Funded by the Government’s Technology Strategy Board, the IASME (Information Assurance for Small and Medium Enterprises) Governance Standard was developed for smaller businesses as an appropriate and cost-effective alternative to the international standard ISO/IEC 27001.
IASME goes a step further than the Cyber Essentials Scheme (CES); in addition to the five technical areas of control assessed by CE or CE Plus, IASME tests for basic information security governance and since 1st March 2017, also includes a mandatory assessment against the GDPR requirements.
Based on international best practice, IASME is risk-based and provides a highly credible security management standard. It combines research in small company security with best practice such as ISO/IEC 27001, National Institute of Standards and Technology (NIST) 800-50, and the SANS/CPNI Critical Controls.
If you are a direct supplier to government or part of a government supply chain, CE is a mandatory requirement but IASME (which includes CE) allows you to demonstrate a more rigorous approach.
Having IASME certification may set you apart from your competition. It may also help you to participate in a government supply chain, where there is a growing awareness that small companies pose a known threat to information security.
Successful assessments are issued with an IASME certificate alongside the relevant CE certificate and Cyber Security Insurance of up to £25,000 of cover from AIG.
Gaining IASME certification involves answering a series of governance questions (over and above the CE questions) that are checked by an IASME accredited Certification Body (CB) – Ascentor was the first licensed external assessor. IASME certification is typically conducted at the same time as a CE assessment. Companies can choose to self-assess against the IASME standard or go the extra step to evidence their security posture and get an external IASME audit by a CB.
As well as audit and certification, we offer an advisory service where an accredited Ascentor assessor visits you to produce a risk assessment, a capability gap analysis and an implementation plan. We leave you to undertake the implementation activities before returning to complete the formal assessment, which will lead to certification.
For companies that don’t have an IT team or security team, we offer a day of on-site consultancy where we will talk you through the process and help you answer the questions. In these situations, the person providing the consultancy would be unlikely to carry out a subsequent audit. Although the IASME rules allow the same consultant to provide both the consultancy and the audit, we would try to keep separation by using a different consultant for each task.