Is DIT misleading the public?
The GOI released the notification of rules under Section 43A on April 11, 2011. Naavi has presented his views on the same in the article here.
One of the points raised by Naavi was that the rules were framed in such a manner as to make people think that compliance with Sec 43A is deemed to have been completed if an organization is certified for ISO 27001. Naavi also pointed out that
a) Organizations which completed ISO 27001 certification before April 11, 2011 obviously cannot be considered to have complied with the requirements, and hence the notification was wrong per se.
b) ISO 27001 audits do not in practice cover ITA 2008 as one of the laws with which the target company needs to comply, and hence it is improper to provide compliance immunity based on an ISO 27001 audit.
c) It was conceptually wrong for the Government of India to have promoted ISO 27001 audit as a part of the law.
d) The notification amounted to hoisting a liability of Rs 7000/- on every citizen of India, who would have to buy the ISO 27001 specification to understand the parliamentary law, and the industry would have to spend over Rs 30000/- crores annually to meet the requirements, which is unfair, impractical and indicative of a scam of the size of the infamous
In response to an RTI query, the department clarified as follows, in a reply from Mr Prafulla Kumar, Director, MCIT, dated 11th July 2011.
However, the IT Governance website states as follows:
It is clear from the above that IT Governance is using the notification to mislead the public into believing that ISO 27001 is the compliance specification for Section 43A. By remaining silent, the department will be seen as conspiring with the IT Governance organization to make people believe that they must undergo an ISO 27001 audit as a mandatory provision.
This completely validates the concern Naavi expressed that the notification is a possible scam bigger than the 2G scam.
We seek an explanation from DIT and the IT Governance authority about
Apart from placing this note on the Internet for the information of the relevant authorities, we also urge the Comptroller and Auditor General (CAG) to take note of the possibly irregular manner in which this notification is sought to be implemented, even though it is detrimental to the interests of the country and uses a parliamentary law to promote private foreign commercial interests. The specific attention of the two organizations involved will also be drawn through e-mails.
August 20, 2011
Message sent to IT Governance through the website:
"I refer to the content in your website which promotes ISO 27001 audit
as a recommendation of the Government of India under the rules notified
for Sec 43A of ITA 2008. My full views are available at http://www.bloggernews.net/127009
and also at www.naavi.org.
It is improper for your organization to use the Indian Government to promote ISO 27001 audit and you need to refrain from the same. Kindly respond to firstname.lastname@example.org"
Message sent to DIT (email@example.com); CC: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Mr Prafulla Kumar
Regarding ISO 27001 and Sec 43A-ITA 2008 compliance
I recall my previous correspondence that DIT in its notification of
April 11, 2011, on rules under Section 43A promoted ISO 27001 audit as
an information security framework for compliance of Section 43A of the
Act. I had pointed out that it was not fair or legal to use a legal
document passed by the Parliament to promote a foreign private interest.
I had also pointed out that by including the ISO 27001 as part of the
rule notification you were mandating every citizen of India to acquire a
copy of the specification that costs Rs 7000/- each for 1.2 billion
people in foreign exchange. I also pointed out that this would require more than 1 million entities to conduct ISO 27001 audits at a cost of around Rs 30000/- crores per annum, and all this suggests a scam bigger than the 2G scam.
You strongly disagreed with my view that you were promoting ISO 27001
through legislation and even replied to me that that was not the
However I insisted that the wording was misleading and needed to be changed when the notification was presented in the Parliament in the
I am not sure if this has been done.
In the meantime I need to point out that in the website of the IT
Governance authority ( http://www.itgovernanceasia.com/t-iso27001.aspx?utm_source=DSCI&utm_campaign=iso27001)
they are using the guideline as a promotion of ISO 27001 audit being
necessary for compliance of Sec 43A.
I am now bringing this to your notice to request you to kindly
a) Order the removal of the reference to MIT rules in the website of IT
b) Take steps if not already taken to remove the misleading content in
I have brought this to the notification of many MPs to watch out for the
notification to be tabled in the Parliament. I reiterate that the
notification has been drafted in a manner that misleads the public and
when presented in the Parliament without proper clarification or change
as suggested, it would amount to misleading the Parliament as well.
In the event the notification is presented in its present form and
passed it will be necessary to move a Privilege motion exclusively on
I am aware that your department as well as the Parliament is busy with
several other pressing engagements and the notification may pass through
without any MP noticing my objections.
Anyway this Government considers people like us as unelected and
unelectable and hence not worthy of responding to.
However I presume that the DIT consists of officials who are still
responsive to public opinion and would consider my request to remove the
references to ISO 27001 in the said notification of April 11 2011.
In case this is not done, the view that the misleading of the public is
deliberate would gain strength.