What is IASME Cyber Assurance — and how does it differ from Cyber Essentials?
A buyer has asked for IASME Cyber Assurance, or you have been told it is the right next step after Cyber Essentials. Here is what it actually involves, how it differs from CE, and whether your organisation needs it.
What IASME Cyber Assurance is
IASME Cyber Assurance is a UK cyber security certification scheme developed by the IASME Consortium — the same organisation that administers Cyber Essentials on behalf of the UK Government. It is designed for small and medium-sized organisations that need to demonstrate a broader security posture than Cyber Essentials alone covers.
Where Cyber Essentials focuses on five specific technical controls, IASME Cyber Assurance covers a wider governance and risk management framework — including policies, risk assessment, incident management, staff awareness, data backup, and supply chain security, in addition to technical controls.
Level 1 and Level 2
IASME Cyber Assurance has two levels. Level 1 is self-assessed. You complete a detailed questionnaire covering the full scope of the framework and submit it for review by an accredited Certification Body. It is significantly more detailed than the Cyber Essentials questionnaire.
Level 2 is independently assessed. An auditor reviews your evidence, interviews key personnel, and assesses whether your documented controls are genuinely implemented. It is broadly analogous to what an ISO 27001 surveillance audit involves, but calibrated for smaller organisations.
How IASME Cyber Assurance differs from Cyber Essentials
The key differences are scope and depth. Cyber Essentials is a technical baseline — five controls, clearly defined, with a binary pass or fail. IASME Cyber Assurance is a governance framework — it asks not just whether controls are in place, but whether your organisation manages its cyber risk in a structured, documented, and repeatable way.
IASME Cyber Assurance also covers areas that Cyber Essentials does not: data backup and recovery, physical security considerations, incident response planning, supply chain risk, and staff training and awareness.
Does IASME Cyber Assurance include Cyber Essentials?
Yes. IASME Cyber Assurance Level 1 and Level 2 both include Cyber Essentials as a component. Achieving IASME Cyber Assurance means you also hold Cyber Essentials — you do not need to certify separately.
IF A BUYER HAS ASKED FOR IASME
Confirm whether they are asking for IASME Cyber Assurance Level 1 or Level 2 — and whether Cyber Essentials alone would satisfy the requirement. IASME Cyber Assurance includes Cyber Essentials, so it always exceeds the baseline. But the two levels have meaningfully different assessment processes and timelines.