ISO-4: Understanding the Context

Before an organization sets about to establish an ISMS or an auditor starts an ISO 27001 audit, it is essential to understand and set the ‘Context’ in which the activity needs to be planned and implemented.

By ‘Context’ we mean the internal and external issues that reflect the constraints for the activity of the organization.

To the extent these constraints are manageable, they can be addressed as part of the suggested business policy changes that can accompany the setting up of the ISMS. To the extent the constraints are internal and affect the ISMS risks, they need to be mitigated as a part of the risk management policy. To the extent the constraints are not controllable, they need to be accepted and risks arising thereof become absorbed risks.

Most of the time the role of an auditor arises in an existing organization which already has established a vision and mission and has a top management Governance system tuned to business objectives. The IS objectives are to be integrated into this structure. In the process it may cause disruptions of existing systems and hierarchy of decision making which has to be recognized as an “Implementation Risk” and has to be handled with finesse.

This is the toughest part of the activity of ISMS and is often addressed as the challenge of getting a Buy-In by the top management. A successful ISMS auditor needs to therefore have the skills of communication and persuasion required to get the plan accepted and resources sanctioned.

Most often, the ISMS activity in an organization is triggered because market forces dictate it. Some clients would have raised a query such as “Are you ISO 27001 compliant?”, “Are you GDPR compliant?”, “Are you ITA 2008 compliant?” or “Are you DPDPB 2022/23 compliant?”.

The marketing person might have given a feedback that they may lose a prospective contract because of not being able to provide an assurance to the client about the status of Information Security/Privacy Protection in their company.

At this time, the Company needs to decide on what is required for them in the given context and choose whether they have to go for ISO 27001 or DPDPB 2022 or GDPR as the framework for designing its activity.

If a Company is operating in India entirely for the Indian customers, it has more value for ITA 2008 compliance than GDPR certification. If a company is interested in Privacy more than IS, priority has to be for GDPR than ISO 27001. In India ITA 2000/8 today is both an IS law as well as privacy law. The company has to determine this at the time it sets the context.

A GDPR or DPDPB 2022 framework may be recognized as a “Privacy Compliance” requirement and not an ISMS per-se. On the other hand ISO 27001 is an ISMS per-se and when associated with ISO 27701 adds Privacy also. However, a GDPR or DPDPB 2022 does address CIA principles of information security within the “Personal Information” domain and hence ISO 27001 is still relevant for implementation of GDPR or DPDPB. If the same principles are extended to Non Personal Data, a DPDPB compliant organization can be also compliant with ISO 27001 standards as a whole.

When we plan an ISMS under ISO 27001, we need to understand that the context has to take into account that there is a law in India on Information Security called Information Technology Act 2000/8 (ITA 2000/8) and there will be consequences if the ISMS does not meet the requirements of ITA 2000/8. Hence the need to understand the legal environment and ensure that the ISMS is in sync with the ITA 2000/8 is an essential part of the context building.

The available resources of a Company are obviously a constraint which has to be factored into the planning, since an SME with a turnover of Rs 10 crores cannot be expected to spend as much money as an MNC with a turnover of Rs 1000 crores. A start-up with 20 employees cannot plan an ISMS like an organization with 20000 employees. Hence the ISMS planner/auditor needs to be flexible, and this gets reflected in the SOA (Statement of Applicability) or the Implementation Charter (PDPSI specification).

Apart from the legal compulsion which if not complied with, may come with heavy penalties, it is necessary for the management to be convinced about the need for the ISMS or DPCMS (Data Protection Compliance Management System). The best way to achieve this is to present the ISMS requirement as a “Business Objective”. It is for this reason that the ISMS planning has to take into account the needs of the CMO, CFO and the CEO as much as it is an initiative of the CTO to reduce the risk of data breach and meeting the risks of a Cyber attack.

This “Management perspective” of ISMS has to be addressed by linking the ISMS need to the business objective. Unless an organization is a philanthropic organization, management cannot disassociate itself from the profit motive. Hence it will be impractical if we as ISMS planners do not understand the needs of the management to make money for the Company. Hence the views of the CMO/CFO/CEO need to be adequately respected, and their acceptance of any ISMS proposal is a necessity.

Hence it is always better to start the ISMS activity with the development of an Information Asset Inventory and making the management realize the value of the assets they manage and the consequences of not securing these valuable assets. Developing an inventory of Data Assets means identifying the Data Storage points, Data Collection Points and Data Processing Points. It is better to add the Data Disclosure points also to this “Data Mapping” exercise so that the lifecycle of data in the organization is properly understood for determining the context.

ISO 27001 may not directly refer to any controls that direct them to financially value the information assets, while PDPCMS based on PDPCSI does mandate a thought on Data Valuation as a part of bringing the visibility of the asset value to the top management. Similarly PDPCMS also takes into account the need for “Monetization” of personal data within the legal permissions by suggesting appropriate policies for “Profiling”, “Monetization” etc.

When a visionary ISO 27001 implementer interprets the “Context” under clause 4, he may include the “Risk Analysis” based on ISO 31000 and may arrive at the same conclusion that PDPCMS arrives at regarding the need for Data Asset Valuation. But as a framework, a majority of the implementers of ISO 27001 may miss these requirements.

It is for these reasons we say that PDPCSI is an improvement over existing frameworks such as ISO 27001 (with ISO 27701 combined).

It may take time for the market to realize this but it will happen over a period of time as PDPCMS becomes more and more common in implementation.

Naavi

Posted in Cyber Law | Leave a comment

ISO-3: Structure -10 clauses with 93 Controls

ISO 27001:2022 adopts a structure of presenting the requirements through the main document, which consists of 10 clauses, and Annex A, which indicates 93 controls.

In comparison, PDPSI adopts 12 Standards and 50 Model Implementation Specifications.

The first three clauses of ISO 27001 cover the scope, Normative references and the Terms and definitions. More critical aspects of implementation are covered by the clauses 4 to 10, namely:

4: Context of the Organization

5: Leadership

6: Planning

7: Support

8: Operation

9: Performance Evaluation

10: Improvement.

The structure of the clauses follows the PDCA approach of the Plan, Do, Check and Act cycle.

Clause 1 specifies the scope of the document as specifying the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organization. The requirements for assessment and treatment of IS risks are also covered. The scope does make a mention that excluding any part of the requirements specified in clauses 4 to 10 is not acceptable. But this has to be seen along with the “Statement of Applicability” under clause 6.1.3 (d) which allows omission of certain controls based on a justification.

PDPCSI defines its scope as the compliance of laws related to Personal Data Protection and includes the word “Compliance” in the title itself. The target law that a PDPCSI system has to address depends on the “Data Set”.

Hence if an organisation has multiple country data like GDPR data and Indian data, PDPCSI implementation may require application of one set of controls for GDPR data and another set of controls for Indian personal data.

This is achieved through appropriate “Classification” of information with a tag of “Applicable Jurisdiction”. This approach enables PDPCSI to be called a “Unified Framework”.

ISO avoids this difficulty by stating that the requirements are “Generic” and not specific to any sector. But ISO creates multiple standards for different sectors.

The version of PDPCSI applied to Non Personal Data, which we may sometimes refer to as the “Non Personal Data Compliance Standard of India (NPD-CSI)”, will similarly focus on the jurisdiction of law, and NPD-CSI for the Indian context will be compliant with ITA 2000/8. This framework, titled IISF 309, was one of the first such frameworks suggested by Naavi way back in 2009, along with three levels of maturity as Level I, II and III. This is now being merged with the concept of DTS and brought under NPD-CSI.

PDPCSI also refers to a “Deviation Justification Document” and an “Implementation Charter” which provide the flexibility to logically exclude certain Model Implementation Specifications (MIS) and arrive at a set of Adopted Implementation Specifications (AIS). The PDPCSI-supported DTS calculation is done on the basis of the MIS, but the Certification of Compliance is provided on the AIS and the Implementation Charter approved by the management on the basis of their Risk absorption policy.

DTS represents the maturity of an organisation in implementation and hence adds value to the framework.

PDPCSI therefore provides the flexibility for the management to tailor the framework for different sizes of the organization and different sectors.

ISO 27001 refers to ISO 27000 in its normative reference while PDPSI is a standalone framework.

However we may pick up ISO 27701 (A requirement and not a certifiable standard) for comparison with PDPCSI as it is a privacy framework.

ISO 27701 is presented as an extension of ISO 27001 and hence is completely dependent on ISO 27001. It defines a category of PIMS as an extension of ISMS but does not make a distinction by type of organization or sectoral differences.

In the description of the structure of the document, ISO 27701 states that “This is a sector-specific document related to ISO 27001 and 27002”. It appears to identify PII as a “Sector” by itself. The approach stems from the focus on “Data” more than the “Person behind data” which is necessary for Privacy discussions.

Some of the sectoral requirements are addressed through separate standard definitions making ISO 27701 a maze of multiple standard implementations. Compliance will always be better if it is simple.

If we make Compliance of one standard dependent on another and another as a chain, it will make it difficult for the complying organization to maintain the compliance over a time. PDPCSI tries to achieve simplification by making it a “Unified Model” and enabling flexibility to be achieved at the implementation level.

For example, a consent document under PDPCSI-India may conform to DPDPB 2022 while a similar document under GDPR may conform to GDPR requirements, while the standard and the model implementation specification remain the same for both. By adopting this process PDPCSI avoids duplication of standards to some extent. For the same reason PDPCSI leaves it to the consultants to develop their own templates and does not make templates part of the MIS.

The 12 standards of PDPCSI are as follows:

1. Applicable Law
2. Governance Structure
3. Risk Mitigation Charter
4. Compliance By Design
5. Compliance oriented Data Classification
6. Distributed Responsibility
7. Communication with Stakeholders
8. Technical Controls
9. Policy Controls
10. Compliance Culture
11. Certification capability
12. Measurability

The Standards mentioned in PDPCSI are explained in greater detail under the Implementation specifications and some of the title headings may repeat under the MIS with specific responsibility assigned to different divisions.

We have presented the 12 standards of PDPCSI here for comparison with the clauses 1-10 of ISO 27001 only.

The difference in approach between the two frameworks is that ISO 27001 tries to follow the PDCA through the 10 clauses. PDPCSI, on the other hand, expects PDCA in each of the MIS implementations, in addition to covering “Audit” as one of the controls. Even the MIS on audit would be subjected to the PDCA process.

The four themes of the Annex A controls as against 14 earlier is closer to the PDPCSI approach where 5 responsibility centers were identified for implementing 50 MIS.

ISO 27001 is however more oriented to four processes whereas PDPCSI recognises five responsibility centers.

In a future article we shall present the mapping of ISO 27001 to PDPCSI and identify how many are similar and how many are different.

…Let us continue our discussion in the next article…

Naavi


ISO-2: 93 controls in Four categories

Annex A of ISO 27001:2022 contains 93 controls in four categories. The Organizational Controls under A.5 have 37 sub-controls, People Controls under A.6 have 8 sub-controls, Physical Controls under A.7 have 14 sub-controls and Technology Controls under A.8 contain 34 sub-controls.

The earlier version of ISO 27001:2013 was unwieldy with 14 different types of controls.

When we look at the categorization adopted by PDPSI, there are 5 categories and it is based on the “Responsibility Centers”. The five responsibility centers used in PDPSI are Management (15 Model Implementation Specifications or MIS), DPO (9 MIS), Legal (2 MIS), HR (4 MIS) and IT (20 MIS).

The 8 people controls under ISO 27001:2022 can be compared directly with the 4 HR controls (MIS 27-30) under PDPSI. The 34 technology controls and 8 physical controls under ISO 27001:2022 can be mapped with the 20 IT MIS of PDPSI (MIS 31-50). The 37 Organizational controls under ISO 27001 can be compared and mapped with the 15 Management level MIS (MIS 1-15), 9 DPO level MIS (MIS 16-24) and 2 Legal level MIS (MIS 25-26).

ISO 27701 provides a mapping of the guidelines with GDPR. However, PDPSI can be mapped with GDPR as well as DPDPB 2022.

It would be interesting to compare the different controls under ISO 27001:2022 with the corresponding MIS under PDPSI. In this comparison we may find that PDPSI not only covers the entire ISO 27001:2022 and ISO 27701:2019 but adds a few more implementation specifications, making it more comprehensive.

We shall discuss these in the next few articles.

Naavi


ISO-1: The Scope of ISO 27001:2022

The scope of the ISO 27001:2022 standard is to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process. One of the objectives of the standard is to give confidence to interested parties that risks are adequately managed.

If we compare ISO 27001 with a framework such as PDPCSI, the following differences stand out.

1. PDPCSI applies to Personal Data only, while ISO 27001 applies to both personal and non-personal data.

2. PDPCSI is related to mitigation of the risk of non-compliance with a given personal data protection law, while ISO 27001 is related to preserving the CIA of information.

3. PDPCSI is to mitigate/avoid the risk of penalty under the data protection law, while ISO 27001 is to provide confidence to the business partners.

There is one school of thought that ISO 27001 is an ISMS system while PDPCSI is a law compliance system and the two are not comparable.

However, law compliance always refers to the “Reasonable Security” to be maintained on personal data as part of the requirement of compliance. It is found in one of the sections of the law, such as Article 32(2) of GDPR or Section 9(4) of DPDPB 2022.

Article 32(2) of GDPR states: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Article 9(2) of DPDPB 2022 states: “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.”

ISO 27001 addresses these specific requirements of the data protection laws since it is a framework for preserving the Confidentiality, integrity and availability of information.

However, PDPCSI considers this as one of the important requirements, but there are a multitude of other requirements that it tries to address. The main requirements of privacy are establishing the legal basis for processing, protecting the rights of the data subjects, ensuring compliance throughout the life cycle of the data processing, etc. Obviously, ISO 27001 does not aim to address these aspects.

In that case, it is unclear what the change of title of ISO 27001 to include “Privacy Protection” means.

When the number of controls in Annex A of ISO 27001 was reduced from 114 to 93 in the new version, the following 11 new controls were added.

  • A.5.7 Threat intelligence
  • A.5.23 Information security for the use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

The reduction of the number from 114 to 93 has come about because of the merging of several other controls. 35 of the earlier 114 controls remain unchanged, 23 controls were renamed and the remaining controls were merged into 24 new controls.

Hence if “Privacy Protection” has been added to ISO 27001 in the new version, it should be part of the above 11 controls.

On the other hand, ISO 27701 addressed the Privacy related controls applicable for PII as PIMS and included requirements such as

  • Awareness and training: These controls address the need to raise awareness of privacy risks among employees and to provide them with training on how to protect personal data.
  • Consent: These controls address the need to obtain consent from individuals before collecting, using, or disclosing their personal data.
  • Data minimization: These controls address the need to collect only the personal data that is necessary for the purpose for which it is being collected.
  • Data security: These controls address the need to protect personal data from unauthorized access, disclosure, modification, or destruction.
  • Privacy impact assessment: The organization should conduct a privacy impact assessment (PIA) to identify and assess the privacy risks associated with its processing of personal data
  • Privacy policy: The organization should have a privacy policy that sets out the organization’s commitment to privacy and the rights of individuals with respect to their personal data.
  • Data protection officer: The organization should appoint a data protection officer (DPO) to oversee the organization’s compliance with privacy laws and regulations.
  • Data breach notification: The organization should have a process for notifying individuals and regulators of data breaches.

ISO 27701 was not, however, a certification standard, and its implementation had to be done along with ISO 27001 for certification.

Hence if we are looking at ISO 27001 as a standard for PIMS, then we need to look at both ISO 27001:2022 and ISO 27701:2019. However, ISO 27001:2022 does not refer to ISO 27701 in its normative reference list because it is the base standard and ISO 27701 is only a guidance. ISO 27701 on the other hand refers to ISO 27001:2013 and not ISO 27001:2022.

Hence ISO 27001:2022 cannot be considered as a framework for privacy management despite its title. A creative auditor may however imply several aspects of Privacy into “Confidentiality”.

But ISO 27001+ISO 27701 is comparable to PDPCMS as a standard for implementation and certification of a PIMS.

ISO 27001 is relevant in comparison with PDPCMS to the extent PDPCMS protects CIA of personal data and hence we can continue to look at ISO 27001 from this limited perspective. After completing the discussion on ISO 27001, we shall explore ISO 27701 also.

Naavi


ISO 27001:2022 Demystified

In November 2022, ISO introduced a new version of its popular ISMS framework, namely ISO 27001. This ISO 27001:2022 will be the new standard to replace the ISO 27001:2013 version. ISO expects that certifications on the basis of the 2013 version need to be transitioned to the new version before November 2025.

However, as always, “Compliance” is a journey, and the earlier one starts, the better it is. Naavi, who has been a pioneer in recommending an indigenous framework, PDPCSI (Personal Data Protection Compliance Standard of India), is in the forefront of education related to compliance with the law related to Data Protection.

Naavi started his foray into consultancy for Data Protection way back in 2000 with the “CyLawCom” certification, and also developed a framework named IISF 309 (Indian Information Security Framework), compliant with ITA 2000, in March 2009. Subsequently Naavi shifted focus to Personal Data Protection and developed PDPCSI (Personal Data Protection Compliance Standard of India) as a framework for planning and implementing data protection compliance as per GDPR and the Indian personal data protection law as it is emerging.

PDPCSI had already incorporated several innovative thoughts that made it a better standard for compliance than ISO 27701, which was specifically created for GDPR compliance. The concepts of Data Valuation, DTS and Distributed Responsibility were futuristic thoughts. In the past the PDPSI framework has been mapped to ISO 27701 as well as other frameworks to provide confidence to the market that PDPCSI is inclusive of all the best practices in ISO 27701 (which included ISO 27001:2013).

Now that ISO has come up with the new version, there is a need for professionals to understand how the current version of PDPCSI compares with the proposed ISO 27001:2022.

With this objective in view, Naavi.org will start a series of articles to capture the essence of ISO 27001:2022. This will be the basis for the training on ISO 27001 that may emerge in due course from Cyber Law College/FDPPI.

While presenting ISO 27001:2022, we will try to provide relevant comparison to PDPCSI so that the body of knowledge developed would help understanding of both ISO 27001 and PDPCSI.

I am not sure of the time line for completion of this series since it will be done along with the other activities of Naavi. Since we are expecting the new version of DPDPB to be presented in the current Parliament, there would be more activity related to the Training of DPOs in India and implementation of Privacy projects. Hence this series may take some time to complete. But just as we say “Little drops make the ocean”, we shall start stitching together some knowledge bits which will in due course become useful.

In the past, visitors to this website have said that “Naavi.org is the wikipedia of Cyber Laws in India”. In the coming days, Naavi.org should also be called the wikipedia on ISO 27001.

Let’s hope that the almighty provides the time and energy to complete the project as soon as possible.

I request all of you to not only contribute your good wishes but also some thoughts of your own, as guest articles or at least as comments to the article.

Naavi


Mumbai High Court Flirting with Truth

The bench of Mumbai High Court which is hearing the complaint against the recent IT rules regarding fake news is making comments which make good headlines in a Newspaper but are irresponsible and may even be termed naive and biased.

On 14th July, Newslaundry.com headlined “Can’t bring a hammer to kill an ant; Bombay High Court calls IT rules ‘excessive’”.

It was noteworthy that the same headline was used by multiple publications such as NDTV.com, The Hindu, Deccan Herald, The Print etc.

Obviously it appeared that all these editors found that the words of the Judge were like a “Quotable Quote”. Was it a coincidence that all these editors thought of the same headlines, or was it a press release sent out to all these publications by one of the petitioners or on his behalf by some organization?

This is not the first of the quotes of the bench which have got wide publicity. Earlier reports quoted:

“IT rules Amendment Prima facie lack necessary safeguards to protect Satire”

“No matter how laudable the new IT rules are, if the effect is unconstitutional, they must go”

“Government is not a repository of truth that cannot be questioned”

The Court further went on to comment:

“It is difficult that one authority of the Government is given absolute power to decide what is fake, false and misleading….”

“There is an assumption that what the FCU says is undeniably the ultimate truth”.

“No person is claiming a fundamental right to lie”…

“..a person can be anything they want (on the internet) is not necessarily impersonation”.

These are all the opinions of the individual judge/s and not supported by facts. In a way the Judges are lying themselves when they are making these comments.

The current status of the case is captured in this video

The petitioner Mr Kunal Kamra is a political activist who can claim anything in his petition. But it is inappropriate for the Judges of the Bench to make comments as if it has already made its decision even before the trial concludes.

The way the judges are blurting out their views, reminiscent of the behaviour of the Supreme Court bench which heard the Nupur Sharma case, indicates that this trial is a farce and the Judges have already made up their mind on the outcome.

The Court by its conduct is misleading the public by making unwarranted comments.

In our opinion just as I have the right to say that anything published about me online is false, the Government also has the right to say what is told about it in the digital media is not correct or false.

The Court cannot take a stand that any false statement can be made on the Government and the Government has to be a mute spectator.

For example, if any publication says that a particular judge is corrupt, has taken bribe for giving out a decision, does the judge not have a right to give a counter statement in the press besides launching a “Contempt” proceeding?

Similarly, every citizen as well as the Government has the right to counter the truthfulness of a false statement first by a counter statement, and this right is in addition to the right to file a case in a Court of law. What the counter statement does is to give the knowledge to the publisher that the content is disputed.

If the publisher then decides that the content is fine and is part of the free speech, he can very well not do any thing on the counter statement. It would be ethical to publish the counter statement on the same publication but even this is not mandatory.

What the notification states is the right of the Government to make a public statement that a certain information as published is false. Currently this is only regarding the information about any Government department. There is no compulsion that the information has to be removed forthwith.

Only God knows how can the Court consider this “Right to Self Defence” as incorrect and undesirable.

It is also wrong to say that any “FactCheck call” will make the Intermediary vulnerable to punishment. Punishment, if any, will come only if a Court decides in a case that the false information caused a wrongful harm to somebody.

The Court is completely wrong to presume that every Fact Check call is an automatic punishment on the Intermediary.

The Court has also asked repeatedly why this rule is for digital media only and not print media. I hope the Court will remember that the Print Media works under a different system where there is a publisher and editor to take the responsibility for the content posted by a reporter. On the digital media the reporter is himself the editor and the publisher, and it needs a different set of rules. There is also a “Press Council” to monitor, which is not available for digital media including YouTube publications.

In order to defend the argument of the political petitioner, the Court has gone to the extent of saying that there is “No Impersonation” if a person presents himself as somebody else on the internet. This is pure and simple “Forgery” and the Court defends electronic forgery. This directly counters Section 66C and 66D of ITA 2000/8.

I will recall the words “Vinashakale viparata Buddhi” for this statement.

The Judge does not seem to know what are the implications of his statement.

In the video above one of the advocates for the petitioner has suggested that “Satire” by definition is stating a falsehood and hoodwinking the public to believe the untruth and later calling it a bluff and laughing it off. However, until somebody challenges it, the falsehood prevails and damages the social fabric.

The Cambridge dictionary only says Satire is a way of “criticising people or ideas in a humorous way”. It does not give license to say something false in digital writing and let it go viral, just to excuse oneself when cornered by claiming it to be a “Satire”.

In the Advertisement industry, there is an ethical way of publishing articles which are paid for and are considered Advertorials. Such content always contain a note in some corner which says it is an advertisement.

Similarly, if some content has to be considered a “Satire”, it should declare itself to be so either in the beginning or in the end. On the other hand nobody should be allowed to say a falsehood and wait for the public to believe it as true and, when challenged, state that “I only wanted this to be a satire”.

This is absolutely unacceptable even if the Mumbai High Court has a counter view point.

The two judges of the bench hearing the case have already created enough damage to their reputation as independent judicial functionaries and should strictly refrain from making any further comments. Their views are known, and they themselves are better than the advocates of the petitioners in defending the petition, and they should straight away pronounce their judgement.

It is a waste of time and money to carry out such trials which have no purpose in the society. The Government should call out the evident bias that the bench is displaying and demand a new bench to be constituted for carrying on the trial.

Naavi
