IASME Cyber Assurance is a comprehensive, cost-effective cyber security standard designed to help organisations of all sizes improve their cyber resilience. The standard consists of cyber security controls and practices organised into fourteen themes, which are further grouped into four categories.
While exploring these themes, there will naturally be some overlap of topics, as they interrelate and build upon one another.
Following our previous blog, which detailed the themes under Identify and Classify, we now explore the six themes under the category Protect.
Protect
Theme 6 – Physical and Environmental Protection
Protecting information assets requires robust physical and environmental safeguards to prevent theft, loss, or damage. These measures often include common-sense actions such as locking doors and windows, installing window bars, and deploying video surveillance, all guided by a thorough risk assessment. Beyond physical security, environmental factors like temperature and humidity must also be controlled to ensure the safe operation of sensitive equipment. For instance, placing equipment off the ground can mitigate risks from water damage caused by floods or leaks.
Risk assessments should consider every environment in which information is handled: offices, remote working locations (including home offices) and travel scenarios. Policies must ensure confidential information is stored securely and out of sight when not in use. Physical access controls, such as locks and alarms, should restrict access to sensitive areas. External visitors, such as contractors or delivery personnel, should only be granted access when necessary and should be supervised while on the premises.
Networking equipment and wireless networks also require protection. Devices like routers should be in controlled areas, and wireless networks must use strong security protocols like WPA2 or WPA3. Confidential information should be shielded from unauthorised viewing using privacy screens or blinds, and precautions should be taken to prevent sensitive discussions from being overheard in shared spaces.
When information assets are taken off-site, additional precautions are necessary. Equipment left in a vehicle must be locked away and out of sight, and stored securely if it is kept off-site overnight. Employees should be made aware of the risks of shoulder surfing and of accidental loss in public spaces.
Theme 7 – Training People
People are a critical line of defence in safeguarding an organisation’s information. Employees, contractors, and suppliers often have access to sensitive data, making them both assets and potential risks. This theme emphasises educating all stakeholders about their responsibilities and encouraging a culture where protecting data becomes second nature. Organisations must ensure everyone understands the value of information, the risks of mishandling it, and how to respond to incidents.
To manage this effectively, organisations should assign clear roles and responsibilities for information governance. Access to resources should be segregated based on risk, ensuring no single individual has unchecked control. The principle of ‘least privilege’ should guide access control, ensuring individuals only access information necessary for their roles. Access should be promptly updated or revoked when roles change or employment ends.
Explicit rules for acceptable use of company assets are essential. Policies should address personal use of resources, communication on public platforms, and incident handling. Training should be provided during onboarding, role changes, and at least annually. Employees should also be informed about current threats and encouraged to report vulnerabilities without fear of blame. Regular appraisals can identify training needs and ensure individuals are equipped to fulfil their roles.
By fostering accountability, providing training, and implementing robust access controls, organisations empower their people to protect sensitive information effectively.
Theme 8 – Policies and Procedures
Policies and procedures form the foundation of an organisation’s information security framework. They define rules, guidelines, and expectations while reflecting the organisation’s values and ethical standards. Effective policies are comprehensive yet tailored to the organisation’s specific needs and risks. They provide clear guidance on managing security and ensure all stakeholders understand their responsibilities, fostering a culture of compliance and accountability.
Organisations must develop an overarching security policy outlining their commitment to information security and the strategies to achieve it. This should be supported by detailed policies addressing specific areas, such as acceptable use, data protection, and incident management. Policies must be practical, concise, and accessible to all relevant personnel, including staff, contractors, and suppliers.
Clear communication is key to effective implementation. Policies should be distributed to all responsible parties, accompanied by training and documentation to ensure understanding.
Reviews should occur annually or when significant changes arise. Policies must be flexible enough to adapt to evolving risks and external requirements. By maintaining clear, well-communicated, and updated policies, organisations can ensure their security framework remains effective and aligned with their risk management strategy.
Theme 9 – Managing Access
Managing access ensures that individuals only have access to the information and resources necessary for their roles, following the principle of ‘least privilege’. This applies to both digital data and physical locations. By limiting access, organisations reduce the risk of accidental or intentional misuse of sensitive information while maintaining operational efficiency.
Organisations must establish robust access controls, granting permissions based on specific role requirements. Access should be determined by necessity rather than seniority and documented in the organisation’s structure. Physical access to sensitive areas, such as server rooms, should be restricted using locks, alarms, or other security measures. Access rights must be monitored and regularly reviewed.
Network and system-level access controls are equally important. Sensitive systems, such as those containing client data, should be segregated from the main network using routers, firewalls, or virtualisation. Wireless networks must be secured with protocols like WPA2 or WPA3 to prevent unauthorised access. User accounts, including cloud accounts, and devices should automatically lock or sign out after a period of inactivity to reduce the risk of an unattended session being used by someone else.
Access control policies should be informed by risk assessments and operational needs. Overly restrictive measures can frustrate employees and lead to security workarounds, undermining the system. Regular reviews of access controls ensure they remain effective and aligned with the organisation’s risk appetite. By implementing thoughtful and well-monitored access controls, organisations can protect their information while maintaining operational efficiency.
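The regular access review that Theme 7 (revoking access when roles change or employment ends) and Theme 9 (least privilege, monitored and reviewed access rights) both call for can be made a repeatable check rather than a manual read-through. The Python script below is an added example and is not part of the IASME standard or of the original post. It assumes a simple role-to-entitlement model and reconciles it against an export of live accounts and an HR list, flagging leavers who still have accounts, accounts with no HR owner, entitlements beyond the role's baseline (including a physical badge entitlement, since the theme covers physical as well as digital access) and dormant accounts. The role model, user names, entitlements and dates are constructed for illustration.

```python
"""Periodic access review: reconcile live accounts against HR status and a
role-based least-privilege baseline.  Example code; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical baseline: the entitlements each role actually needs.
# Anything an account holds beyond its role's set is an excess entitlement.
ROLE_ENTITLEMENTS = {
    "finance": {"finance-share", "payroll-app"},
    "engineer": {"source-repo", "ci-system"},
    "it-admin": {"source-repo", "ci-system", "domain-admin", "server-room-badge"},
}


@dataclass(frozen=True)
class Person:
    """One row of the HR export (constructed)."""
    user: str
    role: str
    status: str                      # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One row of the account/entitlement export (constructed)."""
    user: str
    entitlements: frozenset
    last_login: date


def review_access(hr_records, accounts, today, dormant_days=90):
    """Return a list of (user, finding, detail) tuples for the reviewer.

    Findings raised:
      orphan-account       account with no matching HR record
      leaver-still-active  HR says the person has left but an account remains
      excess-entitlement   entitlements outside the role's baseline
      dormant-account      no login within dormant_days
    """
    findings = []
    people = {p.user: p for p in hr_records}
    for acct in accounts:
        person = people.get(acct.user)
        if person is None:
            findings.append((acct.user, "orphan-account", "no HR record"))
            continue
        if person.status == "left":
            left = person.left_on.isoformat() if person.left_on else "unknown date"
            findings.append((acct.user, "leaver-still-active", f"left {left}"))
            continue  # revoke first; entitlement detail is irrelevant for a leaver
        allowed = ROLE_ENTITLEMENTS.get(person.role, set())
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.user, "excess-entitlement", ", ".join(sorted(excess))))
        if today - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.user, "dormant-account",
                             f"last login {acct.last_login.isoformat()}"))
    return findings


# Constructed sample data: bob moved from it-admin to engineer but kept
# domain-admin; carol left; dave has no HR record; erin has not logged in.
TODAY = date(2025, 1, 15)
HR_RECORDS = [
    Person("alice", "finance", "active"),
    Person("bob", "engineer", "active"),
    Person("carol", "finance", "left", left_on=date(2024, 12, 20)),
    Person("erin", "engineer", "active"),
]
ACCOUNTS = [
    Account("alice", frozenset({"finance-share", "payroll-app"}), TODAY - timedelta(days=2)),
    Account("bob", frozenset({"source-repo", "ci-system", "domain-admin"}), TODAY - timedelta(days=1)),
    Account("carol", frozenset({"finance-share"}), TODAY - timedelta(days=30)),
    Account("dave", frozenset({"source-repo"}), TODAY - timedelta(days=5)),
    Account("erin", frozenset({"source-repo"}), TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for user, finding, detail in review_access(HR_RECORDS, ACCOUNTS, TODAY):
        print(f"{user:8} {finding:22} {detail}")
```

Running it against the constructed data produces four findings (bob's excess domain-admin, carol as a leaver, dave as an orphan, erin as dormant) and nothing for alice, whose access matches her role. In practice the HR export and account export would be pulled from the organisation's own systems, and the findings list would be what the designated risk owner signs off at each review.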
Theme 10 – Technical Intrusion
Technical intrusion focuses on protecting information systems from unauthorised access and misuse. Threats can originate externally, such as malware delivered via phishing emails or malicious websites, or internally, through staff negligence or misuse. These intrusions can lead to data theft, operational disruptions, or larger attacks on the organisation or its supply chain. To counter these risks, organisations must deploy anti-malware tools, intrusion detection systems, and other safeguards as appropriate.
Firewalls with intrusion detection and prevention features, anti-malware software, and two-factor authentication (2FA) are essential tools for detecting and preventing unauthorised activity. Filtered Domain Name System (DNS) services, such as Quad9 or OpenDNS, can block resolution of known-malicious domains before a connection is made. Depending on the risk assessment, advanced tools like data loss prevention systems or honeypots may also be deployed.
Monitoring internal threats is equally important. This includes identifying unauthorised access, such as employees accessing restricted systems or using personal devices without approval. Regular reviews of security settings, software updates, and firewall configurations are necessary to address emerging threats.
Organisations must also educate employees about recognising phishing attempts and other common attack vectors, without creating a blame culture. By combining technical safeguards with employee awareness and regular system reviews, organisations can reduce the risk of technical intrusion and protect their information systems from both external and internal threats.
Theme 11 – Change Management
Change management ensures that changes to working practices, technology, and systems are implemented securely and with minimal disruption. A structured approach to change helps organisations maintain security, ensure compatibility with existing systems, and address associated risks.
Organisations must document clear procedures for managing changes. All new or modified hardware, software, and networks should include appropriate security measures and be tested for compatibility before deployment. Risks associated with decommissioning assets, such as securely erasing data, must also be managed. Changes should only be made with prior approval from designated decision-makers, such as directors, senior management or risk owners.
The approval process should consider potential impacts on all areas of the organisation, including external stakeholders such as partners, contractors and suppliers. An up-to-date list of approved software should be maintained, and unsupported or unnecessary software should be promptly removed.
Organisations must update asset registers, acceptable usage policies, and business continuity plans to reflect changes. Regular training and clear policies can help prevent unauthorised changes. By implementing a structured and secure approach to change, organisations can minimise risks and maintain operational continuity.
Look out for our next blog, Detect and Deter, which includes the theme Monitoring.
