Criteria for Assured Service Provider

Revisions:

Date: 
Author: Jonathan Ellwood
Description: First Version Published


Assured Service Provider Criteria 

Assured Service Providers are organisations that are authorised to offer Incident Exercising services under the NCSC Cyber Incident Exercising Scheme. In order to be an Assured Service Provider, companies must be able to demonstrate to IASME's satisfaction that they:

  • Have good cyber security and can keep client data secure (security requirements) 

  • Are committed to achieving an excellent and consistent client experience by using a quality management system (quality requirements) 

  • Meet, and maintain compliance with, the NCSC CIE Technical Standard. 

1. Assured Service Provider Security requirements 


1. All Assured Service Providers must provide independently verified evidence that they have achieved and maintain Cyber Essentials.   
2. The Assured Service Provider must also:

  • Achieve and maintain independently verified ISO 27001 certification,

  or

  • Achieve and maintain audited IASME Cyber Assurance Level 2 certification

The scope of all these certifications must cover all areas of the business that will be involved in Incident Exercising activities or that will hold data that relates to these activities. ISO 27001 certification must be attained through a UKAS Accredited Certification Body or an International Accreditation Forum (IAF) recognised equivalent. 

2. Assured Service Provider Quality Requirements 

All Assured Service Providers must commit to achieving and maintaining a good quality management system. 

This can be demonstrated through one of the following:

  • Achieving and maintaining independently verified ISO 9001 certification 

  • Achieving and maintaining a compliant mark on all of the IASME Cyber Assurance Quality Principles as part of a successful IASME Cyber Assurance Level 2 Certification 

  • Achieving and maintaining the QG Quality Fundamentals+ certification 

  • Achieving and maintaining appropriate ISO 17000 series certification through UKAS assessment 

The scope of all these certifications must cover all areas of the business that will be involved in Incident Response and/or Incident Exercising activities or that will hold data that relates to these activities.

ISO 9001 certification must be attained through a UKAS Accredited Certification Body or an International Accreditation Forum (IAF) recognised equivalent.

3. NCSC CIE Technical Standard 

Assured Service Providers will be assessed against the requirements in the Technical Standard as part of the Assured Service Provider evaluation process, which is detailed in separate documentation.

The Assured Service Provider must demonstrate that they meet the Technical Standard, including the provision of a suitable Team Lead, to the satisfaction of IASME before being onboarded onto the scheme.

© The IASME Consortium Ltd 2023 All rights reserved
