Basket £ 0.00 (0 items)
You are here: HomeArticle › Information - lifeblood of the organisation

Information - lifeblood of the organisation

managing information risk

Information is an organisation’s most valuable asset. However, it is often neglected in favour of protecting material assets, maintaining cashflow and the like when considering the organisation’s long-term future. This is usually because assigning a value to information is much more difficult than valuing buildings, stock, people and the other more tangible assets in an organisation. So, just how does a small business approach managing information risk? Ian Jones takes a look at the NCC’s new certification programme, IASME.

A study by the University of Worcester shows that nearly 60% of SME businesses polled currently have no security policy in place and are ill-prepared to meet the real threats to their business information. The research also shows how businesses who fail to maintain adequate information security measures are also putting their supply chain partners at risk.

There are methods of providing assurance of the protection of information; the most prominent is certification to the international information security standard ISO27001. Unfortunately, the process to establish and certify an information security management system to the ISO27001 standard is often perceived to be too complex, too time consuming and too expensive for smaller organisations.

Smaller, dynamic businesses and organisations differ from their larger, more structured counterparts in a number of ways when considering information security provision. NCC research during the development of the IASME standard found that SMEs are, not unsurprisingly, extremely sensitive to cost, need simple processes, and prefer and thrive best with an informal culture.

Information Assurance for Small to Medium-sized Enterprises (IASME) is intended to provide the SME with an assessment and formal certification of the level of maturity of the protection of its business information that can be used to assure itself and others in accordance with their business needs. The process is based on international standards and EU guidance, and is simple, quick and cost-effective. IASME certification stands a business in good stead if it wishes to progress to certification to other standards.

What chance the small business when corporate organisations have teams dedicated to governance, risk and compliance, specialists in information and computer security, and budgets for all these? The criminal fraternity is going to have to put in some effort to cream off the saleable items posing as information. The persistent ones will remain a threat to the well defended as recent attacks on major brands have shown, but, on the whole, they will go for the easier targets…

Worse still, the resources of SMEs may be the portal through which the criminals get access to the big companies, hiding their tracks and consuming someone else’s resources. And whilst all this is going on, the small business is chasing payments, enticing customers, warding off the bank manager and coping with all the realities of staff absences. Who’s got time to become an IT expert?

Here’s a quick assessment of what’s bothering customers…their information is in your hands…

A ‘top 10’ look at what’s bothering customers. Their information in your hands…

  1. Mobile devices
    As our reliance on mobile devices grows, how soon before we suffer a hostile takeover?
  2. SCADA systems
    Another hostile takeover. We’ve been saying it for years, but now the evidence is there: have we traded the accessibility of SCADA systems for their security?
  3. Consumerisation…ownership…what’s on personal devices?
    As more personal devices connect to corporate systems and workflow is done by email, who owns what…from a practical stance, never mind the legal protection?
  4. Blurring of tools and defences
    Now that the bad stuff is masquerading as security tools, how does the user tell friend from foe?
  5. Backup…basic activity…but what’s the scope?
    Backup is a basic activity…or is it? What’s the scope and how do you scrape it in? Data on the network, data in the cloud, server in Newport, data in Athens, you’re in Manchester with data on an enduser device!
  6. What’s the master data? Which is the copy?
    Is it the attachment, the database, the print?
  7. Time is money; social networking can be theft…data leakage
    Time is money; social networking, when you’re employed to do a day’s work, is really theft. I think therefore I am…not going to post this. Data leakage – ‘you can’t undisclose a disclosure’.
  8. Classification of information Establish the risk before shooting technology.
    Information assurance maturity should be a licence to handle.
  9. Being in a state of forensic readiness
    Bad stuff happens. The bad guys may well be on your network already. Be in a state of forensic readiness.
  10. Your people – consistency with permanent and temporary staff, contractors, etc – insider threats
    The ‘thing between chair and keyboard’ remains a threat. Policies must fly from the page and become behaviours. Balance the risk appetite of the community with the risk attitude of the individuals. And be consistent: permanent and temporary staff, contractors, etc – think insider threats too.

IASME is a national programme that provides qualifying SMEs (fewer than 250 staff) with certification that has been specifically designed with the small business in mind. The programme is well grounded in international standards and has credibility and affordability built in.

IASME checklist

How IASME works

IASME applies a balanced set of controls to all types of SME and adjusts their implementation in relation to a business risk profile. The process involves continuous assessment, starting with the initial cycle leading to the first certification, and continuing with intermediate assessments annually and re-assessment after three years.

IASME expects a set of documentation that is right-sized for you. This includes a security policy statement, a business continuity plan, and a simple senior-level endorsement and management plan. These will be individual and customised to what you do. However, if you need a starting point, IASME will give you templates to work on. The documentation shows commitment at the top level, clear accountability and responsibility, and a benchmark for your certification. Risk is assessed and your security controls are weighted in a balanced scorecard. How well you apply the security controls is measured in terms of maturity. The IASME process is documented, objective and repeatable while retaining flexibility and scalability.

Controls are the practical measures that you put in place to protect your information. Each control addresses one or more aspects of information security detection, prevention or recovery. Controls are selected based on the risk to your business and not the size of the business.

How does this relate to my business?

Good information security is an asset that is as valuable as your more tangible assets, such as your staff, hardware, software, manufacturing plant or other materials. A lack of information security is a liability for you and a risk that your customers may not want to take. Coupled with potential fines of six figures or more – on top of the damage to your reputation and the cost to sort out an incident – the financial impact can be catastrophic.

IASME will help to reassure your customers that you manage their information securely, and provide the credentials you need to form supply chains and partnerships for effective and successful business deals. And it will provide you with the framework for effective and efficient information security practices.

More details on the IASME standard can be seen at

The author

Ian Jones is head of research and content at the National Computing Centre.

ITAdviser 67 Autumn 2011



For more information about The National Computing Centre and our services, please contact us at the details below:

Telephone: +44 (0)870 908 8767
Fax: +44 (0)870 134 0931

Click here for more contact information

TwitterFollow us on Twitter
Linked InJoin our LinkedIn Group
FBLike us on Facebook


Management Guidelines

NCC Guidelines Vol 5 No 1

more in Management Guidelines


Professional Development

Cloud Computing

more in Professional Development


Analyst Digest

September 2016 Bulletin published

more in Analyst Digest