Changes to the IASME Governance Standard

IASME, the UK’s partner for delivering Cyber Essentials, is undergoing a major refurbishment of its own information security standard, the IASME Governance Standard. The IASME Governance certification is changing, and changing for the better, in my view.

After years of stagnant progression and not much customer interest (from our perspective as a body delivering the certifications), IASME has decided to refresh the certification and essentially change every area of it.

There will still be two levels: the basic self-assessment version, which comes with GDPR support, and the audited version. However, the previous Gold, Silver and Bronze tiers have gone; there is now a simple pass or fail, which makes assessments easier and reduces confusion.

The IASME Governance Standard certification will now be known as IASME Cyber Assurance. This new Standard will be available from the 25th July 2022.

So, if you haven’t heard of IASME’s Information Security Standard before, what is it, how would it help you and should you get it?

The IASME Standard was formed back in 2012. It was primarily designed to help small and medium businesses implement information security best practices and put defined policies and procedures in place at a reasonable, affordable rate.

The easiest way to describe the standard is as a cut-down version of ISO 27001 for small and medium businesses. The standard aligns in many ways with the full ISO 27001 standard, the NHS Data Security and Protection Toolkit and the NCSC’s Ten Steps to Cyber Security, and it is an excellent way of working towards ISO 27001, or of implementing a feature-rich information security standard, without the pain, expense and time that the bigger standard requires.

The IASME standard not only covers the basics of the Cyber Essentials technical controls, but also includes references to GDPR and, as you’d expect, a great deal about information security. The standard expects you to have security policies in place and security controls defined, as well as business continuity and disaster recovery plans that are defined and tested. In essence, it is a risk-based information security certification.

So, what has changed in the new version, and how is it going to affect you when you undergo certification?

Cyber Essentials is a prerequisite

To achieve IASME Cyber Assurance you must already have achieved Cyber Essentials (the basic level). When you complete your IASME Cyber Assurance assessment you will be asked several questions about that certification, including your certification number.

As mentioned earlier in this blog post, the IASME standard has been around for a long time; many things have changed in that period, and the way we work has changed greatly in the last few years. The v6 standard has been redesigned and is now based around 13 themes.

These themes are:

  • Planning
  • Organisation
  • Assets
  • Legal and regulatory framework
  • Assessing and treating risk
  • Physical and environmental protection
  • People
  • Policy realisation
  • Access Control
  • Technical Intrusion
  • Backup and restore
  • Secure business operations, monitoring, review, change management
  • Resilience: Business continuity, incident management and disaster recovery

IASME Cyber Assurance Level 1 (the self-assessment)

There will be next to no changes here. You will still sign up via IASME’s website, or via a certification body like ourselves, to get set up, gain access to the online portal and achieve certification.

Once you are in the portal you will have to answer all the questions, of which there are around 160; if you leave any unanswered, you will be asked to complete the missing information.

IASME Cyber Assurance Level 2 (the audit)

This is where most of the noticeable changes will happen (outside of the 13 themes). Once you have completed your self-assessment, you must start working towards your audited assessment as soon as possible, to ensure the environment is still the same as the scope of the assessment.

The auditor will arrange a meeting with the business, conduct interviews with staff around the business, review your policies and procedures, and look for evidence of what you have stated in your self-assessment.

Once the auditor has completed your audit, a report will be written and you will either pass or fail your assessment. Be warned, however, that the auditor’s work will be moderated by IASME’s internal technical team, which means that the timeframe to achieve the audited Level 2 certification will be longer than for the Level 1 self-assessment.

What happens if I’m already doing an IASME Governance assessment?

If you have already started your IASME Governance Standard assessment before the 25th July, you will still be able to work on the older question set, and you will still have six months from the date of setup to complete your assessment.

Pricing for IASME Cyber Assurance

The pricing has changed. In the previous standard you achieved Cyber Essentials at the same time as IASME Governance, and its price was included; in the new version 6 standard, however, you are required to have Cyber Essentials in place before you go for IASME Cyber Assurance.

The cost of achieving Cyber Essentials is based on the same pricing tiers as IASME Cyber Assurance.

The pricing for IASME Cyber Assurance is as follows:

  • Micro organisations (0 – 9 employees): £300 + VAT
  • Small organisations (10 – 49 employees): £400 + VAT
  • Medium organisations (50 – 249 employees): £450 + VAT
  • Large organisations (250 employees and above): £500 + VAT