IASME - Information Assurance for the Small Business
IASME is a maturity-based information assurance scheme for small businesses devised by The National Computing Centre, University of Worcester and Information Assurance Consultants. Most small businesses now have digital information systems. Many are online, and taken together, SMEs form a large part of the national information infrastructure of the UK. However, the limited resources of smaller companies mean that they are often unable to focus as closely as they may wish on what may be perceived as peripheral activities, including information assurance. This is not advisable. What can be done?
Forthcoming...
Small Business event at University of Worcester, 13th September 2012

2012...
Presentation to KTN CyberSecurity event for small businesses, Malvern, 9th February 2012
Feature Cybersecurity article on University of Worcester website
Malvern CyberSecurity Lab featured on BBC website

2011...
Presentation to KTN CyberSecurity conference, Lancaster University, September 2011: http://www.lancs.ac.uk/ictfocus/csc/index.html
Richard Henson's presentation at International SMEs conference in Athens, August 2011
Listen to Danny Dresner discussing small business Information Security and IASME on this BrightTalk webcast
Also watch Andrew Corbett (UKITA) talking about IASME at a cloud code of practice seminar
Local and National Issues
The lack of formalised information assurance is not just a problem for the SMEs themselves. A recent survey conducted by University of Worcester reinforced research previously conducted elsewhere, showing how a security vulnerability in one link can create vulnerability right across the supply chain. There is evidence that focussed attacks on the nation's information infrastructure are already moving from the previous targets of larger companies (with dedicated resources for protection) to poorly defended SMEs who provide quicker wins.
The IASME Project
Development of an ISMS (information security management system) and certification to the international standard ISO/IEC 27001 is internationally accepted good practice and provides the best possible information assurance for an organisation. However, it is time-consuming, expensive, and hard to scale to the SME business model. The IASME project has addressed these major problems by identifying an intermediate level of information security controls and developing entry-level certification for SMEs, whilst encouraging working towards full compliance with the international standard where the opportunity arises.

The University of Worcester and independent consultants have carried out research to develop an information assurance model for SMEs. The accredited certification process is offered through the IASME Consortium, and a mark of excellence has been developed for use in letterheads and publicity to demonstrate the level of assurance attained by a participating organisation.
(c) IASME Consortium 2012