Many of the firm’s customers are large corporations looking for help in data warehousing, data mining and building business intelligence dashboards. But clients such as these typically want proof of a rigorous audit process.
As part of the tender process, they often want to know how suppliers will handle their data and what security measures are in place.
“It can be difficult for SMEs to win work with this type of client,” says Hollie Whittles, director at Shropshire-based Purple Frog Systems.
Corporations and SMEs alike increasingly require suppliers to demonstrate they are competent, professional and do not pose a risk.
“Operating in a highly competitive market, we wanted to demonstrate that we took information security seriously,” says Whittles.
Purple Frog Systems recognised that having an independent certification would benefit the business and went through the AccreditUK certification process.
While this is an independent mark of quality for SME IT suppliers to show they have the right business processes in place and are competent, it offers no assurances on sensitive data.
“Because we handle a lot of sensitive client data, we wanted to do more in this area to prove to our corporate customers and their auditors that we can handle their data securely,” says Whittles.
Information security standards
Initially, Purple Frog Systems considered the ISO 27001 international standard for information security, but this standard was too complex and costly for an organisation of its size.
Through AccreditUK, the firm was introduced to the IASME information assurance standard for small to medium businesses, which was a much better fit.
“IASME was the best affordable solution to us as an SME,” says Whittles.
IASME started as a Technology Strategy Board part-funded project managed by The National Computing Centre, and involving the University of Worcester and information assurance consultants.
IASME addresses the complexity and relevance of applying ISO 27001 information security controls to SMEs by identifying an intermediate level of controls and developing entry-level certification for SMEs.
IASME enables SMEs in a supply chain to demonstrate their level of cyber security and show that they can properly protect their customers’ information.
The certification process is provided through accredited assessors and is moderated by IASME as a mark of excellence to demonstrate the level of assurance attained by the organisation.
IASME certification process
The scheme was piloted with a number of SMEs in the Midlands in early 2011. Purple Frog Systems became one of the first to receive a Gold Award under the scheme.
“The IASME process was very thorough and encouraged us to document everything that was in our heads,” says Whittles.
“We knew what our disaster recovery plan was, but we hadn’t written it down.”
As well as recognising good practice in information assurance, IASME also provides a good framework for continuous improvement for SMEs.
“The benefits of IASME include peace of mind to ourselves and also to our clients that our information security policies are fully up to date and that there are no loopholes,” says Whittles.
When going to tender, the IASME accreditation also means Purple Frog Systems can easily demonstrate its procedures and guarantee its processes comply with requirements.
“It is hard to evaluate whether we would have won contracts without having IASME, but we feel that it adds another string to our bow and is something that sets us apart from our competitors,” says Whittles.
Large organisations that rely on SMEs in their supply chain increasingly require them to prove they operate according to information assurance best practice.
Apart from providing a competitive edge, the standard is also a useful tool to help SMEs improve their data protection capabilities.
Wider benefits of IASME certification
SMEs form a large part of the national information infrastructure of the UK.
Regulatory bodies, including the Information Commissioner’s Office, expect evidence that SMEs are taking information security seriously, and the EU is stepping up its requirements for information security.
IASME certification aims at providing enterprise-class security to SMEs, which are at the heart of the UK economy, says Clive Longbottom, analyst at Quocirca.
“By doing so, not only are problems minimised within this core group, but they can also interact with large enterprises as peer, secure partners,” he says.
IASME is preparing for the expected push for better cyber security down the supply chain by training small businesses to become assessors for the IASME certification process.
IASME is also developing non-technical advice for better cyber security on its website and working with other groups to spread the benefits of good information security.