Feature

Securing the Supply Chain

The refreshed IASME Cyber Assurance standard offers SMEs a comprehensive risk-based framework to demonstrate their security and compete for business

The Government’s Procurement Bill 2022 is passing through the parliamentary process and is due to come into law next year. It seeks to reform the UK’s public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses, and voluntary, charitable and social enterprises, by enabling them to compete for public contracts.

Over 95 per cent of all organisations in the UK are SMEs, many of which are among the most innovative organisations in their sector. The new Procurement Bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations for business.

Supply chain
Most organisations rely on suppliers to deliver products, systems and services. In the context of cyber security, a supply chain includes hardware and software, cloud or local storage, and distribution mechanisms. Even if an organisation has strong cyber security basics in place, cyber criminals will try to find their way into its systems through the weakest link in the chain. That link could be a third party such as a contractor, or any supplier with security vulnerabilities.

Oversights can include failing to fully or correctly configure cloud service accounts, or key staff members being inadequately trained on their responsibilities. Many companies have remote workers using personally owned devices (BYOD) to interact with company data, yet may not have consistent and strictly enforced security controls and policies in place. Any business with weaknesses in its cyber security presents a risk not only to itself and its customers, but to the whole supply chain that does business with it.

Unaddressed risks can become supply chain threats such as ransomware attacks, security breaches, malware infection, process disruptions, intellectual property theft and non-compliance with regulatory security standards.

A series of high-profile, very damaging attacks on companies has demonstrated that attackers have both the intent and the ability to exploit weaknesses in supply chain security. Business-to-business assurance is now vital to winning new business within a supply chain, and more and more contracts mandate minimum cyber security standards.

Security standards
UK businesses are increasingly setting minimum security standards for their suppliers. A security review process is now common when bidding for new business: a prospective supplier will be asked whether it holds an accreditation through a recognised scheme, or to fill out a security questionnaire so that potential risks can be understood.

To simplify this process, many contracts simply mandate a recognised security certification such as ISO 27001, the international standard for information security management. Yet for small businesses, ISO 27001 can be difficult to achieve, not because they lack the governance, but because of the cost and the extra staffing it requires. A flexible and more affordable alternative is gaining prominence and recognition.

The IASME Governance standard was compiled in 2010, originally with the support of the Technology Strategy Board (now Innovate UK), and was the basis for the creation of the IASME Consortium, founded in 2012. It was designed by SMEs for SMEs to provide a comprehensive, flexible and affordable cyber security standard that was neither too prescriptive nor too simple. The IASME Governance certification provided assurance that an organisation had put in place a range of important cyber security, privacy and data protection measures, and offered smaller companies within a supply chain a ‘right-sized’ way to show their level of information security for a realistic cost.

This year, the standard has been refreshed and rebranded and is now called the IASME Cyber Assurance Standard. The new version (6) builds on the solid foundations of the original IASME Governance standard. It includes changes to reflect the move that many businesses have made from on-premises infrastructure to the cloud, as well as changes to business practices such as working from home and the increased use of mobile and personally owned devices.

Certification
The IASME Cyber Assurance certification is available in two levels: Level 1 (verified assessment) and Level 2 (audited).

For Level 1 – verified assessment, an organisation answers around 160 questions about its own security through a secure portal. The responses are marked by a Certification Body, which returns a pass or fail to the organisation.

For Level 2 – audited, an independent Assessor conducts an on-site audit of the controls, processes and procedures covered by the IASME Cyber Assurance standard. The audited level gives a higher degree of assurance, because the controls are verified by the Assessor rather than declared by the organisation, and is also pass or fail.

A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies; examples are the Ministry of Justice and the Government of Jersey. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain, as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.

Samantha Alexander, Certification Manager, heads up the Cyber Assurance scheme at IASME. Sam brings a wealth of experience in leading and developing information assurance schemes and has worked closely with membership organisations. She says, “IASME Cyber Assurance is a well-established and unique certification scheme starting to play a key role in securing supply chains in the UK and abroad”.

The IASME Cyber Assurance standard covers all the important cyber and information security measures, key resilience strategies and data protection methods. As far as we know, the IASME Cyber Assurance standard is still the only cyber security certification scheme which has been specifically designed to be affordable and achievable for small organisations.

Going through a recognised scheme is an easy way to benchmark the security posture of your organisation and reassure other businesses as well as customers carrying out due diligence. By providing an up-to-date IASME Cyber Assurance certificate, an organisation can show that its controls have been assessed against a detailed and relevant framework and, at the audited level, that they have been independently verified on site by security experts.
