ISO 27001:2022 adopts a structure of presenting the requirements through the main document that consists of 10 clauses and the Annexe A which indicates 93 controls.
In comparison, PDPSI adopts 12 Standards and 50 Model Implementation Specifications.
The first three clauses of ISO 27001 cover the scope, Normative references and the Terms and definitions. More critical aspects of implementation are covered by the clauses 4 to 10 namely
4: Context of the Organization
5: Leadership
6:Planning
7: Support
8: Operation
9: Performance Evaluation
10: Improvement.
The structure of the clauses follow the PDCA approach of Plan, Do, Check and Act cycle.
Clause 1 specifies the scope of the document as specifying the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organization. The requirements for assessment and treatment of IS risks are also covered. The scope does make a mention that excluding any part of the requirements specified in clauses 4 to 10 is not acceptable. But this has to be seen along with the “Statement of Applicability” under clause 6.1.3 (d) which allows omission of certain controls based on a justification.
PDPCSI defines its scope as the compliance of laws related to Personal Data Protection and includes the word “Compliance” in the title itself. The target law that a PDPCSI system has to address depends on the “Data Set”.
Hence if an organisation has multiple country data like GDPR data and Indian data, PDPCSI implementation may require application of one set of controls for GDPR data and another set of controls for Indian personal data.
This is achieved through appropriate “Classification” of information with a tag of “Applicable Jurisdiction”. This approach enables PDPCSI to be called a “Unified Framework”.
ISO avoids this difficulty by stating that the requirements are “Generic” and not specific to any sector. But ISO creates multiple standards for different sectors.
The version of PDPCSI applied to Non Personal Data which we may refer some times as “Non Personal Data Compliance Standard of India (NPD-CSI) will similarly focus on jurisdiction of law and NPD-CSI for Indian context will be compliant with ITA 2000/8. This framework titled as IISF 309 was one of the first such frameworks suggested by Naavi way back in 2009 along with three levels of maturity as Level I, II and III. This is now being merged with the concept of DTS and brought under NPD-CSI.
PDPCSI also refers to “Deviation Justification Document” and an “Implementation Charter” which provides flexibility to logically exclude certain Model Implementation Specifications (MIS) and arrive at a set of Adopted Implementation Specifications. (AIS). The PDPCSI supported DTS calculation is done on the basis of MIS but the Certification of Compliance is provided on the AIS and the Implementation Charter approved by the management on the basis of their Risk absorption policy.
DTS represents the maturity of an organisation in implementation and hence adds value to the framework.
PDPCSI therefore provides the flexibility for the management to tailor the framework for different sizes of the organization and different sectors.
ISO 27001 refers to ISO 27000 in its normative reference while PDPSI is a standalone framework.
However we may pick up ISO 27701 (A requirement and not a certifiable standard) for comparison with PDPCSI as it is a privacy framework.
ISO 27701 is presented as an extension of ISO 27001 and hence is dependent completely on ISO 27001. It defines a category of PIMS as an extension of ISMS but does not make distinction of type of organization or the sectoral differences.
In the description of the structure of the document, ISO 27701 states that “This is a sector-specific document related to ISO 27001 and 27002”. It appears to identify PII as a “Sector” by itself. The approach stems from the focus on “Data” more than the “Person behind data” which is necessary for Privacy discussions.
Some of the sectoral requirements are addressed through separate standard definitions making ISO 27701 a maze of multiple standard implementations. Compliance will always be better if it is simple.
If we make Compliance of one standard dependent on another and another as a chain, it will make it difficult for the complying organization to maintain the compliance over a time. PDPCSI tries to achieve simplification by making it a “Unified Model” and enabling flexibility to be achieved at the implementation level.
For Example a consent document under PDPCSI-India may conform to DPDPB 2022 while a similar document under GDPR may conform to GDPR requirements while the standard and the model implementation specification may remain the same for both. By adopting this process PDPCSI avoids duplication of standard to some extent. For the same reason PDPCSI leaves it to the consultants to develop their own templates and not make templates part of the MIS.
The 12 standards of PDPCSI are as follows:
1 | Applicable Law |
2 | Governance Structure |
3 | Risk Mitigation Charter |
4 | Compliance By Design |
5 | Compliance oriented Data Classification |
6 | Distributed Responsibility |
7 | Communication with Stakeholders |
8 | Technical Controls |
9 | Policy Controls |
10 | Compliance Culture |
11 | Certification capability |
12 | Measurability |
The Standards mentioned in PDPCSI are explained in greater detail under the Implementation specifications and some of the title headings may repeat under the MIS with specific responsibility assigned to different divisions.
We have presented the 12 standards of PDPCSI here for comparison with the clauses 1-10 of ISO 27001 only.
The difference in the approach between the the two frameworks is that ISO 27001 tries to follow the PDCA through the 10 clauses. PDPCSI on the other hand expects PDCA in each of the MIS implementations in addition to covering “Audit” as one of the controls. Even the MIS on audit would be subjected to PDCA process.
The four themes of the Annex A controls as against 14 earlier is closer to the PDPCSI approach where 5 responsibility centers were identified for implementing 50 MIS.
ISO 27001 is however more oriented to four processes whereas PDPCSI recognises five responsibility centers.
In a future article we shall present the mapping of ISO 27001 to PDPCSI and identify how may are similar and how many are different.
…Let us continue our discussion in the next article…
Naavi