IASME Cyber Assurance (ICA) is a comprehensive, cost-effective cyber security standard designed to help organisations of all sizes improve their cyber resilience. The standard consists of cyber security controls and practices organised into fourteen themes, which are further grouped into four categories: Identify & Classify, Protect, Detect & Deter, and Respond & Recover. To achieve certification, your organisation must meet the requirements of all themes applicable to its size. Each theme includes clear guidance to help non-technical users implement the necessary processes and practices, making it accessible and easy to integrate into daily operations.
To support organisations further, IASME works with a network of trained Certification Bodies (CBs) that provide expert assistance in implementing the standard. This ensures that businesses can confidently build their cyber security capabilities and achieve certification in a cost-effective manner.
Certification provides organisations with an independent assessment of their cyber security maturity. This enables them to demonstrate compliance with legal requirements, such as GDPR, and to confidently assure clients and partners that their information is well protected.
The IASME Cyber Assurance certification is available at two levels: Level One (Verified Assessment) and, for greater assurance, Level Two (Audited).
Over the next few weeks, we will be posting information on each of the four categories and the themes that make up IASME Cyber Assurance. The standard starts with business planning and ends with business continuity, providing a structured approach to achieve cyber resilience.
Identify and Classify
Theme 1 – Planning Information Security
Planning information security involves embedding security considerations into all aspects of an organisation’s business planning. This ensures that security is not an afterthought but an integral part of daily operations, projects, procurement, contracting, supplier management, and partnerships. By proactively addressing security during the planning phase, organisations can reduce the risk of unexpected vulnerabilities or costly incidents.
The level of planning required depends on the size and nature of the organisation. For smaller businesses, this might mean allocating appropriate budgets for ongoing security needs. Larger organisations may need to assess how changes to processes, working practices, hardware, or software could impact security and plan accordingly. Regardless of size, the goal is to build “right-sized” security measures that align with the organisation’s risk profile and operational needs.
Planning also involves preparing for potential events, such as cyber attacks or human errors, and ensuring that security is considered when implementing changes. This proactive approach helps organisations make informed decisions in advance, reducing the likelihood of being caught off guard by security challenges.
Ultimately, planning information security is about integrating security into the fabric of an organisation’s operations. It is a recurring theme throughout the IASME Cyber Assurance standard, supporting other areas such as Change Management and Secure Business Operations, to ensure a comprehensive and resilient approach to cyber security.
Theme 2 – Organisation
A strong organisational structure is essential for effective information security. This involves ensuring leadership commitment, allocating resources, and defining clear roles and responsibilities. Senior management must prioritise security, regularly review risks, and allocate funding to maintain a secure environment.
Appointing a skilled individual to oversee information security is crucial. This person should have the authority to coordinate security activities and work closely with leadership to make informed decisions. For medium and large organisations, forming a team to manage security activities is mandatory, while smaller organisations can adopt a more informal approach. Responsibilities should be clearly defined, and security objectives included in staff appraisals.
Effective supply chain management is also vital. Organisations must establish clear Service Level Agreements (SLAs) and contracts with suppliers, contractors, and partners to define security expectations. These agreements should be based on thorough risk assessments and regularly updated to address evolving security needs.
By embedding security into leadership, operations, and supply chain management, organisations can build a robust and resilient security framework. This ensures that both internal and external stakeholders are aligned in maintaining high security standards and mitigating risks.
Theme 3 – Assets
Understanding and managing assets is essential for businesses to protect valuable information and resources. Assets can include physical items, such as laptops and servers, and intangible ones, like customer data or intellectual property. To safeguard these, businesses must identify what they own, where it is located, and its value. An asset register, ranging from a simple list to a sophisticated system, is vital for tracking assets, including personal devices used for business purposes.
Each asset should be categorised, assigned an owner, and evaluated for its importance. The asset register must include details such as the type, location, value, and responsible person. Sensitive assets, like personal data or critical business information, require extra protection due to the significant impact their loss could have. Classification systems (e.g., public, confidential, secret) help prioritise protection and ensure assets are safeguarded throughout their lifecycle.
Encryption is crucial for protecting data stored on devices, in the cloud, or during transmission. Businesses should use industry-standard encryption tools and ensure they are properly configured. Additional measures, such as remote wipe features for mobile devices and secure cloud storage, are recommended for sensitive data. Verifying that cloud providers meet security standards is also important.
Finally, secure disposal of assets is critical to prevent unauthorised data recovery. Deleting files is often insufficient, so businesses should use specialist software or secure destruction services to permanently erase digital data. Physical media, such as paper documents or hardware, should be securely destroyed while adhering to environmental regulations such as the UK and EU Waste Electrical and Electronic Equipment (WEEE) directive. By understanding their assets and implementing robust security measures, businesses can effectively minimise risks.
Theme 4 – Legal and Regulatory Landscape
Every organisation has legal, statutory, regulatory, and contractual obligations that must be met to ensure compliance and avoid penalties. These obligations may include company registration, accounting, customer management, data handling, and the use of technology. Specific requirements depend on the nature of the business, such as compliance with the Payment Card Industry Data Security Standard (PCI DSS) for handling credit card data or adherence to the UK GDPR for managing personal data. Additionally, businesses must comply with any contractual obligations, such as those with data centres, cloud service providers, or maintenance services.
To meet these obligations, businesses must design processes that align with legal requirements and support their objectives. For example, data protection laws may require organisations to delete or release data within specific timeframes. Policies and processes should be regularly reviewed and updated to ensure compliance. Employees must receive adequate training and resources to follow these processes, and feedback from stakeholders, such as employees and customers, can help identify areas for improvement.
Monitoring compliance is essential to ensure that policies and processes are being followed. Regular audits, both internal and external, can help identify deviations and areas for improvement. If non-compliance is identified, businesses should take corrective actions, which may include amending policies or, as a last resort, disciplinary measures.
Finally, organisations must protect their business records from loss, destruction, or falsification in line with legal and regulatory requirements. This includes maintaining a retention schedule to track records and ensuring that data is not kept longer than necessary, particularly when its purpose has expired, such as when a customer stops using a product. By maintaining clear security requirements and monitoring compliance, businesses can effectively manage their legal and regulatory responsibilities.
Theme 5 – Assessing and Treating Risks
Assessing and treating risks is essential for protecting an organisation from potential threats and ensuring its security measures are effective. A comprehensive risk assessment helps identify threats, such as malware, criminal activity, or human error, and evaluates their potential impact on the organisation, its customers, partners, and suppliers. This process should be regularly reviewed—at least annually, after incidents, or when significant changes occur—to ensure it remains up to date. Separating the risk assessment from the risk treatment plan allows organisations to identify risks clearly and create actionable steps to address them.
Risk assessments should involve knowledgeable individuals within the organisation, such as risk owners or an information security group, to ensure all areas of the business are considered. Risks should be evaluated based on the organisation’s risk appetite, which determines how much risk the business is willing to accept. For high-risk areas, actions may include implementing stricter controls, such as limiting the use of USB devices or enforcing secure access policies.
Treating risks involves creating an action plan to mitigate or reduce them to an acceptable level. This plan should prioritise changes based on the organisation’s risk appetite and include clear timeframes for implementation. Measures may include updating policies, improving staff training, or introducing new technologies. For example, organisations may adopt acceptable usage policies to regulate the use of personal devices, portable storage, or cloud services, ensuring these align with security requirements.
Finally, organisations must monitor and adapt to emerging threats and vulnerabilities, incorporating them into their risk assessments. Resources such as government guidance, industry reports, or consultancy services can help maintain awareness of new risks and countermeasures. By assigning ownership for each risk and ensuring accountability, organisations can effectively manage risks and maintain a secure environment.
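As an added illustration of the assess-then-treat split described in this theme (example code written for this page, not part of the IASME standard or its guidance), the following Python keeps a small risk register, separates the assessment from the treatment plan, and brings the review date forward when an incident occurs. The 1-to-5 likelihood and impact scale, the multiplicative score, the appetite threshold of 8 and the deadline tiers are assumptions made for the example; the sample risks are constructed.

```python
"""Risk register with a separate treatment plan (worked example for Theme 5).

Added illustration, not part of the IASME standard. The 1-5 likelihood and
impact scale, the multiplicative score, the appetite threshold and the
timeframe tiers are assumptions chosen for this example; the sample risks
below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Risk:
    name: str
    threat: str          # e.g. malware, criminal activity, human error
    likelihood: int      # 1 (rare) .. 5 (almost certain)  [assumed scale]
    impact: int          # 1 (negligible) .. 5 (severe)    [assumed scale]
    owner: str           # named risk owner, accountable for the treatment
    treatment: str = ""  # planned measure; empty until the risk is treated

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1..5 scale at entry time.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field_name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(risks, appetite):
    """Assessment step: risks above the appetite threshold, highest score first."""
    return sorted((r for r in risks if r.score > appetite),
                  key=lambda r: (-r.score, r.name))


def accepted(risks, appetite):
    """Risks at or below appetite: recorded and reviewed, but not treated."""
    return [r.name for r in risks if r.score <= appetite]


def timeframe_days(score):
    """Implementation deadline by severity (assumed tiers)."""
    if score >= 20:
        return 30
    if score >= 12:
        return 90
    return 180


def treatment_plan(risks, appetite, today_iso):
    """Treatment step: one dated, owned action per risk above appetite."""
    today = date.fromisoformat(today_iso)
    plan = []
    for r in assess(risks, appetite):
        if not r.treatment:
            # A risk above appetite with no planned measure is a gap in the plan.
            raise ValueError(f"{r.name}: above appetite but no treatment assigned")
        plan.append({
            "risk": r.name, "score": r.score, "owner": r.owner,
            "action": r.treatment,
            "due": (today + timedelta(days=timeframe_days(r.score))).isoformat(),
        })
    return plan


def next_review(last_review_iso, incident_isos=()):
    """At least annual review, brought forward to the first incident since the last one."""
    last = date.fromisoformat(last_review_iso)
    due = last + timedelta(days=365)
    for inc in sorted(date.fromisoformat(d) for d in incident_isos):
        if inc > last:
            return min(due, inc).isoformat()
    return due.isoformat()


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Malware via USB media", "malware", 4, 4, "IT Lead",
         "Restrict USB storage by policy and endpoint control"),
    Risk("Phishing credential theft", "criminal activity", 5, 4, "IT Lead",
         "MFA on all accounts plus staff awareness training"),
    Risk("Accidental deletion of shared files", "human error", 3, 2, "Ops Manager",
         "Versioned backups"),
    Risk("Lost unencrypted laptop", "human error", 2, 5, "IT Lead",
         "Full-disk encryption and remote wipe"),
]
APPETITE = 8  # assumed: any score above 8 must be treated

if __name__ == "__main__":
    for item in treatment_plan(SAMPLE_RISKS, APPETITE, date.today().isoformat()):
        print(item)
    print("accepted:", accepted(SAMPLE_RISKS, APPETITE))
    print("next review:", next_review("2024-06-01", ["2024-09-10"]))
```

Keeping `assess()` and `treatment_plan()` as separate functions mirrors the theme's point that the assessment and the treatment plan are distinct artefacts; the `ValueError` raised for an above-appetite risk with no treatment is the check that stops a register from quietly carrying an untreated risk, and `next_review()` encodes the "at least annually, or after an incident" review rule.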
Look out for our next blog, Protect, which includes the themes: physical protection, training people, policies and procedures, managing access, and change management.
