IASME

IASME is an information assurance standard managed by The IASME Consortium that is particularly suitable for small and medium-sized enterprises (SMEs).

It was originally developed as an academic-SME partnership and has attracted interest among decision-makers within the UK small business community.[1] IASME controls are aligned with the Cyber Essentials scheme, and certification to the IASME standard usually includes certification to Cyber Essentials.

Background

Research towards the IASME model was undertaken in the UK during 2009-10,[2] after an acknowledgement that the current international information assurance standard (ISO/IEC 27001:2013) was complex for resource-strapped SMEs, creating a weakness in the supply chain. IASME was developed during 2010-11. It was launched later that year,[3] and has been regularly revised to keep pace with changes in the information risk ecosystem. The development process with SMEs was explained in a published international SME conference paper.[4]

The IASME standard follows the same implementation pattern used by the international standards community, including PDCA (Plan-Do-Check-Act) principles[5] and the Information Security Management System (ISMS), which provides a management framework. Both are refined and expressed in business terms recognizable by most organisations.

The IASME standard was developed and piloted with the help of small businesses, mostly in the West Midlands of the UK, with encouraging results.[6][7] However, IASME is applicable and useful to any small or medium-sized business, whether in the UK or beyond.[8] It was designed for and is particularly useful for SMEs that make up part of a supply chain. An article explaining the supply chain benefits has been written by its developer, David Booth.[9] Larger businesses could also use the IASME certification as an alternative to the ISO/IEC 27001 standard.

Usage of the standard

The standard is managed by The IASME Consortium Ltd who operate a network of around 80 Certification Bodies[10] who are licensed to certify candidate organisations.

The standard is available at two levels of assurance:

In 2017 the standard was updated to include additional questions to help organisations comply with the General Data Protection Regulation (GDPR). These questions are currently optional.

Popularity and awards

The IASME standard has become a focus of attention as the information security threat to UK businesses continues to increase and vulnerabilities in their systems continue to cause expensive data breaches and system failures. The increasing number of newspaper and journal articles on this subject reflects an increased security awareness, and several are included here.[11][12] The standard is useful in assisting organisations to comply with data protection legislation.

IASME was specifically mentioned in a keynote speech at the Infosec Europe 2013 event held in London[13] and received an innovation award from Computer Weekly Europe shortly afterwards.[14]

References

  1. BIS call for interest: IASME, 11 March 2013, by Consultancy Week Team. Retrieved 19 April 2013.
  2. "Information Assurance and SMEs: Research Findings to inform the development of the IASME model". Retrieved 27 October 2012.
  3. BCS Security Blog, 15 April 2011. Retrieved 14 September 2012.
  4. "IASME: Information Security Management Evolution for SMEs". Retrieved 15 March 2013.
  5. "Plan-Do-Check-Act Cycle — The PDCA cycle". Retrieved 27 October 2012.
  6. "News — Fraggleworks". Retrieved 27 October 2012.
  7. "Securing the Supply Chain". Retrieved 17 March 2013.
  8. "Reputation Assured with IASME". Retrieved 27 October 2012.
  9. "Protecting Information — Your Most Important asset". Retrieved 27 October 2012.
  10. "Certification Bodies – IASME". iasme.co.uk. Retrieved 29 March 2017.
  11. Vigilance Security Magazine, 14 February 2013.
  12. Financial Times, 25 February 2013.
  13. Cabinet Office, 23 April 2013.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.