The GOI released the notification of rule under Section 43A on April 11, 2011. Naavi has presented his views on the same in the article here.

One of the points raised by Naavi was that the rules were framed in such a manner as to make people think that compliance of the Sec 43A is deemed to have been completed if an organization is certified for ISO 27001. Naavi also pointed out that

a) Organizations which completed ISO 27001 before April 11 2011 obviously cannot be considered to have complied with the requirements and hence the notification was wrong per-se.

b) ISO 27001 audits donot in practice cover ITA 2008 as one of the laws that the target company need to comply with and hence it is improper to provide a compliance immunity based on ISO 27001 audit

c) It was conceptually wrong for the Government of India to have promoted ISO 27001 audit as a part of the law.

d) The notification amounted to hoisting a liability of Rs 7000/- on every citizen of India who had to buy the ISO 27001 specification to understand the parliamentary law and the industry had to spend over Rs 30000/- crores for meeting the requirements on an annual basis which is unfair, impractical and indicative of a scam of the size of the infamous 2G scam.

In response to an RTI query, the department clarified as follows by Mr Prafulla Kumar, Director, MCIT dated 11th July 2011.


Rule 8 donot mandate implementation of ISO 27001 standard exclusively. Body Corporate are free to adopt and implement other codes of best practices agreed by the industry associations or an entity formed by Industry association. Thus the presumption that body corporate will have to necessarily procure ISO 27001 docuemnt is not in order. They can adopt other codes of best practices suiting to their nature of business



However, the website states as follows:


ISO 27001 in India: Government regulations

ISO certification is not only a corporate issue. It is now becoming a government issue in the majority of countries around the world, too.

In India, in April 2011, the Government released a new announcement on privacy data law which relates to any company that collects information within the country. The proposed regulations will have a major impact on global enterprises doing business with Indian outsourcers. State regulations in India require companies to ensure private data stays private.

When outsourcing aspects of IT that touch data stores, companies need to be extra careful that the service providers they engage with, follow these new rules of the law, and the exact policies of their shareholders and/or management. Not complying with this new Act can create a disruption and result in fines, damaged reputation and even loss of revenue.

Organisations must follow new regulations stated in the Indian ITA (Information Technology Act), which include:

• ISO 27001 compliance

“The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

• External auditing 

“The appropriate Government may cause an audit to be conducted of the affairs of the service providers and authorised agents in the State at such intervals as deemed necessary by nominating such audit agencies. (…) The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.”

For more information on ITA regulations and other cyber laws in India, please visit the website below:

Things to remember 

ISO 27001

• ensures you comply with ITA 
• will underpin and protect IT worldwide over the next decade 
• is designed to harmonise with ISO 9001:2008, ISO 14001:2004, ISO 20000 and others for effective management system integration 
• implements the Plan-Do-Check-Act (PDCA) model 
• reflects the principles of the 2002 OECD guidance on the security of information systems and networks 


It is clear from the above that IT Governance is using the notification to mislead the public into believing that ISO 27001 is the compliance specification for Section 43A. The department by remaining silent will be considered as conspiring with the IT Governance organization to make people believe that they need to go through the ISO 27001 audit as a mandatory provision.

This completely validates the concern that Naavi expressed that the notification is a possible scam bigger than 2G scam.

We seek an explanation from DIT and the IT Governance authority about this.

Apart from placing this note for information to the relevant authorities through the Internet, we also urge the Comptroller and Auditor General (CAG) to take note of the possible irregular manner in which this notification is sought to be implemented though it is detrimental to the interests of the country and makes use of the parliamentary law to promote private foreign commercial interests. Specific attention of the two organizations involved will also be drawn through e-mails.


August 20, 2011

Be Sociable, Share!