Reasonable Security Practices — Definition & Legal Meaning in India

Also known as: Reasonable Security Procedures · Information Security Practices · IT Security Standards

Statute: Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 8
New Law: Digital Personal Data Protection Act, 2023, Section 8(4) — Security safeguards
Landmark Case: Sabu Mathew George v. Union of India ((2018) 3 SCC 229)
Veritect Legal Intelligence Agent

Reasonable Security Practices are the information security standards that body corporates must implement and maintain to protect sensitive personal data, with compliance serving as a defence against liability for data breaches under Section 43A of the Information Technology Act, 2000. Under Indian law, Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 prescribes IS/ISO/IEC 27001 as the benchmark standard and creates a safe harbour for body corporates that implement certified security management systems.

Rule 8 of the SPDI Rules, 2011 provides:

Rule 8(1): A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.

Rule 8(2): The International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

Rule 8(3): Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

Rule 8(4): The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.

The framework therefore establishes a two-track compliance system: (1) implement IS/ISO/IEC 27001 and obtain certification; or (2) implement industry-specific codes of best practice approved by the Central Government. In either case, the body corporate must maintain documented security policies and undergo annual audits.

How courts have interpreted this term

Sabu Mathew George v. Union of India [(2018) 3 SCC 229]

The Supreme Court acknowledged the framework of reasonable security practices under the IT Rules as part of India's evolving data protection architecture. While the case primarily concerned a different aspect of the IT Act, the Court's observations on the need for robust security standards for the handling of personal data reinforced the importance of Rule 8 compliance.

Adjudicating Officer, Maharashtra (2019) — Banking Data Breach Cases

The Adjudicating Officer, in multiple cases involving unauthorised access to banking and financial data, applied Rule 8 as the standard for assessing whether the body corporate had fulfilled its duty of care. In cases where the financial institution could demonstrate IS/ISO/IEC 27001 certification and annual audits, the safe harbour operated and claims were dismissed. In cases where no documented security programme existed, compensation was awarded under Section 43A.

CERT-In Guidelines and Their Interaction with Rule 8

While not a judicial interpretation, the Indian Computer Emergency Response Team (CERT-In) has issued directions (April 2022) requiring body corporates to report cybersecurity incidents within six hours, maintain logs for 180 days, and implement specific security measures. These directions operate alongside Rule 8, creating additional compliance obligations that affect the assessment of whether "reasonable" security practices were in place.

Why this matters

Reasonable security practices represent the operational backbone of India's data protection regime under the IT Act. For body corporates handling sensitive personal data, compliance with Rule 8 is the difference between having a defence against liability and being exposed to potentially unlimited compensation claims under Section 43A.

For businesses, the IS/ISO/IEC 27001 certification pathway provides the clearest route to safe harbour. This international standard requires a comprehensive Information Security Management System (ISMS) covering risk assessment, security controls, access management, incident response, and continuous improvement. Obtaining and maintaining certification requires significant investment but provides demonstrable compliance.

For smaller businesses that may find ISO 27001 certification prohibitively expensive, Rule 8(3) permits compliance through industry-specific codes of best practice approved by the Central Government. However, relatively few such codes have been formally notified, leaving many businesses in a compliance grey zone.

The annual audit requirement under Rule 8(4) means that security compliance is not a one-time exercise but an ongoing obligation. A body corporate that obtained ISO 27001 certification but failed to maintain it through annual surveillance audits may lose the benefit of the safe harbour.

With the Digital Personal Data Protection Act, 2023 coming into force, the security obligations framework is evolving. Section 8(4) of the DPDP Act requires Data Fiduciaries to implement "reasonable security safeguards" to prevent data breaches, though the specific standards will be prescribed by rules yet to be notified.

Frequently asked questions

Is ISO 27001 certification mandatory under Indian law?

ISO 27001 certification is not mandatory per se, but it is the benchmark standard under Rule 8(2) of the SPDI Rules. A body corporate that is ISO 27001 certified enjoys a safe harbour against Section 43A liability. Alternative compliance is possible through industry codes of best practice approved by the Central Government, but few such codes have been formally notified.

How often must security audits be conducted?

Under Rule 8(4), audits of reasonable security practices must be carried out at least once a year, or whenever the body corporate undertakes significant upgradation of its processes and computer resources. The audit must be conducted by a qualified auditor and must verify that the security programme remains commensurate with the information assets being protected.

What happens if a body corporate does not implement reasonable security practices?

If a body corporate that handles sensitive personal data fails to implement and maintain reasonable security practices and this negligence causes wrongful loss or gain, the body corporate is liable to pay compensation under Section 43A of the IT Act. There is no upper statutory cap on compensation, though claims up to Rs 5 crore are adjudicated by the Adjudicating Officer.

Does compliance with DPDP Act replace the need for SPDI Rules compliance?

Not yet. The DPDP Act, 2023 requires Data Fiduciaries to implement "reasonable security safeguards" under Section 8(4), but the specific standards have not yet been prescribed by rules. Until the DPDP Act rules are notified and explicitly supersede the SPDI Rules, body corporates should comply with both frameworks to minimise legal risk.


This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.

Last updated: 2026-03-27. Veritect provides this content for informational purposes; it does not constitute legal advice.

Written by
Veritect. AI
Deep Research Agent
Grounded in millions of verified judgments sourced directly from authoritative Indian courts — Supreme Court & all 25 High Courts.