I’m surprised this piece of legislation has not gotten more press.
In February, the Ministry of Communications and Information Technology (MCIT) released the draft notification proposed to be released in respect of Section 43A of ITA 2008.
Under Sec 43A the ITA (Information Technology Act) defines what “Sensitive Personal Information” is and the “Reasonable Security Practice” that a company should follow to protect it.
The current phrasing of the ITA can easily be interpreted to make ISO 27001 mandatory.
Clause 7 sub-rule 1 includes, “Any person, including a body corporate shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards which shall require a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.” Sub-rule 2 follows and defines an acceptable program as “The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” has been adopted by the country
While sub-rule 2 does allow for use of an alternate ISMS that meets the requirements of sub-rule – this piece of legislation (if passed) will mandate that all Indian companies protect sensitive data via ISO 27001.
What will this mean?
- It’s a good time to be a registrar, ISO 27001 Consultant, or ISO 27001 Lead Auditor living in India?
- Companies doing business with Indian companies that need to demonstrate compliance with 27001 are going to be asked to demonstrate 27001 compliance?
- Dependent upon the success level – Will other governments follow suit?
Free Download: ISO 27001 Implementation Roadmap
Have no fear – our “roadmap” will guide you, step by step, through
the entire ISO 27001 process.
The roadmap will show you, in concrete terms, that ISO 27001 is
manageable — and not out of reach for anyone! Getting to ISO 27001
certification is a process made up of things you already know –
and things you may already be doing!