Is India selling itself out to ISO 27001?
It appears that India is on the verge of introducing
an "ISO Tax" on Indian corporate entities.
Recently, the Ministry of Communications and Information Technology
(MCIT) released the draft notification proposed to be released in
respect of Section 43A of ITA 2008.
Knowingly or unknowingly, the draft guideline appears to create a perennial
drain of funds from India to a foreign organization.
This needs to be debated at length before the notification is finalized.
The specific point of contention is whether a notification under a
statutory law can make it mandatory that Indian Body Corporates subject
themselves to a standard which is proprietary and belongs to a foreign
organization.
The notification under Sec 43A defines what is "Sensitive Personal
Information" and "Reasonable Security Practice" that a body corporate
should follow to avoid liabilities under the said section.
At first glance it appears that the guidelines are trying to suggest use
of ISO 27001 as an "optional" framework for "reasonable security
practice". However, the drafting as of now would end up being
interpreted as making ISO 27001 mandatory.
For example, under clause 7 of the notification, it is stated
"Any person, including a body corporate shall be considered to have
complied with reasonable security practices and procedures, if they have
implemented such security practices and standards which shall require a
comprehensive documented information security programme and information
security policies that contain managerial, technical, operational and
physical security control measures that are commensurate with the
information assets being protected."
But in the very next paragraph it says that the security practices
prescribed by the ISO 27001 standard are enshrined in the principle outlined
in the previous paragraph.
It also subsequently mentions that a body corporate which has implemented
ISO 27001 shall be deemed to have complied with the reasonable security
practices.
While advocating and recognizing ISO 27001, the guideline also renders
it a monopoly status since no other practice is considered acceptable.
The notification specifies that if industry associations or industry
clusters are presently following any other practice, they need to get
their codes of best practices approved by the Government, and these shall
also be notified.
With these suggestions, the notification makes ISO 27001 the monopoly
standard of security for all body corporates.
Since this notification is part of ITA 2008, this means that there would
be a legally created monopoly for what was originally designed by ISO as
a code of best practices for the sake of uniformity in the practices.
In order to justify the stand taken, the notification also provides a
statutory certificate that "ISO 27001 has already been adopted by the
Country"!
It is not clear how the notification arrogates to itself the right to
declare ISO 27001 as the "Indian National Information Security Standard",
or whether there was any study to confirm what percentage of Indian
corporates are presently ISO 27001 certified, so that one can make the
statement that it has been adopted by the country.
While there is no dispute that ISO 27001 is a popular framework and is
also a comprehensive framework, it is not considered appropriate for the
Government of India to incorporate it to the statutory law as a
mandatory feature.
It must be remembered that though ISO 27001 is called a "Standard", its
specifications are not available in the public domain and have to be
purchased by any person who wants to know what the "Standard" is.
Since the notification does not disclose the specifications as a part of
the notification but suggests that every body corporate (which term
includes a firm, sole proprietorship or other association of individuals)
should follow the framework, it is mandating that all such entities
which would like to be compliant with the law, and want to know what the
law is, purchase a copy of the specification from the international
agencies which have been authorized to sell the specifications. The bare
specification costs US $ 159/-, which is like a tax imposed on law
abiding entities.
There are more than a million entities which would immediately come
under the radar of this notification and we are therefore talking of
around US$ 150 million or around Rs 675 crores only on purchase of
specifications that may go to ISO. Then the cost of conducting a gap
analysis at around Rs 3 to 5 lakhs per company and then certification
would all add up to a massive investment of around Rs 1 lakh crores if
all the body corporates need to be ISO 27001 certified. Even if the ISO
certification comes down to around Rs 1 lakh, the overall cost to the
industry to remain compliant would be prohibitive.
Another point to be noted is that though ISO is termed the "International
Standards Organization", its ownership is not international and the Indian
Government has no stake in it.
Hence all payments that are made towards ISO compliance indirectly go
to the foreign organization and cause a drain of resources from India.
It is necessary to recognize that ISO 27001 is neither rocket science
nor the perfect remedy for Information Security. There are other equally
competent frameworks, and perhaps all of them suffer from inadequate
inclusion of "legal aspects of Information Security". Several
organizations such as the RBI have already developed separate information
security standards that are already in use and do take into account the
ISO 27001 prescriptions. Hence there is no reason why ISO 27001 alone has
to be declared by statute as the acceptable standard.
As a statutory prescription, the best option is to suggest that an
organization shall declare its information security policy and may adopt
ISO 27001 if it so desires. This is the approach the Companies Act takes
when it suggests model Articles of Association that can be adopted,
while permitting a company to draft its own articles.
A similar approach is required for the Information Security Standard
also. It is enough if the statutory guideline states that "Each
organization shall develop a comprehensive Information Security Policy,
register it with the CERT-In and disclose it to public through its
website". CERT-In can then monitor from time to time with a regulatory
audit if the disclosed policy is indeed being followed or not.
It is left to the customers who do business with such a company to
consider if the disclosed policy is good enough or not.
Such a policy would be transparent, flexible and acceptable to all
companies big or small without any compulsion to use a specific
framework.
There should be no need for prior approval and gazette notification of
the policies as is being suggested now.
The notification can however clarify that whether a policy adopted by a
body corporate is considered "reasonable" or not will be determined when
there is a claim against the company and the reviewing judicial authority
takes the facts and circumstances into consideration to decide if the
policy is "reasonable" and its adoption can be considered as "Due
diligence".
By not adopting such an open, disclosure oriented policy, the draft
notification has created a situation where, once the notification is made,
lakhs of body corporates will be rendered "Non compliant" with the
provisions of Section 43A, making them vulnerable to being held liable.
This could create a rush for ISO 27001 certifications to such an extent
that the system which already has many agencies who provide
certifications as a matter of routine would become even more diluted.
This will defeat the very purpose of the new notifications to improve
the information security practices in the industry.
I hope CERT-In would take these comments into consideration and delete
the specific reference to ISO 27001 in Clause 7 of the proposed
notification.
Naavi
February 20, 2011
Any Comments on this article can be sent to
naavi@vsnl.com
Reference:
Draft Guideline-Sensitive Personal Information