
CYBER SECURITY


The refreshed IASME Cyber Assurance standard offers SMEs a comprehensive risk-based framework to demonstrate their security and compete for business

SECURING THE SUPPLY CHAIN

The Government’s Procurement Bill 2022 is passing through the parliamentary process and is due to come into law next year. It seeks to reform the UK’s public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses, and voluntary, charitable and social enterprises, by enabling them to compete for public contracts.

Over 95 per cent of all organisations in the UK are SMEs, many of which are the most innovative organisations in their sector. The new procurement bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations for business.

SUPPLY CHAIN

Most organisations rely on suppliers to deliver products, systems and services. In the context of cyber security, a supply chain includes hardware and software, cloud or local storage, and distribution mechanisms. Even if an organisation has strong cyber security basics in place, cyber criminals will try to find their way into a system through the weakest link in the chain. This could be via a third party such as a contractor, or any supplier with security vulnerabilities.

Oversights can include failing to fully or correctly configure cloud service accounts, or key staff members being inadequately trained on their responsibilities. Most companies have remote workers using BYOD and interacting with company data, yet may not have consistent and strict security controls and policies in place. Any business that has weaknesses in its cyber security can present a cyber risk not only to itself and its customers, but to the whole supply chain that does business with it. Unaddressed risks can become supply chain threats such as ransomware attacks, security breaches, malware infection, process disruptions, intellectual property theft, and non-compliance with regulatory security standards. A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and the ability to exploit vulnerabilities in supply chain security. Business to business assurance is now vital to winning new business within a supply chain, and more and more contracts are mandating cyber security.

SECURITY STANDARDS

UK businesses are increasingly setting minimum security standards for their suppliers. A security review process is not uncommon when bidding for new business: a prospective supplier will be asked whether it holds an accreditation through a recognised scheme, or to fill out a security questionnaire so that potential risks can be understood.

To simplify this process, many contracts simply mandate a recognised security certification such as the international standard, ISO 27001. Yet for small businesses, ISO 27001 can be difficult to achieve, not because they don’t have the governance in place, but because of the cost and extra staffing requirements. A flexible and more affordable alternative is gaining prominence and recognition.

The IASME Governance standard was compiled back in 2010, originally with the support of the Technology Strategy Board (now Innovate UK) and was the basis for the creation of the IASME Consortium organisation founded in 2012. It was designed by SMEs for SMEs to provide a comprehensive, flexible and affordable cyber security standard that was neither too prescriptive nor too simple. The IASME Governance certification provided assurance that an organisation had put in place a range of important cyber security, privacy and data protection measures and offered smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost.

This year, the standard has been refreshed and rebranded and is now called the IASME Cyber Assurance Standard. The new version (6) of the IASME Cyber Assurance Standard has been updated to build upon the solid foundations of the original IASME Governance standard. It includes relevant changes to reflect the move that many businesses have made from on-premise infrastructure to the cloud, as well as changes to business practices such as working from home and the increased use of mobile and personally owned devices.

A SECURITY REVIEW PROCESS IS NOT UNCOMMON WHEN BIDDING FOR NEW BUSINESS

CERTIFICATION

The IASME Cyber Assurance certification is available in two levels – verified assessment and audited.

For Level 1 – verified assessment, organisations access a secure portal to answer around 160 questions about their security. The assessment is marked by a Certification Body and a pass or fail is returned to the organisation.

For Level 2 – audited, an independent Assessor conducts an on-site audit of the controls, processes and procedures covered in the IASME Cyber Assurance standard. The audited version gives a higher level of assurance and is pass or fail. A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies; examples are the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain, as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance. Certification manager Samantha Alexander heads up the Cyber Assurance scheme at IASME. Sam brings a wealth of experience in leading and developing information assurance schemes and has worked closely with membership organisations. She says, “IASME Cyber Assurance is a well-established and unique certification scheme starting to play a key role in securing supply chains in the UK and abroad”.

The IASME Cyber Assurance standard covers all the important cyber and information security measures, key resilience strategies and data protection methods. As far as we know, the IASME Cyber Assurance standard is still the only cyber security certification scheme which has been specifically designed to be affordable and achievable for small organisations.

Going through a recognised scheme is an easy way to benchmark the security posture of your organisation and reassure other businesses as well as customers. IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance when responding to contracts where due diligence is being carried out. By providing an up-to-date IASME Cyber Assurance certificate, an organisation can give assurance that it has been audited by security experts using a detailed and relevant framework.

FURTHER INFORMATION

You can view the IASME Cyber Assurance Standard and Question Set on the IASME website.

If you would like any more information or to discuss the standard, please email us at info@iasme.co.uk.

Cyber and Information Security experts IASME are collaborating with Secured by Design, the official police security initiative, on its new Secure Connected Device accreditation.

SECURE CONNECTED DEVICE ACCREDITATION

SMART BUT NOT NECESSARILY SECURE

Besides computers, tablets and mobile phones, many other objects connect to the internet. Bike locks, storage cupboards, security cameras and lights are examples of ‘connected’ or ‘smart’ devices, which are collectively known as the ‘Internet of Things’ (IoT). They enable the user to control their functions remotely, usually using a mobile phone app.

If a smart device can be accessed by the user online, there is also the possibility that other people may be able to access it, which raises both security and privacy concerns. Insecure devices can provide an access point for criminals on the internet to steal personal data, access microphones or cameras or hijack a device for ulterior motives. It is therefore important to ensure that all IoT products have the right security in place to protect consumers from becoming victims of cyber crime.

POLICE CRIME PREVENTION INITIATIVES

Secured by Design is the most well-known of the Police Crime Prevention Initiatives (Police CPI) portfolio. Secured by Design (SBD) operates an accreditation scheme on behalf of the UK Police Service to show that products or services have met recognised security standards. These products or services – which must be capable of deterring or preventing crime – are described as having achieved ‘Police Preferred Specification’.

There are currently many hundreds of companies who produce thousands of individual attack-resistant crime-prevention products that have met the exacting Police Preferred Specification. This includes doors, windows, external storage, bicycle and motorcycle security, locks and hardware, asset marking, alarms, CCTV, safes, perimeter security products and many others. SBD is the only way for companies to obtain police recognition for security-related products in the UK.

This year, SBD launched a Secure Connected Device accreditation for companies providing internet connected products. SBD’s IoT Device assessment framework identifies the level of risk associated with an IoT device and its ecosystem, working closely with certifying bodies who assess IoT products and services against the worldwide standard, ETSI EN 303 645. SBD is then able to provide recommendations on the appropriate certification routes.

CYBER SECURITY FOR IOT

IASME helps businesses improve their cyber security, counter fraud and risk management through an effective and accessible range of certifications. The IASME IoT Cyber Assurance certification scheme gives manufacturers and people responsible for purchasing connected products a way to show due diligence in the selection of secure products.

IASME have been working in partnership with SBD to contribute to the Secure Connected Device accreditation. IASME’s IoT Cyber Assurance level 2 scheme certifies internet connected devices against the most important cyber security controls and makes up an essential part of the framework for the accreditation. The IASME IoT Cyber Assurance scheme aligns with all 13 provisions of ETSI EN 303 645, the worldwide standard in IoT cyber security, and with the imminent UK IoT security legislation and guidance. It is also mapped to the IoTSF Security Compliance Framework. The Level 2 scheme includes a hands-on audit of the device and provides the assurance of third-party testing and independent certification. The audit is managed by an Assessor, skilled in IoT cyber security, from one of IASME’s network of Certification Bodies. The scope of the certification includes the IoT device and any associated hub, app and cloud service the device relies upon to operate. The scheme is accessible to micro and small manufacturers, as well as to larger organisations.

RAISING THE BAR IN THE INDUSTRY

While certifying connected devices through the IoT Cyber Assurance scheme, IASME has worked with numerous manufacturers, many of whom are innovators in their field. They often express a desire to work together to raise the bar in the industry, and hope that increased security will raise confidence in the market that it is safe to work with wireless systems. They say they found it useful to share the feedback given to them by the scheme Assessors with their customers, as it helped demonstrate what they were doing. Many commented that external certification served to reassure clients that they had a secure system that has been audited by a third party.

Once a product has been certified to IASME IoT Cyber Assurance level 2 and has met the physical security requirements of SBD, the company can apply to become an SBD member. The product will receive the SBD Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certifications. SBD’s IoT Technical Officer, Michelle Kradolfer, emphasised the importance of proving the security of IoT devices: “with the rise in IoT and smart devices being sold in the UK market, it’s important for companies to ensure that their IoT products are built as securely as possible and an integral part of doing so is getting their IoT products appropriately assessed and accredited”.

She goes on to say, “By obtaining our Secure Connected Device accreditation and undergoing a testing and certification process, companies are sending a clear message on the importance of IoT security for their products, which will make them stand out from the crowd and inspire confidence from their consumers.”

Dr Emma Philpott MBE, CEO of IASME, welcomes the partnership with SBD and the integration of the scheme as part of a widespread and comprehensive accreditation. She says, “IASME has developed the IoT Cyber Assurance scheme to provide an opportunity for manufacturers to improve the security of their internet-connected devices and to show they are compliant with best-practice security. The technical controls required for certification guard against the exploitation of common IoT cyber security vulnerabilities. Certification is a vital tool in enabling organisations to verify the security of connected devices in their own supply chain.”

THE SCOPE OF THE CERTIFICATION INCLUDES THE IOT DEVICE AND ANY ASSOCIATED HUB, APP AND CLOUD SERVICE THE DEVICE RELIES UPON TO OPERATE

FURTHER INFORMATION

If you would like more information regarding the IASME IoT Cyber Assurance certification, please contact info@iasme.co.uk.
