
Document number:

SCH-00X-XXXXXX019-Schedule 9 - ASP Code of Conduct

Document type:

Schedule

Responsibility for implementation & training:

CIE Manager

CB contract doc/ schedule:

YES

Scope:

NCSC Cyber Incident Exercising 

Reason for change:

Initial version

Approved by:

Jamie Randall

Approved date:

Next review:

Review and consultation process:

Reviewed Annually by CIE manager

Associated documentation:

N/A

Distribution:

Controlled copy in Confluence Quality Management System.

Any other copies will not be deemed controlled copies.

Code of Conduct for Assured Service Providers

Revisions: 

Date: 

Author: 

Description: 

Jonathan Ellwood

First Version Published 

  • 1. Introduction 

  • 2. Supporting staff to meet the six principles  

  • 2.1. Supportive environment 

  • 2.2. Reporting incidents 

  • 2.3. Share with IASME 

  • 3. Examples of how to apply this code of conduct within an Assured Service Provider 

  • 4. Signatures  

  • 4.1 Your signature below indicates your acceptance of this code on behalf of your organisation.

...

Table of Contents

1.   Introduction 

This document sets out the six ethical principles that must be followed by Assured Service Providers (ASPs) that are part of the NCSC Cyber Incident Exercising Scheme.

...

Adherence to these principles by the ASPs is an important part of the Contract with IASME. If an ASP or its agents, including Team Leads and other staff, are found to be acting in a way that does not conform to this Code, the ASP may have to cease being on the scheme and the contract may be cancelled.

2.   Supporting staff to meet the six principles 

Assured Service Providers must meet the following requirements in order to ensure that their staff can easily meet the six ethical principles. 

2.1. Supportive environment 

Assured Service Providers must provide an environment in which staff can easily follow the six ethical principles. 

...

  • ensuring that staff are empowered to make decisions regarding engagements in line with the six ethical principles 

  • ensuring that staff are given sufficient time and resources to follow the six ethical principles throughout their engagement with clients 

  • identifying any business activities that might conflict with the staff members' obligation to follow the six principles and ensuring that the business is structured such that the activities do not influence staff or place them under undue pressure. This might involve:

      • ensuring sales objectives do not influence the advice given

      • ensuring advisor appraisals and career progression are not related to sales activities

  • statements from the leadership team/owner to all staff or contractors to endorse the six principles and emphasise their importance 

  • ensuring that all staff or contractors who have direct involvement in engagement and all managers/owners within the business unit that deals with engagements are aware of the six ethical principles and incorporate them into their day-to-day activities 

  • providing suitable training to all staff or contractors regarding their obligations in relation to the code of conduct 

  • updating relevant policies and processes to ensure the six ethical principles are embedded within them

  • ensuring that supporting activities to engagements, including marketing, sales, and finance, are in compliance with the ethical principles and support them 

2.2. Reporting incidents 

Assured Service Providers must provide a method for staff or contractors to report a situation where the ethical principles are not being followed. 

  • Ideally, the method should allow anonymous reporting of any issues, although this may not always be practical, particularly in smaller organisations 

  • There must be no negative repercussions for any member of staff or contractor reporting such a situation, and this must be made clear to staff and contractors

  • Existing “whistle-blowing” processes used to identify bad practice can be used to meet this requirement 

2.3. Share with IASME 

Assured Service Providers must provide a process to deal with and record any situations where the ethical principles were not followed (or may not be in the future).

  • Details of such incidents must be shared with IASME along with details of how the incident will be addressed and prevented from reoccurring in future 

3.   Examples of how to apply this code of conduct within an Assured Service Provider 

The UK Cyber Security Council provides examples for cyber security organisations and professionals of how to deal with potential ethical conflicts here: https://www.ukcybersecuritycouncil.org.uk/ethics/ethics-scenarios/

4. Signatures  

4.1 Your signature below indicates your acceptance of this code on behalf of your organisation.  

 

IASME 

Assured Service Provider 

Signature: 

 

 

Print Name: 

 

 

Job Title: 

 

 

Date: 

 

 

...

© The IASME Consortium Ltd 2022 2023 All rights reserved