Schedule 4 – Security Requirements CIR Level 2
Revisions:
Date | Author | Description
Nov 7, 2023 | Jonathan Ellwood | First Version Published
1. Introduction
IASME is committed to achieving a consistently high standard across Assured Service Providers. This document sets out the security requirements for all Assured Service Providers (ASPs) licensed through the CIR Level 2 scheme.
These requirements are in addition to the Assured Service Provider achieving the security certifications detailed in the Assured Service Provider Criteria. These include Cyber Essentials Plus certification and achievement of either IASME Cyber Assurance Level 2 or ISO27001 awarded by a third-party UKAS-accredited body.
2. Security Principles
All ASPs must, at minimum, meet the following 10 security principles, which are directly linked to the NCSC 10 Steps to Cyber Security guidance. Achievement of IASME Cyber Assurance Level 2 certification or ISO27001 for the whole organisation will usually be sufficient to demonstrate achievement of these principles.
2.1 Risk Management
The ASP must carry out regular, at least annual, risk assessments that are linked to the company’s information assets. The ASP must embed a Risk Management Regime across their organisation, supported by the board and senior managers.
2.2 Secure Configuration
The ASP shall install all high-risk and critical patches for application software and operating systems within 14 days of the patch being released.
The ASP must maintain an accurate record of business information assets, including their ownership and disposal. Each information asset (hardware or data) shall have a named custodian who shall be responsible for the information security of that asset. When hardware is no longer required by the business, all data shall be securely wiped from it using an industry-standard tool.
Where possible, the ASP shall identify particularly valuable or sensitive information assets through the use of data classification.
In order to minimise loss of or damage to assets, all assets and equipment shall be physically protected from threats and environmental hazards. Physical security accreditation should be applied if necessary.
Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data.
2.3 Network Security
ASPs shall have firewalls at the boundaries of all networks and shall ensure that firewalls are managed properly including ensuring that only necessary ports are opened and that firewall management interfaces are appropriately protected.
2.4 Managing user privileges
Access to information shall be based on the principle of “least privilege” and restricted to authorised users who have a business need to access the information.
2.5 User Education and Awareness
Information security awareness training shall be included in the staff induction process and shall be carried out on an ongoing basis for all staff.
An ongoing awareness programme shall be carried out in order to ensure that staff awareness of information security is maintained and updated as necessary.
The ASP shall maintain and regularly review (at least annually) a security policy that sets out the rules governing the secure management of ASP information assets and, in particular, any scheme data. This policy should apply to all information/data, information systems, networks, applications, locations, and staff of the ASP or supplied under contract to it.
2.6 Incident management
The ASP shall establish an incident management capability including incident management plans.
If required as a result of an incident, affected data and systems must be isolated to facilitate forensic examination. Information security incidents shall be recorded in a Security Incident Log and investigated to establish their cause and impact, with a view to avoiding similar events. The organisation shall ensure that incident management plans are produced for all mission-critical information, applications, systems, and networks.
IASME must be notified immediately about security incidents that affect (or are likely to affect) scheme data. The ASP shall in the first instance contact IASME’s CEO or CTO using the main telephone number (03300 882752) or using relevant mobile numbers. If the ASP is unable to contact IASME via this method, then the ASP must attempt to contact IASME using all other reasonable methods.
The ASP must provide sufficient resources and cooperation to support IASME’s investigation of any security incidents relating to the ASP.
2.7 Malware prevention
The ASP shall have malware protection in place across all devices (servers, laptops, desktops, phones, and tablets) in accordance with the Cyber Essentials anti-malware requirements.
2.8 Monitoring
The ASP shall regularly review the access logs and alerting provided by all hardware firewalls, servers, anti-virus solutions and, where possible, all cloud-based services containing sensitive data.
The ASP shall have a yearly vulnerability scan carried out by an external body. The ASP shall act on the recommendations of the external body following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities.
2.9 Removable media controls
The ASP shall control all access to removable media and limit media types and usage to only those required for the business.
2.10 Mobile and Home Working
The ASP shall provide guidance and train staff on mobile working. All data must be protected at rest and in transit.
3. Additional security requirements
3.1 Data Storage
All scheme data must be stored in the UK unless the Assured Service Provider has written permission from IASME.
3.2 Supply Chain
All suppliers and contractors to the Assured Service Provider should attain the Cyber Essentials certificate unless agreed with IASME.
3.3 Data Retention
The ASP shall only retain data relating to the scheme for two years.
3.4 Social Media
The Assured Service Provider shall have a social media policy that is shared with all staff. Through this policy, the Assured Service Provider must aim to prevent social media posts from staff or contractors which may bring the scheme, NCSC, or IASME into disrepute.
3.5 Confidentiality
The ASP shall not disclose the details of organisations that IASME may be partnering with, locations of partner/client offices, or details of work carried out unless agreed in writing with IASME.
© The IASME Consortium Ltd 2023 All rights reserved