NCSRC NIRMATA
RC-03 Risk & Compliance 20% of OML score

Has the business identified the biggest cybersecurity or data-related risks it faces?

Do you know which cybersecurity problems would hurt your business the most if they happened? This question asks whether you've thought through your biggest risks—like losing customer data, being unable to operate, or facing a fine—and written them down so you can fix the most dangerous ones first.

⚡
Why This Matters to Your Business

Without knowing your biggest risks, you waste money on small problems while leaving yourself open to the ones that could shut you down or destroy your reputation. For example, a Delhi IT services firm that didn't identify client data theft as a top risk kept basic backups but no encryption; when ransomware hit, they lost ₹40 lakhs in ransom and three major clients. A manufacturing business in Gujarat didn't realize its production system was at risk until a supplier's breach exposed their designs to competitors. Banks and insurance companies now ask about your risk assessment before signing contracts—if you can't describe your risks, you lose business.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written list of what could go wrong. If someone asks about cybersecurity risks, the owner or IT person gives different answers each time based on what they remember that day.

Level 1
Initial

You have mentioned risks in passing—maybe during a meeting or in an email—but nothing is documented. You might know vaguely that "data" and "computers" are at risk, but you haven't written down which ones matter most.

Level 2
Developing

You have a simple list of 3–5 risks written in a document or spreadsheet (like Excel). You identified them by thinking about what could hurt the business, but you haven't formally scored them or linked them to actual business impact.

Level 3
Defined

You have a documented risk list with scores or rankings (high/medium/low) based on likelihood and impact. Someone responsible—usually the IT person or operations manager—reviews and updates it every 6–12 months, and leadership has seen it.

Level 4
Managed

You have a formal risk register that scores every identified risk, links each to business processes or systems, and shows who owns fixing each one. You review it quarterly, and decisions about which controls to build are tied directly to this list.

Level 5
Optimised

Your risk assessment is part of a continuous program: risks are re-evaluated after any incident or change, new risks are added as systems change, and your budget allocation is visibly tied to this assessment. You can show an auditor or customer exactly why you spent money on specific defenses.

🚀
How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Call a 1-hour meeting with the owner/manager and IT person. Brainstorm answers to: What data do we have that would hurt us if stolen? What systems must work every day? What would cost us the most money or reputation to lose? Write down 5–7 rough ideas. | Business owner or IT manager | 1 day
1 → 2 | Create a simple one-page risk list in Excel or Google Sheets. Write each risk in one column (e.g., 'Customer database stolen', 'Ransomware on production server'). Add a second column for why it matters (e.g., 'Would violate DPDP Act, lose clients'). Add a third column for rough impact (High/Medium/Low). Share with owner for sign-off. | IT person or operations manager | 1 week
2 → 3 | Expand the risk list to include likelihood (how often could this happen?) and impact (how bad if it does?). Score each risk as High/Medium/Low for both. Rank them by overall severity. Have owner and IT person agree on the top 3–5. Document approval with date and signatures. | IT person with owner sign-off | 2–4 weeks
3 → 4 | Build a formal risk register: add columns for 'Which system/data does this affect?', 'Current controls (what do we do now to reduce this risk?)', 'Owner (who fixes this?)', and 'Next action'. Link each risk to specific business processes (e.g., sales, payroll, operations). Set a review date (e.g., quarterly) and stick to it. | IT manager or external consultant | 1–2 months
4 → 5 | Integrate risk assessment into business-as-usual: after any incident, security change, or new system deployment, update the register. Use the register to justify annual cybersecurity spending and prioritize fixes. Share updates with the board or owner quarterly. Benchmark your risks against your industry and region annually. | IT manager, business owner, board/leadership | Ongoing (2–4 hours per quarter)
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Risk register or risk assessment document (Excel, Word, or formal tool) with list of identified risks, likelihood/impact scores, and ownership
  • Meeting minutes or email showing discussion of risks with owner/management and sign-off on the risk list
  • Evidence of review (e.g., dated risk assessment with version history or 'Last reviewed on [date]')
  • Document linking at least the top 3 risks to current controls or planned actions (e.g., 'Data theft risk → we are implementing encryption by Q2')
  • If maturity level 4+: Risk register with formal scoring matrix, ownership assignments, and quarterly review records with dates
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your documented list of cybersecurity and data risks? Who prepared it and when was it last reviewed?"
  • "How do you decide which risks are most important? Walk me through how you prioritize—is it documented?"
  • "For your top 3 risks, what controls do you currently have in place to reduce them? How do you know if they're working?"
  • "If a new system or process is added to your business, how do you identify the new risks it brings? Show me an example."
  • "How often do you update your risk assessment, and what triggers an update? Can you show me the history of changes?"
🛠
Tools That Work in India
Purpose | Free Option | Paid Option
Create and maintain a simple risk register without buying software | Google Sheets (shared, cloud-backed, free) or Microsoft Excel with OneDrive | —
Identify and score risks using a structured framework (heat map builder) | NIST Cybersecurity Framework (NIST.gov) – free download; CERT-In advisories (cert-in.org.in) – free alerts | Quality-control / risk register templates (LogicGate, Alteryx Risk Cloud) ₹2,00,000–5,00,000/year
Assess your current security posture to understand existing gaps and risks | NIST Cybersecurity Self-Assessment (nist.gov), OWASP Risk Rating Methodology (free online) | Rapid7 InsightVM or Qualys VMDR (vulnerability scanning) ₹3,00,000–10,00,000/year depending on scope
Get threat intelligence specific to your industry and region to inform risk prioritization | CERT-In alerts (cert-in.org.in – free email alerts), MITRE ATT&CK (mitre.org – free framework) | Mandiant (threat intelligence reports) ₹5,00,000+/year, or regional cybersecurity firms in India
Document and track risk remediation actions over time | Asana, Trello, or Jira (free tier allows basic project tracking) | ServiceNow Risk Management ₹8,00,000+/year or Archer (RSA) ₹10,00,000+/year
🛡
How This Makes You More Resilient
When you have identified and prioritized your biggest risks, you stop guessing and start building defenses that actually protect what matters most to your business. This means ransomware, data theft, or system failure is less likely to succeed, and if it does happen, your team knows what to do because you've thought through the impact. Your customers and auditors see you as a professional, organized business—which helps you win contracts and avoid costly compliance fines.
⚠️
Common Pitfalls in India
  • Risk list sits on a shelf and is never updated: After writing it down once, many Indian SMEs forget to revisit it even after a breach, new system, or major change. Auditors and customers quickly spot a 2-year-old risk assessment and lose trust.
  • Confusing IT risks with business risks: Some businesses list only technical problems ('server down', 'virus infection') but miss business-critical risks like losing a key supplier's data or failing a regulatory audit, which have far bigger financial impact.
  • Over-estimating risks that feel scary but are unlikely: Many Indian businesses rank 'hacker from abroad' as high risk while ignoring 'employee with access to customer data leaves with no handover'—which is statistically more common and damaging.
  • No one owns the risk register: If it's not assigned to a specific person (usually the IT manager or operations head) with a clear review date, it becomes orphaned and loses credibility with leadership and auditors.
  • Forgetting to link risks to actual controls: A risk list is only useful if the next step is clear—'we identified this risk, so we will do X by date Y.' Without that link, auditors see busy-work, not serious risk management.
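As an added example (not part of the NIRMATA guide itself), here is a minimal Python risk register built from the columns the "How to Move Up" steps describe, ranked by likelihood and impact, with a health check for the pitfalls listed above (stale register, no owner, no linked control or next action). The 3/2/1 numeric scale, the product-based severity and the 90-day review window are assumptions of this example; the sample entries are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
# High/Medium/Low is the guide's scale; mapping it to 3/2/1 and multiplying
# likelihood by impact into a 1-9 severity is an assumption of this example.
SCALE = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class Risk:                      # one row of the register, with the guide's columns
    name: str                    # e.g. 'Customer database stolen'
    why_it_matters: str          # e.g. 'Would violate DPDP Act, lose clients'
    likelihood: str              # High / Medium / Low
    impact: str                  # High / Medium / Low
    affects: str = ""            # system, data or business process affected
    controls: list = field(default_factory=list)  # what reduces it today
    owner: str = ""              # who fixes this
    next_action: str = ""        # 'we will do X by date Y'

    def severity(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

def rank(register):
    """Highest severity first; ties go to the higher impact, so a risk that is
    catastrophic if it happens outranks one that is merely frequent."""
    return sorted(register, key=lambda r: (r.severity(), SCALE[r.impact]), reverse=True)

def health_check(register, last_reviewed, today, max_age_days=90):
    """Flags the guide's pitfalls: register not reviewed within max_age_days
    (90 = quarterly, Level 4), risks with no owner, risks with neither a
    current control nor a dated next action. Dates are ISO strings."""
    findings = []
    age = date.fromisoformat(today) - date.fromisoformat(last_reviewed)
    if age.days > max_age_days:
        findings.append(f"register stale: last reviewed {last_reviewed}")
    for r in register:
        if not r.owner:
            findings.append(f"no owner: {r.name}")
        if not r.controls and not r.next_action:
            findings.append(f"no control or next action: {r.name}")
    return findings

# Constructed sample register (illustrative entries, not from the guide).
SAMPLE = [
    Risk("Customer database stolen", "Would violate DPDP Act, lose clients", "Medium", "High",
         "CRM server", ["nightly backup"], "IT manager", "Encrypt database by Q2"),
    Risk("Ransomware on production server", "Production stops for days", "Medium", "High", "ERP"),
    Risk("Employee leaves with customer data, no handover", "Data leak, lost accounts",
         "High", "Medium", "Sales laptops", ["exit checklist"], "Operations head"),
    Risk("Website defaced", "Reputation", "Low", "Low", "Website", [], "IT manager", "Patch CMS"),
]
```

Running `health_check(SAMPLE, "2023-01-01", "2024-01-01")` reports the stale register and the orphaned ransomware entry, which is exactly what an auditor asking "who owns this and when was it last reviewed?" would find.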
⚖️
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 6 (Data Protection Officer responsibilities) and Schedule 1 (general safeguarding principles) – requires businesses to understand and document risks to personal data
CERT-In 2022 | Direction 4 (maturity level 2): 'Organisations shall conduct a risk assessment at least annually'
ISO 27001:2022 | Clause 6.1 (risk and opportunity assessment) and Clause 8.2 (information security risk assessment and treatment)
NIST CSF 2.0 | Govern Function (GV.RiskMgmt category): 'Risk to the organization is considered throughout the organization's planning and execution'

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
