The IASME Governance standard is a government-backed information assurance framework that helps SMEs implement an effective, GDPR-compliant information assurance programme. It was developed as an affordable and achievable alternative to the international standard ISO 27001, which may be out of reach for many small organisations.
In this article we’ll take a deep dive into the IASME Governance standard. We’ll look at what the IASME Governance standard is, who it is for, what it involves, and how it compares to Cyber Essentials.
What does the IASME Governance standard involve?
The IASME Governance certification was designed to help smaller organisations improve their information security posture. It provides an affordable way to demonstrate a good level of cyber security and information governance to clients and other stakeholders. Organisations are assessed against a number of information assurance controls, such as risk assessment, incident management, policies, data protection and operational management. On passing the assessment, the organisation receives certificates showing its compliance with both IASME Governance and Cyber Essentials.
Is IASME Governance better than Cyber Essentials?
The IASME Governance standard includes Cyber Essentials certification, so it shouldn’t be viewed as an alternative to it. While Cyber Essentials checks technical controls, IASME Governance builds upon this by also checking key governance elements such as risk assessment and management and business continuity. It also includes a GDPR requirements assessment, which can demonstrate that you have taken into account the requirements of the General Data Protection Regulation (GDPR).
What steps are involved in achieving IASME Governance certification?
1. Before any engagement can begin, your chosen IASME Certification Body (such as Predatech) will need to ask a few questions to understand the scope of the assessment. This is also an opportunity for you to ask any questions you may have and to agree target timelines. For example, if you need to achieve the IASME Governance standard by a set date, make sure to discuss this with your Certification Body. And if you believe that your organisation may need some support with completing the questionnaire, make sure to ask your Certification Body what guidance they can provide.
2. When an engagement formally begins, the organisation is granted access to IASME’s online portal, which presents around 160 short questions, including all the Cyber Essentials assessment questions.
3. Once these questions have been answered, your Certification Body will review the responses and provide a pass or fail. Some Certification Bodies will offer a free retest should your organisation fail at the first attempt.
Self-Assessment or Audited (Gold)?
The IASME Governance certification comes in two forms: self-assessed and audited (Gold). The audited certification asks the same questions as the self-assessed version. The key difference is that it also typically involves an onsite audit, which may include interviews with staff as well as a review of key documentation and system configurations.
What does it cost?
The IASME Governance standard (self-assessed) costs £400. This includes the cost of the Cyber Essentials certification. The audited version costs more, as it requires an IASME-accredited Certification Body (such as Predatech) to audit the assessment. This normally involves an onsite audit, but during the coronavirus pandemic these are being carried out remotely.
Who are IASME?
IASME (Information Assurance for Small and Medium Enterprises) was formed in 2010 through a Government-funded project that aimed to create an ‘affordable and achievable’ alternative to ISO 27001. Since 2010, IASME has played an important role in promoting cyber security best practice. More recently, the National Cyber Security Centre (NCSC) chose IASME to take over full responsibility for Cyber Essentials delivery from April 2020. This means that all Cyber Essentials Certification Bodies now have to be accredited by IASME.
Why does information assurance really matter?
Information assurance (IA) focuses on protecting information and managing the risks related to its use, processing, storage and transmission, and is built upon five pillars: availability, integrity, authentication, confidentiality and non-repudiation. Adopting a formal information security standard can help to ensure that security becomes part of your organisation’s culture, and ultimately will help to strengthen your resilience to cyber incidents.
Want to find out more?
If you’d like to find out more about the IASME Governance standard, please contact Predatech for a free consultation.