Introduction
You’re an organisation with more than 49 people looking for comprehensive cyber security protection. Where do you go? Have you achieved Cyber Essentials and are looking for more? Are you considering ISO 27001 but think it’s too much for an organisation of your size? This is where IASME Cyber Assurance can be a great fit. In this article we dive into the new (version 7) release of IASME Cyber Assurance and see how it applies to an organisation with more than 49 people.
What Is IASME Cyber Assurance?
- A flexible and affordable information security standard that builds on Cyber Essentials
- Covers 14 themes aimed at making organisations more resilient
- Each theme has requirements based on organisational size and risk
- Two levels to the scheme: a verified self-assessment and an audit
- Certification can be gained for both levels
- Ideal for organisations looking for an alternative to, or a next step towards, ISO 27001
| Feature | IASME Cyber Assurance Level One | IASME Cyber Assurance Level Two |
| --- | --- | --- |
| Assessment | Verified self-assessment | Audit |
| Testing | Assessor reviews self-assessment | Assessor carries out audit and IASME moderator reviews |
| Controls | 14 themes | Same 14 themes |
| Certification | 12 month certificate | 3 year certificate, with annual (Level One) renewals |
This table shows the key differences between IASME Cyber Assurance Level One and Two
Which themes and requirements apply to an organisation with more than 49 people?
- IASME Cyber Assurance covers 14 themes
- Each theme has a number of requirements (security measures)
- Which requirements an organisation must implement depends on its size and risk
- For an organisation with more than 49 people, all 14 themes and all 65 requirements are mandatory
| Theme | Further insight on the aim of the theme | Number of mandatory requirements for an organisation with more than 49 people |
| --- | --- | --- |
| Planning | Consider information security for day-to-day activity and projects | 1 |
| Organisation | Have a clear structure and foundation for effective security | 4 |
| Assets | Understand what you have and how to protect it | 6 |
| Legal and Regulatory | Consider contractual obligations, data protection requirements and more | 4 |
| Risk | Identify threats, treat and manage them appropriately | 9 |
| Physical and Environmental | Prevent theft, loss or damage and ensure protection from temperature or humidity | 7 |
| People | Consider education, awareness, training and least privilege | 4 |
| Policy | For ‘right-sized’ security controls | 7 |
| Managing Access | Implement appropriate access to resources and data | 4 |
| Technical Intrusion | Leverage tools to detect and prevent unauthorised access | 2 |
| Change Management | Control and manage key changes | 1 |
| Secure Operations | Take action based on warnings and alerts | 5 |
| Backups and Restores | Have regular and segregated data backups, and test them to ensure recovery | 4 |
| Resilience | Business continuity, incident management and disaster recovery | 7 |
The table shows the 14 themes, along with a brief outline of the aim of each theme and the number of mandatory requirements for each theme, based on an organisation with more than 49 people
What are the mandatory requirements for an organisation of 10 to 49 people?
| Number of employees | Mandatory requirements | Non-mandatory requirements (considered based on risk) |
| --- | --- | --- |
| 1 to 2 people | 20 | 45 |
| 3 to 9 people | 32 | 33 |
| 10 to 49 people | 48 | 17 |
| 50 or more people | 65 | 0 |
This table shows how the total number of requirements can be applied, based on organisational size
Details can be found in the standard, which is located on the IASME website here. A summary of the 32 requirements for an organisation with more than 49 people is provided below (this is our own interpretation and paraphrasing, not the wording of the standard):
- Make provisions for information security as part of business planning
- Ensure commitment, funding, and accountability for information security from the top
- Appoint a suitably skilled leader to coordinate and act on information security activities
- Form a group to coordinate and implement information security activities
- Define SLAs or other contracts for partners and the supply chain
- Keep an up-to-date register of all information assets (including personal / BYOD)
- For each asset, include category, location, value, and owner
- Identify sensitive assets
- Encrypt sensitive data, removable media, portable devices, and data stored in the cloud (including in transit to/from the cloud)
- Review data held at least annually to ensure relevance and accuracy
- Ensure assets are disposed of securely and removed from the asset register
- Maintain a list of requirements by legal, statutory, regulatory, and contractual obligations
- Have processes and support to fulfil legal obligations
- Monitor compliance, counter deviations, or improve business processes
- Ensure business records are protected from loss, destruction, or falsification
- Have an up-to-date and well-maintained risk assessment
- Extend risk assessment to cover customers, partners, contractors, and suppliers
- Be aware of business risks and integrate with the information risk assessment
- Keep up to date with emerging cyber threats
- Agree on organisational acceptance of risk
- Assign an owner to each risk and its treatment
- Use risk assessment to set rules on how people use technology
- Create action plans from the risk assessment
- Have risk assessment and treatment plans signed off by an authorised person
- Ensure risk assessment covers physical harm to assets
- Include physical security that may be dictated by law and third parties
- Consider physical access control to protect your office environment
- Restrict access to wired and wireless networks to authorised users only
- Keep confidential information away from those not authorised to see it, and store it securely
- Ensure physical and environmental protection for assets taken away from the premises
- Ensure your environment is suitable for your equipment needs
- Have named individuals, roles, and responsibilities relating to information governance
- Have rules for the acceptable use of company assets
- Ensure appropriate access to data
- Have suitable joiners, movers, leavers, and termination procedures
- Have a comprehensive, yet right-sized security policy
- Ensure policies include purpose, scope, requirements, review, monitoring, and breaches
- Ensure someone with competence and authority approves policies
- Ensure policies can cope with potentially conflicting rules
- Ensure policy understanding
- Ensure policy review and updates
- Provide people access to resources and data necessary for their roles, but no more
- Consider network segregation for sensitive assets
- Consider setting restrictions on the locations that can / can’t access data
- Ensure accounts and devices do not remain signed in indefinitely
- Detect unauthorised activity, deploying technical tools to support this
- Review and act upon output from your tools, scans, and testing at least weekly
- Have documented change procedures
- Track and monitor systems, identifying unacceptable issues and improving security posture
- Protect monitoring systems from unauthorised access and preserve their records
- Scan systems for vulnerabilities
- Include penetration testing if deemed necessary by your risk assessment
- Pay attention to warnings and reporting, taking appropriate action
- Back up at least weekly and before any significant change
- Have at least one backup that’s off-site / some distance from the working copy
- Ensure the logical segregation and secure storage of backups
- Test restores (of data backups) at least monthly
- Ensure data breaches are detected, recorded, and dealt with
- Have a Business Impact Assessment, Business Continuity, and Disaster Recovery Plan
- Exercise your plan at least annually and keep it up to date to account for change
- Analyse records for recurring incidents, effective incident management, and the effectiveness of risk assessment and business impact
- Learn lessons from events
How Can RB Consultancy Ltd Help?
As an Assessor and Certification Body for IASME Cyber Assurance, we carry out assessments and issue certificates for both levels of the scheme. Holding a Certified Information Systems Security Professional (CISSP) certification, we can also help organisations implement the security measures and provide support throughout the process. We have templates and documentation covering each theme, and can therefore provide complete packages to support implementation.
Conclusion – how Cyber Assurance certification can help organisations with more than 49 people
IASME Cyber Assurance can be a great next step beyond Cyber Essentials. It provides additional confidence and assurance that a variety of security measures are in place to protect organisations. These security measures can be applied based on organisational size and risk. For an organisation of more than 49 people, there are 62 mandatory requirements for the scheme. With our credentials and experience, we help organisations through both levels of the scheme and issue the associated certificates. If you would like more information or any support with IASME Cyber Assurance, please contact us.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials and IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world, including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.