22 June 2026·10 min read·guides

Business Continuity and Disaster Recovery for Indian SMBs

BCP and DR planning for Indian SMBs: RTO, RPO, 3-2-1 backups, failover runbooks, cloud DR options, and DPDP/CERT-In compliance requirements in plain language.

Bachao.AI Research Team

Cybersecurity Research

Know your vulnerabilities before attackers do

Free scan · No credit card required

Get Your Free VAPT Scan

What this means for your business

Indian SMBs without documented security controls face 3× higher breach costs. This guide helps you close that gap.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

Business Continuity Planning (BCP) and Disaster Recovery (DR) determine whether your business survives a ransomware attack, a cloud outage, or a server-room flood. BCP covers staying operational — people, processes, vendors, communications. DR covers restoring your IT systems and data. Most Indian SMBs conflate them or ignore both. This guide explains what each covers, how to build a workable plan without a dedicated security team, and what DPDP and CERT-In now expect from you.

74%Indian organisations with no tested DR plan (NASSCOM-DSCI SMB Study 2023)

6 hrsMaximum CERT-In ransomware incident reporting window (CERT-In Directions 2022)

BCP vs DR — The Distinction That Matters

People use these terms interchangeably, but they are different scopes with different owners.

Business Continuity Planning is a business-level document: if the office is unreachable, a key vendor disappears, or a critical system is down for a week, how does the organisation keep serving customers? It covers people, supplier alternatives, communication scripts, and manual workarounds.

Disaster Recovery is a technology-level document: how do we restore specific systems and data to a known-good state, and in what order? It defines the team, the tooling, and step-by-step restoration procedures.

One complements the other. A DR runbook with no BCP means your technical team restores systems that no one in the business knows how to use in a crisis.

ℹ️

INFO

For Indian SMBs, start with DR. Most downtime events are IT failures, not office-level disruptions. Get your systems-recovery plan working first, then build the broader BCP around it.

Core Concepts Every SMB Must Understand

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

RTO is the maximum tolerable downtime — how long can your business operate before systems must be restored? An e-commerce checkout system might have an RTO of 1 hour. Your internal HR portal might tolerate 72 hours.

RPO is the maximum tolerable data loss — how far back in time can you afford to roll back? An RPO of 4 hours means you accept losing up to 4 hours of transactions. An RPO of zero means synchronous replication and near-zero data loss.

Setting realistic RTO/RPO for each system is the single most important step in DR planning. It drives every other decision: how much you invest in replication, how frequently you back up, and how much you spend on standby infrastructure.

xychart-beta
  title "RTO and RPO Tiers by System Criticality"
  x-axis ["Payment", "Auth/Login", "Customer DB", "Reporting", "Internal Tools"]
  y-axis "Hours" 0 --> 72
  bar [1, 2, 4, 24, 72]
  line [0.5, 1, 2, 8, 24]

Bar = RTO target (restore time). Line = RPO target (data loss window). Values are illustrative starting points — set yours by actual business impact.

The 3-2-1 Backup Rule

The 3-2-1 rule is the minimum viable backup standard: 3 copies of data, on 2 different storage media or services, with 1 copy offsite and offline (air-gapped from your primary network).

The offsite-offline copy is what saves you from ransomware. Ransomware routinely scans connected drives and mapped cloud storage for backup directories and encrypts those too. If your backup is reachable via SMB or a mounted S3 bucket with always-on credentials, it is not truly offsite.

🚨

DANGER

A backup that lives only in the same cloud account as your primary data is not a ransomware-safe backup. The attacker who steals your AWS root credentials can delete both. Use a separate account, a separate provider, or immutable object storage with object-lock enabled.

Failover, Runbooks, and RTOs

Failover is switching from a failed primary to a standby — automatic (warm/hot) or manual (cold). Most SMBs run cold-standby DR: restore from backup when needed. That is acceptable, but the RTO is hours to days. Size your plan accordingly.

Runbooks are step-by-step procedures, not architecture diagrams. A runbook says: log into AWS console → launch EC2 from AMI ami-0a1b2c3d → restore RDS snapshot prod-2026-MM-DD → update DNS A record → verify health endpoint. Executable by any qualified person, not only the author. If DR depends on one person's memory, you have no DR.

Building Your DR Plan in Five Steps

Step 1 — Asset and Dependency Inventory

List every system your business depends on. For each: service name, data it holds, criticality tier (Tier 1 = mission critical, Tier 2 = important, Tier 3 = non-critical), owner, and where data lives. Most Indian SMBs discover more critical dependencies than expected — payment gateways, WhatsApp Business API, accounting SaaS, cloud PBX.

Step 2 — Assign RTO and RPO

For each Tier 1 and Tier 2 system, assign realistic targets. Involve the business owner, not just IT — a CTO who sets RTO = 1 hour without consulting the CFO may find the cost unjustified; a CFO who does not understand RPO may not realise they are accepting a full day's lost transactions.

Step 3 — Design Your Backup Architecture

Implement 3-2-1 for every Tier 1 and Tier 2 system. For cloud-hosted workloads:

Automated daily snapshots in the same region
Cross-region replication or export to a second provider
Periodic export to immutable object storage (S3 Object Lock, or Wasabi with immutability enabled)

For on-premise servers, add an offsite copy — AWS Glacier or Google Coldline is cost-effective for infrequently-restored data.

Step 4 — Write Runbooks for Tier 1 Systems

Write runbooks executable under stress by someone who did not build the system. Include: incident declaration, who to call, step-by-step restore commands, integrity verification, and customer communication steps.

Store runbooks offline — printed binder, personal device, or a separate identity account. A runbook stored only in a Google Drive requiring corporate SSO is inaccessible when SSO is the system that is down.

Step 5 — Define Roles and Communication

Who declares a disaster? Who authorises emergency cloud spend? Who calls the bank, registrar, and cloud provider? Who communicates to customers? Assign each role to a primary and a backup. Store contact lists in physical form or on a personal device — not only in the corporate collaboration tool.

graph TD
    A[Incident Detected] --> B{Is it a security breach?}
    B -- Yes --> C[Isolate affected systems immediately]
    B -- No --> D[Assess service impact]
    C --> E[Notify CERT-In if data breach]
    D --> F{Is Tier 1 system down?}
    F -- Yes --> G[Declare DR event - notify DR lead]
    F -- No --> H[Raise support ticket - standard SLA]
    G --> I[Execute Tier 1 runbook]
    I --> J{Restore successful within RTO?}
    J -- Yes --> K[Verify data integrity against RPO]
    J -- No --> L[Escalate to vendor - consider failover region]
    K --> M{Data loss within RPO?}
    M -- Yes --> N[Restore service - communicate to customers]
    M -- No --> O[Assess business impact of data gap]
    L --> P[Activate cold standby or manual workaround]
    P --> N
    O --> N
    N --> Q[Post-incident review within 72 hours]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style M fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style O fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style P fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style Q fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Testing Your Plan

A plan that has never been tested is a hypothesis. CERT-In's published best-practice guidelines recommend annual DR exercises at minimum. The two main test formats are:

Tabletop Exercises

A tabletop is a structured discussion: the facilitator presents a scenario ("It is 2 AM Friday, your database is encrypted by ransomware") and walks through the response step by step. No systems are touched. The goal is to surface gaps — missing runbook steps, role ambiguities, unknown dependencies. Takes 2–3 hours; run quarterly.

Failover Drills

A failover drill tests whether recovery procedures actually work. For a cloud database: take a snapshot, delete the primary instance, restore from snapshot, time it, and verify data integrity. Disruptive — schedule in a maintenance window. Run Tier 1 drills at least annually.

💡

TIP

Many Indian SMBs run their first failover drill and discover their most recent backup is corrupt, the restore procedure is undocumented, or the restored environment points to the wrong database connection strings. Find these gaps in a controlled drill, not during an actual incident.

Cloud DR Options for Indian SMBs

Option	RTO	RPO	Best For	Notes
Snapshot restore (same region)	1–4 hours	Hours	Low-criticality workloads	Cheapest option; does not protect against region-level failure
Cross-region replication	15–60 min	Minutes	Tier 2 systems	Add 30–50% to storage cost; test restore path separately
Warm standby (parallel lower-spec instance)	5–15 min	Minutes	Tier 1 systems	Lower cost than hot standby; requires DNS/load-balancer cutover
Hot standby / multi-region active-active	Near zero	Near zero	Payment-critical systems	Highest cost; typically only for fintech/regulated sectors
Managed DR on AWS/Azure/GCP	Variable	Variable	Teams without DR expertise	AWS Elastic Disaster Recovery (DRS) is mature and India-region available

For most Indian SMBs, a combination of daily cross-region snapshots for Tier 1 systems and same-region snapshots for Tier 2 systems delivers acceptable resilience at manageable cost.

Ransomware Resilience — Where BCP/DR Directly Applies

Ransomware is now the most common trigger for DR execution in India. Attackers stay dormant for weeks so your most recent clean backup predates their presence, then delete or encrypt backups before deploying the payload.

Your DR plan must address:

Backup immutability — object-lock or write-once storage so backups cannot be deleted by a compromised credential
Backup age audit — median attacker dwell time globally is 10 days per Mandiant M-Trends 2024; test restores from 30-day-old backups too
Network segmentation — DR infrastructure on a separate account and network segment, not reachable from production
Pre-negotiated vendor contacts — cloud account team, cyber insurance carrier, and a CERT-In empanelled incident response partner should all be in your runbook before you need them

🛡️

SECURITY

If you receive a ransomware notice: do not pay immediately, do not reboot affected systems, and do not start restoring until you have determined the initial access vector. Restoring to a network that still has the attacker's persistence mechanism returns you to the same incident within hours.

DPDP and CERT-In Expectations

The Digital Personal Data Protection Act 2023 requires Data Fiduciaries to implement appropriate technical and organisational measures to safeguard personal data. If personal data is lost or made unavailable due to a preventable incident, the Data Fiduciary is liable. CERT-In's Cyber Security Framework for organisations recommends BCP/DR as a baseline control.

Practical compliance requirements:

DR plan must be documented, reviewed annually, and demonstrable to an auditor
Backup procedures for systems holding personal data must be explicitly documented
Any ransomware event where data may have been accessed triggers DPDP breach notification obligations — your BCP must include a notification workflow
CERT-In's April 2022 directions require reporting ransomware incidents within 6 hours of detection

Your organisation's DPDP compliance posture and your DR plan are not separate workstreams — they share the same data inventory, the same incident response procedures, and the same obligations around demonstrating due diligence.

Bachao.AI's automated VAPT identifies the external attack surface vulnerabilities most commonly exploited as ransomware entry points. If you have not run a free VAPT scan on your internet-facing assets, your DR plan is missing the threat intelligence it needs to be credible. Dhisattva AI Pvt Ltd builds tools that close this gap for resource-constrained Indian SMBs.

NIST's Contingency Planning Guide for Federal Information Systems (SP 800-34) remains the most comprehensive reference for building DR plans, adapted here for the Indian SMB context.

🎯Key Takeaway

A DR plan that has never been tested is not a plan — it is a false sense of security. Assign RTO/RPO to each critical system, implement 3-2-1 backups with at least one immutable copy, write runbooks executable by any qualified person, and run a failover drill annually. CERT-In reporting obligations and DPDP data-safeguarding requirements mean the cost of having no tested plan now includes regulatory exposure, not just business downtime.

Frequently Asked Questions

What is the difference between BCP and DR for an Indian SMB?

Business Continuity Planning covers how your organisation keeps operating during a disruption — people, vendors, communications, manual processes. Disaster Recovery is specifically about restoring IT systems and data. DR is a subset of BCP. For most SMBs, starting with DR (systems recovery) is more immediately actionable than a full BCP.

What RTO and RPO should a small Indian business target?

There is no universal answer — it depends on your business model. A payments company might need an RTO of 1 hour and RPO of 15 minutes for its transaction database. A professional services firm might tolerate 24-hour RTO on most systems. The right approach is to calculate the cost of downtime per hour for each critical system, then invest in recovery speed proportional to that cost.

Does CERT-In require Indian SMBs to have a DR plan?

CERT-In's 2022 cybersecurity directions and its published best-practice guidelines recommend documented BCP/DR as an organisational control. For regulated sectors (banking, insurance, securities), the respective regulators (RBI, IRDAI, SEBI) have explicit requirements. For all organisations, a ransomware incident now triggers a 6-hour CERT-In reporting obligation, which is not executable without a documented incident-response and DR process.

How does the DPDP Act affect our DR requirements?

DPDP 2023 requires Data Fiduciaries to implement appropriate technical and organisational measures to prevent personal data breaches. An absence of DR controls — leading to data loss — could be construed as a failure to take appropriate measures. Additionally, a ransomware event where data may have been exfiltrated triggers breach notification obligations. Your DR plan must include a notification workflow to be DPDP-compliant.

What is the 3-2-1 backup rule and is it sufficient for ransomware?

The 3-2-1 rule means three copies of data, on two different media types, with one copy offsite. It is a good baseline. For ransomware resilience, the offsite copy must also be immutable — write-once storage that cannot be deleted or overwritten even by a compromised administrator credential. Without immutability, a ransomware actor with your cloud credentials can delete all three copies.

We are a 20-person startup. Can we realistically build a DR plan?

Yes, and it does not require a dedicated security team. Start with a one-page asset inventory, assign RTO/RPO to your two or three most critical systems, implement automated daily snapshots with cross-region replication, and write a single runbook for each Tier 1 system. A tabletop exercise can be run in an afternoon. The minimum viable DR plan for a small startup is achievable in a focused week of effort and dramatically reduces your worst-case downtime.