Cyber Essentials and the IASME Governance standard both aim to secure organisations against cyber-attacks. However, the two differ in their purpose, the security measures they cover, their requirements and the validity period of each certification.
Cyber Essentials is a UK government-backed scheme that sets out a concise list of basic controls through which organisations can reduce the risk from internet-based threats. Once the controls are implemented, Cyber Essentials certification lets the organisation's clients see that these precautions are in place.
The controls give organisations the necessary protection against the low-skill, untargeted attacks that are common on the internet. An organisation that faces more advanced, targeted attacks cannot rely on Cyber Essentials alone and must put additional measures in place.
The Information Assurance for Small to Medium-sized Enterprises (IASME) Governance standard is an affordable, achievable alternative to ISO 27001. Like Cyber Essentials, it is suitable for all organisations, but it is aimed at SMEs in particular.
Through IASME, organisations identify potential risks and take preventive measures to keep those risks at a moderate level. Self-assessment is an integral part of IASME, and it allows organisations to judge the effectiveness of their security strategy. IASME focuses on guiding SMEs and then assessing their level of information security.
Cyber Essentials consists only of the essential steps that reduce the risk from threats:
- Only verifies that basic controls are implemented
- Does not include controls that detect weaknesses that could lead to attacks
- Does not include controls for recovering after a security incident
- Does not require a management regime to maintain the controls.
IASME, on the other hand, requires controls that can:
- Identify the areas that need securing
- Protect against and prevent attacks
- Detect weaknesses that could lead to attacks, as well as incidents in which security has already been compromised
- Respond to and recover from security incidents
- Be maintained by a management regime, without which these controls are not possible
The requirements for acquiring each standard
Self-assessment is the only requirement for Cyber Essentials, and the Government does not require a vulnerability scan either, although other bodies involved in the accreditation process might demand it.
Similarly, IASME requires only self-assessment, but an organisation may choose to answer optional questions about data protection and how it addresses the General Data Protection Regulation (GDPR).
After the self-assessment stage is passed, organisations can choose to have their responses verified by an auditor. This gives the organisation's clients and investors further assurance that the requirements of each standard are met. Organisations are expected to attain audited certification within 3 months.
Cyber Essentials certificates do not state an expiry date. However, it is recommended that certification is renewed annually. The certification confirms that the organisation met the recognised minimum standards on the day of assessment. It does not assure that the controls will be maintained, nor that they will counter attacks beyond the most basic ones.
An IASME self-certified certificate is valid for one year, whereas the audited certificate is valid for up to 3 years, subject to annual self-assessments.