Let's Build a Responsible Cyber Society




Is DIT misleading the public?

The GOI released the notification of rule under Section 43A on April 11, 2011. Naavi has presented his views on the same in the article here.

One of the points raised by Naavi was that the rules were framed in such a manner as to make people think that compliance of the Sec 43A is deemed to have been completed if an organization is certified for ISO 27001. Naavi also pointed out that

a) Organizations which completed ISO 27001 before April 11 2011 obviously cannot be considered to have complied with the requirements and hence the notification was wrong per-se.

b) ISO 27001 audits donot in practice cover ITA 2008 as one of the laws that the target company need to comply with and hence it is improper to provide a compliance immunity based on ISO 27001 audit

c) It was conceptually wrong for the Government of India to have promoted ISO 27001 audit as a part of the law.

d) The notification amounted to hoisting a liability of Rs 7000/- on every citizen of India who had to buy the ISO 27001 specification to understand the parliamentary law and the industry had to spend over Rs 30000/- crores for meeting the requirements on an annual basis which is unfair, impractical and indicative of a scam of the size of the infamous 2G scam.

In response to an RTI query, the department clarified as follows by Mr Prafulla Kumar, Director, MCIT dated 11th July 2011.


However, the website http://www.itgovernanceasia.com/t-iso27001.aspx?utm_source=DSCI&utm_campaign=iso27001  states as follows:


It is clear from the above that IT Governance is using the notification to mislead the public into believing that ISO 27001 is the compliance specification for Section 43A. The department by remaining silent will be considered as conspiring with the IT Governance organization to make people believe that they need to go through the ISO 27001 audit as a mandatory provision.

This completely validates the concern that Naavi expressed that the notification is a possible scam bigger than 2G scam.

We seek an explanation from DIT and the IT Governance authority about this.

Apart from placing this note for information to the relevant authorities through the Internet, we also urge the Comptroller and Auditor General (CAG) to take note of the possible irregular manner in which this notification is sought to be implemented though it is detrimental to the interests of the country and makes use of the parliamentary law to promote private foreign commercial interests. Specific attention of the two organizations involved will also be drawn through e-mails.



August 20, 2011

Message sent to IT Goverance through the website:

"I refer to the content in your website which promotes ISO 27001 audit as a recommendation of the Government of India under the rules notified for Sec 43A of ITA 2008. My full views are available at http://www.bloggernews.net/127009 and also at www.naavi.org.
It is improper for your organization to use the Indian Government to promote ISO 27001 audit and you need to refrain from the same. Kindly respond to naavi9@gmail.com "

Message sent to DIT (pkumar@mit.gov.in ): CC: mocit@nic.in,, kapilsibal@hotmail.com, tipu_in@yahoo.com, sushma.swaraj@bjp.org, arun.jaitely@bjp.org, janardhana.swamy@bjp.org, ajaitley@sansad.nic.in, manmohan@sansad.nic.in, cpio-law@nic.in

Mr Prafulla Kumar
New Delhi

Regarding ISO 27001 and Sec 43A-ITA 2008 compliance

Dear Sir

I recall my previous correspondence that DIT in its notification of April 11, 2011, on rules under Section 43A promoted ISO 27001 audit as an information security framework for compliance of Section 43A of the Act. I had pointed out that it was not fair or legal to use a legal document passed by the Parliament to promote a foreign private interest. I had also pointed out that by including the ISO 27001 as part of the rule notification you were mandating every citizen of India to acquire a copy of the specification that costs Rs 7000/- each for 1.2 billion people in foreign exchange. I also pointed out that this would suggest more than 1 million entities to conduct IS 27001 audit at a cost of around Rs 30000/- crores per annum and all this suggests a scam bigger than 2G scam.

You strongly disagreed with my view that you were promoting ISO 27001 through legislation and even replied to me that that was not the intention.

However I insisted that the the wording were misleading and need to be changed when the notification was presented in the Parliament in the current session.

I am not sure if this has been done.

In the meantime I need to point out that in the website of the IT Governance authority ( http://www.itgovernanceasia.com/t-iso27001.aspx?utm_source=DSCI&utm_campaign=iso27001) they are using the guideline as a promotion of ISO 27001 audit being necessary for compliance of Sec 43A.

I am now bringing this to your notice to request you to kindly

a) Order the removal of the reference to MIT rules in the website of IT Governance Asia.
b) Take steps if not already taken to remove the misleading content in the notification.

I have brought this to the notification of many MPs to watch out for the notification to be tabled in the Parliament. I reiterate that the notification has been drafted in a manner that misleads the public and when presented in the Parliament without proper clarification or change as suggested, it would amount to misleading the Parliament as well.

In the event the notification is presented in its present form and passed it will be necessary to move a Privilege motion exclusively on this issue.

I am aware that your department as well as the Parliament is busy with several other pressing engagements and the notification may pass through without any MP noticing my objections.

Anyway this Government considers people like us as unelected and unelectable and hence not worthy of responding to.

However I presume that the DIT consists of officials who are still responsive to public opinion and would consider my request to remove the references to ISO 27001 in the said notification of April 11 2011.

In case this is not done, the view that the misleading of the public is deliberate would gain strength.


 Comments are Welcome at naavi@vsnl.com