The IASME Standard and SMEs

Continuing on from my post about Reaping the rewards of being a Cyber Essentials certified company, I thought it was time to talk about the next level of securing SMEs through industry standards, in this case the IASME standard, which is available within the UK.

The IASME standard has been developed over a number of years and was formed during a Technology Strategy Board funded project to create an achievable cyber security standard for small companies. It is designed to fall along the same lines as ISO 27001 but to be manageable for smaller companies. The standard comes in two flavours: the standard self-assessment and the Gold audited version, also known as the IASME Gold standard. Achieving either of these accreditations demonstrates to a customer or supplier that the company in question follows cyber security best practices and is, for the most part, in compliance with the ISO 27001 standard.

IASME also allows you to download a free copy of the standard, which is available here: https://www.iasme.co.uk/the-iasme-standard/free-download-of-iasme-standard

Differences between Cyber Essentials and IASME?

The differences between Cyber Essentials and IASME are fairly easy to see once you get down into the detail.

The Cyber Essentials accreditation can be thought of as a low-cost, basic IT security health check: the business in question is doing the bare minimum to ensure that its systems are secured against malicious attacks.

The IASME standard accreditation is better described as a standards-oriented approach, leaning towards ensuring that the business has all the standards and policies in place to secure itself over time, but without all the pain and effort involved with ISO/IEC 27001.

Both accreditations have their basic/standard as well as their higher accreditations – Cyber Essentials Plus and IASME Gold, which both involve onsite auditing and vulnerability assessments of IT infrastructure.

Both of these accreditations can be completed online through a specialised portal and then assessed. If the assessor requires more information, you will be asked to provide details or comment on various sections as and where needed.

Cyber Insurance Cover

A great thing about going down the IASME route as a small business is that, if you take either the Cyber Essentials or the IASME standard accreditation, you are automatically entitled to some cyber insurance cover, free of charge. More information on this can be found here: https://www.iasme.co.uk/cyber-essentials-scheme/automatic-insurance-cover

Differences between IASME and ISO 27001

The table below shows how the IASME standard falls in line with ISO 27001.

[Table image not available: IASME standard mapped against ISO 27001]

Benefits of IASME

The benefit of using the IASME standard is that it provides a standard that falls in line with ISO 27001 at a realistic cost, and allows you to demonstrate to your suppliers and customers that you take cyber security seriously. Although people look for ISO 27001 accreditation when dealing with security matters, achieving it can be daunting for any small or medium business, not to mention that it could take months. Going with IASME allows the business to demonstrate that it is doing everything in its power to protect its assets (as well as its customers') at a fraction of the cost and time.

An additional benefit is that if you go through IASME for your Cyber Essentials accreditation, you can take the IASME accreditation at the same time; all that changes is that your self-assessment questionnaire is longer and more detailed.

You can find out more about IASME at: IASME standard.

Is it worth going for?

I think that this is certainly a worthwhile accreditation to go for. If your business is going to take cyber security seriously and wants to assure your customers and suppliers that you are doing everything in your power, then this is an ideal accreditation to go for. Not only is it less heartache to obtain, but it is also cheaper and doesn't require as much specialised help as ISO 27001 does.

I hope that you find this post useful. If you have any questions, please don't hesitate to get in touch.
