IASME Cyber Assurance Themes
If you’re looking at undergoing the IASME Cyber Assurance or IASME Cyber Baseline certification, you need to understand the standard and the associated themes that make up the standard. The themes make up the core of the IASME standard and are the same themes which are used for both the IASME Cyber Assurance and IASME Cyber Baseline certifications.
Within the IASME Cyber Assurance standard there are 13 themes, as mentioned we’re going to discuss each one in turn, however, please bear in mind that these descriptions are not definite, and every business will be different.
Theme 1: Planning information security
Theme one is all about how you as a business plan information security within the workplace, this theme is looking to make sure that you are applying information security within day-to-day operations. As part of this theme, you should also be looking to make sure that you are planning your decisions in advance and not reacting to events. This plays a part within change control.
Any projects should be planned according and should take the impact of information security into account. How is information going to be stored, who is going to be responsible for it, where is information being stored, is there enough budget allocated? And so forth.
Theme 2: Organisation
For theme 2, we’re looking to make sure that there is a clearly defined structure within the business. Here we are looking to make sure that the business knows who has the ultimate rights to make decisions about information security within the workplace.
We’re going to be looking to make sure there is a form of incident management in place (which will be discussed in later themes) and to know who is responsible for ensuring that information is safe if there is an incident and who will be accountable if an incident should happen.
As part of the organisation theme, we also need to know a bit about the human resource, or HR processes when it comes to resolving dispute within the business, who provides leadership, what is the escalation path for resolving the dispute?
We’re also going to be looking at how the business manages the information resources that are accessible, who has access to what information, who owns it, where does the information go? Is it accessible externally? What access to partners and suppliers have to information? How do they safeguard your information?
We also need to know whether the directors or the board of the company take responsibility for any actions that come regarding risk within the business. This is because ownership should flow from the top down.
There should also be, depending upon the size of the business, a dedicated group which is used to manage incidents, and information security. For micro businesses this is not going to be feasible, but for smaller and up, we should be looking to ensure there is a defined group of people in place, who can manage the incidents, communicate with key stake holders and inform people that need to know.
The business should also understand its defined Service Level Agreements or SLA. This is both internally and externally. What internal timeframes do you have for providing services and support and what external timeframes do you have to agree to if there is an outage?
Theme 3: Assets
Theme 3 is an important one and one that should be undertaken by all businesses whether they are going for IASME Cyber Assurance or IASME Cyber Baseline certifications. This is about understanding what assets you have within the business.
For this theme you should have an up-to-date asset register, which includes asset owners, the locations of the assets and also include not only physical, but informational assets as well. The asset register should also include all assets that access business data, this includes a high level of Bring Your Own Devices.
The asset register should be always kept up to date, ensuring that any assets which are removed from service are also removed from the register.
Without this information, how do you know what information you need to protect against attacks and incidents? How do you know where assets are, what’s on them and all sorts.
When it comes to logging the information in the register, you should ensuring that when its physical assets, you are logging their categories, such as server, laptop, removable media, then when its information assets, the categories could be employee data, contact information.
The asset register also needs to know where the information is being kept, it is located on local computer, is it in the cloud, in a filing cabinet.
You should also be recording the relative value of the asset, how much does it cost to the business if it was lost of deleted, this will help with budgeting and replacement of assets, should you need to.
Assets should also be clearly identified when it comes to information, are they confidential. Is it public domain or internal use only, all sensitive assets should be categorised like this and staff made aware accordingly.
When it comes to sensitive information or information being placed on external media, you should always ensure that information and external devices are encrypted to ensure that the information if protected.
Lastly you should ensure that you review the asset register, and all policies and procedures at least annually, or upon change or after an incident to make sure its all current.
Theme 4: Legal and regulatory landscape
When it comes to theme 4, this one, in my opinion is seriously over looked. All businesses should know what they need to comply with when it comes to any legally and regulatory compliances. Whether this is the data protection act, health and safety laws, employment laws and so forth.
For the IASME standard, businesses need to have a legal and regulatory list defined, this list should include what legal, statutory, regulatory and contractual obligations they need to meet, what companies they need to be associated with and for what information is associated, such as personal information.
You should ensure that you have processes in place to ensure the support of fulfilling any legal obligations and ensure that staff are trained appropriately.
You as a business will need to ensure that you remain compliant with the necessary requirements and that if you become non-compliant have a process in place to ensure that these are remediated and return to being compliant as soon as possible.
This could be through ensuring that renewal agreements are met, staff are trained or retrained under various certifications and that policies and procedures are inline with the necessary requirements.
You should also ensure that all your business records are protected from loss, destruction or falsification, this can be through backup and recovery processes which we’ll discuss in a later theme.
Theme 5: Assessing and treating risks
When it comes to information security and protecting the business, businesses need to understand their risks. By understanding your risks to the business, not only business-related risks but also cyber related, you can then start building out your information security management system.
For the IASME standard, you as a business need to ensure that you have a risk assessment and risk register which is kept up to date upon change, after an incident or at least annually.
If you do not have a risk register at this point in time, there are lots of examples available on the internet to review and download.
For the IASME standard, it concentrates on all areas of the business, not just internet connected devices, like Cyber Essentials requires.
The risk register should ensure that you have a unique ID, the name of the risk, type of risk, value of risk, any remediation controls and so forth. This will allow you as a business to identify what risks there are and how you can reduce that overall risk to the business.
The risk assessment should also cover areas such as customers, suppliers, partners etc.. for example what is the risk if someone doesn’t pay you. What happens if your phone system or email goes down, will that impact your business?
All business risks should be made aware to the director level and integrate these into the risk assessment. Senior management should always be aware of what risks there are to the business.
When working on your risk plan and risk register, you should have an understanding of what the acceptable risk is and what your risk appetite is for accepting that risk.
All risks defined in the register should have a risk owner, this risk owner should ensure that they are aware of this and manage the risk accordingly.
You should also ensure that when identifying risks and assets, which risks require encryption or additional protection in place to safe guard your assets.
The risk assessment and risk treatment plan should also be signed off by someone senior within the business and is authorised to make decisions.
Theme 6: Physical and environmental protection
Theme 6 is all about ensuring the business has sufficient protection in place for assets via physical and environmental means.
This theme links up along with your risk register and asset register, you must ensure that your risk assessment covers the risks of physical harm to any type of information assets.
You should ensure that you have implemented any physical security requirements that may be required by law or contractual agreements, such as locks on doors, CCTV, window protections.
You also need to look at what physical controls need to be in place for inside the business, such as access control. Do you use key fob access, are sensitive areas locked when not required. What about filing cabinets are these locked?
What about air conditioning for server rooms or sensitives areas that need climate control.
We also need to look at wireless and wired networks, are these designed to only be accessible by authorised users only? Is your guest wireless segregated from your main network?
All confidential information should be kept away from other information and securely stored when not required.
You should also look to ensure that you have covered your assets which leave your business premises, such as sales people or engineers, how are their devices protected? Are they encrypted, do they have lock screens?
Theme 7: People
Theme 7 is all about people and as you may expect this is about the onboarding processes before employment, then how staff are treated throughout their work career right through to offboarding. We need to know what these processes are, ensuring that documentation and processes are in place.
We also need to look at roles and responsibilities within the work place, does everyone have a specific role, do they know what this role is and what is required of them.
We need to ensure that staff are properly trained to do their work, do they need any special training?
All users should be granted least privilege access to do the work that they need to do. Noone should be running as a local administrator for their day-to-day roles.
You should ensure that people have the necessary access to access all the information and systems that they need to do their job.
All staff should be aware of threats to the business, how to identify them and who to report them to, should they find one.
When people leave the business, an offboarding meeting should be conducted by Human Resources or the relevant person and ensure that all assets are returned and that a debrief is carried out to understand the reason by they are leaving the business.
Theme 8: Policy realisation
Theme 8 is all about documentation, understanding and ensuring that your policies are up to date and are in place. For this theme we are looking to make sure that the right set of policies are in place for the size of the business.
For the IASME Cyber Assurance standard, all companies must apply and have in place all the policies and procedures which are required by the standard, but the complexity of the documentation will depend upon the size of the business. Therefore, a micro based company is not expected to have a complex set of documentation compared to an enterprise.
We need to see how the business distributes the documents to the staff, is it stored in a shared area, within a portal and so forth and how are staff made aware of any changes to these documents.
The business must have an information security policy in place and kept up to date.
All policies must be checked at least annually, or upon any change or incident as well as being written so that anyone within the business can understand them.
The documentation must have certain criteria listed within the documentation control section these are:
- Contain the purpose of the policy
- The scope of the policy
- The requirements of the policy (what do people need to do)
- When the policy will be reviewed
- How its monitored and implemented and verified that its working correctly
- And, what happens if the policy is not followed, or breached.
All policies must be signed off by someone within the business that has the appropriate level of company and authority within the business.
Theme 9: Managing access
So theme 9 is all about access control, who has access to what within the business, this may be data, systems, environments, offices, buildings and so forth.
Here we’re looking to see that least privilege access is given to all employees for accessing electronic or information systems. Or you could call it need to know.
You need to ensure that all applications and systems are setup correctly and that staff have access to what they need to do their job role. Ensuring that permissions are setup and configured from default settings.
You need to ensure that any wireless systems are configured accordingly to ensure that no unauthorised people can gain access to your systems, make sure that guest users are blocked from accessing the business network.
Make sure that all staff have to log into machines through authentication methods and that all file shares are locked down, or are inaccessible unless authenticated on the network.
You should consider do people need to access data from any locations, or should data be blocked from certain locations? For example specific countries?
You should ensure that staff have session timeouts implemented in applications or screen lockout implemented.
When it comes to people leaving the business, are there controls in place to ensure access is revoked in a timely manner? This links in with the theme about people.
Theme 10: Technical intrusion
Theme 10 looks at what controls and protections are in place to safeguard the business from intrusions.
So what do we mean my intrusions, we’re basically looking to ensure that any external threats into the business are blocked, so we’re going to be looking at protections for brute force password guessing, safeguarding against email phishing, poisoned websites and documents, control around USB devices and so forth.
For this theme are we are going to be checking to make sure that there are controls in place to review logs and events which are on devices, such as your firewall and computers. You need to be sure that you have appropriate protection in place in your environment, so boarder firewalls, and all endpoint devices having their firewall enabled as well by default at all times.
Your systems should be configured to scan for vulnerabilities at least every six months, or after major changes or following a security incident.
If deemed necessary, you should conduct penetration testing if it is deemed as a necessary risk.
For controlling access to applications and mobile applications, you should ensure that you have an approved allow list that authorises people what they can and can’t install on their devices.
Users should be made aware that they should pay attention to any alerts and warnings on their computers and to notify the relevant people at the time.
Theme 11: Backup and restore
Theme 11 is all about backing and restoring your data and ensuring that it works as expected. You should ensure that you are backing up your data regularly and that its actually backing up without any errors. Any errors should be identified and resolved as soon as possible.
A copy of the backups should be physically separate from where the data is backed up, so this could be another building, a cloud environment etc.
Restoration tests should be carried out regularly to ensure that they work and that you have confidence in your backup files. Restoration tests should be carried out at least monthly.
Backups should be recorded and tracked in your asset register to ensure you know what is being backed up and what is not.
Theme 12: Security business operations: monitoring, review and change management
Theme 12 is about change management and monitoring and reviewing systems, you should be ensuring that security is embedded into your day-to-day operations and that any changes are pushed through a change control process and signed off by the relevant body.
You should also ensure that the asset is kept up to date with any relevant assets that are monitored and updated through changes.
Monitoring should be in place to ensure that systems are working like they should and any warnings or errors are picked up and remediated as soon as possible.
If you have an incident, you should be able to isolate the affected systems for review at a later date and if required should be isolated for digital forensics.
Event logs on devices should be reviewed at least weekly and any abnormal issues should be resolved.
All logs should be stored in a protected area away from tampering and that they should be stored for at least six months so that you can look back and perform any trending data if required.
All data should be reviewed at least annual to ensure that its still up to date and relevant.
Service Level Agreements or SLAs and contracts, should be reviewed and ensure that they are up to date, that people know what the agreed levels are. This should be for internal SLAs as well as supplier based agreements.
Any changes to the business or environment should go through a risk analysis and added to the change control process. Any systems which are decommissioned should also be reviewed for any potential risks to the business that may become apparent in the future.
When changes are implemented, staff should be made aware of any changes when necessary.
Theme 13: Resilience: business continuity, incident management, and disaster recovery
Theme 13, the last theme for the IASME Standard is all about business continuity and incident management.
All staff should be made aware of who is in change if there is an incident and how to contact them. The business should ensure that they make it clear who is the authority to involve business continuity should an incident happen, such as loss of website, telephones or email go down.
There should be a process in place which identifies who is responsible for disclosing details of a data breach.
There should be a up to date communications policy in place which all staff are aware off, so if there is an incident staff know who to communicate. This should also include what can and cant be said to external parties.
A business impact assessment should be implemented and a business continuity and disaster recorder plan should be created within the business and kept up to date. This should also include any contact numbers and names which may be required during the disaster.
The disaster recovery and business continuity plans should be tested at least annually to ensure they still meet the needs of the business and work as they should. If not changes should be implemented and the plans up dated accordingly. These plans should be authorised by someone senior within the business.
If there is an incident the logs should be checked for trends and then when the systems are back up and running there should be a lessons learnt process so that everyone can learn from the incident and ensure it doesn’t happen again.