Article by PrivCom
The Office of the Privacy Commissioner (PrivCom) is pleased to announce an exciting partnership with the IASME Consortium to support small and large organisations as they prepare for compliance with privacy rules.
IASME is a United Kingdom-based organisation that has developed governance standards relating to cyber security and assurance. IASME is committed to helping businesses improve their cyber security, risk management, and good governance through an effective and accessible range of certifications.
The non-financial collaboration between PrivCom and IASME will support the development of a Bermuda-specific component of the Cyber Assurance and Privacy standard to help organisations certify their compliance with the Personal Information Protection Act (PIPA). This certification tool will help local organisations test and demonstrate their privacy and security practices by providing a framework for compliance with requirements and best practices.
IASME’s certification mechanism allows organisations to self-certify or to engage with a trained assessor to evaluate the organisation and provide a third-party certification.
To support the growth of data privacy and cybersecurity expertise in the Bermuda community, IASME will offer local training to individuals interested in becoming assessors for certification standards. This two-day training will take place in July 2023 and will be facilitated by IASME trainers visiting Bermuda. Further details will be provided in the coming weeks, though PrivCom is pleased to share at this time that the Association of Bermuda Insurers and Reinsurers (ABIR) will sponsor the venue for this July 2023 cohort.
In July, IASME and PrivCom will also coordinate a virtual event for introductory meetings and interviews between the UK-based Certification Bodies and local, trained assessors. There is an opportunity for trained Bermudian assessors to work both locally and abroad with current IASME certification bodies in the UK, US, and Europe. At this time, the groups plan to continue the Bermuda assessor training twice per year.
In addition, IASME aims to support the Bermuda data privacy and cybersecurity industry by inviting Bermudian organisations to themselves become an IASME Certification Body. Certification Bodies are expert cyber security organisations with registered Assessors licensed to certify an organisation’s practices against IASME cyber security schemes, including IASME Cyber Assurance. Certification Bodies help organisations understand the assessment questions and prepare for certification. Another virtual meet-and-greet is planned for Bermuda-based organizations to learn more about Certification Bodies and to discuss potential partnerships with UK entities.
PrivCom and IASME will work together in 2023 to introduce any custom changes needed to the certification programmes to help organisations evaluate Bermuda-specific components of laws such as PIPA and other guidance.
For more information on receiving the certification or becoming a local certification body, we invite organizations of all sizes and across sectors to contact PrivCom at [email protected] or visit iasme.co.uk to learn more about eligibility requirements.
About the engagement, Privacy Commissioner Alexander White said: “This project will give all Bermudian organisations a framework to understand and explain their privacy and cybersecurity readiness. IASME is a recognized entity for their work in the UK to build cybersecurity maturity, making the process simpler and realistic even for small businesses. Plus, since this engagement will map Bermuda’s PIPA to IASME’s certification for the General Data Protection Regulation (GDPR), Bermudian businesses will be well placed to comply with privacy rules outside of Bermuda.”
Emma Philpott, CEO of the IASME Consortium, said: “IASME are excited to be working with PrivCom on this important project. It is fantastic to see such a proactive attitude to privacy and security and we are looking forward to training the first cohort of assessors.”
PrivCom’s Assistant Commissioner Cha’Von Clarke-Joell, who has coordinated PrivCom’s engagement with IASME, shared: “This is an exciting and significant development for Bermuda’s economy and the information privacy sector as local Assessors can register with Certification Bodies on the island, the UK, the US, and in Europe to offer services globally to any entity that uses the IASME standard while working virtually from Bermuda, thus contributing to the island’s economic growth with flexible and remote working conditions.”
Explainer: What is the IASME Cyber Assurance standard?
The IASME Consortium describes the IASME Cyber Assurance standard, formerly known as IASME Governance, as a comprehensive, flexible and affordable cyber security standard. It provides assurance that an organisation has put into place a range of important cyber security, privacy, and data protection measures.
The IASME Cyber Assurance standard was developed over several years during a UK government-funded project to create a cyber security standard which would be an affordable and achievable alternative to other international standards. It allows small and medium-sized enterprises in a supply chain to demonstrate their level of cyber security and data privacy for a realistic cost.
IASME Cyber Assurance offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost and compete with larger organisations for business.
A wide range of UK and international industry sectors now accept the Level 2 audited IASME Cyber Assurance certification as an alternative to other international standards.
The IASME Cyber Assurance certification includes privacy and security requirements and is available in two levels: Level 1 Verified Assessment and Level 2 Audited. There is a prerequisite to applying for IASME Cyber Assurance; you must hold a valid Cyber Essentials or IASME Cyber Baseline certificate before you can apply for IASME Cyber Assurance.
Organisations that complete the Cyber Assurance Level 1 self-certification on their own must repeat the process every year. Once the Level 1 certification is achieved, an organisation can then progress to Level 2 certification. Level 2 certification entails an assessor conducting an audit against the Cyber Assurance standard. The Level 2 certification audit is conducted every 3 years.
In addition, IASME and PrivCom will be working together to develop PIPA-specific sections of the certification.
Entities in the UK, Northern Ireland, US, and Europe support the IASME Consortium as “Certification Bodies” that manage the privacy and cyber security certification for organisations. Bermuda’s businesses and privacy experts have an opportunity to become Certification Bodies to expand their services in Bermuda – and further internationally anywhere IASME certifications are applied.