Demystifying BS 10012 for Indian Companies

Naavi has time and again emphasized that “Security” is for the good of the community, and that if regulatory agencies want to prescribe security guidelines, those guidelines have to be easy to comply with.

When a regulation like GDPR or PDPA 2018 or even ITA 2000/8 is issued as a legal instrument, every entity coming under the jurisdiction of the law needs to comply with it. Normally most entities are law-abiding and will try to be compliant. But if the regulation is unclear or too complicated, compliance will be low.

It is the duty of experts to come to the assistance of the subject entities to be compliant with the necessary guidelines and the law.

Whenever there is such a need to make people aware of a law and of how it has to be implemented in practice, a commercial opportunity arises in “Training”, “Implementation Consultancy” and “Certification”.

Ideally the law has to be made by the Government and it should be left to the private sector to equip itself with the necessary knowledge and skill. If some experts are good enough to package a service to spread that knowledge and skill, that is their ingenuity.

If the Government can invest in outreach programs of its own, so much the better.

However, a law-maker cannot tell a citizen that he has to make a payment to know what the law is. If the Government does so, it becomes a “Tax”. Hence Government programs have to be essentially free for the participants. If a private sector partner is used in such training, then the cost has to be subsidized by the Government, partly or fully, through sponsorship.

This principle that “Law should be made known to citizens free of cost” was discussed extensively when the then UPA Government came up with the Section 43A (ITA 2008) guidelines in April 2011, in which they mentioned that “Adherence to ISO 27001 standard will be deemed to be compliance of Section 43A”.

Naavi took serious objection to this rule, stating that it would require the lakhs of prospective compliance organizations first of all to buy the standard at around US$160 and then to spend about Rs 3 lakhs to get certified. We said then that this was a scam bigger than 2G. The MEITY of Mr Kapil Sibal at that time was very angry about this comparison with the 2G Scam, and many of the executives are still harboring a grudge against Naavi for this reason.

However, in reply to an RTI, the ministry confirmed that it is not “Mandatory” to have ISO 27001 certification to be compliant with Section 43A, and though the ISO organization was allowed to make commercial gain out of the inappropriate mention in the guideline, the matter rested there.

(Details are available in earlier articles from around 2011 on this site, available through the link on Old Posts.)

Section 43A is now being Replaced

Presently we are in the new era of Data Protection and expecting the PDPA 2018 to be passed whenever the political will manifests. Once this is enacted, Section 43A will be replaced with a whole set of regulations in the Act itself.

As a result, compliance managers need to understand the law and interpret it in a manner that would be acceptable under subsequent judicial scrutiny.

Naavi has, through Cyber Law College, already offered to provide training on PDPA 2018 in the same manner in which he has been instrumental in spreading awareness of ITA 2008, HIPAA and GDPR in India. (For all three of these, recorded course content is available at

On PDPA 2018, Naavi has adopted a slightly different mode of online coaching since the law is yet to crystallize. These courses are of course priced and are expected to generate revenue for the provider of the course. Naavi has also been discussing sponsorship of such programs with some partner organizations.

During these courses, Naavi often presents a Framework of his own under the banner “Indian Information Security Framework-IISF-309” which tries to incorporate the requirements of compliance to the extent necessary.

This framework is actually a substitute for the “Standards”, though it may not be as detailed as a standards document, and it is explained in more depth during the implementation training.

Being Certified Vs Being Compliant

Many companies, however, are more interested in getting themselves “certified to be compliant” rather than actually “being compliant”. For this purpose they look for an agency whose “Certificate” has some blind recognition, even if it comes at a high price.

The GDPR regime as a whole is heavily biased towards making money, and hence, apart from imposing insane penalties for non-compliance, it enables the creation of a Certification system whereby people make money for just reprinting GDPR articles as “Implementation Guidelines” or “Standards”, and for creating “Certification of Certifying professionals” as well as the “Certification of compliance” itself.

Naavi believes that this entire eco-system is dishonest, since its purpose is making money through licensed distribution of what should be free knowledge, and it is not oriented towards creating an eco-system of faithful compliance.

No doubt some level of compliance does come out of such activities, but the value proposition is mostly inadequate and often exploitative.

New Mission to Demystify Data Protection Regulations in India

Having declared Naavi’s intention to work towards making “Security Knowledge” as affordable as possible to the marketplace, Naavi’s Cyber Law College is interested in undertaking a missionary approach towards spreading knowledge about Data Protection Regulations in India, at prices that are, if possible, lower than the competition’s.

Towards this objective, Naavi is embarking on empowering organizations for BS 10012-2017 compliance, while certification can be obtained, if required, by organizations that partner with Naavi in this program.

Just as Cyber Law College embarked upon a “Cyber Law Awareness Movement” in 2004-06, it is now proposed that Cyber Law College and Naavi will embark on a “Demystifying Data Protection Laws” movement, which will include compliance with GDPR to the BS 10012 standard, PDPA 2018 (as proposed) and ITA 2018 in general as applicable to data protection.

This program will consist of in-house corporate awareness programs, extended training programs and educational courses.

I look forward to other professionals and organizations providing their guidance on how this objective can be achieved and how the mission of Cyber Law College can be made a success.

One of the objectives of this proposed movement is that, by the time PDPA 2018 comes into effect, the codes and practices etc. which the DPA needs to provide do not become a commodity that can be used for exploitation of the user industries, and that the possibility of exploitation in selling the standards and providing certifications etc. is very much reduced.

I wish that the DPA never allows “Standards” organizations to create copies of the legislation and call them proprietary standards protected by Copyright. All such standards should be declared open source, or otherwise certifications based on them should not be recognized by the DPA. Commercial exploitation should be limited to the implementation of such standards and not to selling the standards specification itself. is interested in creating a knowledge distribution system in such a manner and at such a price that the possibility of such exploitation is substantially reduced, if not eliminated.

Watch out for more details in this site from time to time.

Your comments are welcome.

