Introduction
You’re an organisation with 10 to 49 people and are looking for comprehensive cyber security protection, where do you go? Have you achieved Cyber Essentials and looking for more? Are you considering ISO 27001 but think it’s too much for a micro organisation? This is where IASME Cyber Assurance can be a great fit – an information security standard that’s designed with smaller organisations in mind. In this article, we dive into the new (version 7) release of IASME Cyber Assurance and see how it can be applied to an organisation of 10 to 49 people.
What Is IASME Cyber Assurance?
- A flexible and affordable information security standard that builds on Cyber Essentials
- Covers 14 themes that are aimed at making organisations more resilient
- Each theme has requirements based on organisational size and risk
- Two levels of the scheme: a verified self-assessment and an audit
- Certification can be gained for both levels
- Ideal for organisations looking for alternative or next step towards ISO 27001
| Feature | IASME Cyber Assurance Level One | IASME Cyber Assurance Level Two |
| Assessment | Verified self-assessment | Audit |
| Testing | Assessor reviews self-assessment | Assessor carries out audit and IASME moderator reviews |
| Controls | 14 themes | Same 14 themes |
| Certification | 12 month certificate | 3 year certificate, with annual (Level One) renewals |
This table shows the key differences between IASME Cyber Assurance Level One and Two
Which themes and requirements apply to an organisation with 10 to 49 people?
- IASME Cyber Assurance covers 14 themes
- Each theme has a number of requirements (security measures)
- An organisation can choose to implement the requirements, based on size and risk
- For an organisation with only 10 to 49 people, all 14 themes and 48 (of the 65) requirements are mandatory with others applied based on risk
| Themes | Further insight on aim of the theme | Number of Mandatory requirements for 10 to 49 person organisation |
| Planning | Consider information security for day-to-day activity and projects | 1 |
| Organisation | Have a clear structure and foundation for effective security | 3 |
| Assets | Understand what you have and how to protect it | 6 |
| Legal and Regulatory | Consider contractual obligations, data protection requirements and more | 3 |
| Risk | Identify threats, treat and manage them appropriately | 6 |
| Physical and environmental | Prevent theft, loss or damage and ensure protection from temperatures or humidity | 7 |
| People | Consider education, awareness, training and least privilege | 3 |
| Policy | For ‘right-sized’ security controls | 5 |
| Managing Access | Implement appropriate access to resources and data | 2 |
| Technical Intrusion | Leverage tools to detect and prevent unauthorised access | 2 |
| Change Management | Control and manage key changes | 1 |
| Secure Operations | Take action based on warning and alerts | 2 |
| Backups and Restores | Have regular and segregated data backups – test to ensure recovery | 4 |
| Resilience | Business continuity, incident management and disaster recovery | 3 |
The table shows the 14 themes, along with a brief outline of the aim of each theme, and shows the number mandatory requirements for each theme, based on an organisation with 10 – 49 people
What are the mandatory requirements for an organisation of 10 to 49 people?
| Number of employees | Mandatory Requirements | Non-Mandatory Requirements (considered based on risk) |
| 1 – 2 people | 20 | 45 |
| 3 to 9 people | 32 | 33 |
| 10 – 49 people | 48 | 17 |
| 50 or more people | 65 | 0 |
This table shows how the total number of requirements can be applied, based on organisational size
Details can be found in the standard, which is located on the IASME website here – a brief summary relating to the 32 requirements for a 10 to 49 person organisation is provided below (based on interpretation and paraphrasing):
- Make provisions for information security as part of business planning
- Ensure commitment, funding, and accountability for information security from the top
- Appoint a suitably skilled leader to coordinate and act on information security activities
- Define SLA’s or other contracts for partners and the supply chain
- Keep an up-to-date register of all information assets (including personal / BYOD)
- For each asset, include category, location, value, and owner
- Clearly identify sensitive assets
- Encrypt sensitive data, removable media, portable devices, and data stored on the cloud (including in transit to/from the cloud)
- Review data held at least annually to ensure relevance and accuracy
- Ensure assets are disposed of securely and removed from the asset register
- Maintain a list of requirements by legal, statutory, regulatory, and contractual obligations
- Have processes and support to fulfil legal obligations
- Ensure business records are protected from loss, destruction, or falsification
- Have an up-to-date and well-maintained risk assessment
- Extend risk assessment to cover customers, partners, contractors, and suppliers
- Keep up to date with emerging cyber threats
- Agree on organisational acceptance of risk
- Assign an owner to each risk and its treatment
- Create action plans from the risk assessment
- Ensure risk assessment covers physical harm to assets
- Include physical security that may be dictated by law and third parties
- Consider physical access control to protect your office environment
- Restrict access to wired and wireless networks to authorised users only
- Keep confidential information away from those not authorised to see and store it securely
- Ensure physical and environmental protection for assets taken away from the premises
- Ensure your environment is suitable for your equipment needs
- Have rules for the acceptable use of company assets
- Ensure appropriate access to data
- Have a suitable joiners, leavers, movers, and termination procedure
- Have a comprehensive, yet right-sized security policy
- Ensure policies include purpose, scope, requirements, review, monitoring and breaches
- Distribute policies to all people responsible for implementing them
- Ensure policy understanding
- Ensure policy review and updates
- Provide people access to resources and data necessary for their roles, but no more
- Ensure accounts and devices do not remain signed in indefinitely
- Detect unauthorised activity, deploying technical tools to support
- Review and act upon output from your tools, scans, and testing at least weekly
- Have documented change procedures
- Track and monitor systems, identifying unacceptable issues and improving security posture
- Pay attention to warnings and reporting, and take appropriate action
- Backup at least weekly and before a significant change
- Have at least one backup that’s off-site / some distance from the working copy
- Ensure logical segregation and appropriate security of backups
- Test restores (of data backups) at least monthly
- Have a Business Impact Assessment, Business Continuity, and Disaster Recovery Plan
- Exercise your plan at least annually and keep it up to date to account for change
- Learn lessons from events
How RB Consultancy Ltd Help?
As an Assessor and Certification Body for IASME Cyber Assurance, we carry out assessments and issue certificates for both levels of the scheme. Holding a Certified Information Systems Security Professional (CISSP) certification, we can also help organisations implement the security measures and provide support through the process. We have templates and documentation to leverage that can also assist with each theme, and can therefore provide completed packages to support.
Conclusion – how Cyber Assurance can help organisations between 10 and 49 people
IASME Cyber Assurance can be a great next step beyond Cyber Essentials. It provides additional confidence and assurance that a variety of security measures are in place to protect organisations. These security measures can be applied based on organisational size and risk. For an organisation of 10 to 49, there are 48 mandatory requirements for the scheme. With our credentials and experience, we help organisations through both levels of the scheme and issue the associated certificates. If you would like more information or any support with IASME Cyber Assurance, please contact us.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years experience in IT and cyber security. Remo has a history of supporting organisations from over the world – including a Fortune 500 in USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.