NCSRC NIRMATA
RC-15 Risk & Compliance 20% of OML score

Has the business reviewed its risk and compliance approach in the last 12 months?

Have you sat down in the last 12 months to check whether your security and compliance rules are still working and still make sense for your business? This means looking at what you're doing to protect data, follow laws, and manage risks—and asking if it's actually helping or if it's become outdated.

Why This Matters to Your Business

If you never review your controls, they become like a padlock on a door that nobody uses anymore—it doesn't protect anything. A manufacturing business in Bangalore had strict email filters set up 3 years ago, but never reviewed them; when a new GST compliance requirement came in 2024, nobody noticed the software wasn't logging the right information, and they faced a ₹50,000 penalty during a GST audit. Without regular reviews, you might also miss that a departed employee still has access to your accounting system, or that customer data is sitting unencrypted on an old server. When a customer or auditor asks "Are you secure?" and you can't prove you've checked in the last year, trust disappears and so do contracts.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written record of any review of your security or compliance practices. Your security setup is whatever was installed years ago and nobody remembers why half of it exists.

Level 1
Initial

You did a review once when a customer demanded it, but it was informal—maybe an email thread or a conversation. There's no documented plan from that review and nothing was actually changed based on what you found.

Level 2
Developing

You have a documented record of a review done in the last 12-18 months, usually prompted by a customer audit or a near-miss incident. You made a list of issues but only fixed the urgent ones.

Level 3
Defined

You conduct a formal annual review (checklist-based) led by your IT person or a hired consultant, document findings, and create an action plan with timelines. You've actually completed most of the actions from your last review.

Level 4
Managed

You run a quarterly review cycle using a structured risk assessment method; findings are tracked and prioritized by business impact. Leadership approves the review and allocates budget for fixes before the next review starts.

Level 5
Optimised

You conduct continuous risk and compliance monitoring through automated tools and monthly management reviews. Each review incorporates changes in law, customer requirements, and threat landscape; findings trigger immediate action or justified deferral with board sign-off.

How to Move Up — Practical Steps
Step 0 → 1
  What to do: Schedule a half-day meeting with your IT person and business owner to walk through your current security practices (passwords, backups, access controls, data storage). Document what you find in a simple table: what we have, why we think we have it, and what's working or broken.
  Who: Business owner + IT person
  Effort: 1 day

Step 1 → 2
  What to do: Put a formal annual review on the calendar for the same date next year. Use a simple checklist (see tools section) covering legal requirements (DPDP Act, GST IT rules), customer expectations, and your own risk areas. Record the review in writing with the date, who did it, and the findings, and keep it in a secure folder.
  Who: IT person or external consultant
  Effort: 1 week (first time); 2-3 days annually after that

Step 2 → 3
  What to do: Upgrade your review checklist to include a risk scoring method: for each finding, note severity (critical/high/medium/low) and who must fix it. Create an action log with owner, target date, and status. Track it monthly and report progress to leadership or your board.
  Who: IT person with business owner input
  Effort: 2-4 weeks to set up; then 1 day/month to maintain

Step 3 → 4
  What to do: Move from an annual to a quarterly review cycle. Before each review, scan for new regulations (CERT-In alerts, MeitY advisories, customer security letters) and add them to your checklist. Tie review findings to budget planning so money is allocated to fixes before the next review starts.
  Who: IT person as owner; CFO and business owner to approve budget
  Effort: 1-2 months to establish the process; then 1 day per quarter

Step 4 → 5
  What to do: Implement continuous monitoring with a SIEM/XDR platform (e.g., open-source Wazuh, or a paid SIEM), automated policy compliance checks, and a monthly metrics dashboard. Set up alerts for policy violations so you catch issues before they become risks. Feed threat intelligence (e.g., CERT-In advisories) into the review process automatically.
  Who: IT person or managed security service provider
  Effort: Ongoing (1-2 months to set up; 5-10 hours/month to operate)
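The action log from step 2 → 3 and the monthly metrics from step 4 → 5 can be produced from a plain CSV rather than a paid dashboard. The following is an added example, not code from the NIRMATA guide or its custodian: it assumes a log with the columns finding_id, control, severity, owner, target_date, status and review_date (an assumption, not a format the guide prescribes), runs on constructed sample rows, and reports open and overdue findings by severity, the completion percentage against the 50% evidence bar used later on this page, which critical findings to escalate, and whether the most recent review is older than 12 months.

```python
"""Added example (not from the NIRMATA guide): compute quarterly-checkpoint
metrics from a review action log kept as CSV.

Assumed columns: finding_id, control, severity, owner, target_date, status,
review_date (ISO dates; status is one of open / in_progress / done).
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample action log; the findings are illustrative only.
SAMPLE_ACTION_LOG = """\
finding_id,control,severity,owner,target_date,status,review_date
F-01,MFA on accounting system,critical,IT lead,2025-01-31,done,2024-12-15
F-02,Disable accounts of departed staff,critical,HR + IT,2025-02-15,open,2024-12-15
F-03,Encrypt customer data on old file server,high,IT lead,2025-03-31,in_progress,2024-12-15
F-04,180-day log retention (CERT-In direction iv),high,IT lead,2025-03-31,done,2024-12-15
F-05,Test backup restore,medium,IT lead,2025-06-30,open,2024-12-15
F-06,Update privacy notice wording,low,Owner,2025-09-30,open,2024-12-15
"""

REVIEW_WINDOW = timedelta(days=365)   # "reviewed in the last 12 months"
EVIDENCE_COMPLETION_PCT = 50          # evidence bar quoted by the guide


def parse_action_log(text):
    """Parse the CSV into dicts with real date objects and normalised fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            **r,
            "severity": r["severity"].strip().lower(),
            "status": r["status"].strip().lower(),
            "target_date": date.fromisoformat(r["target_date"]),
            "review_date": date.fromisoformat(r["review_date"]),
        })
    return rows


def summarise(rows, today):
    """Metrics for the checkpoint held on `today`."""
    open_rows = [r for r in rows if r["status"] != "done"]
    overdue = [r for r in open_rows if r["target_date"] < today]
    done = len(rows) - len(open_rows)
    pct = round(100 * done / len(rows)) if rows else 0
    last_review = max(r["review_date"] for r in rows) if rows else None
    return {
        "total": len(rows),
        "done": done,
        "completion_pct": pct,
        "meets_evidence_bar": pct >= EVIDENCE_COMPLETION_PCT,
        "open_by_severity": dict(Counter(r["severity"] for r in open_rows)),
        "overdue_ids": sorted(r["finding_id"] for r in overdue),
        # Open, overdue critical findings are the ones leadership must see.
        "escalate": sorted(r["finding_id"] for r in overdue
                           if r["severity"] == "critical"),
        "last_review": last_review,
        # No review on record counts as stale, the same as one older than a year.
        "review_stale": last_review is None or (today - last_review) > REVIEW_WINDOW,
    }


def checkpoint(log_text, today_iso):
    """Convenience wrapper: CSV text + ISO date string -> metrics dict."""
    return summarise(parse_action_log(log_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    m = checkpoint(SAMPLE_ACTION_LOG, "2025-04-01")
    print(f"{m['done']}/{m['total']} findings closed ({m['completion_pct']}%), "
          f"evidence bar met: {m['meets_evidence_bar']}")
    print("open by severity:", m["open_by_severity"])
    print("overdue:", m["overdue_ids"], "escalate:", m["escalate"])
    print("last review:", m["last_review"], "stale:", m["review_stale"])
```

Run it monthly against the real log (swap SAMPLE_ACTION_LOG for the exported sheet) and paste the printed lines into the checkpoint minutes; the "escalate" list is what goes to the owner or CFO, and "review_stale" turning true is the signal that the next audit question on this page cannot be answered.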
Evidence You Should Have

Documents and records that prove your maturity level.

  • Annual or quarterly risk assessment report signed and dated, listing identified risks, their severity, and controls in place to mitigate them
  • Compliance review checklist completed and dated within the last 12 months, covering relevant laws (DPDP Act, GST IT rules, industry regulations) and customer security requirements
  • Action log or remediation plan with at least 3 control improvements identified, owners assigned, target completion dates, and evidence of at least 50% completion
  • Meeting notes or sign-off from leadership (owner/CFO) showing they reviewed the assessment findings and approved the remediation plan
  • Audit trail or email evidence showing the review was actually done (e.g., external assessor report, consultant summary, or internal memo with supporting photos of systems checked)
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "When was your last risk and compliance review, and can you show me the documented findings?"
  • "Have you reviewed whether DPDP Act 2023 requirements are being met in your current controls? What did you find?"
  • "Show me the action plan from your last review—what issues were identified and which ones have been fixed?"
  • "How often do you review your controls? Is it documented and scheduled, or ad hoc when something breaks?"
  • "If there was a major incident (data breach, ransomware, regulatory change) today, would your existing controls catch it? What was the last date you tested this assumption?"
Tools That Work in India
Purpose: Create and track a simple annual risk review checklist
  Free option: Google Sheets template + NIST CSF 2.0 reference guide (free PDF from NIST); or a blank spreadsheet with columns: Control Name | Current Status | Works Y/N | Risk If Missing | Action Needed | Owner | Due Date
  Paid option: Qualys Risk Assessment (₹3-5 lakh/year for MSME tier); Rapid7 Nexpose (₹2-4 lakh/year)

Purpose: Monitor continuous compliance and generate review reports automatically
  Free option: Wazuh (open-source endpoint and log monitoring); Prometheus + Grafana (monitoring dashboard)
  Paid option: Tenable Nessus Professional (₹1.5-2 lakh/year); CrowdStrike Falcon Prevent (₹4-6 lakh/year)

Purpose: Track regulatory changes and CERT-In alerts automatically
  Free option: CERT-In official portal (cert-in.org.in/alerts); MeitY advisories RSS feed; Google Alerts for 'DPDP Act' + industry keywords
  Paid option: Deloitte Risk & Compliance Dashboard (custom; approx ₹5+ lakh/year); Everbridge Critical Event Management (₹2-3 lakh/year)

Purpose: Document and store review evidence securely
  Free option: OneDrive or Google Drive with strong encryption + access logs; or Nextcloud (self-hosted open-source)
  Paid option: Box (₹15,000-30,000/year); Citrix ShareFile (₹20,000-40,000/year)

Purpose: Conduct structured risk assessment interviews and create reports
  Free option: NIST CSF 2.0 workbook (free) + Microsoft Word/Excel templates
  Paid option: Risk Ledger or Cyber Risk Quantification tool (₹50,000-2,00,000/year); Gartner Risk Radar (subscription needed)
How This Makes You More Resilient
When you review your controls regularly, you catch problems before they become crises—an unpatched server, a lost backup drive, or a new law you missed. This means when a ransomware attack happens or a customer audit arrives, you're ready instead of scrambling. You'll also keep customer trust because you can prove you're staying on top of security, which means you keep contracts and avoid expensive fines.
Common Pitfalls in India
  • Treating the annual review as a checkbox exercise: You do it once a year because an auditor asks, write a generic report, and forget about it. Reality: Reviews only matter if you actually act on findings and track progress. Set a quarterly checkpoint to prove something changed.
  • Ignoring new Indian regulations: You reviewed your controls for DPDP Act in 2023, but you never checked whether GST IT rules, SEBI cyber governance rules (for financial companies), or new RBI guidelines affected you. Reality: Indian regulatory changes are frequent and industry-specific. Subscribe to CERT-In and MeitY alerts and add "Regulatory Watch" to every review.
  • Reviewing only after something breaks: You do a thorough review only after a breach, audit failure, or customer complaint. Reality: By then, damage is done. Schedule reviews for a fixed date (e.g., March 31 every year) and do them regardless—even if nothing bad happened, you'll sleep better and catch drift early.
Compliance References
Standard: DPDP Act 2023
  Relevant section: Section 8 (general obligations of a Data Fiduciary), in particular 8(4) (technical and organisational measures to ensure compliance with the Act) and 8(5) (reasonable security safeguards to prevent personal data breach); a control that is never reviewed cannot be shown to be "reasonable". Section 10(2)(c) additionally requires a Significant Data Fiduciary to carry out periodic Data Protection Impact Assessments and periodic audits.

Standard: IT Act 2000, Section 43A, with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011
  Relevant section: Rule 8(4) requires the security practices to be audited by an approved independent auditor at least once a year, or whenever there is a significant upgrade of processes or computer resources. Section 43A is omitted once the corresponding DPDP Act provisions commence, so check which regime applies on the review date.

Standard: CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act)
  Relevant section: Direction (iv) requires logs of all ICT systems to be retained securely for a rolling period of 180 days within India and produced on request; Direction (ii) requires listed incident types to be reported to CERT-In within 6 hours. Confirming that logging still meets (iv) belongs on every review checklist.

Standard: ISO 27001:2022
  Relevant section: Clause 6.1.2 (information security risk assessment at planned intervals and when significant changes occur); Clause 9.2 (internal audit at planned intervals); Clause 9.3 (management review at planned intervals); Clause 10.1 (continual improvement); Annex A 5.35 (independent review of information security) and 5.36 (compliance with policies, rules and standards).

Standard: NIST CSF 2.0
  Relevant section: Govern Function, Oversight category: GV.OV-01 (risk management strategy outcomes are reviewed), GV.OV-02 (the risk management strategy is reviewed and adjusted), GV.OV-03 (risk management performance is evaluated and reviewed); GV.PO-02 (policy is reviewed, updated, communicated and enforced); Identify Function, Improvement category: ID.IM-01 (improvements are identified from evaluations). CSF 2.0 has six Functions (Govern, Identify, Protect, Detect, Respond, Recover); there is no "Manage" Function.

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
