If you don't spot a data breach quickly, hackers can steal more data, your customers lose trust and may switch to competitors, regulators like CERT-In can fine you or take legal action, and your business reputation gets damaged. For example, a Delhi IT services company lost 500 customer records when a server was hacked, but didn't notice for 3 weeks—by then the data was already sold online, customers filed complaints with the Cyber Crime Helpline, and the company lost 7 major contracts worth ₹2.5 crores. Under the Digital Personal Data Protection (DPDP) Act 2023, you must notify the Data Protection Board and affected individuals without unreasonable delay, and delays invite penalties up to ₹5 crores.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- **Absent:** You have no process for handling breaches—if someone tells you data leaked, you don't know what to do. There's no breach response plan written down anywhere and no one's assigned to handle it.
- **Initial:** You have a rough idea that breaches are bad and someone (usually the IT person) would handle it if it happened, but there's no documented plan. When a breach happens, you scramble and don't know whom to notify or what records to keep.
- **Developing:** You have a written breach response plan that covers whom to notify (such as CERT-In) and basic steps like isolating the affected system. Your IT person knows what to do when a breach happens, but notifications are delayed because there's no clear timeline.
- **Defined:** You have a documented breach response plan with clear timelines (e.g., identify within 24 hours, notify within 72 hours) and a list of whom to contact, including the DPB, customers, and authorities. You run a test drill once a year to check whether the plan actually works.
- **Managed:** Your breach response plan is regularly tested (at least twice per year), has roles and responsibilities documented in writing, and logs every suspected incident; you notify affected parties within 24-48 hours as required by law. You also maintain a breach register and track lessons learned.
- **Optimised:** You have an automated monitoring system that detects anomalies in real time, a documented response plan tested quarterly with external simulation, immediate escalation protocols, and metrics showing how quickly breaches are contained. You review and improve the process based on industry trends and regulatory updates.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Assign one person (usually IT owner) as the breach response lead and have them document a simple 1-page breach response checklist covering: who to call first, what to preserve, who to notify externally. | Business owner or IT person | 1 day |
| 1 → 2 | Write a formal Breach Response Plan (2-3 pages) that includes: detection methods, containment steps, notification timelines (within 72 hours for authorities per DPDP), list of regulators and customers to notify, and escalation matrix with phone numbers and emails. | IT person with input from business owner | 1 week |
| 2 → 3 | Add specific timelines to the plan (e.g., 'isolate system within 2 hours', 'notify CERT-In/DPB within 24 hours'), conduct a tabletop drill with staff to walk through a mock breach scenario, document what worked and what didn't, and update the plan based on findings. | IT person and business owner | 2-4 weeks |
| 3 → 4 | Implement breach detection tools (e.g., log monitoring, file integrity checks), maintain a formal Incident Log to record every suspected breach with dates and actions taken, and run a full breach simulation drill twice per year with external participation if possible. | IT person with budget approval from owner | 1-2 months |
| 4 → 5 | Deploy automated monitoring and alerting systems, integrate breach response with your broader security operations, measure and track breach detection and response times monthly, benchmark against industry standards, and update the plan quarterly based on new threats and regulatory changes. | IT/Security team with executive oversight | Ongoing |
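Step 3 → 4 asks for two concrete artefacts: a detection control such as a file integrity check, and an Incident Log with the columns listed under evidence below. The script that follows is an added example (not NIRMATA's tooling and not from the original page) showing the smallest working version of both: it hashes a directory tree against a stored baseline, and when anything has changed it appends a row to a CSV breach register and computes the notification deadlines from the detection time. The directory names, file contents and the 6-hour (CERT-In) and 72-hour (Data Protection Board) deadline figures are assumptions, the latter taken from the standards table on this page, so adjust them to your own plan.

```python
"""Added example: file-integrity check feeding a CSV breach register.

Not NIRMATA's own tooling. Paths, sample files and the deadline hours are
assumptions for illustration; the hours follow the figures cited on this
page (CERT-In 6 hours, Data Protection Board 72 hours).
"""
import csv
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hours from detection within which each body should be notified (assumption).
NOTIFICATION_HOURS = {"CERT-In": 6, "Data Protection Board": 72}

# Columns of the Incident Log exactly as the evidence list on this page names them.
REGISTER_COLUMNS = ["Date detected", "Nature of breach", "Data affected",
                    "Actions taken", "Date notified to authorities", "Outcome"]


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a relative, forward-slash path) to its hash."""
    return {str(p.relative_to(root)).replace("\\", "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new if baseline[f] != current[f]),
    }


def notification_deadlines(detected_at: datetime) -> dict:
    """Deadline per body, counted from the moment of detection."""
    return {body: detected_at + timedelta(hours=h) for body, h in NOTIFICATION_HOURS.items()}


def record_incident(register: Path, detected_at: datetime, nature: str,
                    data_affected: str, actions: str) -> dict:
    """Append one row to the CSV register, writing the header on first use."""
    row = {
        "Date detected": detected_at.isoformat(timespec="minutes"),
        "Nature of breach": nature,
        "Data affected": data_affected,
        "Actions taken": actions,
        "Date notified to authorities": "",  # filled in once the notification is sent
        "Outcome": "open",
    }
    is_new = not register.exists()
    with register.open("a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=REGISTER_COLUMNS)
        if is_new:
            writer.writeheader()
        writer.writerow(row)
    return row


def run_check(root: Path, baseline_file: Path, register: Path, now: datetime) -> dict:
    """Scan root against the baseline; any change is logged as a suspected incident."""
    baseline = json.loads(baseline_file.read_text())
    diff = compare_baseline(baseline, build_baseline(root))
    changed = diff["added"] + diff["removed"] + diff["modified"]
    result = {"diff": diff, "deadlines": {}, "logged": False}
    if changed:
        record_incident(register, now, "Unexpected file change found by integrity check",
                        ", ".join(changed), "Affected files preserved; response lead paged")
        result["deadlines"] = {body: when.isoformat(timespec="minutes")
                               for body, when in notification_deadlines(now).items()}
        result["logged"] = True
    return result


def demo() -> dict:
    """Self-contained run on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        root.mkdir()
        (root / "config.php").write_text("db_pass = 'constructed-sample'\n")
        (root / "index.html").write_text("<h1>hello</h1>\n")
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(root)))
        register = Path(tmp) / "incident_register.csv"
        detected = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

        clean = run_check(root, baseline_file, register, detected)

        # Constructed tampering: one edited file and one file that should not exist.
        (root / "config.php").write_text("db_pass = 'changed'\n")
        (root / "unexpected.php").write_text("<?php /* constructed placeholder */ ?>\n")
        tampered = run_check(root, baseline_file, register, detected)

        with register.open(newline="") as fh:
            rows = list(csv.DictReader(fh))
        return {"clean": clean, "tampered": tampered, "register_rows": len(rows)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once with a clean baseline and nothing is logged; after the constructed tampering it reports `config.php` as modified and `unexpected.php` as added, writes one register row, and shows a CERT-In deadline of 15:00 UTC and a DPB deadline three days later. A real deployment would schedule `run_check` (cron or a task scheduler), keep the baseline file somewhere the monitored host cannot overwrite, and have the response lead fill in the "Date notified to authorities" column so the register itself becomes the evidence an auditor asks for.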
Documents and records that prove your maturity level.
- A written Breach Response Plan document with version number, approval date, and last review date
- A Breach Detection and Escalation Matrix showing who to contact (with phone/email) and in what order
- A Breach Incident Log or register with columns for: Date detected, Nature of breach, Data affected, Actions taken, Date notified to authorities, Outcome
- Evidence of at least one breach response drill or tabletop exercise (meeting notes, attendees list, scenario description, and findings/improvements documented)
- Records of notifications sent to CERT-In, Data Protection Board, or customers (email evidence, certified letters, or acknowledgment receipts) with timestamps showing response was within 72 hours
Prepare for these questions from customers or third-party reviewers.
- "Walk me through your breach response plan. If a customer called today saying their data was leaked from your systems, what would you do in the next hour, next 24 hours, and next 72 hours?"
- "Show me your incident log for the last 2 years. How many suspected breaches or security incidents have you logged and what happened in each case?"
- "How do you detect that a breach has occurred? Do you have automated monitoring, and who checks logs regularly?"
- "Have you tested your breach response plan? Show me evidence of a drill or real incident where you responded, and how long did it take from detection to notifying authorities?"
- "Who is responsible for deciding whether a breach needs to be reported to the Data Protection Board, CERT-In, or customers? Is that person trained and available?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Monitor system logs and files for unauthorized changes or suspicious activity to detect breaches early | ELK Stack (Elasticsearch, Logstash, Kibana) - requires setup skills; Wazuh - open-source host/network monitoring | Splunk (₹8-15 lakhs/year for small setup), Microsoft Azure Sentinel (₹2-5 lakhs/year) |
| Track and document all security incidents and breaches in one place for audit and response reference | Google Sheets or LibreOffice Calc with simple template; Jira (free tier up to 10 users) | ServiceNow (₹3-8 lakhs/year), Atlassian Jira Service Management (₹1.5-3 lakhs/year) |
| Automatically send alerts when suspicious activity is detected so you can respond faster | Osquery (endpoint visibility) or Graylog (log aggregation with basic alerting) | Rapid7 InsightIDR (₹10-20 lakhs/year), CrowdStrike Falcon (₹15-30 lakhs/year) |
| Help organize and run a breach response drill or tabletop exercise to test your plan | NIST Cybersecurity Framework templates available free online; Create a simple Word document scenario | Immersive Labs breach simulations (₹5-10 lakhs/year) |
- Assuming 'we will notice if something happens' without any actual monitoring tools or processes in place—most Indian SMEs discover breaches only when a customer complains or they see data on the dark web
- Waiting too long to notify authorities because you're trying to 'investigate quietly' or hoping to fix it without telling anyone—the law requires notification within 72 hours, and delays incur penalties and legal action
- Having a breach plan that exists only in the owner's head or on an old shared drive that no one reads—when a breach actually happens, team members don't know what to do and waste critical time
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 4(11) and Section 6(2) require data fiduciary to notify Data Protection Board without unreasonable delay if personal data is breached |
| CERT-In 2022 | Clause 5.1 requires organizations to report cybersecurity incidents to CERT-In within 6 hours of identification |
| ISO 27001:2022 | Annex A 5.25 (Incident response) and A 5.26 (Incident response planning) require procedures for identifying, responding to, and reporting security incidents |
| NIST CSF 2.0 | Detect (DE) function: DE.AE-3 (detection and analysis), Respond (RS) function: RS.RP-1 (response planning) |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.