
Jonathan Ellwood

First Version Published 


1. Introduction

This document sets out the six ethical principles that must be followed by Assured Service Providers (ASPs) that are part of the NCSC Cyber Incident Exercising Scheme.

The contents of this document are guided by the UK Cyber Security Council’s Ethical Declaration (https://www.ukcybersecuritycouncil.org.uk/ethics/ethical-declaration/).

The six ethical principles are: 

  1. Integrity – Act in accordance with the law and consistently exercise the highest moral principles 

  2. Honesty – Present facts clearly and truthfully 

  3. Objectivity – Perform all duties and make all decisions in relation to the scheme based on facts, not personal feelings or commercial concerns 

  4. Professional competence and due care – Render only those services which you are fully competent and qualified to perform 

  5. Confidentiality – Limit access to information to protect the interests of customers, partners, and employees 

  6. Customer-Centric – Advise only what is in the best interest of the customer and not aspects motivated by the Advisor’s business objectives 

The six ethical principles must be followed by all ASPs in all Incident Exercising engagements.

Adherence to these principles by the ASPs is an important part of the Contract with IASME. If an ASP or its agents, including Team Leads and other staff, are found to be acting in a way that does not conform to this Code, the ASP may be removed from the scheme and the contract cancelled.

2. Supporting staff to meet the six principles

Assured Service Providers must meet the following requirements in order to ensure that their staff can easily meet the six ethical principles. 

2.1. Supportive environment 

Assured Service Providers must provide an environment in which staff can easily follow the six ethical principles. 

This means: 

  • ensuring that staff are empowered to make decisions regarding engagements in line with the six ethical principles 

  • ensuring that staff are given sufficient time and resources to follow the six ethical principles throughout their engagement with clients 

  • identifying any business activities that might conflict with the staff member's obligation to follow the six principles, and ensuring that the business is structured such that those activities do not influence staff or place them under undue pressure. This might involve:

      • ensuring sales objectives do not influence the advice given

      • ensuring advisor appraisals and career progression are not related to sales activities

  • statements from the leadership team/owner to all staff or contractors to endorse the six principles and emphasise their importance 

  • ensuring that all staff or contractors who have direct involvement in engagement and all managers/owners within the business unit that deals with engagements are aware of the six ethical principles and incorporate them into their day-to-day activities 

  • providing suitable training to all staff or contractors regarding their obligations in relation to the code of conduct 

  • updating relevant policies and processes to ensure the six ethical principles are embedded within them

  • ensuring that supporting activities to engagements, including marketing, sales, and finance, are in compliance with the ethical principles and support them 

2.2. Reporting incidents 

Assured Service Providers must provide a method for staff or contractors to report a situation where the ethical principles are not being followed. 

  • Ideally, the method should allow anonymous reporting of any issues, although this may not always be practical, particularly in smaller organisations 

  • There must be no negative repercussions for any member of staff or contractors reporting such a situation and this must be made clear to staff or contractors 

  • Existing “whistle-blowing” processes used to identify bad practice can be used to meet this requirement 

2.3. Share with IASME 

Assured Service Providers must provide a process to deal with and record any situations where the ethical principles were not followed (or may not be in the future).

  • Details of such incidents must be shared with IASME along with details of how the incident will be addressed and prevented from reoccurring in future 

3. Examples of how to apply this code of conduct within an Assured Service Provider

The UK Cyber Security Council provides examples for cyber security organisations and professionals of how to deal with potential ethical conflicts here: https://www.ukcybersecuritycouncil.org.uk/ethics/ethics-scenarios/

4. Signatures

4.1 Your signature below indicates your acceptance of this code on behalf of your organisation.

                    IASME                        Assured Service Provider

Signature:          ____________________         ____________________

Print Name:         ____________________         ____________________

Job Title:          ____________________         ____________________

Date:               ____________________         ____________________

IASME and the NCSC reserve the right to update this Code of Conduct and require the Assured Service Provider to re-sign as a condition of their continued accreditation. 

 

© The IASME Consortium Ltd 2023 All rights reserved
