keepmesafe • 31 July 2020

Renewing your Cyber Essentials and IASME certification - Case Study

Acorn Fostering is a fostering services provider headquartered in Leicester. Local Authorities in need of placing young people in care use Acorn Fostering’s services to find the most appropriate fostering environment to nurture these vulnerable young people. In this activity, Acorn Fostering manage a significant amount of sensitive personal information relating to the young people in care, as well as the foster carers they work with.

The initial certification for Cyber Essentials has proved to be a valuable tool when tendering for Local Authority contracts. More emphasis has been placed on Data Protection in these contracts since the enactment of the Data Protection Act 2018 (DPA2018), which put the General Data Protection Regulation (GDPR) into UK law.

Acorn Fostering have a long-standing relationship with Guardian Saints having utilised their online safety training services for a number of years. Consequently, when Acorn Fostering wished to extend their certification to include IASME Governance combined with the annual renewal of Cyber Essentials they had full confidence in Guardian Saints to provide the necessary support. 

Acorn Fostering relied upon Guardian Saints sector specific expertise to support them through the certification audit assessment to ensure a successful conclusion.
           

About - Cyber Essentials and IASME Governance Standard

Cyber Essentials is a UK Government information assurance scheme operated by the National Cyber Security Centre (NCSC). The scheme certifies organisations who have implemented good practice with information security. Its aim is to support those organisations to implement basic technical controls providing protection against cyber-attacks, demonstrating to their customers that they take cyber security seriously.

The IASME Governance Standard is particularly suitable for Small and Medium-sized Enterprises (SMEs)

The Governance assessment model evaluates against both the Cyber Essentials criteria as well as GDPR compliance requirements. This standard looks at organisation’s governance controls across a number of key areas, including:
  • Risk assessment
  • Business continuity
  • Policies and Procedures
  • Incident management
  • Operational management
  • Data protection
This standard is recognised as an affordable and achievable alternative to the International Standard, ISO27001.

Gaining Cyber Essentials Certification along with IASME Governance, is a simple yet an effective way for organisations to demonstrate their commitment to cyber security and that they take Data Protection regulation seriously.

With cyber threats increasing in both volume and sophistication, Cyber Essentials and IASME Governance demonstrates that a business has introduced proven cyber security and information assurance controls that help protect against a wide range of the most common internet based cyber threats.

Challenge 

With an established process to comply with the Cyber Essentials certification requirements, IASME certification requires a more in-depth view of corporate governance, with a stronger emphasis on Data Protection. To achieve successful certifications for both Cyber Essentials and IASME Governance Standard these specific requirements in the Data Protection Act (2018) and the GDPR must be met.

In a consultative role, working collaboratively with Acorn Fostering, Guardian Saints established new working practices, which applied greater emphasis on risk assessment, process controls and monitoring. An in-depth understanding of data lifecycles and the contractual obligations of third parties provided the opportunity to grow Acorn Fostering’s approach to data protection and security into a robust ‘business as usual’ defence strategy. 

Solution Provided by Guardian Saints

Following attendance at one of Guardian Saints Data Protection workshops, Guardian Saints were invited to provide Data Protection and Cyber Security Awareness sessions at Acorn’s headquarters in Leicester. Following these, Acorn’s Board of Directors have continued to be diligent, supportive and demonstrate their commitment to maintaining compliance with the data protection law.

Consequently, they sought to add IASME Governance certification to their burgeoning trophy cabinet,. As a consequence, Guardian Saints were required to explore the maturity of current processes i.e. Asset Management, Business Risk Assessment, Business Continuity, Data Protection Impact Assessment (DPIA) and procedures to manage the rights of data subjects.

Although some areas were under control, the GDPR required specific activities for compliance. Guardian Saints provided additional in-depth analysis and guidance on various processes e.g., Asset Management, DPIA and the maintenance of the library of template documents to help bring processes into a logical structure. Of course, documents alone cannot protect information, so through diligent consultation, these processes have become embedded within Acorn Fostering’s operational activities.

Guardian Saints are a Certification Body for the National Cyber Security Centre’s Partner, The IASME Consortium. enabling them to consolidate both consultation and support through to final certification of the Cyber Essentials qualification.

Support Services included:
  • Pre-submission review of assessment responses, alongside provision of constructive feedback.
  • Where practicably possible, translation of technical terms into ‘Plain English’.
  • Guidance on the implementation of requirements.
  • Provision of template documents including: 
  • DPIA (Data Protection Impact Assessment)
  • Data Mapping
  • Risk Assessment
  • Data Subjects’ Rights
  • Review of existing documentation where required
  • Benefits
The key benefit of gaining certification to the Cyber Essentials Scheme, is that it demonstrates that Acorn Fostering take data protection seriously, providing assurance to both their clients and foster carers that their data is being protected in line with best practices alongside the requirements of the Government National Cyber Security Centre standards.

A significant benefit of completing the IASME Governance Standard is that it provides reassurance that Acorn Fostering has in place documented and structured processes, which ensure that Data Protection and Cyber Security are embedded in all organisational processes and continue to remain a key focus in their business objective.

Having secured certification for the Cyber Essentials Scheme, Acorn Fostering has benefited from the cyber insurance cover provided free through IASME’s insurance partner, which provides vital incident response services.


Outcomes 

These included:

  • A more comprehensive understanding of the requirements for Cyber Essentials and IASME Governance by Acorn Fostering, enabling them to continually improve their cyber security and data protection strategies
  •  Acorn Fostering were awarded certification for both the Cyber Essentials Scheme and the IASME Governance Standard.
  • Establishment of well-structured and documented process set, ensuring that Acorn Fostering have applied the cyber security and data protection best practices to protect them as an organisation as well as the young people in care, carers, staff members and suppliers (their data subjects).
  • A defined measure of confidence for Acorn Fostering’s management team, which evidences that the organisation has achieved a national standard of compliance.
  • Demonstrable historic evidence of a continuous quality of service.

It has been a great pleasure to be associated with Guardian Saints.  We at Acorn have been working with Guardian Saints for a few years now. Our association started when we used their training expertise for our staff and foster carers in the area of online safety. This led to us attending their workshop on GDPR and subsequently they provided training to our staff team on the provisions of GDPR.


When we wanted to gain Cyber Essential and IASME Certification, we asked for their guidance and this was the best decision we made. They are the experts in the field and we experienced this at every stage of the process. The team is highly knowledgeable, experienced, thorough and approachable.  Their assistance has proven to be invaluable.  We feel confident in our systems and processes relating to data protection which are embedded in our day to day practice.


We at Acorn feel that we can approach Guardian Saints anytime to seek guidance when in doubt and we are never disappointed.


As said before, it has been a great pleasure to be associated with Guardian Saints.



Kshama S

Director

HR, IT and Policies