We’re delighted to announce that we’ve recently completed an important internal project. We’ve now passed the IASME Standard assessment, which includes GDPR requirements as well as Cyber Essentials. This demonstrates our ongoing commitment to increasing our information security resilience and taking every step possible to protect the data that we hold.
Ever since the GDPR came into force in May 2018, we’ve made several changes to how we do things. But since becoming a supplier on the Crown Commercial Service’s framework agreement – Digital Outcomes and Specialists 4 – we needed to formalise our approach to meet certain requirements for certain projects. Hence, our decision to go for the IASME Governance, an alternative to ISO27001 for micro and small businesses. Going with the IASME turned out to be a great choice, as the National Cyber Security Centre recently announced that the IASME will take over full responsibility for Cyber Essentials delivery from the 1st April 2020.
Once we’d sourced a supplier, the excellent Assure Technical, and secured a Cyber Security Voucher from Scottish Enterprise, we kicked off the project. This began by defining all the business information and personal data that we capture, control or process. We then did an audit of all our physical and digital systems and tools. This allowed us to map:
- When, how and what information we capture across the business.
- How we use it, store it, and how long we keep it.
Then we defined why we captured it, what the legal basis for keeping it was and, just as importantly, where each category of information (and any sub-records) was stored and how it was used throughout its life cycle. This led to a lot of rationalisation, not just in terms of the information we captured and held, but also the tools we used. As a result, we have reduced both our risk and our security footprint.
Once this process was complete, we put in place all the configuration settings and policies required to ensure our new processes and tools would be adhered to and used appropriately. We now have clearly defined policies and checklists for the following:
- Information Classification Policy
- Information Security
- Cyber Security
- Internet & Social Media
- Back-up Policy
- Retention & Erasure Policy
- Secure Destruction Policy
Report a real or suspected security issue
Make a subject access request online
All these forms and updated policies are available from the Legal information and policies page.
These updates are clear progress in terms of improving our approach to privacy and security. However, the real benefit of meeting Cyber Essentials and GDPR requirements is that we now operate a much more secure business.
The real achievement is getting everyone involved, aware of the risks and issues, and most importantly buying in to the underlying principles we’ve set out. Ultimately, it’s our everyday behaviours and approach that are key to achieving our objective of running a secure and resilient business that maintains the highest possible standards in terms of the privacy and confidentiality of the data we hold. So, getting Cyber Essentials and meeting the IASME’s governance standard is now just a baseline for us – and we look forward to raising this bar year on year.