Background
IASME Governance was originally developed as an academic-SME partnership that attracted a lot of interest from government and small businesses. Research towards the IASME model was undertaken in the UK during 2009–10, after an acknowledgement that the current international information assurance standard (ISO/IEC 27001) was too complex for resource-strapped SMEs, which left a weakness in the supply chain. IASME was developed during 2010–11 and was launched later that year. It has been revised regularly to keep pace with changes to the risk environment of SMEs. The development process with SMEs was explained in a published international SME conference paper. The IASME Governance standard follows the same implementation pattern used by the international standards community, including PDCA (Plan-Do-Check-Act) principles and the Information Security Management System (ISMS), which provides a management framework. Both are refined and expressed in business terms recognisable by organisations of all sizes. The IASME Governance standard was developed and piloted with the help of small businesses, mostly in the West Midlands of the UK, with encouraging results. The standard has been shown to be useful to SMEs both in the UK and internationally. Large organisations can use the IASME Governance standard in their supply chains to understand and reduce supplier risk. An article explaining the supply chain benefits has been written by its developer, David Booth. Both large and small organisations can use the IASME certification as an alternative to the ISO/IEC 27001 standard.

Structure of the standard
The standard is managed b

Topics covered by the standard
The IASME Governance standard covers the following information security topics:

* Managing Security
* Information Assets
* Cloud Services
* Risk Management
* Data Protection (including GDPR)
* People
* Security Policy
* Physical and Environmental
* Firewalls and Internet Gateways
* Secure Configuration
* Patches and Updates
* Operations and Management
* User Accounts
* Administrative Access
* Malware Protection
* Vulnerability Scanning
* Monitoring
* Backup and Restore
* Incident Management
* Business Continuity

Comparison with other standards
ISO/IEC 27001/2
IASME Governance is a risk-led standard with a similar set of controls to Annex A of the ISO/IEC 27001 standard.

NCSC 10 Steps to Cyber Security
IASME Governance maps very closely to the UK Government's NCSC 10 Steps to Cyber Security. A mapping between the two standards is available.

Cyber Assessment Framework
The Cyber Assessment Framework (CAF) has been developed by the UK Government to allow organisations to demonstrate their compliance with the NIS Directive. The IASME Governance Standard maps closely to the CAF.

NHS Digital Data Security and Protection Toolkit
The NHS Digital Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards. IASME Governance maps closely to the toolkit for the majority of topics.

Usage of the standard and awards
The IASME standard has become a focus of attention as the information security threat to UK businesses continues to increase, and vulnerabilities in their systems continue to cause expensive data breaches and system failures. The increasing number of newspaper and journal articles on this subject reflects an increased security awareness. It is recognised by the

External links
* The IASME Governance self-assessed question set (free to download)