Introduction
You’re an organisation with 3 to 9 people and are looking for comprehensive cybersecurity protection; where do you go? Have you achieved Cyber Essentials and are looking for more? Are you considering ISO 27001 but think it’s too much for a micro organisation? This is where IASME Cyber Assurance can be a great fit – an information security standard that’s designed with smaller organisations in mind. In this article, we dive into the new (version 7) release of IASME Cyber Assurance and see how it can be applied to an organisation of 3 to 9 people.
What Is IASME Cyber Assurance?
- A flexible and affordable information security standard that builds on Cyber Essentials
- Covers 14 themes that are aimed at making organisations more resilient
- Each theme has requirements based on organisational size and risk
- Two levels of the scheme: a verified self-assessment and an audit
- Certification can be gained for both levels
- Ideal for organisations looking for alternative or next step towards ISO 27001
| Feature | IASME Cyber Assurance Level One | IASME Cyber Assurance Level Two |
| Assessment | Verified self-assessment | Audit |
| Testing | Assessor reviews self-assessment | Assessor carries out audit and IASME moderator reviews |
| Controls | 14 themes | Same 14 themes |
| Certification | 12 month certificate | 3 year certificate, with annual (Level One) renewals |
This table shows the key differences between IASME Cyber Assurance Level One and Two
Which themes and requirements apply to an organisation with 3 to 9 people?
- IASME Cyber Assurance covers 14 themes
- Each theme has a number of requirements (security measures)
- An organisation can choose to implement the requirements, based on size and risk
- For an organisation with only 3 to 9 people, all 14 themes and 32 (of the 65) requirements are mandatory with others applied based on risk
| Themes | Further insight on aim of the theme | Number of Mandatory requirements for 3 to 9 person organisation |
| Planning | Consider information security for day-to-day activity and projects | 1 |
| Organisation | Have a clear structure and foundation for effective security | 1 |
| Assets | Understand what you have and how to protect it | 6 |
| Legal and Regulatory | Consider contractual obligations, data protection requirements and more | 1 |
| Risk | Identify threats, treat and manage them appropriately | 1 |
| Physical and environmental | Prevent theft, loss or damage and ensure protection from temperatures or humidity | 6 |
| People | Consider education, awareness, training and least privilege | 3 |
| Policy | For ‘right-sized’ security controls | 2 |
| Managing Access | Implement appropriate access to resources and data | 2 |
| Technical Intrusion | Leverage tools to detect and prevent unauthorised access | 1 |
| Change Management | Control and manage key changes | 1 |
| Secure Operations | Take action based on warning and alerts | 1 |
| Backups and Restores | Have regular and segregated data backups – test to ensure recovery | 4 |
| Resilience | Business continuity, incident management and disaster recovery | 2 |
The table shows the 14 themes, along with a brief outline of the aim of each theme, and shows the mandatory requirements for each theme, based on an organisation with 3 to 9 people
What are the mandatory requirements for an organisation of 3 to 9 people?
| Number of employees | Mandatory Requirements | Non-Mandatory Requirements (considered based on risk) |
| 1 to 2 people | 20 | 45 |
| 3 to 9 people | 32 | 33 |
| 10 to 49 people | 48 | 17 |
| 50 or more people | 65 | 0 |
This table shows how the total number of requirements can be applied, based on organisational size
Details can be found in the standard, which is located on the IASME website here – a brief summary relating to the 32 requirements for a 3 to 9-person organisation is provided below (based on interpretation and paraphrasing):
- Make provisions for information security as part of business planning.
- Appoint a suitably skilled leader to coordinate and act on information security activities.
- Keep an up-to-date register of all information assets (including personal / BYOD).
- For each asset, include category, location, value, and owner.
- Identify sensitive assets.
- Encrypt sensitive data, removable media, portable devices, and data stored on the cloud (including in transit to/from the cloud).
- Review data held at least annually to ensure relevance and accuracy
- Ensure assets are disposed of securely and removed from the asset register.
- Have processes and support to fulfil legal obligations.
- Have an up-to-date and well-maintained risk assessment.
- Ensure the risk assessment covers physical harm to assets.
- Consider physical access control to protect your office environment.
- Restrict access to wired and wireless networks to authorised users only.
- Keep confidential information away from those not authorised to see and store it securely.
- Ensure physical and environmental protection for assets taken away from the premises.
- Ensure your environment is suitable for your equipment needs.
- Have rules for acceptable use of company assets.
- Ensure appropriate access to data.
- Have a suitable joiners, leavers, movers and termination procedure.
- Have a comprehensive, yet right-sized security policy.
- Distribute policies to all people responsible for implementing them.
- Provide people access to resources and data necessary for their roles, but no more.
- Ensure accounts and devices do not remain signed in indefinitely.
- Detect unauthorised activity, deploying technical tools to support.
- Have a documented procedure for change.
- Review and act upon output from your tools, scans, and testing at least weekly.
- Backup at least weekly and before a significant change.
- Have at least one backup that’s off-site / some distance from the working copy.
- Ensure logical segregation and appropriate security of backups.
- Test restores (of data backups) at least monthly.
- Have a Business Impact Assessment, Business Continuity, and Disaster Recovery Plan.
- Exercise your plan at least annually and keep it up to date to account for change.
How RB Consultancy Ltd Help?
As an Assessor and Certification Body for IASME Cyber Assurance, RB Consultancy Ltd carry out assessments and issue certificates for both levels of the scheme. Holding a Certified Information Systems Security Professional (CISSP) certification, we can also help organisations implement the security measures and provide support through the process. We have templates and documentation that can be leveraged to assist with each theme, providing completed packages to support.
Conclusion – How Cyber Assurance can help organisations with 3 to 9 people
IASME Cyber Assurance can be a great next step beyond Cyber Essentials. It provides additional confidence and assurance that a variety of security measures are in place to protect organisations. These security measures can be applied based on organisational size and risk. For an organisation of 3 to 9, there are 32 mandatory requirements for the scheme. With our credentials and experience, we help organisations through both levels of the scheme and issue the associated certificates. If you would like more information or any support with IASME Cyber Assurance, please contact us.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 in USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.