Criteria for Assured Service Provider

Assured Service Provider Criteria 

Assured Service Providers are organisations that are authorised to offer Incident Exercising services under the NCSC Cyber Incident Exercising Scheme.  In order to be an Assured Service Provider companies must be able to demonstrate to IASME’s satisfaction that they: 

• Have good cyber security and can keep client data secure (security requirements) 

• Are committed to achieving an excellent and consistent client experience by using a quality management system (quality requirements) 

• Meet, and maintain compliance with, the NCSC CIE Technical Standard. 

1. Assured Service Provider Security requirements 

1. All Assured Service Providers must provide independently verified evidence that they have achieved and maintain Cyber Essentials.   
2. The Assured Service Provider must also : 

...

The scope of all these certifications must cover all areas of the business that will be involved in Incident Exercising activities or that will hold data that relates to these activities. ISO 27001 certification must be attained through a UKAS Accredited Certification Body or an International Accreditation Forum (IAF) recognised equivalent. 

2. Assured Service Provider Quality Requirements 

All Assured Service Providers must commit to achieving and maintaining a good quality management system. 

...

ISO9001 certification must be through a UKAS Accredited Certification Body; or; an International Accreditation Forum (IAF) recognised equivalent. 

3. NCSC CIE Technical Standard 

Assured Service Providers will be assessed against the requirements in the Technical Standard the Assured Service Provider evaluation process, which is detailed in separate documentation.  

...