
IASME: Difference between revisions

From Wikipedia, the free encyclopedia
Updated number of Certification Bodies from 80 to 150. Removed the part about GDPR assessment being optional....it is now mandatory
Additional content, updated formatting, removed dead links, info on mappings
{{DISPLAYTITLE:IASME Governance}}

{{Use dmy dates|date=November 2013}}
'''IASME''' is an information assurance standard managed by The IASME Consortium that is particularly suitable for [[Small and medium-sized enterprises]] (SMEs).
'''IASME''' '''Governance''' is an [[Information assurance|Information Assurance]] standard that is designed to be simple and affordable to help improve the cyber security of [[Small and medium-sized enterprises]] (SMEs).


The IASME Governance controls are aligned with the [[Cyber Essentials]] scheme and certification to the IASME standard usually includes certification to Cyber Essentials. The standard was developed in 2010 and has proven to be very effective at improving the security of supply chains for large organisations.
It was originally developed as an academic-SME partnership and has attracted interest among decision-makers within the UK small business community.<ref>[http://www.consultancyweek.co.uk/2013/03/11/bis-call-for-interest-iasme BIS call for interest: IASME], 11 March 2013 by Consultancy Week Team. Retrieved on 19 April 2013</ref> IASME controls are aligned with the [[Cyber Essentials]] scheme and certification to the IASME standard usually includes certification to Cyber Essentials.


'''Background'''
=== '''Background''' ===
IASME Governance was originally developed as an academic-SME partnership that attracted a lot of interest from government and small businesses.<ref>[http://www.consultancyweek.co.uk/2013/03/11/bis-call-for-interest-iasme BIS call for interest: IASME], 11 March 2013 by Consultancy Week Team. Retrieved on 19 April 2013</ref>


Research towards the IASME model was undertaken in the UK during 2009-10,<ref>[http://iasme.co.uk/iasmeesearchfindingsnov10.pdf] "Information Assurance and SMEs: Research Findings to inform the development of the IASME model" Retrieved on 27 October 2012</ref> after an acknowledgement that the current international information assurance standard ([[ISO/IEC 27001:2013]]) was complex for resource-strapped SMEs, providing a weakness in the supply chain. IASME was developed during 2010-11. It was launched later that year,<ref>[http://www.bcs.org/content/conBlogPost/1857 BCS Security Blog, 15 April 2011],
Research towards the IASME model was undertaken in the UK during 2009-10,<ref>[http://iasme.co.uk/iasmeesearchfindingsnov10.pdf] "Information Assurance and SMEs: Research Findings to inform the development of the IASME model" Retrieved on 27 October 2012</ref> after an acknowledgement that the current international information assurance standard ([[ISO/IEC 27001:2013|ISO/IEC 27001]]) was complex for resource-strapped SMEs, providing a weakness in the supply chain. IASME was developed during 2010-11 and was launched later that year<ref>[http://www.bcs.org/content/conBlogPost/1857 BCS Security Blog, 15 April 2011],
Retrieved on 14 September 2012</ref> and has been regularly revised to keep pace with changes in the information risk ecosystem. The development process with SMEs was explained in a published international SME conference paper.<ref>[http://eprints.worc.ac.uk/1600/ IASME: Information Security Management Evolution for SMEs] Retrieved on 15 March 2013</ref>
Retrieved on 14 September 2012</ref>. It has been revised regularly to keep pace with changes to the risk environment of SMEs. The development process with SMEs was explained in a published international SME conference paper.<ref>[http://eprints.worc.ac.uk/1600/ IASME: Information Security Management Evolution for SMEs] Retrieved on 15 March 2013</ref>


The IASME standard follows the same implementation pattern used by the international standards community including PDCA (Plan-Do-Check-Act) principles <ref>[http://asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html] "Plan-Do-Check-Act Cycle&nbsp;— The PDCA cycle" Retrieved on 27 October 2012</ref> and the Information Security Management System (ISMS) which provides a management framework. Both are refined and expressed in business terms recognizable by most organisations.
The IASME Governance standard follows the same implementation pattern used by the international standards community including PDCA (Plan-Do-Check-Act) principles <ref>[http://asq.org/learn-about-quality/project-planning-tools/overview/pdca-cycle.html] "Plan-Do-Check-Act Cycle&nbsp;— The PDCA cycle" Retrieved on 27 October 2012</ref> and the Information Security Management System (ISMS) which provides a management framework. Both are refined and expressed in business terms recognizable by most organisations.


The IASME standard was developed and piloted with the help of small businesses mostly in the West Midlands of the UK with encouraging results.<ref>[http://www.fraggleworks.com/news.html?start=5 News&nbsp;— Fraggleworks] Retrieved 27 October 2012</ref><ref>[http://www.defencemanagement.com/article.asp?id=603&content_name=Cyber,%20Intelligence%20and%20Electronic%20Warfare&article=22071] "Securing the Supply Chain", Retrieved 17 March 2013</ref> However, IASME is applicable and useful to any small or medium-sized business, whether in the UK or beyond.<ref>[http://iasme.co.uk/HMGIASMEFINAL.pdf] "Reputation Assured with IASME" Retrieved 27 October 2012</ref> It was designed for, and is particularly useful for, SMEs that make up part of a supply chain. An article explaining the supply chain benefits has been written by its developer, David Booth.<ref>[http://www.nb2bc.co.uk/successful_it_projects/articles/?id=184] "Protecting Information&nbsp;— Your Most Important asset" Retrieved on 27 October 2012</ref> Larger businesses could also use the IASME certification as an alternative to the ISO/IEC 27001 standard.
The IASME Governance standard was developed and piloted with the help of small businesses mostly in the West Midlands of the UK with encouraging results.<ref>[http://www.fraggleworks.com/news.html?start=5 News&nbsp;— Fraggleworks] Retrieved 27 October 2012</ref><ref>[http://www.defencemanagement.com/article.asp?id=603&content_name=Cyber,%20Intelligence%20and%20Electronic%20Warfare&article=22071] "Securing the Supply Chain", Retrieved 17 March 2013</ref> The standard has been shown to be useful to SMEs both in the UK and internationally.<ref>[http://iasme.co.uk/HMGIASMEFINAL.pdf] "Reputation Assured with IASME" Retrieved 27 October 2012</ref>


Large organisations can use the IASME Governance standard in their supply chains to understand and reduce supplier risk. An article explaining the supply chain benefits has been written by its developer, David Booth.<ref>[http://www.nb2bc.co.uk/successful_it_projects/articles/?id=184] "Protecting Information&nbsp;— Your Most Important asset" Retrieved on 27 October 2012</ref> Both large and small organisations can use the IASME certification as an alternative to the ISO/IEC 27001 standard.
'''Usage of the standard'''


=== '''Structure of the standard''' ===
The standard is managed by [http://www.iasme.co.uk/ The IASME Consortium Ltd] who operate a network of around 150 Certification Bodies<ref>{{Cite web|url=https://iasme.co.uk/certification-bodies/|title=Certification Bodies – IASME|website=iasme.co.uk|language=en-US|access-date=2017-03-29}}</ref> who are licensed to certify candidate organisations.
The standard is managed by [http://www.iasme.co.uk/ The IASME Consortium Ltd] who operate a network of around 150 Certification Bodies<ref>{{Cite web|url=https://iasme.co.uk/certification-bodies/|title=Certification Bodies – IASME|last=|first=|date=|website=IASME Consortium|language=en-US|archive-url=|archive-date=|dead-url=|access-date=2017-03-29}}</ref> who are licensed to certify candidate organisations.


The standard is available at two levels of assurance:
* '''Verified Self-assessment''' - candidates complete an online questionnaire with around 150 simple questions about their organisation. This is marked by a Certification Body who awards the certification if all of the answers given are compliant with the standard.
* '''IASME Governance Self-assessment''' - candidates complete an online questionnaire with around 150 simple questions about their organisation. This is marked by a Certification Body who awards the certification if all of the answers given are compliant with the standard.
* '''Audited (IASME Gold)''' - the candidate organisation is visited by an IASME Certification Body who verifies compliance with the standard and, if appropriate, issues certification.
* '''IASME Governance Audited (IASME Gold)''' - the candidate organisation is visited by an IASME Certification Body who verifies compliance with the standard and, if appropriate, issues certification.
In 2017 the standard was updated to include additional questions to help organisations comply with the [[General Data Protection Regulation|General Data Protection Regulations (GDPR)]].


In 2017, the standard was updated to include additional questions to enable organisations to comply with the [[General Data Protection Regulation|General Data Protection Regulations (GDPR)]].
'''Popularity and awards'''


=== Comparison with other standards ===
The IASME standard has become a focus of attention, as the information security threat to UK businesses continues to increase, and vulnerabilities in their systems continue to cause expensive data breaches and system failures. The increasing number of newspaper and journal articles on this subject reflect an increased security awareness, and several are included here.<ref>[http://www.vigilance-securitymagazine.com/industry-news/information-security-and-management/3007--iasme-sutcliffe-partner-to-launch-ground-breaking-cyber-security-accreditation-and-liability-insurance-scheme-for-small-businesses]

Vigilance Security Magazine, 14 February 2013</ref><ref>[http://www.ft.com/cms/s/0/806d7d72-7d16-11e2-adb6-00144feabdc0.html#axzz2Lqz0Uo7E Financial Times, 25 February 2013]</ref> The standard is useful in assisting organisations to comply with data protection legislation.
==== ISO/IEC 27001 ====
IASME Governance is a risk-led standard with a similar set of controls to the [[ISO/IEC 27001]] standard. A document is available from IASME that shows this comparison.

'''NCSC 10 Steps to Cyber Security'''

IASME Governance maps very closely to the UK Government's [[National Cyber Security Centre (United Kingdom)|NCSC]] [https://www.ncsc.gov.uk/guidance/10-steps-cyber-security 10 Steps to Cyber Security]. A mapping between the two standards is available.<ref>{{Cite web|url=https://www.iasme.co.uk/wp-content/uploads/2018/09/10-Steps-Mapping-to-IASME-v1.0.xlsx|title=Mapping between IASME Governance and 10 Steps to Cyber Security|last=|first=|date=|website=IASME Consortium|archive-url=|archive-date=|dead-url=|access-date=}}</ref>

==== Cyber Assessment Framework ====
The [https://www.ncsc.gov.uk/guidance/nis-directive-cyber-assessment-framework Cyber Assessment Framework (CAF)] has been developed by the UK Government to allow organisations to demonstrate their compliance to the [[NIS Directive]]. The IASME Governance Standard maps closely to the CAF<ref>{{Cite web|url=https://www.iasme.co.uk/wp-content/uploads/2018/09/CAF-Mapping-to-IASME-v1.0.xlsx|title=Mapping between IASME Governance and the CAF / NIS Directice|last=|first=|date=|website=IASME Consortium|archive-url=|archive-date=|dead-url=|access-date=}}</ref>.

=== '''Usage of the standard''' ===
The IASME standard has become a focus of attention, as the information security threat to UK businesses continues to increase, and vulnerabilities in their systems continue to cause expensive data breaches and system failures. The increasing number of newspaper and journal articles on this subject reflect an increased security awareness.<ref>[http://www.vigilance-securitymagazine.com/industry-news/information-security-and-management/3007--iasme-sutcliffe-partner-to-launch-ground-breaking-cyber-security-accreditation-and-liability-insurance-scheme-for-small-businesses]
Vigilance Security Magazine, 14 February 2013</ref><ref>[http://www.ft.com/cms/s/0/806d7d72-7d16-11e2-adb6-00144feabdc0.html#axzz2Lqz0Uo7E Financial Times, 25 February 2013]</ref>


IASME was specifically mentioned in a keynote speech at the Infosec Europe 2013 event held in London<ref>[https://www.gov.uk/government/speeches/chloe-smith-keynote-speech-at-infosec-2013 Cabinet Office, 23 April 2013]</ref> and received an innovation award from Computer Weekly Europe shortly afterwards.<ref>[http://www.computerweekly.com/news/2240183137/Computer-Weekly-European-User-Awards-for-Security-Winners]</ref>

It is recognised by the [[States of Jersey]] as a suitable security standard for the government supply chain.<ref>{{Cite web|url=https://www.gov.je/Government/PublicSectorReform/eGovernment/Pages/SecurityStandards.aspx|title=Security standards|last=Jersey|first=States of|website=www.gov.je|language=en|access-date=2018-10-01}}</ref>


==See also==
* [[Cyber Essentials]]
*[[ISO/IEC 27001]]
*[[General Data Protection Regulation|GDPR]]
*[[NIS Directive]]


== References ==
== External links ==


*The IASME Governance self-assessed question set - https://www.iasme.co.uk/cyberessentials/basic-level-cyber-essentials/free-download-of-self-assessment-questions/
*More about The IASME Process and Standard at http://iasme.co.uk.
*The IASME Governance standard - https://www.iasme.co.uk/the-iasme-standard/free-download-of-iasme-standard/
*Research on the need for IASME at http://staffweb.worc.ac.uk/hensonr/iasmeesearchfindingsnov10.pdf
*Research on IASME development at http://eprints.worc.ac.uk/1600/
*Research on the need for IASME - http://staffweb.worc.ac.uk/hensonr/iasmeesearchfindingsnov10.pdf
*Research on IASME development - http://eprints.worc.ac.uk/1600/
*Webinar: "Are you or have you ever been a vulnerability to your customers" at https://connect.innovateuk.org/web/iasme-webinar
*Webinar: "Are you or have you ever been a vulnerability to your customers" - https://connect.innovateuk.org/web/iasme-webinar




[[Category:Articles created via the Article Wizard]]
[[Category:Information Assurance]]
[[Category:Business models]]
[[Category:Cyber Security]]
[[Category:Companies in Worcestershire]]
__FORCETOC__
__INDEX__

Revision as of 09:53, 1 October 2018


IASME Governance is an Information Assurance standard that is designed to be simple and affordable to help improve the cyber security of Small and medium-sized enterprises (SMEs).

The IASME Governance controls are aligned with the Cyber Essentials scheme and certification to the IASME standard usually includes certification to Cyber Essentials. The standard was developed in 2010 and has proven to be very effective at improving the security of supply chains for large organisations.

Background

IASME Governance was originally developed as an academic-SME partnership that attracted a lot of interest from government and small businesses[1]

Research towards the IASME model was undertaken in the UK during 2009-10,[2] after an acknowledgement that the current international information assurance standard (ISO/IEC 27001) was complex for resource-strapped SMEs, providing a weakness in the supply chain. IASME was developed during 2010-11 and was launched later that year[3]. It has been revised regularly to keep pace with changes to the risk environment of SMEs. The development process with SMEs was explained in a published international SME conference paper.[4]

The IASME Governance standard follows the same implementation pattern used by the international standards community including PDCA (Plan-Do-Check-Act) principles [5] and the Information Security Management System (ISMS) which provides a management framework. Both are refined and expressed in business terms recognizable by most organisations.

The IASME Governance standard was developed and piloted with the help of small businesses mostly in the West Midlands of the UK with encouraging results.[6][7] The standard has been shown to be useful to SMEs both in the UK and internationally.[8]

Large organisations can use the IASME Governance standard in their supply chains to understand and reduce supplier risk. An article explaining the supply chain benefits has been written by its developer, David Booth.[9] Both large and small organisations can use the IASME certification as an alternative to the ISO/IEC 27001 standard.

Structure of the standard

The standard is managed by The IASME Consortium Ltd who operate a network of around 150 Certification Bodies[10] who are licensed to certify candidate organisations.

The standard is available at two levels of assurance:

  • IASME Governance Self-assessment - candidates complete an online questionnaire with around 150 simple questions about their organisation. This is marked by a Certification Body who awards the certification if all of the answers given are compliant with the standard.
  • IASME Governance Audited (IASME Gold) - the candidate organisation is visited by an IASME Certification Body who verifies compliance with the standard and, if appropriate, issues certification.

In 2017, the standard was updated to include additional questions to enable organisations to comply with the General Data Protection Regulations (GDPR).

Comparison with other standards

ISO/IEC 27001

IASME Governance is a risk-led standard with a similar set of controls to the ISO/IEC 27001 standard. A document is available from IASME that shows this comparison.

NCSC 10 Steps to Cyber Security

IASME Governance maps very closely to the UK Government's NCSC 10 Steps to Cyber Security. A mapping between the two standards is available.[11]

Cyber Assessment Framework

The Cyber Assessment Framework (CAF) has been developed by the UK Government to allow organisations to demonstrate their compliance to the NIS Directive. The IASME Governance Standard maps closely to the CAF[12].

Usage of the standard

The IASME standard has become a focus of attention, as the information security threat to UK businesses continues to increase, and vulnerabilities in their systems continue to cause expensive data breaches and system failures. The increasing number of newspaper and journal articles on this subject reflect an increased security awareness.[13][14]

IASME was specifically mentioned in a keynote speech at the Infosec Europe 2013 event held in London[15] and received an innovation award from Computer Weekly Europe shortly afterwards.[16]

It is recognised by the States of Jersey as a suitable security standard for the government supply chain.[17]

See also

References

  1. ^ BIS call for interest: IASME, 11 March 2013 by Consultancy Week Team. Retrieved on 19 April 2013
  2. ^ [1] "Information Assurance and SMEs: Research Findings to inform the development of the IASME model" Retrieved on 27 October 2012
  3. ^ BCS Security Blog, 15 April 2011, Retrieved on 14 September 2012
  4. ^ IASME: Information Security Management Evolution for SMEs Retrieved on 15 March 2013
  5. ^ [2] "Plan-Do-Check-Act Cycle — The PDCA cycle" Retrieved on 27 October 2012
  6. ^ News — Fraggleworks Retrieved 27 October 2012
  7. ^ [3] "Securing the Supply Chain", Retrieved 17 March 2013
  8. ^ [4] "Reputation Assured with IASME" Retrieved 27 October 2012
  9. ^ [5] "Protecting Information — Your Most Important asset" Retrieved on 27 October 2012
  10. ^ "Certification Bodies – IASME". IASME Consortium. Retrieved 29 March 2017.
  11. ^ "Mapping between IASME Governance and 10 Steps to Cyber Security". IASME Consortium.
  12. ^ "Mapping between IASME Governance and the CAF / NIS Directice". IASME Consortium.
  13. ^ [6] Vigilance Security Magazine, 14 February 2013
  14. ^ Financial Times, 25 February 2013
  15. ^ Cabinet Office, 23 April 2013
  16. ^ [7]
  17. ^ Jersey, States of. "Security standards". www.gov.je. Retrieved 1 October 2018.