IASME is proud to announce the relaunch of their flagship information security standard, the IASME CYBER ASSURANCE STANDARD, formerly known as the IASME GOVERNANCE STANDARD.
Refreshed and rebranded, the IASME Cyber Assurance scheme finally has its time in the spotlight with a new name, a revised logo and a refreshed focus. We welcome certification manager, Samantha Alexander to take the reins of the Cyber Assurance scheme. Sam brings a wealth of 
experience in leading and developing information assurance schemes and has worked closely with membership organisations.
” IASME Cyber Assurance is a well established and unique certification scheme starting to play a key role in securing supply chains in the UK and abroad”.
IASME Cyber Assurance Certification Manager, Samantha Alexander
The standard was compiled by SMEs for SMEs, originally with the support of the Technology Strategy Board (now Innovate UK) and was the basis for the creation of the IASME Consortium organisation, founded back in 2012. It was designed to provide common ground for SMEs alongside other information security standards -which are either not comprehensive or are too prescriptive in their complexity for an SME. As far as we know, the IASME Cyber Assurance standard is still the only cyber security certification scheme which has been specifically designed to be affordable and achievable for small organisations.
IASME Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures. It aligns directly with the UK Government’s 10 steps to Cyber Security with additional Data Privacy controls and offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost.
Important cyber security measures are included such as assessing and managing risk, training people and setting practical policies and procedures. Key resilience strategies are covered and include backing up data, business continuity planning and incident response. Legal and regulatory requirements are also addressed such as your country’s implementation of GDPR (in the UK this is the Data Protection Act).
Cyber Essentials certification is a prerequisite
Cyber Essential certification is now specified as a prerequisite for IASME Cyber Assurance. There are early questions asking, “Do you have Cyber Essentials?” and “What is your certificate number?”. The price of IASME Cyber Assurance does not include the Cyber Essentials certification.
IASME Cyber Assurance is available in two levels – verified assessment and audited
For Level 1 – verified assessment, organisations access a secure portal to answer around 160 questions about their security. The assessment is marked by a Certification Body and a pass or fail is returned to the organisation. For Level 2 – audited, an independent assessor conducts an on-site audit of the controls, processes and procedures covered in the IASME Cyber Assurance standard. The audited version gives a higher level of assurance and is pass or fail. (There are no longer bronze, silver and gold classifications.
Enabling SMEs to compete for business
The Government’s Procurement Bill 2022 is passing through the parliamentary process and is due to come into law next year. It seeks to reform the UK’s public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses, and voluntary, charitable and social enterprises, by enabling them to compete for public contracts.
Over 95% of all organisations in the UK are SMEs, many of whom are the most innovative organisations in their sector. The new procurement bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations for business.
A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.
The new version (6) of the IASME Cyber Assurance Standard has been updated to build upon the solid foundations of the original IASME Governance standard.
Why has it been updated?
IASME wanted to update the standard to ensure it remains relevant to recent changes to technology. These changes include the move that many businesses have made from on-premise infrastructure to the cloud. There have also been huge changes to business practices such as working from home and the increased use of mobile and personally owned devices. Over the years, we have received helpful feedback from businesses and Assessors about the standard – we have incorporated all this into the new version. As a living and evolving piece of work, there will continue to be future updates to the standard.
Why the name change?
The new name reflects a move towards clarifying what the certification means to an organisation and to those in a supply chain.
When is the launch date of the new IASME Cyber Assurance scheme?
25th July 2022. On that date, the updated question set (V6) will be live on the assessment platform and will be used for all new assessments. Any new assessment accounts opened on or after that date will use the new questions set. Anyone who opened an assessment account before 25th July 2022, will be assessed against the IASME Governance V5, and will have six months from their application date to complete their assessment.
What is the pricing structure for IASME Cyber Assurance certification?
The pricing structure can be seen below:
The standard has been re-structured
The standard document has been rearranged and organised into 13 themes. We have tried to make it friendly, easy to understand and structured in a logical order.
Some of the key themes include:
Identifying and protecting assets
Having a good understanding of your key information assets is essential in order to know what you need to protect. It is good practice to maintain an asset register of all your information assets, including physical, digital and people. It clarifies an appreciation of your attack surface and what you’ve got to lose.
Risk assessment and management
In order to effectively apply the correct controls to protect your business assets, it is important to understand what the risks are to your business and to manage those risks to keep them at an acceptable level to you, your customers, and supply chain. The process of risk assessment is balanced with your current risk appetite and begins with risk profiling (the enduring state of risk to the business, measured before any controls are implemented). A risk profiling tool is included in the standard for this purpose.
Training and managing people
Your staff, colleagues, contractors, partners, and co-workers can be your greatest allies as well as your greatest risk when it comes to security. Thorough and consistent measures are required to screen and train all staff to enable them to understand and comply with the security responsibilities of their job.
Access control and security of the physical environment
Best practice access control utilises the law of ‘least privilege’ which means giving users access to all the resources and data necessary for their roles, but no more. This applies equally to data stored on computer equipment as to the respective parts of the premises where you do business.
Identifying and creating relevant policies and procedures
Policies specify the rules, guidelines, and regulations that you require people to follow. They also reflect the values and ethics that are at the heart of your business.
Backing up data
Regularly backing up information, and having the ability to restore the backup, may be one of the most effective methods of protecting your business from the effects of accidental or malicious tampering. Effectively backing up data using different methods and different locations can be crucial for a recovery following deleted data, hardware failure, or ransomware.
Security monitoring and review
Creating processes to track and monitor information systems is important in order to detect threats and take steps to analyse and act on this information.
Business continuity planning and incident response
Planned and practiced methods that the business uses to make sure that it can transform, renew, and recover in timely response from a partial or total loss of information assets.
Risk based
The controls within the standard form the baseline for protection of an organisation. The risk assessment will always guide the depth of protection and inform an organisation of any additional controls that may be needed.
Cyber Assurance Assistance Tool in development
To assist businesses working towards the Cyber Assurance certification, we are developing an online, free to use IASME Cyber Assurance Assistance Tool. It will consist of a series of questions, targeted guidance and an action plan to help the user understand what needs to be done. Once competed, the Tool will direct users towards a Certification Body if they need help and onwards towards certification.
If you would like to read a version of this article which includes the technical details of the changes to IASME Cyber Assurance, please click here.
You can view the IASME Cyber Assurance Standard and Question Set on the IASME website in preparation for the launch on the 25th July 2022.
If you would like any more information or to discuss the standard, please email us at [email protected]