Revisions:

Date: March 2020
Author: Craig Wooldridge
Description: First Version Published

Date: December 2020
Author: Craig Wooldridge
Description: Change to clarify that the scope of the code covers other job functions as well as assessors. Addition of clause 4 "Unacceptable Behaviours".


1 Introduction

IASME are committed to delivering a high quality, consistent and fair experience for customers who want to gain certification to Cyber Essentials and IASME’s other certifications.

To achieve this, all IASME assessors are required to operate with the highest level of ethical conduct.

This Code of Conduct document sets out the principles, behaviour and outcomes that Cyber Essentials Assessors must follow to avoid conflicts of interest, ensure a good customer experience and uphold the integrity of the scheme.

Every Cyber Essentials assessor must individually sign up to this Code of Conduct. Adherence by assessors to this Code forms part of the contract between IASME and the Certification Body. If an assessor is found to be acting in a way that does not conform to this Code, the assessor may have to cease being an assessor on the scheme, or the Certification Body may lose its CB contract.

Although the term 'Assessor' is used throughout this Code, the same principles apply to any other job function, contractors or third parties that may be involved in supporting delivery of the Cyber Essentials scheme. Examples may include sales personnel or contracted marketing services.

2 Ethical Principles

All assessors must use the following ethical principles to guide their decisions in relation to assessments, customers and operating the scheme:

1. Integrity – Act in accordance with the law and consistently exercise the highest moral principles

2. Honesty – Present facts clearly and truthfully

3. Objectivity – Perform all duties and make all decisions in relation to the scheme based on facts, not personal feelings or commercial concerns

4. Professional competence and due care – Render only those services which you are fully competent and qualified to perform

5. Confidentiality – Limit access to information to protect the interests of customers, partners and employees

3 Behaviour and Outcomes

The following behaviours and outcomes are expected under each ethical principle:

3.1 Integrity

Assessors must work with care, skill and diligence in a safe and professional manner.

All actions carried out by an assessor must comply with UK law and guidance issued by IASME. In particular, appropriate consent must be agreed with customers prior to an engagement.

Through their words or actions, assessors must not damage the reputation of IASME, NCSC or the Cyber Essentials Scheme, and must not attract adverse publicity to the scheme.

The Assessor must never accept gifts or additional payment to look favourably on an assessment situation or divert from the assessment guidance.

If the assessor makes a mistake or error of judgement which affects the outcome of an assessment, they must immediately report this to IASME.

If the assessor makes a mistake or error of judgement in relation to advice given to, or the assessment of, a client, they must inform that client.

3.2 Honesty

Assessors must ensure that all claims about their skills and expertise are accurate, clear and up to date.

When discussing the benefits of certification, assessors must accurately present the facts in a way the client can understand.

3.3 Objectivity

Assessments must be performed with independence and honesty to ensure a fair and true outcome.

When marking assessments or carrying out in-person audits, assessors must make decisions about compliance based solely on factual information, not hearsay, rumour or sentiment.

Assessors must be independent and free from outside influence when making decisions about a client's compliance with the standards.

Where organisations provide cyber security services in addition to certification to the same client, particular effort must be taken to ensure that commercial drivers do not influence the objectivity of the assessment process. IASME may ask for evidence of the steps taken to ensure this objectivity at any time.

The assessor must declare any commercial relationship with a product or service before recommending it to a client. In these cases they must recommend at least one other product and allow the client to make the decision.

3.4 Professional competence and due care

Assessors must maintain their knowledge of the Cyber Essentials scheme and good information security practice. Assessors must use all tools made available to them by IASME to achieve this, including webinars, Yammer, and regular Certification Body meeting training sessions.

Assessors must at all times commit sufficient time, effort and attention to their work to ensure that they always deliver a high-quality service.

Where an assessor does not have sufficient knowledge or competency for a situation, they must seek guidance and direction from IASME.

Assessors must feed back to IASME any new insight or knowledge they gain from their involvement with the scheme, to enable IASME to improve the body of knowledge for all assessors.

The assessor must make clear to the client which security improvements or investments are required to pass Cyber Essentials and which additional ones they are recommending for more general security.

3.5 Confidentiality

Assessors must act in accordance with data protection legislation and confidentiality agreements with customers.

Assessors must only share information about clients using secure methods. IASME provides tools and services to enable assessors to achieve this.

Assessors must only use tools authorised by IASME to record and mark assessments.

Assessors must follow all requirements set by IASME around the use, storage, retention and deletion of customer information.

4 Unacceptable Behaviours

Participation in this scheme requires that CBs and their employees and contractors meet the standards of conduct at all times.

This Code imposes a high standard of honesty and integrity. CBs are contractually responsible for ensuring that their Assessors and other employees and contractors are fully aware of this and for ensuring compliance by their Assessors, employees and contractors.

Behaviours that threaten the reputation of the Scheme (or IASME) will be in breach of the Agreement.

CBs are responsible for ensuring these principles are taken into account by all employees or contractors. This may, for example, include those individuals or third party organisations that are responsible for the CBs marketing and sales activities.

IASME considers that the following behaviours (amongst others) are likely to amount to a breach:

Excessive or persistent scraping of personal data relating to staff within customer organisations from online sources in order to solicit business. (IASME does not post the contact details of staff within a customer organisation.) 'Excessive or persistent' is defined as IASME receiving two or more complaints, or one serious complaint, from recipients of any such communications.

Exploiting the database of certified organisations for purposes of marketing and sales. This online database is for the purpose of validating that an organisation is certified to Cyber Essentials or Cyber Essentials Plus. It must not be proactively used to identify an organisation’s recertification date for sales and marketing purposes.

Failing to communicate in a transparent way with organisations. (You must be clear and honest about how you identify your company, your pricing and other key issues to customers. You must establish clarity and honesty at the outset and maintain it throughout your dealings with them). You must always provide a clear opt out and a process to ensure that those who opt out do not receive any future communication.

Masquerading as another organisation. (Note, for example, that IASME Consortium Limited is a corporate body and no CB or Assessor is entitled to indicate or suggest that they are part of, or agents for, IASME.)

In addition, cold calling a competitor's customers in order to solicit business is actively discouraged; in any event, persistent cold calling risks bringing the Scheme into disrepute and could therefore amount to a breach. (By cold calling we mean telephoning or emailing them, or otherwise approaching them with unsolicited marketing material. CBs may use postal services (i.e. hard copy) to solicit business.)

IASME will take action against any CB or Assessor found to be in breach of their contractual obligations.

Ultimately, any investigation of a suspected breach can result in the termination of a CB's appointment. A single breach (if serious enough) may be enough to justify termination. We are currently investigating a small number of alleged breaches arising in the context of marketing to potential customers.

5 Situations where an Assessor or Certification Body should not conduct the assessment

In some situations, the conflict of interest is such that assessors should not undertake an assessment for a client. These situations include the following:

The assessor is an employee, director or shareholder of the company they are assessing

The assessor has a financial interest (investment) in the company they are assessing

A family member of the assessor is a director or shareholder of the company they are assessing

The Certification Body is owned by, or owns, the company they are assessing.

6 Examples of how to apply this code of conduct

The following are examples of common situations that may be encountered by assessors together with examples of how to apply the relevant rules set out above.

6.1 An assessor is working with a client to provide guidance and support to improve security.

The assessor then carries out a Cyber Essentials assessment for the same client.

It's important to note that the overall aim of Cyber Essentials is to encourage and educate organisations towards the implementation of the five technical controls, so providing guidance and support to clients on how to implement the controls is encouraged by both IASME and NCSC.

In this situation, the following should be considered:

Integrity

Only provide guidance to clients to the extent that you are knowledgeable about the subject. For instance, if the client needs to configure a complicated Cisco firewall and you understand the principles of firewalls but don't have in-depth knowledge of Cisco, you should explain this clearly to the client and direct them to a suitably trained Cisco expert.

Honesty

If the client asks whether Cyber Essentials will keep them secure from all cyber attacks, you must explain the limitations of the scheme and that it is only aimed at reducing the impact of commodity cyber attacks via the internet.

Objectivity

When carrying out the Cyber Essentials assessment, the client asks if they can remove from scope some old Windows 7 desktops that are rarely used but are connected to the main office network. The requirements of Cyber Essentials are that all internet-connected machines inside the boundary of scope (i.e. the office network) must be included in the assessment.

In this situation, in order to retain objectivity, you may offer your guidance and support to the client to decommission the Windows 7 desktops. Once this has been completed you can continue the assessment and pass the client.

If the client does not want to decommission the Windows 7 desktops, you should advise the client that the machines cannot be removed from scope: as they are part of the main office network they must be included in the assessment. The client will then fail the assessment due to unsupported software.

6.2 A Certification Body wants to grow its business and attract new clients for Cyber Essentials certification

Certification Bodies are free to pursue their own commercial strategy to attract clients. However, their conduct must comply with the requirements of this code of conduct.

In this situation, the following should be considered:

Integrity

The Certification Body should only use marketing methods that would be considered acceptable and reasonable by an independent person. So, for example, direct targeted marketing to customers of other Certification Bodies that makes or hints at malicious or false claims about the competency of other Certification Bodies, would be unacceptable and could risk damaging the reputation of the scheme. However, an advert in a trade magazine for a particular business sector stating the benefits of using a particular certification body and providing a special offer on pricing would be acceptable.

Confidentiality

Certification Bodies must comply with relevant data protection legislation. Marketing information should only be sent to customers who have given consent in accordance with your country's data protection legislation. Using marketing lists of customers that were obtained from data breaches would not comply with such legislation.

6.3 An assessor is carrying out a CE+ assessment for a client and finds a critical vulnerability on a desktop. The client's technical manager questions the assessor's judgement and demands that the vulnerability not be noted in the CE+ report.

In this situation, the following should be considered:

Professional competence and due care

The assessor should ensure they have acted with due care in this situation by re-running any tests that are in dispute and checking any guidance provided by IASME to ensure they have come to the correct decision.

Objectivity

The assessor’s decision must not be influenced by the client. The assessor must ensure they have sufficient factual information about the issue and can ask the client for further information if needed to clarify any relevant points. The assessor can also choose to refer the factual information to IASME and ask IASME for a view on compliance. The assessor can then share IASME’s view with the client. In our experience, this has proved to be a very effective way to deal with this situation and retain objectivity.

It is vital that any relevant vulnerabilities identified are noted in the assessment report, together with any decisions taken and advice given by IASME. This provides a clear record of actions to help support the assessor's claims of objectivity in the event of a later query.

© The IASME Consortium Ltd 2020 All rights reserved
