If you are responsible for implementing Information Assurance (IA) for Government, or are part of the HMG supply chain, then the IAMM should be on your radar. As a consequence of Cabinet Office initiatives for IA, it has become a high-profile topic for both HMG and commercial business risk managers. In the course of our work in this area we have found a fair bit of confusion about what the IAMM involves and to whom it applies. To help clear this up, here is our quick guide.
What is IAMM and why should I care?
The IAMM, the Information Assurance Maturity Model and Assessment Framework, was published by the Cabinet Office and CESG in late 2008 to help HMG Departments develop their IA maturity. It was intended to support adoption of the Security Policy Framework (SPF), which sets out 70 mandatory security controls that Government Departments must address.
Does IAMM apply to us?
From 2011 onwards, Ministerial and non-Ministerial Departments have been required to provide an annual report to the Cabinet Office using the Security Risk Management Overview (SRMO). Departments use the IAMM, and the associated CESG Supported Self-Assessment procedure, to establish the evidence that supports the SRMO.
Organisations such as the Association of Chief Police Officers have stated that Police Forces are to demonstrate compliance with the SPF using the IAMM. Police Forces were to complete a baseline review by 31st May 2011, with the aim of reaching Level 2 by March 2013 (see: Police Service IA Strategy 2010-13 v1.0).
Government Departments are also required to report on the IA maturity of their supply chain. This means that the commercial companies forming part of that supply chain will increasingly be required to demonstrate their own compliance in this area.
Businesses that can demonstrate their IA maturity and competence are therefore more likely to hold a competitive advantage.
How does IAMM work?
CESG proposes three options for assessment and audit:
- Self-assessment;
- Supported self-assessment;
- Independent assessment and audit by an external body.
The IAMM assesses maturity in the following areas of information risk management:
- Leadership and Governance;
- Training, Education and Awareness;
- Information Risk Management;
- Through-Life IA Measures;
- Assured Information Sharing.
The process is as follows:
- Assess whether the requirement to demonstrate IA maturity applies to your organisation or company, is likely to apply in future, or would benefit it. If so, plan an assessment of IA maturity;
- Establish a Board-level requirement, with a commitment to achieve an IA maturity goal within a time frame that meets your business aims;
- Use the results of the maturity assessment to develop a strategy that addresses the IA deficiencies found, within that timeline;
- Implement the strategy, and plan follow-up audits to confirm that IA maturity is improving.
What do I do next?
Decide whether the IAMM applies to, or would benefit, your organisation or Department.
If so, conduct a self-assessment, or obtain qualified support in the form of an independent IAMM audit from an assessor company such as Ascentor.
By Steve Maddison, IAMM specialist and Director and Principal Consultant at Ascentor.