On July 25th 2022, Assure Technical’s Cyber Accreditation Body, IASME, relaunched their flagship Information Security standard. IASME Cyber Assurance replaces the existing IASME Governance standard.
This blog provides useful information about the standard and how it differs from its predecessor. It also offers guidance to existing IASME Governance certificate holders on what this means for them.
As well as changes to the question set and structure of the standard, the most noticeable difference to existing clients is that Cyber Essentials has been decoupled from the process and these certificates will need to be obtained sequentially.
If you would like any information about the standard or what the changes mean to you, please do not hesitate to get in touch. Our team of friendly experts will be happy to help.
About IASME Cyber Assurance
IASME Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures.
The standard was developed by SMEs, for SMEs; originally with the support of the Technology Strategy Board (now Innovate UK). It has been designed to provide common ground for SMEs alongside other information security standards – which are either not comprehensive or are too prescriptive in their complexity for an SME.
It aligns directly with the UK Government’s 10 steps to Cyber Security with additional Data Privacy controls and offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost.
Important cyber security measures are included such as:
- assessing and managing risk.
- training people and setting practical policies and procedures.
- key resilience strategies including backing up data, business continuity planning and incident response.
- legal and regulatory requirements such as implementation of GDPR and the UK Data Protection Act.
As far as we know, IASME Cyber Assurance remains the only cyber security certification scheme which has been specifically designed to be affordable and achievable for small organisations.
A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.
Two levels of IASME Cyber Assurance certification
Level 1 – the verified self-assessment, which involves answering approximately 160 questions about your security.
Level 2 – one of our trained assessors conducts an on-site audit of the controls, processes and procedures covered in the IASME Cyber Assurance standard. The audited version gives a higher level of assurance.
How does IASME Cyber Assurance differ from IASME Governance?
As well as a change in name, which has been made in a bid to make it clearer what the standard provides, four other important changes have been introduced:
1. Cyber Essentials certification is no longer included but is a prerequisite
Organisations will now have to purchase the Cyber Essentials and IASME Cyber Assurance certificates separately and complete them sequentially, with Cyber Essentials obtained first.
2. Updates to accommodate key changes in technology
The standard has been changed to accommodate key changes in technology, such as the general trend away from on-premises infrastructure to the cloud.
3. One level of Audited accreditation
The bronze, silver and gold classifications of IASME Governance Audited are replaced with one simplified level of IASME Cyber Assurance Audited.
4. The standard has been restructured
The standard document has been rearranged and organised into 13 easy to understand, logically ordered themes. These include:
Identifying and protecting assets
Having a good understanding of your key information assets is essential in order to know what you need to protect. It is good practice to maintain an asset register of all your information assets, including physical, digital and people. An up-to-date register gives you a clear picture of your attack surface and of what you stand to lose.
Risk assessment and management
In order to effectively apply the correct controls to protect your business assets, it is important to understand what the risks are to your business and to manage those risks to keep them at an acceptable level to you, your customers, and supply chain.
The process of risk assessment is balanced with your current risk appetite and begins with risk profiling (the enduring state of risk to the business, measured before any controls are implemented). A risk profiling tool is included in the standard for this purpose.
Training and managing people
Your staff, colleagues, contractors, partners, and co-workers can be your greatest allies as well as your greatest risk when it comes to security. Thorough and consistent measures are required to screen and train all staff to enable them to understand and comply with the security responsibilities of their job.
Access control and security of the physical environment
Best practice access control follows the principle of ‘least privilege’, which means giving users access only to the resources and data their roles require, and nothing more. This applies equally to data stored on computer equipment and to the respective parts of the premises where you do business.
Identifying and creating relevant policies and procedures
Policies specify the rules, guidelines, and regulations that you require people to follow. They also reflect the values and ethics that are at the heart of your business.
Backing up data
Regularly backing up information, and having the ability to restore the backup, may be one of the most effective methods of protecting your business from the effects of accidental or malicious tampering. Backing up data using different methods and different locations, and checking that a restore actually works, can be crucial to recovering from deleted data, hardware failure, or ransomware.
Security monitoring and review
Creating processes to track and monitor information systems is important in order to detect threats, analyse what has been observed and act on it.
Business continuity planning and incident response
These are the planned and practised methods the business uses to make sure that it can transform, renew, and recover in a timely manner from a partial or total loss of information assets.
Risk based
The controls within the standard form the baseline for protection of an organisation. The risk assessment will always guide the depth of protection and inform an organisation of any additional controls that may be needed.
How does this affect existing IASME Governance clients?
On 25th July 2022, the new IASME Cyber Assurance question set will be live on the IASME assessment platform and will be used for all new assessments.
Any assessments commenced before this date will continue to use the existing IASME Governance question set and will have six months from their application date to complete their assessment.
We will contact our existing clients to guide them through the new process.