The original IASME governance standard was written by SMEs for SMEs, initially with the support of the Technology Strategy Board (now Innovate UK), and it was the basis for the creation of the IASME Consortium organisation, founded in 2012. It was designed to give SMEs common ground alongside other information security standards, which are either too broad in scope or too prescriptive in their complexity for a small organisation. The IASME Cyber Assurance standard is still the only cyber security certification scheme designed to be affordable and achievable for small organisations.
IASME Cyber Assurance is a comprehensive, flexible and affordable cyber security standard that demonstrates an organisation has implemented a range of crucial cyber security, privacy and data protection measures. It aligns directly with the UK Government’s 10 Steps to Cyber Security, with additional data privacy controls. It offers smaller companies within a supply chain a ‘right-sized’ way to show their level of information security at a realistic cost.
Necessary cyber security measures are included, such as assessing and managing risk, training people and setting practical policies and procedures. Key resilience strategies include backing up data, business continuity planning and incident response. Legal and regulatory requirements are also addressed, such as your country’s implementation of GDPR (in the UK, this is the Data Protection Act 2018 together with the UK GDPR). Cyber Essentials certification is now a prerequisite for IASME Cyber Assurance.
Enabling SMEs to compete for business
The Government’s Procurement Bill 2022 is passing through the parliamentary process and is expected to come into law next year. It seeks to reform the UK’s public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses and to voluntary, charitable and social enterprises, enabling them to compete for public contracts.
Over 95% of all organisations in the UK are SMEs, many of which are among the most innovative organisations in their sector. The new procurement bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations.
Many buyers now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies; examples include the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain, as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.
THE STANDARD HAS BEEN RE-STRUCTURED
The standard document has been rearranged and organised into 13 themes. It has been made approachable, easy to understand and structured in a logical order.
Some of the key themes include:
- Identifying and protecting assets
Having a good understanding of your critical information assets is essential to knowing what you need to protect. Maintaining an asset register of all your information assets, including physical, digital and people, is good practice. It gives you a clear picture of your attack surface and of what you stand to lose.
- Risk assessment and management
To apply the proper controls to protect your business assets, it is essential to understand the risks to your business and manage those risks to keep them at a level acceptable to you, your customers and your supply chain. The risk assessment process is balanced against your current risk appetite and begins with risk profiling (the enduring state of risk to the business, measured before any controls are implemented). A risk profiling tool is included in the standard for this purpose.
- Training and managing people
Your staff, colleagues, contractors, partners and co-workers can be your greatest allies as well as your most significant risk when it comes to security. Thorough and consistent measures are required to screen and train all staff so that they understand and comply with the security responsibilities of their role.
- Access control and security of the physical environment
Best practice access control applies the principle of ‘least privilege’, which means giving users access only to the resources and data necessary for their roles, and no more. This applies equally to data stored on computer equipment and to the respective parts of the premises where you do business.
- Identifying and creating relevant policies and procedures
Policies specify the rules, guidelines and regulations you require people to follow. They also reflect the values and ethics at the heart of your business.
- Backup and restore
Regularly backing up information, and being able to restore from that backup, is one of the most effective ways of protecting your business from the effects of accidental or malicious tampering. Backing up data using different methods and locations, and testing that restores actually work, can be crucial to recovery after deleted data, hardware failure or ransomware.
- Security monitoring and review
Creating processes to track and monitor information systems is essential to detecting threats, and to analysing and acting on that information in a timely way.
- Business continuity planning and incident response
Planned and practised methods the business uses to ensure it can transform, renew and recover quickly from a partial or total loss of information assets.
The controls within the standard form the baseline for the protection of an organisation. The risk assessment will always guide the depth of protection and inform an organisation of any additional controls that may be needed.
Forti5 Technologies is an IASME-certified business that assesses organisations against the IASME standards. At Forti5 Technologies we take the time to explain the assessment so that the company understands what is expected and why it is necessary.
If you would like to know more about how we at Forti5 Technologies can help you on the certification journey, do not hesitate to contact us.