If you don't know where your data is stored, you cannot protect it, cannot back it up properly, and cannot answer a regulator or customer who asks 'where is my data?' A common Indian scenario: a manufacturing company loses a laptop containing customer order details and payment records, but has no inventory of what data was on it, leading to delayed breach notification, angry customers, and a potential fine under the DPDP Act. Without this knowledge, auditors will fail you on compliance, customers will not trust you with contracts, and you may accidentally delete critical backups or miss data during vendor transitions.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no written record of where data is stored. When asked where customer data lives, different people give different answers, and no one knows if data is backed up or on old abandoned servers.
Initial
You have a rough list written down (maybe in a spreadsheet or notebook) of systems like 'accounting software on server, email in Gmail, files on shared drive,' but it is incomplete, not updated, and missing cloud tools and vendor systems.
Developing
You have a documented data inventory (spreadsheet or document) that includes your main systems: on-premises servers, cloud accounts (Google Workspace, Microsoft 365), backups, and a few key vendor systems. It was created once and mostly reflects reality, though some details may be outdated.
Defined
You have a maintained data location register updated at least quarterly that covers all systems (servers, laptops, cloud, backups, vendors, phones). Each entry notes what data type is stored there, who owns it, and where backups live. It is reviewed when new tools are added.
Managed
You maintain a live, role-based data inventory system (tool-based or detailed spreadsheet) showing all data stores, data classifications, ownership, access controls, backup status, and vendor details. It is updated within 2 weeks of any system change and reviewed monthly by IT and business leads.
Optimised
You operate a continuous, automated data location discovery system integrated with your IT asset management that identifies and maps all data repositories in real time, maintains detailed lineage (where data flows between systems), flags unauthorized storage locations, and feeds into your incident response and compliance reporting.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Gather IT person and business leads in a meeting; walk through all departments and create a first-draft list of systems where data is stored (servers, cloud logins, external drives, vendor systems) and write it down in a shared document or simple spreadsheet | IT person or manager with business lead input | 1 day |
| 1 → 2 | Formalize the list into a Data Location Inventory spreadsheet with columns: System Name, Data Type, Location (on-premises/cloud/vendor), Owner, Backup Location; review with department heads to fill gaps and confirm accuracy; sign off and store in a shared, secure location | IT person with department heads | 1 week |
| 2 → 3 | Establish a quarterly review schedule; add columns for Access Control, Retention Period, and Last Updated; assign a Data Steward role; conduct a full audit of systems to verify nothing is missing; document vendor data-handling terms; store the register in a version-controlled system | Designated Data Steward (can be IT person) with compliance/business owner sign-off | 2-4 weeks |
| 3 → 4 | Migrate the inventory to a lightweight tool (spreadsheet with access controls or simple asset management tool); establish change management process requiring IT to update the register within 2 weeks of any new system; conduct monthly review meetings; integrate with incident response and disaster recovery planning | IT person and Data Steward | 1-2 months |
| 4 → 5 | Implement automated discovery tooling (cloud asset discovery, network scanning) that identifies data stores continuously; build alerting for unauthorized or rogue data storage; maintain real-time data lineage and flow mapping; integrate findings into security dashboards and compliance reporting; conduct quarterly strategic reviews | IT leader or outsourced security consultant | Ongoing (2-3 hours per week maintenance) |
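A check a Data Steward could run before each quarterly review, as an added example that is not part of the original page: it validates a register that uses the columns named in steps 1 → 2 and 2 → 3. The sample rows, the 92-day reading of "quarterly", and the function name `audit_register` are assumptions.

```python
import csv
import io
from datetime import date

# Columns named in steps 1 -> 2 and 2 -> 3 of the table above.
REQUIRED = ["System Name", "Data Type", "Location", "Owner", "Backup Location",
            "Access Control", "Retention Period", "Last Updated"]
LOCATIONS = {"on-premises", "cloud", "vendor"}
MAX_AGE_DAYS = 92  # assumption: "quarterly" taken as 92 days

# Constructed sample register; every system, owner and date is invented.
SAMPLE = """System Name,Data Type,Location,Owner,Backup Location,Access Control,Retention Period,Last Updated
Accounting server,Payment records,on-premises,Finance head,Offsite NAS,Finance group,8 years,2025-05-10
Shared drive,Customer orders,cloud,,None,All staff,,2024-11-02
Courier portal,Delivery addresses,vendor,Ops lead,Vendor managed,Ops group,1 year,not recorded
Sales laptop,Customer orders,laptop,Sales lead,,Single user,2 years,2025-04-20
"""

def audit_register(csv_text, today):
    """Return (system, problem) pairs for rows that would fail a quarterly review."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [("<header>", "missing column: " + c) for c in missing_cols]
    findings = []
    for row in reader:
        name = (row["System Name"] or "").strip() or "<unnamed>"
        for col in REQUIRED[1:]:
            if not (row[col] or "").strip():
                findings.append((name, "empty field: " + col))
        loc = (row["Location"] or "").strip().lower()
        if loc and loc not in LOCATIONS:
            findings.append((name, "unknown location: " + loc))
        if (row["Backup Location"] or "").strip().lower() in {"none", "n/a"}:
            findings.append((name, "no backup recorded"))
        stamp = (row["Last Updated"] or "").strip()
        if stamp:
            try:
                age = (today - date.fromisoformat(stamp)).days
            except ValueError:
                findings.append((name, "unparseable date: " + stamp))
            else:
                if age > MAX_AGE_DAYS:
                    findings.append((name, "stale entry: %d days old" % age))
    return findings

if __name__ == "__main__":
    for system, problem in audit_register(SAMPLE, date(2025, 6, 1)):
        print(system + ": " + problem)
```

Export the register to CSV and pass its text in place of `SAMPLE`; a laptop row is flagged here because the Location column only allows the three values the page lists.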
Documents and records that prove your maturity level.
- Data Location Inventory document (spreadsheet or table) listing all systems, their locations (on-prem/cloud/vendor), data types, and owners
- Backup location documentation showing where backups of each critical system are stored and who manages them
- Vendor data-handling agreement summaries or checklist confirming where each vendor stores and processes your data
- Change log or version history of the inventory showing updates whenever a new system, cloud tool, or vendor is added
- Signed Data Inventory Review record (annual or quarterly) showing business and IT leadership acknowledgment of the current state
Prepare for these questions from customers or third-party reviewers.
- "Show me your complete list of systems and locations where customer or sensitive business data is stored. How do you keep this list current?"
- "Where are backups of your critical systems stored, and who has access to them? How do you verify backups are complete?"
- "Which vendors or third parties have access to your data, and where do they store it? Can you show me the data processing agreements?"
- "What happens when you deploy a new cloud tool or hire a vendor? How is the data location inventory updated, and who is responsible?"
- "In the last 12 months, what data storage locations were added or removed? How did you manage that transition?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a simple, shared data inventory list | Google Sheets or Microsoft Excel (built into Microsoft 365); Airtable free tier for up to 1,200 records | Monday.com or Asana (₹2,000–5,000/year for small team) for structured asset tracking |
| Discover and map cloud data repositories automatically | CloudMapper (open-source for AWS visualization); Google Cloud Asset Inventory (free tier for GCP) | Cloudphish or similar cloud discovery tools (₹50,000–2,00,000/year); Azure native tools included with Enterprise subscriptions |
| Scan internal network and systems for unauthorized data storage or rogue devices | Nessus Essentials (free vulnerability scanner); Shodan (limited free queries) | Qualys VMDR (₹3,00,000–10,00,000/year); Rapid7 Insight Platform (₹5,00,000+/year for enterprise) |
- Forgetting cloud tools and SaaS subscriptions: Many Indian MSMEs subscribe to cloud services (Zoho, Google Workspace, QuickBooks) but do not document them in the data inventory, leaving a blind spot when a tool is compromised or when an employee leaves with access credentials.
- Assuming vendor-managed data is 'their problem': Businesses often fail to document or audit where vendors (logistics partners, payment processors, outsourced accountants) store sensitive data, leading to surprise data leaks when a vendor is breached and regulators ask 'where was your data?'
- Treating inventory as a one-time exercise: Many businesses create an inventory once and never update it, so within 6 months it is outdated and useless; new servers, cloud accounts, and backups are added without being recorded.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Consent and Purpose), Section 15 (Accountability of Data Fiduciary); Article 35 (Data audit and inventory mandatory for organizations) |
| CERT-In Directions 2022 | Para 3.3 and 3.4 (Organizations must maintain a comprehensive log and inventory of IT assets, including storage locations and data flow) |
| ISO 27001:2022 | Annex A 5.1 (Inventory of Assets); Clause 8.1 (Operational planning and control, including data location governance) |
| NIST CSF 2.0 | Asset Management (AM): Subcategory AM-1 'Inventory and Control of Physical Assets' and AM-2 'Information and Data Assets'; Govern Function |