An in-depth look at the relaunch of IASME Cyber Assurance on the 25th July 2022, formerly IASME Governance

IASME is proud to announce the relaunch of their flagship information security standard, the IASME CYBER ASSURANCE STANDARD, formerly known as the IASME GOVERNANCE STANDARD.

Refreshed and rebranded, the IASME Cyber Assurance scheme finally has its time in the spotlight with a new name, a revised logo and a refreshed focus. We welcome certification manager, Samantha Alexander to take the reins of the Cyber Assurance standard.  Sam brings a wealth of  experience in leading and developing information assurance schemes and has worked closely with membership organisations.

” IASME Cyber Assurance is a well established and unique certification scheme starting to play a key role in securing supply chains in the UK and abroad”. 
IASME Cyber Assurance Certification Manager, Samantha Alexander

The standard, now known as the IASME Cyber Assurance standard was the basis for the creation of the IASME Consortium organisation, founded back in 2012. The motivation was to create an Information Assurance Standard that was affordable and accessible for SMEs. This is still the case today.

IASME Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that provides assurance that an organisation has put in practice a range of important cyber security, privacy and data protection measures. It aligns directly on all topics with the UK Government’s 10 steps to Cyber Security in addition to Data Privacy controls and offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost. Important cyber security measures are set out which include assessing and managing risk, training people and setting practical policies as well as resilience strategies such as backing up data, business continuity planning and incident response. Legal and regulatory requirements are also addressed such as your country’s implementation of GDPR (in the UK this is the Data Protection Act).

IASME Cyber Assurance is available in two levels – verified assessment and audited

For  Level 1 -verified assessment,  organisations access a secure portal to answer around 160 questions about their security. The assessment is marked by a Certification Body and a pass or fail is returned to the organisation. For Level 2 -audited,  an independent assessor conducts an on-site audit of the controls, processes and procedures covered in the IASME Cyber Assurance standard. The audited version gives a higher level of assurance and is pass or fail. (There are no longer bronze, silver, and gold classifications.)

Enabling SMEs to compete for business

The Government’s Procurement Bill 2022 is passing through the parliamentary process and is due to come into law next year. It seeks to reform the UK’s public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses, and voluntary, charitable and social enterprises, by enabling them to compete for public contracts.

Over 95% of all organisations in the UK are SMEs, many of whom are the most innovative organisations in their sector. The new procurement bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations for business.

A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.

The new version (6) of The IASME Cyber Assurance Standard has been updated to build upon the solid foundations of the original IASME Governance standard.

Why has it been updated?

IASME wanted to update the standard to ensure it remains relevant to recent changes to technology. These changes include the move that many businesses have made from on-premise infrastructure to the cloud. There have also been huge changes to business practices such as working from home and the increased use of mobile and personally owned devices. Over the years, we have received helpful feedback from businesses and Assessors about the standard – we have incorporated all this into the new version. As a living and evolving piece of work, there will continue to be future updates to the standard.

Why the name change?

The new name reflects a move towards clarifying what the certification means to an organisation and to those in a supply chain.

When is the launch date of the new IASME Cyber Assurance?

25th July 2022. On that date, the updated question set (V6) will be live on the assessment platform and will be used for all new assessments. Any new assessment accounts opened on or after that date will use the new questions set. Anyone who opened an assessment account before 25^th July 2022, will assess against the IASME Governance V5, and will have six months from their application date to complete their assessment.

Cyber Essentials certification is a prerequisite 
Cyber Essential certification is now specified as a prerequisite for IASME Cyber Assurance. There are early questions asking, “Do you have Cyber Essentials?” and “What is your certificate number?”. The price of IASME Cyber Assurance does not include the Cyber Essentials certification.

What is the pricing structure for IASME Cyber Assurance?

The pricing structure can be seen below:

Streamlining the reporting and moderation at audited level

We want to streamline the certification process particularly for the reporting and moderation at the audited level. The report writing and feedback and conversations with the moderator that occur during the audited level will now all take place on the assessment platform.  When the reporting and moderation process becomes more predictable and streamlined, it will be easier to anticipate how long it will take and that will mean more people will want to sell and to take up the audited level.

Cyber Assurance Assistance Tool in development
To assist businesses working towards the Cyber Assurance certification, we are developing an online, free to use IASME Cyber Assurance Assistance Tool. It will consist of a series of questions, targeted guidance and an action plan to help the user understand what needs to be done. Once competed, the Tool will direct users towards a Certification Body if they need help and onwards towards certification.

Updates to the standard

The standard has been re-structured

The changes that we’ve done to the standard fundamentally covers the same topics. The questions are very similar and the process for certifying to self-assessment is much the same. There are, however, quite a few changes to how things are structured. The standard document has been rearranged and organised into 13 themes. We have tried to make it friendly and easy to understand and structured in a logical order. In the standard document alongside each of these themes with the many elements and controls within them, there is plenty of guidance about how to implement them including specific guidance for smaller companies. The updated version uses more diagrams, illustrations, and icons and the available templates and guidance have had references added to them (eg on the implementation of EU /UK GDPR).

The technical bit

What’s changed in Version 6 of the IASME Cyber Assurance Standard?

Additions and changes to the Appendices which now include ‘pull out’ sections with additional guidance.

• Appendix A – Compatibility with regulation and other cyber and information security standards .The Cyber Assessment Framework (CAF) and IASME Cyber Baseline standards have been added.
• Appendix B – Carrying out your information risk assessment – is new guidance to help start an information risk assessment. It gathers widely applicable risks referenced throughout the Standard.
• Appendix C – Explicit and implied information security policies. This section has been amended to define and support the Standard’s minimum documentation requirements for information security policies. It includes guidance on creating a suitable set of policies to support the organisation’s needs for security.
• Appendix D – Glossary – key terminology used throughout the Standard has been added and some definitions from Version 5 have been updated.
• Appendix E – The IASME family of practical information and cyber security certifications – an overview of the information security standards offered by IASME Consortium, often in partnership with external organisations, and how they fit alongside IASME Cyber Assurance.

Scheme context

• Guidance on how to determine the scope of an IASME Cyber Assurance certification has been added. This also defines the prerequisite certifications and the associated requirements.
• Additional details are provided on IASME’s quality assurance for the IASME Cyber Assurance scheme.
• Being able to show the actions taken towards legal compliance to legal authorities becomes a business driver for implementing, and certifying to, the Standard.

The 13 Themes 
The Standard duplicates controls that are applicable to multiple themes. The duplication is a reminder to consider the control in a new context. Additionally, it supports each theme to ‘stand on its own’ so users can approach the Standard at their own pace, for example, one theme at time.

Theme 1 – Planning information security

• A reference has been added to ensure sufficient funding is available in planning processes (based on existing requirements).

Theme 2 – Organisation

• Supply chain management requirements are more precise, for example, defining SLAs or other contracts.

Theme 3 – Assets

• The definition of ‘Information Assets’ has been standardised.
• The basic elements that need recording in the asset register have been added.
• ‘Identifying sensitive assets’, default encryption requirements, and ‘remote wiping capability’ requirements have been added and updated.
• A new requirement has been set to review data for accuracy and relevancy.

Theme 4 – Legal and regulatory landscape

• Increased emphasis on the continuous improvement cycle for business processes in place to meet legal obligations has been added.

Theme 5 – Assessing and treating risks

• Triggers have been defined for reviewing the risk assessment and implementing the corresponding risk management process, where necessary.
• There is a new requirement to consider technology and information assets that are not in scope for a pre-requisite scheme such as Cyber Essentials. For example, this includes non-internet connected devices, IoT devices, and paper-based systems.
• Maintaining knowledge of countermeasures (relevant for risk treatment) and assigning risk owners is now in Theme 5.
• The requirement to consider the technology and processes around implementing encryption for default requirements (Theme 3), and whether further assets should be encrypted, has been added.
• The risk treatment plan has been added as a requirement.
• There is a new requirement for the risk treatment plan to be signed off by an appropriate authority.

Theme 6 – Physical and environmental protection

• Requirements have been added around considering physical access controls, including for wired and wireless networks.

Theme 7 – People

• A revised emphasis is placed on creating an inclusive security culture where people are comfortable to report concerns and make suggestions on improving information security.
• An inclusion of the requirement to manage role changes, not just termination.

Theme 8 – Policy realisation

• Requirements for (minimum) policy documentation, and expectations for the contents and structure of policies have been added.
• Triggers for reviewing policies have been defined.
• Requirements have been added for policy approval and sign off, and documentation of the process to align with change management requirements.

Theme 9 – Managing access

• The requirement for network segregation has been added.
• A new requirement to ensure devices/ accounts do not remain signed in indefinitely has been added.

Theme 10 – Technical intrusion

• Specific details surrounding some anti-malware controls have been removed. These are already covered in the documentation for prerequisite schemes, like Cyber Essentials.
• The requirements for conducting vulnerability scans and penetration testing have been added. The triggers for conducting these have been updated.
• A requirement is set to prevent unauthorised changes to systems, such as through the use of an allow list.

Theme 11 – Backup and restore

• The minimum frequency for backing up and testing the restoration process has been added.
• The requirements for backups regarding segregation and overwrite protection, including where cloud systems are used, have been clarified.

Theme 12 – Secure business operations: monitoring, review, and change management

• Maintaining the requirements of the prerequisite scheme(s), such as Cyber Essentials, is now in this theme. Overlapping detail for controls already covered in these prerequisite schemes has been removed.
• A specific requirement is set to create and implement a vulnerability disclosure policy.
• The minimum frequency for conducting manual monitoring, where this is used, has been added.
• Reminder included to review data collected and the retention schedule.
• The requirements and guidance on appropriately protecting monitoring systems has been aligned with the SAQ.
• Emphasis is added on taking action where it’s needed based on monitoring.
• The requirements for change management have been enhanced.

Theme 13 – Resilience: business continuity, incident management, and disaster recovery

• The requirements around communication have been condensed into the need for a communication policy.
• A minimum baseline for components to include in the Business Continuity and Disaster Recovery Plan has been defined. This includes ‘strategic priority for asset recovery and how this can be achieved’.
• The requirement to sign off the Business Continuity and Disaster Recovery Plan has been added. The minimum frequency for rehearsing this plan has been aligned to the SAQ.

You can view the IASME Cyber Assurance Standard and Question Set  on the IASME website in preparation for the launch on the 25th July 2022.

If you would like any more information or to discuss the standard, please email us at [email protected]