One question that we’re regularly asked concerns the credibility of self-assessed certifications, like IASME Governance and Cyber Essentials.
If you’ve achieved certification to these standards, or are considering it, your potential clients may be wondering the same thing. Having helped many other businesses achieve certification, as well as holding them ourselves, here are our views:
Why these certifications are so important
IASME Governance and Cyber Essentials certifications are both designed to protect businesses from the costs, disruption and damage a successful cyberattack can wreak. Although your clients may demand that you have certification, the real benefits of certification will be felt in your own business. We’re all subject to an increasing number of cyberthreats so it makes sense to do whatever we can to minimise these risks.
Why fudging answers is a false economy
We’ve never been asked to fudge answers, but, if we were, we’d have no hesitation in walking away, pausing only issue a warning that cutting corners in cybersecurity is a dangerous step to take. As the cost of a successful cyberattack outweighs the cost of compliance and certification, we always recommend that clients exceed requirements rather than being satisfied with a tick in the box.
We’d also point out that fudging answers involves committing fraud, a very risky thing for a company director to do, especially as there would be a good chance that any misrepresentation would be picked up during the assessment process. IASME run the scheme on behalf of the National Cyber Security Centre, so they take steps to make sure things are done properly! All IASME’s certification bodies are regularly assessed to ensure the integrity of the certification is upheld.
Ways to persuade your clients about your certifications’ credibility
Very often, concerns about certifications can be addressed by providing more information. Many procurement teams are unaware that IASME Governance is a credible alternative to ISO27001 for smaller businesses, offering c. 80% compliance with the ISO standard. It also meets the requirements of the 10 Steps to Cyber Security Guidance (as used by the majority of the FTSE350), the Cyber Assessment Framework and the NHS Data Security and Protection Toolkit. The IASME and Cyber Essentials websites are a good source of information, or you can win points by providing a bespoke FAQ about the content and benefits of your certifications.
Alternatively, we can talk to procurement teams on your behalf. As an independent business accredited to IASME Governance, Cyber Essentials, ISO27001 and ISO27701, we’ve found that our words carry a lot of weight. We can also ask your certification body to provide a quotation relating to your achievement or we can provide extracts from your IASME report.
Finally, if all else fails (and this is rare), you can pay to have both IASME Governance (IASME Gold) and Cyber Essentials (Cyber Essentials Plus) assessed by independent assessors or use IASME Governance as your stepping-stone to ISO27001.