The IASME Governance standard was developed over several years during a government-funded project to create a cyber security standard that would be an affordable and achievable alternative to the international standard, ISO 27001.
What is IASME Governance?
The IASME Governance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost and indicates that they are taking good steps to properly protect their customers' information.
The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements, and is available either as a verified self-assessment or as an on-site audit.
Audited IASME Governance (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation. It offers a similar level of assurance to the internationally recognised ISO 27001 standard but is simpler and often cheaper for small and medium-sized organisations to implement.
The standard includes all five Cyber Essentials technical topics and adds further topics that mostly relate to people and processes, for example:
- Risk assessment and management
- Training and managing people
- Change management
- Incident response and business continuity
By gaining the Audited IASME Governance certificate your organisation achieves IASME's highest level of certification and provides assurance to customers and suppliers that your organisation's security has been audited by a skilled, independent third party.
How is the assessment carried out?
In order to achieve the Audited IASME Governance standard, you must first pass the IASME Governance self-assessment.
On completion we will then discuss with you the scope of the assessment and arrange a mutually convenient time to visit your organisation's head office to carry out an audit of your policies and processes. This audit usually involves interviews with members of staff and a review of documentation and system configuration. It does not involve a technical assessment unless you are being assessed for Cyber Essentials PLUS at the same time, although it may be helpful to have technical staff available to provide the assessor with evidence of your system configuration. The assessor may also wish to visit branch offices or other locations in order to satisfy themselves that your good security practice is reflected across the organisation.
Once the audit has been completed, North Star Cyber Security will provide you with a written report of their findings and a recommendation of a pass or fail, which will then be ratified by IASME.
If you have passed the assessment, you will then be awarded a certificate and be authorised to display the Audited IASME Governance logo in association with your business (for example on your website, in correspondence and in marketing materials).
The audited certification is renewed at the end of years 1 and 2 simply by renewing the online IASME Governance self-assessment. At the end of year 3 a full audit, as described above, is required again to renew the certification.
Where is the Audited IASME Governance standard used?
The procurement teams of many large companies will accept the Audited IASME Governance standard as independent confirmation of good information and cyber security practice. This is extremely useful when trying to win tenders and renew contracts, particularly where supplier requirements mention ISO 27001.
For example, the Government of Jersey is one organisation that has specified the IASME Governance Standard within its security standards document.