Making the process too complicated or only available to technical staff—field staff or non-IT employees don't know how to report, so frontline problems are missed
- Not protecting reporters from blame—employees fear reporting means they get in trouble, so they hide problems instead of reporting them early
- No follow-up communication—reporter submits issue but hears nothing back, so they feel ignored and stop reporting future problems
- Mixing incident reporting with performance complaints—if security reporting goes to HR, employees confuse it with appraisal systems and avoid reporting
- Keeping reports only in IT person's personal notes—when that person leaves, all history of issues and patterns is lost, and compliance auditors find no evidence
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Purpose and Principles) requires accountability and transparent processes for handling personal data; reporting procedure demonstrates accountability to regulators |
| CERT-In Directions 2022 | Para 2.4 requires organizations to have a response team and process to report incidents; documented reporting process is evidence of compliance |
| ISO 27001:2022 | Annex A.5.7 (Threat intelligence) and A.5.29 (Information security event evaluation) require processes to collect, evaluate and respond to security-related information |
| NIST CSF 2.0 | Function RESPOND (Category RS.CO-1) - communicate and share cybersecurity event information with stakeholders and support teams |