
The IASME Cyber Assurance Standard

25 July 2022 | Consultancy, Cyber Awareness, Cyber Essentials, IASME Cyber Assurance

IASME have completely re-designed and rebranded their flagship IASME Governance Standard.

From July 25th IASME Governance will be known as IASME Cyber Assurance.


So what is IASME Cyber Assurance?

IASME Cyber Assurance is a comprehensive, affordable and flexible cyber security standard. It provides assurance that the organisation holding it has implemented a range of vital cyber security, privacy and data protection measures within its business.

It aligns with the UK Government's 10 Steps to Cyber Security and adds data privacy controls. Cyber Assurance also offers smaller companies within a supply chain a ‘right sized’ approach to demonstrating their level of information security at a realistic cost.

Critical cyber security measures are applied, including assessing and managing risk, training people and setting practical policies, together with resilience strategies such as data backup, business continuity planning and incident response. Legal and regulatory requirements, such as your country’s implementation of GDPR, are also addressed.


How do I get certified to IASME Cyber Assurance?

IASME Cyber Assurance is available at two levels: Level 1, a verified assessment, and Level 2, an audited assessment.

For Level 1 (verified assessment), organisations access a secure portal to answer around 160 questions about their security. The assessment is marked by Fourtify or another Certification Body, and a pass or fail result is returned to the organisation.

For Level 2 (audited assessment), an assessor from Fourtify conducts an on-site audit of the controls, processes and procedures covered by the IASME Cyber Assurance standard. The audited version gives a higher level of assurance and is also pass or fail. (There are no longer bronze, silver and gold classifications to achieve.)


What does IASME Cyber Assurance cover?

The new standard covers 13 themes. You will find duplicated controls across themes; this is intentional, because a control can apply to several themes, and the repetition serves as a reminder to consider each control in a number of different contexts.

The themes cover:

Theme 1 – Planning information security

  • A reference has been added to ensure sufficient funding is available in planning processes (based on existing requirements).

Theme 2 – Organisation

  • Supply chain management requirements are more precise, for example, defining SLAs or other contracts.

Theme 3 – Assets

  • The definition of ‘Information Assets’ has been standardised.
  • The basic elements that need recording in the asset register have been added.
  • ‘Identifying sensitive assets’, default encryption requirements, and ‘remote wiping capability’ requirements have been added and updated.
  • A new requirement has been set to review data for accuracy and relevancy.

Theme 4 – Legal and regulatory landscape

  • Increased emphasis on the continuous improvement cycle for business processes in place to meet legal obligations has been added.

Theme 5 – Assessing and treating risks

  • Triggers have been defined for reviewing the risk assessment and implementing the corresponding risk management process, where necessary.
  • There is a new requirement to consider technology and information assets that are not in scope for a prerequisite scheme such as Cyber Essentials. For example, this includes non-internet-connected devices, IoT devices, and paper-based systems.
  • Maintaining knowledge of countermeasures (relevant for risk treatment) and assigning risk owners is now in Theme 5.
  • The requirement to consider the technology and processes around implementing encryption for default requirements (Theme 3), and whether further assets should be encrypted, has been added.
  • The risk treatment plan has been added as a requirement.
  • There is a new requirement for the risk treatment plan to be signed off by an appropriate authority.

Theme 6 – Physical and environmental protection

  • Requirements have been added around considering physical access controls, including for wired and wireless networks.

Theme 7 – People

  • A revised emphasis is placed on creating an inclusive security culture where people are comfortable to report concerns and make suggestions on improving information security.
  • The requirement to manage role changes, not just termination, has been included.

Theme 8 – Policy realisation

  • Requirements for (minimum) policy documentation, and expectations for the contents and structure of policies have been added.
  • Triggers for reviewing policies have been defined.
  • Requirements have been added for policy approval and sign off, and documentation of the process to align with change management requirements.

Theme 9 – Managing access

  • The requirement for network segregation has been added.
  • A new requirement to ensure devices/accounts do not remain signed in indefinitely has been added.

Theme 10 – Technical intrusion

  • Specific details surrounding some anti-malware controls have been removed. These are already covered in the documentation for prerequisite schemes, like Cyber Essentials.
  • The requirements for conducting vulnerability scans and penetration testing have been added. The triggers for conducting these have been updated.
  • A requirement is set to prevent unauthorised changes to systems, such as through the use of an allow list.

Theme 11 – Backup and restore

  • The minimum frequency for backing up and testing the restoration process has been added.
  • The requirements for backups regarding segregation and overwrite protection, including where cloud systems are used, have been clarified.

Theme 12 – Secure business operations: monitoring, review, and change management

  • Maintaining the requirements of the prerequisite scheme(s), such as Cyber Essentials, is now in this theme. Overlapping detail for controls already covered in these prerequisite schemes has been removed.
  • A specific requirement is set to create and implement a vulnerability disclosure policy.
  • The minimum frequency for conducting manual monitoring, where this is used, has been added.
  • A reminder to review the data collected and the retention schedule has been included.
  • The requirements and guidance on appropriately protecting monitoring systems have been aligned with the SAQ.
  • Emphasis is added on taking action where it’s needed based on monitoring.
  • The requirements for change management have been enhanced.

Theme 13 – Resilience: business continuity, incident management, and disaster recovery

  • The requirements around communication have been condensed into the need for a communication policy.
  • A minimum baseline for components to include in the Business Continuity and Disaster Recovery Plan has been defined. This includes ‘strategic priority for asset recovery and how this can be achieved’.
  • The requirement to sign off the Business Continuity and Disaster Recovery Plan has been added. The minimum frequency for rehearsing this plan has been aligned to the SAQ.


Do I need Cyber Essentials Certification to achieve IASME Cyber Assurance?

Cyber Essentials certification is now specified as a prerequisite for IASME Cyber Assurance. Early questions in the assessment ask, “Do you have Cyber Essentials?” and “What is your certificate number?”.

The price of IASME Cyber Assurance does not include the price of Cyber Essentials certification.


If you are considering Cyber Assurance Certification and would like to discuss further, get in touch with the team today: hello@fourtify.co.uk.

If you would like to know more about how Fourtify can support you in achieving this standard, see our services page.