If you sign a contract without understanding the cybersecurity clauses, you could accidentally agree to rules you can't follow—and then face penalties, contract termination, or customer lawsuits when something goes wrong. For example, a manufacturing MSME in Pune signed a vendor agreement that required SOC 2 compliance but never read it; when a data breach happened, the client sued for ₹50 lakhs for breach of contract, and the company's cyber insurance didn't cover contractual obligations. Surprise data obligations hidden in fine print can also trigger regulatory fines under the DPDP Act if you're found non-compliant. Without knowing what you've promised, you can't build the right security controls, leaving your business exposed to legal and financial disaster.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have contracts scattered across email, WhatsApp, or printed folders with no system for tracking them. Nobody in your company knows what security or data rules are written into your vendor agreements or client contracts.
Initial
You keep a basic list of active contracts in a spreadsheet or folder, but you've never actually gone through them to highlight cybersecurity or data protection clauses. Security obligations remain unknown.
Developing
You have a contract register and you've read through most contracts once to identify data handling and security requirements. You have a rough list of obligations, but there's no formal sign-off or update process when contracts change.
Defined
You maintain a documented inventory of all active contracts with a summary of cybersecurity and data obligations clearly listed for each one. Your IT team and management have reviewed and approved this list, and you update it when contracts renew.
Managed
You have a formal process: every new contract is reviewed by your IT team or external advisor before signing, obligations are logged in a tracked system, and relevant teams know their responsibilities. Contracts are reviewed annually and obligations are checked against your current security posture.
Optimised
Contract review is embedded in your procurement workflow—no contract is signed without IT security sign-off. You have a live dashboard showing all active obligations, automated alerts for renewal dates, and regular audits confirming compliance with contractual promises. Legal and IT teams collaborate continuously.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Collect all active contracts (vendor agreements, client NDAs, SaaS subscriptions, outsourcing deals) into one folder. Create a simple spreadsheet listing contract name, parties, start/end date, and file location. | Office Manager or Business Owner | 2-3 days |
| 1 → 2 | Read through each contract and highlight any clause mentioning data, security, compliance, breach notification, or confidentiality. Create a one-page summary for each contract listing these obligations in plain language. | Business Owner or IT person (with legal support if budget allows) | 1-2 weeks depending on contract volume |
| 2 → 3 | Create a formal Contracts & Obligations Register (spreadsheet or simple database) showing each contract, key security obligations, who is responsible, and compliance status. Get this reviewed and signed off by your manager and IT lead. Assign owners to each obligation. | IT person with approval from Business Owner | 2-3 weeks |
| 3 → 4 | Establish a contract review process: every new contract must be reviewed by IT/Security before signing, a checklist of security questions must be answered, and obligations must be added to your register immediately. Document this in a policy. | Business Owner and IT person (with external legal advisor if possible) | 4-6 weeks |
| 4 → 5 | Integrate contract management into your procurement workflow using a simple tool, set up calendar reminders for renewal reviews, conduct quarterly compliance audits against your obligations register, and track remediation if any gaps are found. | IT person with support from Procurement/Admin | Ongoing (2-4 hours/month) |
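The register, renewal-reminder and audit steps in the table above, worked through as an added Python example (this is not code from the NIRMATA page or from any tool it lists). It assumes a small in-memory register; in practice the rows would be loaded from the spreadsheet or database you keep. Every contract name, counterparty, date, file path and obligation below is constructed for illustration.

```python
"""Contracts & Obligations Register: renewal alerts and a compliance gap audit.

Added example, not part of the NIRMATA page. The register is held in memory
here; all contract data is constructed and does not describe real parties.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Obligation:
    text: str              # obligation in plain language, as in the one-page summaries
    owner: Optional[str]   # accountable person or team; None means unassigned (a gap)
    status: str            # "compliant", "partial", "non-compliant" or "unknown"


@dataclass
class Contract:
    name: str
    counterparty: str
    end_date: date
    file_location: str
    obligations: List[Obligation] = field(default_factory=list)


# Constructed sample register (hypothetical names, dates and paths).
REGISTER = [
    Contract("Client MSA - Acme Textiles", "Acme Textiles Pvt Ltd",
             date(2025, 3, 31), "contracts/clients/acme_msa.pdf", [
                 Obligation("Report data breaches to client within 72 hours", "IT Lead", "compliant"),
                 Obligation("Encrypt customer data in transit (TLS 1.2+)", "IT Lead", "compliant"),
                 Obligation("Achieve ISO 27001 certification by renewal", None, "non-compliant"),
             ]),
    Contract("SaaS subscription - PayrollCloud", "PayrollCloud Inc",
             date(2025, 9, 30), "contracts/vendors/payrollcloud.pdf", [
                 Obligation("Restrict admin access to named staff; review quarterly", "Office Manager", "partial"),
             ]),
    Contract("BPO agreement - DataEntry Services", "DataEntry Services LLP",
             date(2026, 1, 15), "contracts/vendors/dataentry.pdf", [
                 Obligation("Keep personal data within India (data residency)", "Business Owner", "unknown"),
             ]),
]


def renewals_due(register: List[Contract], today: date, window_days: int = 90) -> List[str]:
    """Contracts whose end date is within window_days of today (or already past).

    This is the 'calendar reminder' from step 4 -> 5, computed instead of typed in by hand.
    """
    horizon = today + timedelta(days=window_days)
    return sorted(c.name for c in register if c.end_date <= horizon)


def audit_gaps(register: List[Contract]) -> List[Tuple[str, str, str]]:
    """Obligations that would fail a quarterly audit: no owner, or status not 'compliant'.

    Returns (contract name, obligation text, reason) so each gap can be tracked to remediation.
    """
    gaps = []
    for c in register:
        for o in c.obligations:
            reasons = []
            if o.owner is None:
                reasons.append("no owner assigned")
            if o.status != "compliant":
                reasons.append("status is " + o.status)
            if reasons:
                gaps.append((c.name, o.text, "; ".join(reasons)))
    return gaps


def obligations_by_owner(register: List[Contract]) -> Dict[str, List[str]]:
    """Per-team view so 'relevant teams know their responsibilities' (Managed level)."""
    by_owner: Dict[str, List[str]] = {}
    for c in register:
        for o in c.obligations:
            by_owner.setdefault(o.owner or "UNASSIGNED", []).append(c.name + ": " + o.text)
    return by_owner


if __name__ == "__main__":
    today = date(2025, 2, 1)  # fixed 'today' so the run is reproducible
    print("Renewal reviews due within 90 days:", renewals_due(REGISTER, today))
    for contract, text, why in audit_gaps(REGISTER):
        print("GAP |", contract, "|", text, "|", why)
    for owner, items in obligations_by_owner(REGISTER).items():
        print(owner, "->", items)
```

Running it with the constructed data flags the Acme contract for renewal review, lists three audit gaps (one unowned and non-compliant obligation, one partial, one of unknown status), and shows the IT Lead carrying two obligations. Replacing the `REGISTER` literal with a CSV or Sheets export of your own register is the only change needed to use this on real data.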
Documents and records that prove your maturity level.
- A master register or spreadsheet of all active contracts with vendor/client names, contract dates, and file location
- At least 5 contracts with cybersecurity, data protection, or compliance clauses visibly highlighted or summarized
- A documented inventory or checklist showing data handling obligations (e.g., 'Must encrypt data in transit', 'Must report breaches within 72 hours', 'Must achieve ISO 27001 certification')
- Email or sign-off document showing that a manager or IT person has reviewed and approved the obligations register
- For newer organizations: evidence of pre-signature IT review (e-mail approval, checklist, or meeting notes) for at least the last 3 contracts signed
Prepare for these questions from customers or third-party reviewers.
- "Show me your complete list of active contracts. How do you ensure nothing is missed?"
- "Take me through one of your vendor contracts. What are the specific security or data obligations you've committed to?"
- "Who in your company is responsible for making sure you meet these contractual obligations? How do they know what to do?"
- "Have you ever discovered a contractual obligation that you couldn't meet? How did you handle it?"
- "If a data breach happened tomorrow, what contractual obligations would you be in breach of? Walk me through how you'd handle the notification and liability."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Store and organize contracts in one searchable place | Google Drive or Microsoft OneDrive with organized folder structure and naming convention; Notion template for contract tracking | DocSend (₹5,000–10,000/year), Ironclad or Concord (starts ₹1,50,000+/year, overkill for MSMEs) |
| Create and maintain a contracts & obligations register | Excel or Google Sheets (simple template with contract name, obligations, owner, status columns) | Airtable (₹5,000–15,000/year for small team), Monday.com (₹10,000–20,000/year) |
| Track contract renewal dates and set reminders | Google Calendar (create entries for each contract end date), Trello with due date reminders | Zoho Desk (includes contract management, ₹3,000–15,000/year) |
- Signing contracts without reading the fine print, especially with SaaS vendors or BPO partners who sneak in liability clauses or data residency requirements your IT team can't meet
- Verbal agreements or WhatsApp confirmations with vendors—these are just as binding legally but leave no paper trail of obligations, making compliance impossible to prove
- Forgetting to update your obligations register when contracts are renewed or amended; you end up following old rules and missing new requirements
- Assuming vendors are responsible for all security—many contracts actually split responsibility, and you might unknowingly be liable for encryption, access controls, or incident response that you thought the vendor would handle
- Not translating technical contract language into actions your IT team understands; a clause saying 'ensure data confidentiality' is too vague and won't guide real security work
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (Consent for processing), Section 8 (Data processing and contractual obligations), Section 10 (Lawful basis); requires clear documentation of data handling agreements with third parties |
| CERT-In 2022 Guidelines | Direction 3 (Create documented information security policies) and Direction 4 (Third-party security obligations); mandates that organizations assess and document security requirements in vendor/partner contracts |
| ISO 27001:2022 | A5.12 (Supplier relationships), A5.13 (Supplier service delivery management); clause 8.4 (External provider processes) |
| NIST CSF 2.0 | Govern (GV) function - GV.RO-02 (Manage agreements with suppliers); Protect (PR) function - PR.AC-06 (Establish physical and logical access controls based on contracts) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.