Governance · Service 09

IASME Cyber Assurance

Audited certification of how your security is actually run: governance, risk, data protection and resilience. We are a licensed certification body for the scheme. Assessed remotely anywhere in the UK, on site nationwide.

What this is

The audited standard between Cyber Essentials and ISO 27001.

Cyber Essentials certifies five technical controls. ISO 27001 certifies a full management system, at a cost and weight most smaller organisations cannot justify. IASME Cyber Assurance sits between them: an audited certification of how security is actually run, across fourteen themes covering governance, risk, people, operations, legal and regulatory compliance, backup, incident response and business continuity. It includes data protection, so certification also examines how you handle personal data against your UK GDPR obligations.

The standard is deliberately proportionate. The question set scales to your organisation's size, so a sole trader answers a fraction of what a fifty-person firm does, and nobody is asked to produce paperwork their business has no use for. It maps to the government's Cyber Governance Code of Practice, which makes it a recognisable answer to the supply chain questionnaires that increasingly ask about governance rather than just technology.

How certification works

Two levels. One certification body.

01

Cyber Essentials first

Cyber Essentials is the prerequisite for Cyber Assurance, and rightly: there is no point auditing governance over broken technical foundations. If you already hold it, you start here with a head start. If not, we certify that too, and the two make a natural sequence rather than two separate projects.

Prerequisite, not an obstacleWe certify bothOne sequence, not two projects
02

Level One: verified assessment

You answer the question set for your organisation's size, covering the fourteen themes. A director signs to confirm the answers are accurate, and a qualified assessor reviews and marks the submission. For many organisations Level One is the destination: audited-adjacent assurance at self-assessment effort.

Sized to your organisationDirector sign-offAssessor reviewed and marked
03

Level Two: audited

An assessor examines your documentation, interviews your people and observes how things actually work, remotely or in person. It is the difference between saying you have an incident response process and showing it running. Level Two is what serious supply chains and insurers increasingly mean when they ask for audited assurance.

Documentation examinedPeople interviewedRemote or in person
04

Certificate and badge

Certification comes with a verifiable digital badge usable with customers, insurers and tender panels. Because the standard covers data protection as well as security, one certification answers two categories of supply chain question at once.

Verifiable digital badgeSecurity and data protection coveredRecognised by supply chains
The honest bit

Three things we will tell you straight.

i

Start with Cyber Essentials

It is the prerequisite, and for many businesses it is also the sensible stopping point for a year. If Cyber Assurance is more than your market is asking for yet, we say so rather than sell it.

ii

Consultancy and certification stay separate

Where we have helped build your security, the certification assessment is kept properly independent. A certificate is only worth what its independence is worth, and we do not mark our own homework.

iii

Sometimes the answer is ISO 27001

If your customers or market specifically demand ISO 27001, Cyber Assurance will not substitute for it. We tell you which standard your obligations actually point at, and our ISO 27001 consultancy covers the other path.

Is this right for you?

When to consider Cyber Assurance.

The usual trigger is a questionnaire that Cyber Essentials alone no longer satisfies: a customer asking about governance, data protection, incident response or continuity. If you hold Cyber Essentials and those questions are arriving, Cyber Assurance is usually the proportionate next step.

Common triggers

  • Supply chain questionnaires asking about governance and data protection, not just technical controls
  • A customer or insurer asking for audited assurance beyond Cyber Essentials
  • You want independent confirmation that security is run properly, not just configured properly
  • ISO 27001 is more weight and cost than your organisation can justify
  • One certification needs to answer both security and data protection questions