Introduction
You’re an organisation of 1 or 2 people looking for comprehensive cyber security protection: where do you go? Have you achieved Cyber Essentials and are looking for more? Are you considering ISO 27001 but think it’s too much for a micro organisation?
This is where IASME Cyber Assurance comes in. It’s an information security standard designed specifically with smaller organisations in mind. In this article, we explore the newly released version 7 of IASME Cyber Assurance and how it can be effectively applied to organisations with 1 to 2 people.
What Is IASME Cyber Assurance?
IASME Cyber Assurance is a flexible and affordable information security standard that builds on the foundation of Cyber Essentials. It is:
- Based on 14 key themes aimed at improving organisational resilience
- Scalable, with requirements tailored to organisational size and risk
- Available in two certification levels: Verified Self-Assessment and Audited Certification
It’s an ideal next step for organisations that want an alternative to ISO 27001, or a more achievable stepping stone toward it.
| Feature | IASME Cyber Assurance Level One | IASME Cyber Assurance Level Two |
| --- | --- | --- |
| Assessment | Verified self-assessment | Audit |
| Testing | Assessor reviews self-assessment | The assessor carries out the audit, and the IASME moderator reviews |
| Controls | 14 themes | Same 14 themes |
| Certification | 12-month certificate | 3-year certificate, with annual (Level One) renewals |

This table shows the key differences between IASME Cyber Assurance Level One and Level Two.
Which themes and requirements apply to an organisation with 1 to 2 people?
- IASME Cyber Assurance covers 14 themes
- Each theme has a number of requirements (security measures)
- An organisation can choose to implement the requirements based on size and risk
- For an organisation with 1 to 2 people, 12 (of the 14) themes and 20 (of the 65) requirements are mandatory, with others applied based on risk
| Theme | Further insight on the aim of the theme | Number of mandatory requirements for a 1 to 2-person organisation |
| --- | --- | --- |
| Planning | Consider information security for day-to-day activities and projects | 0 |
| Organisation | Have a clear structure and foundation for effective security | 1 |
| Assets | Understand what you have and how to protect it | 4 |
| Legal and Regulatory | Consider contractual obligations, data protection requirements, and more | 1 |
| Risk | Identify threats, treat and manage them appropriately | 1 |
| Physical and Environmental | Prevent theft, loss, or damage and ensure protection from temperatures or humidity | 2 |
| People | Consider education, awareness, training, and least privilege | 1 |
| Policy | For ‘right-sized’ security controls | 1 |
| Managing Access | Implement appropriate access to resources and data | 1 |
| Technical Intrusion | Leverage tools to detect and prevent unauthorised access | 1 |
| Change Management | Control and manage key changes | 0 |
| Secure Operations | Take action based on warnings and alerts | 1 |
| Backups and Restores | Have regular and segregated data backups, and test them to ensure recovery | 4 |
| Resilience | Business continuity, incident management, and disaster recovery | 2 |

This table lists the 14 themes, a brief outline of the aim of each, and the number of mandatory requirements per theme for an organisation with 1 to 2 people.
What are the mandatory requirements for an organisation of 1 to 2 people?
| Number of employees | Mandatory requirements | Non-mandatory requirements (considered based on risk) |
| --- | --- | --- |
| 1 to 2 people | 20 | 45 |
| 3 to 9 people | 32 | 33 |
| 10 to 49 people | 48 | 17 |
| 50 or more people | 65 | 0 |

This table shows how the total number of requirements is applied, based on organisational size.
Details can be found in the standard on the IASME website. A brief summary of the 20 requirements for a 1 to 2-person organisation is provided below (based on our interpretation and paraphrasing):
- Appoint a suitably skilled leader to coordinate and act on information security activities
- Keep an up-to-date register of all information assets (including personal / BYOD)
- Encrypt sensitive data, removable media, portable devices, and data stored on the cloud (including in transit to/from the cloud)
- Review data held at least annually to ensure relevance and accuracy
- Ensure assets are disposed of securely and removed from the asset register
- Have processes and support to fulfil legal obligations
- Have an up-to-date and well-maintained risk assessment
- Consider physical access control to protect your office environment
- Ensure your environment is suitable for your equipment needs
- Have security training and awareness
- Have a comprehensive, yet right-sized security policy
- Ensure accounts and devices do not remain signed in indefinitely
- Detect unauthorised activity, deploying technical tools to support
- Review and act upon output from your tools, scans, and testing at least weekly
- Backup at least weekly and before a significant change
- Have at least one backup that’s off-site / some distance from the working copy
- Ensure logical segregation and appropriate security of backups
- Test restores (of data backups) at least monthly
- Have a Business Impact Assessment, Business Continuity, and Disaster Recovery Plan
- Exercise your plan at least annually and keep it up to date to account for change
How Can RB Consultancy Ltd Help?
As an Assessor and Certification Body for IASME Cyber Assurance, RB Consultancy Ltd is qualified to:
- Conduct assessments and issue certificates at both self-assessment and audit levels
- Provide CISSP-certified expertise to help implement the required controls
- Supply templates and pre-prepared documentation to accelerate the process
- Offer end-to-end support tailored to micro-organisations
Whether you need guidance, implementation help, or a full certification package, we are here to support your journey to stronger information security.
Conclusion – how Cyber Assurance can help organisations with 1 or 2 people
IASME Cyber Assurance can be a great next step beyond Cyber Essentials. It provides additional confidence and assurance that a variety of security measures are in place to protect organisations. These security measures can be applied based on organisational size and risk. For an organisation of 1 to 2 people, there are 20 mandatory requirements for the scheme. With our credentials and experience, we help organisations through both levels of the scheme and issue the associated certificates. If you would like more information or any support with IASME Cyber Assurance for Micro Organisations, please contact us.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world, including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.