ISO-4: Understanding the Context

Before an organization sets about to establish an ISMS or an auditor starts an ISO 27001 audit, it is essential to understand and set the ‘Context’ in which the activity needs to be planned and implemented.

By ‘Context’ we mean the internal and external issues that reflect the constraints for the activity of the organization.

To the extent these constraints are manageable, they can be addressed as part of the suggested business policy changes that can accompany the setting up of the ISMS. To the extent the constraints are internal and affect the ISMS risks, they need to be mitigated as a part of the risk management policy. To the extent the constraints are not controllable, they need to be accepted and risks arising thereof become absorbed risks.

Most of the time the role of an auditor arises in an existing organization which already has established a vision and mission and has a top management Governance system tuned to business objectives. The IS objectives are to be integrated into this structure. In the process it may cause disruptions of existing systems and hierarchy of decision making which has to be recognized as an “Implementation Risk” and has to be handled with finesse.

This is the toughest part of the activity of ISMS and is often addressed as the challenge of getting a Buy-In by the top management. A successful ISMS auditor needs to therefore have the skills of communication and persuasion required to get the plan accepted and resources sanctioned.

Most often, the ISMS activity in an organization is triggered because the market forces dictate them. Some clients would have raised a query “Are you ISO 27001 compliant? or Are you GDPR Compliant?”, or “Are you ITA 2008 Compliant?”, or “Are you DPDPB 2022/23 compliant?” etc.

The marketing person might have given a feedback that they may lose a prospective contract because of not being able to provide an assurance to the client about the status of Information Security/Privacy Protection in their company.

At this time, the Company needs to decide on what is required for them in the given context and chose if they have to go for ISO27001 or DPDPB 2022 or GDPR as a framework of designing its activity.

If a Company is operating in India entirely for the Indian customers, it has more value for ITA 2008 compliance than GDPR certification. If a company is interested in Privacy more than IS, priority has to be for GDPR than ISO 27001. In India ITA 2000/8 today is both an IS law as well as privacy law. The company has to determine this at the time it sets the context.

A GDPR or DPDPB 2022 framework may be recognized as a “Privacy Compliance” requirement and not an ISMS per-se. On the other hand ISO 27001 is an ISMS per-se and when associated with ISO 27701 adds Privacy also. However, a GDPR or DPDPB 2022 does address CIA principles of information security within the “Personal Information” domain and hence ISO 27001 is still relevant for implementation of GDPR or DPDPB. If the same principles are extended to Non Personal Data, a DPDPB compliant organization can be also compliant with ISO 27001 standards as a whole.

When we plan an ISMS under ISO 27001, we need to understand that the context has to take into account that there is a law in India on Information Security called Information Technology Act 2000/8 (ITA 2000/8) and there will be consequences if the ISMS does not meet the requirements of ITA 2000/8. Hence the need to understand the legal environment and ensure that the ISMS is in sync with the ITA 2000/8 is an essential part of the context building.

Available resources of a Company obviously is a constraint which has to be factored into the planning since an SME with a turnover of Rs 10 crores cannot be expected to spend as much money as an MNC with a turnover of Rs 1000 crores. A start up with 20 employees cannot plan an ISMS like an organization with 20000 employees. Hence the ISMS planner/auditor needs to be flexible and this gets reflected in the SOA (Statement of Applicability) or the Implementation Charter (PDPSI specification).

Apart from the legal compulsion which if not complied with, may come with heavy penalties, it is necessary for the management to be convinced about the need for the ISMS or DPCMS (Data Protection Compliance Management System). The best way to achieve this is to present the ISMS requirement as a “Business Objective”. It is for this reason that the ISMS planning has to take into account the needs of the CMO, CFO and the CEO as much as it is an initiative of the CTO to reduce the risk of data breach and meeting the risks of a Cyber attack.

This “Management perspective” of ISMS has to be addressed by linking the ISMS need to the business objective. Unless an organization is a philanthropic organization, management cannot disassociate itself from the profit motive. Hence it will be impractical if we as ISMS planners donot understand the needs of the management to make money for the Company. Hence the views of the CMO/CFO/CEO needs to be adequately respected and their acceptance to any ISMS proposal is a necessity.

Hence it is always better to start the ISMS activity with the development of an Information Asset Inventory and making the management realize the value of the assets they manage and the consequences of not securing these valuable assets. Developing an inventory of Data Assets mean identifying the Data Storage points, Data Collection Points and Data Processing Points. It is better to add the Data Disclosure points also to this “Data Mapping” exercise so that the lifecycle of data in the organization is properly understood for determining the context.

ISO 27001 may not directly refer to any controls that direct them to financially value the information assets while PDPCMS based on PDPCSI does mandate a thought on Data Valuation as a part of brining the visibility of the asset value to the top management. Similarly PDPCMS also takes into account the need for “Monetization” of personal data within the legal permissions by suggesting appropriate policies for “Profiling”, “Monetization” etc.

When a visionary ISO 27001 implementer interprets the “Context” under clause 4, he may include the “Risk Analysis” based on ISO 31000 and may arrive at the same conclusion that PDPCMS arrives at regarding the need for Data Asset Valuation. But as a framework, a majority of the implementers of ISO 27001 may miss these requirements.

It is for these reasons we say that PDPCSI is an improvement over existing frameworks such as ISO 27001 (with ISO 27701 combined).

It may take time for the market to realize this but it will happen over a period of time as PDPCMS becomes more and more common in implementation.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.