Let's Build a Responsible Cyber Society




Is India selling itself out to ISO 27001?

It appears that India is on the verge of introducing an "ISO Tax" on Indian corporate entities.

Recently, the Ministry of Communications and Information Technology (MCIT) released the draft notification proposed to be released in respect of Section 43A of ITA 2008.

Knowingly or unknowingly, the draft guideline appears to set up a perennial drain of funds from India to a foreign organization.

This needs to be debated at length before the notification is finalized.

The specific point of contention is whether a notification under a statutory law can make it mandatory for Indian body corporates to subject themselves to a standard which is proprietary and belongs to a foreign organization.

The notification under Sec 43A defines what is "Sensitive Personal Information" and "Reasonable Security Practice" that a body corporate should follow to avoid liabilities under the said section.

At first glance it appears that the guidelines are trying to suggest the use of ISO 27001 as an "optional" framework for "reasonable security practice". However, as presently drafted, the notification would end up being interpreted as making ISO 27001 mandatory.

For example, clause 7 of the notification states:

"Any person, including a body corporate shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards which shall require a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected."

But in the very next paragraph it says that the security practices prescribed by the ISO 27001 standard are enshrined in the principle outlined in the previous paragraph.

It also subsequently states that a body corporate which has implemented ISO 27001 shall be deemed to have complied with the reasonable security practices.

While advocating and recognizing ISO 27001, the guideline also gives it monopoly status, since no other practice is considered acceptable on its own. The notification specifies that if industry associations or industry clusters are presently following any other practice, they need to get their codes of best practice approved by the Government and notified.

With these provisions, the notification makes ISO 27001 the monopoly standard of security for all body corporates.

Since this notification is issued under ITA 2008, this means that a legally created monopoly would be conferred on what ISO originally designed as a code of best practices, for the sake of uniformity in those practices.

In order to justify the stand taken, the notification also asserts, as if it were a statutory certificate, that "ISO 27001 has already been adopted by the Country"!

It is not clear how the notification arrogates to itself the right to declare ISO 27001 the "Indian National Information Security Standard", or whether any study was conducted to confirm what percentage of Indian corporates are presently ISO 27001 certified, so that one can state that it has been adopted by the country.

While there is no dispute that ISO 27001 is a popular and comprehensive framework, it is not appropriate for the Government of India to incorporate it into statutory law as a mandatory feature.

It must be remembered that though ISO 27001 is called a "Standard", its specifications are not available in the public domain and have to be purchased by any person who wants to know what the "Standard" is.

Since the notification does not disclose the specifications as part of the notification but suggests that every body corporate (a term which includes a firm, sole proprietorship or other association of individuals) should follow the framework, it is in effect mandating that all such entities which would like to be compliant with the law, and want to know what the law is, purchase a copy of the specification from the international agencies authorized to sell it. The bare specification costs US $159, which amounts to a tax imposed on law-abiding entities.

There are more than a million entities which would immediately come under the radar of this notification, and we are therefore talking of around US $150 million, or around Rs 675 crore, on the purchase of specifications alone, money that may go to ISO. Add the cost of a gap analysis at around Rs 3 to 5 lakh per company, and then certification, and the total comes to a massive investment of around Rs 1 lakh crore if all body corporates need to be ISO 27001 certified. Even if the cost of ISO certification comes down to around Rs 1 lakh per entity, the overall cost to the industry of remaining compliant would be prohibitive.

Another point to be noted is that though ISO is commonly referred to as the "International Standards Organization", it is not an intergovernmental body: its members are national standards bodies, and the Government of India has no ownership of or control over it.

Hence all payments made towards ISO compliance indirectly go to a foreign organization and cause a drain of resources from India.

It is necessary to recognize that ISO 27001 is neither rocket science nor a perfect remedy for information security. There are other equally competent frameworks, and perhaps all of them suffer from inadequate coverage of the "legal aspects of information security". Several organizations such as the RBI have already developed separate information security standards that are in use and that do take into account the ISO 27001 prescriptions. Hence there is no reason why ISO 27001 alone has to be declared by statute as the acceptable standard.

As a statutory prescription, the best option is to state that an organization shall declare its information security policy and may adopt ISO 27001 if it so desires. This is the approach the Companies Act takes when it provides model Articles of Association that a company may adopt, while permitting the company to draft its own articles instead.

A similar approach is required for the information security standard. It is enough if the statutory guideline states that "Each organization shall develop a comprehensive Information Security Policy, register it with CERT-In and disclose it to the public through its website". CERT-In can then verify from time to time, through a regulatory audit, whether the disclosed policy is actually being followed.

It is left to the customers who do business with such a company to consider if the disclosed policy is good enough or not.

Such an approach would be transparent, flexible and acceptable to all companies, big or small, without any compulsion to use a specific framework.

There should be no need for prior approval and gazette notification of the policies, as is being suggested now.

The notification can, however, clarify that whether a policy adopted by a body corporate is "reasonable" or not will be determined when a claim arises against the company, with the reviewing judicial authority taking the facts and circumstances into consideration to decide whether the policy is "reasonable" and whether its adoption can be considered "due diligence".

By not adopting such an open, disclosure-oriented policy, the draft notification has created a situation in which, once the notification is issued, lakhs of body corporates will be rendered "non-compliant" with the provisions of Section 43A and made vulnerable to being held liable.

This could create a rush for ISO 27001 certifications to such an extent that certification, already issued as a matter of routine by many agencies, would become even more diluted. This would defeat the very purpose of the new notification, which is to improve information security practices in the industry.

I hope CERT-In would take these comments into consideration and delete the specific reference to ISO 27001 in Clause 7 of the proposed notification.


February 20, 2011

Any Comments on this article can be sent to naavi@vsnl.com


Draft Guideline-Sensitive Personal Information