...
Date issued: | Author: | Description:
First Introduction | |
Date: | Conducted by: | Link to IA: |
Certification Body Security Requirements
...
Revisions:
...
Date: | Author: | Description:
1. Introduction
IASME are committed to achieving a consistently high standard across the companies and systems that assess and certify IASME Cyber Baseline compliance.
This document sets out the security requirements for all Certification Bodies (CBs) delivering IASME Cyber Baseline.
These requirements are in addition to the CB achieving the security certifications detailed in the Certification Body Criteria.
2. Security Principles
All CBs must, at minimum, meet the following 10 security principles, which are directly linked to the UK NCSC 10 Steps to Cyber Security guidance. Achievement of the IASME Cyber Assurance standard or ISO 27001 for the whole organisation will usually be sufficient to demonstrate achievement of these principles.
2.1 Risk Management
The CB must carry out regular (at least annual) risk assessments that are linked to the company's information assets. The CB must embed a risk management regime across the organisation, supported by the board and senior managers.
2.2 Secure Configuration
The CB shall install all high-risk and critical patches for application software and operating systems within 14 days of the patch being released.
The CB must maintain an accurate record of business information assets, including their ownership and disposal. Each information asset (hardware or data) shall have a named custodian who is responsible for the information security of that asset. When hardware is no longer required by the business, all data shall be securely wiped from it using an industry-standard tool.
Where possible, the CB shall identify particularly valuable or sensitive information assets through the use of data classification.
In order to minimise loss of, or damage to, assets, equipment shall be physically protected from threats and environmental hazards. Physical security accreditation should be applied where necessary.
Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data.
2.3 Network Security
CBs shall have firewalls at the boundaries of all networks and shall ensure that firewalls are managed properly, including ensuring that only necessary ports are opened and that firewall management interfaces are appropriately protected.
2.4 Managing user privileges
Access to information shall be based on the principle of “least privilege” and restricted to authorised users who have a business need to access the information.
2.5 User Education and Awareness
Information security awareness training shall be included in the staff induction process and shall be carried out on an ongoing basis for all staff.
An ongoing awareness programme shall be carried out to ensure that staff awareness of information security is maintained and updated as necessary.
The CB shall maintain and regularly review (at least annually) a security policy that sets out the rules governing the secure management of CB information assets and, in particular, IASME Cyber Baseline data. This policy should apply to all information/data, information systems, networks, applications, locations and staff of the CB, or supplied under contract to it.
2.6 Incident management
The CB shall establish an incident management capability including incident management plans.
If required as a result of an incident, data must be isolated to facilitate forensic examination. Information security incidents shall be recorded in a Security Incident Log and investigated to establish their cause and impact, with a view to avoiding similar events. The organisation shall ensure that incident management plans are produced for all mission-critical information, applications, systems and networks.
IASME must be notified immediately about security incidents that affect (or are likely to affect) IASME Cyber Baseline data. The CB shall in the first instance contact IASME's CEO, CTO or COO using the main telephone number (03300 882752) or the relevant mobile numbers. If the CB is unable to contact IASME by this method, the CB must attempt to contact IASME using all other reasonable methods.
The CB must provide sufficient resource and cooperation to support IASME’s investigation of any security incidents relating to the CB.
2.7 Malware prevention
The CB shall have malware protection in place across all devices (servers, laptops, desktops, phones and tablets) in accordance with the IASME Cyber Baseline anti-malware requirements.
2.8 Monitoring
The CB shall regularly review the access logs and alerting provided by all hardware firewalls, servers, anti-virus solutions and, where possible, all cloud-based services containing sensitive data.
The CB shall have a yearly vulnerability scan carried out by an external body. The CB shall act on the recommendations of the external body following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities.
2.9 Removable media controls
The CB shall control all access to removable media and limit media types and usage to only those required for the business.
2.10 Mobile and Home Working
The CB shall provide guidance and train staff on mobile working. All data must be protected at rest and in transit.
3. Additional security requirements
3.1 Data Storage
All IASME Cyber Baseline data must be stored in accordance with the relevant data protection and privacy legislation. This must be agreed with the client prior to work commencing.
3.2 Supply Chain
All suppliers and contractors to the Certification Body should attain the IASME Cyber Baseline certificate unless agreed with IASME.
3.3 Data Retention
The CB shall only retain data relating to the IASME Cyber Baseline scheme for the following timeframes:
IASME Cyber Baseline Level 1 feedback report: 18 months from the final report being generated (pass or fail);
IASME Cyber Baseline Level 2 assessment report: 18 months from the final report being generated (pass or fail);
Declarations and Branding agreements: 18 months from the final report being generated (pass or fail).
Data within the Pervade Assessment Platform will be subject to these timeframes automatically.
Data held by the CB outside the Pervade Assessment Platform shall be securely deleted using an industry-standard tool according to the timeframes above.
A set of anonymised data to assist with research and analysis of the scheme will be taken automatically from every assessment at the time of the final report and stored in a separate research database. The timeframes for retention of this data will be decided by IASME.
3.4 Social Media
The Certification Body shall have a social media policy which is shared with all staff. Through this policy the Certification Body must aim to prevent social media posts from staff or contractors which may bring the IASME Cyber Baseline scheme or IASME into disrepute.
3.5 Confidentiality
...
1. Introduction
1.1 This schedule sets out:
1.1.1 IASME's requirements for the provision of Management Information (MI) from the IASME Cyber Baseline Certification Bodies; and
1.1.2 the Key Performance Indicators (KPIs) to be met by the IASME Cyber Baseline Certification Bodies.
2. Management Information (MI)
2.1 IASME shall ensure that appropriate records and management information relating to the operation and delivery of the IASME Cyber Baseline Scheme are gathered and maintained in an industry recognised format, where applicable delegating responsibilities to the Certification Body. These records should include but may not be limited to the following:
2.2 Application Information: IASME shall collect, maintain and report on information obtained from its Certification Bodies relating to applications from Organisations for Certification Services, including but not limited to:
Unique Business ID;
the company name (aligned with Companies House or Charity Registration);
the business sector;
the number of employees in the company (denoting size);
Country/Town/City/Region & Postcode;
Applicant Role;
Certification Level;
Certification Type (1st time/renewal);
Application Status (Pass/Fail/Pending);
Certification Body;
Scope of system to be certified.
2.3 Certification Information: IASME shall collect, maintain and report on information obtained from its Certification Bodies relating to the certification of Organisations, including but not limited to:
Unique Business ID;
the company name (aligned with Companies House or Charity Registration);
the business sector;
the number of employees in the company (denoting size);
Country/Town/City/Region & Postcode;
Applicant Role;
Certification Level;
Certification Type;
Unique Certification ID;
Certification Body;
Scope of system certified;
Recommended renewal date.
2.4 Customer Satisfaction Information: IASME shall collect, maintain and report on customer satisfaction information obtained from Organisations, including but not limited to:
Unique Business ID;
the company name (aligned with Companies House or Charity Registration);
the business sector;
where they heard about the IASME Cyber Baseline Scheme;
why they decided to engage with the IASME Cyber Baseline Scheme;
cost of Certification;
feedback on how easy and intuitive they found the consumer journey;
comments on their experience in applying for IASME Cyber Baseline;
comments on their experience in using the IASME Cyber Baseline Scheme.
2.5 Reasons for Failure: IASME shall collect information on 'reasons for failure' of Organisations to achieve IASME Cyber Baseline certification.
2.6 Additional Feedback: IASME shall collect, maintain and report on the following information obtained from its Certification Bodies:
Common vulnerabilities;
Common attacks;
Organisations that have chosen not to renew.
2.7 Web Stats: IASME shall collect, maintain and report on the following information obtained from its website statistics, including but not limited to:
Sessions;
Bounce rate/time spent on site;
Site content;
Dwell time analytics;
How many people are going through to use the Certification Search function;
How many people are clicking through to “Getting Certified”;
Where traffic to the website has arrived from.
3. Key Performance Indicators (KPIs)
3.1 IASME shall agree appropriate KPIs and/or service levels to be used to monitor the performance of the IASME Cyber Baseline Certification Bodies. Such KPIs and service levels may include measures of performance relating to:
Management of Certification Body relationships;
Improvements to the Service;
Resolution of complaints;
Timeliness and quality of monthly reporting.