IASME Cyber Assurance
Audited certification of how your security is actually run: governance, risk, data protection and resilience. We are a licensed certification body for the scheme. Assessed remotely anywhere in the UK, on site nationwide.
The audited standard between Cyber Essentials and ISO 27001.
Cyber Essentials certifies five technical controls. ISO 27001 certifies a full management system, at a cost and weight most smaller organisations cannot justify. IASME Cyber Assurance sits between them: an audited certification of how security is actually run, across fourteen themes covering governance, risk, people, operations, legal and regulatory compliance, backup, incident response and business continuity. It includes data protection, so certification also examines how you handle personal data against your UK GDPR obligations.
The standard is deliberately proportionate. The question set scales to your organisation's size, so a sole trader answers a fraction of what a fifty-person firm does, and nobody is asked to produce paperwork their business has no use for. It maps to the government's Cyber Governance Code of Practice, which makes it a recognisable answer to the supply chain questionnaires that increasingly ask about governance rather than just technology.
Two levels. One certification body.
Cyber Essentials first
Cyber Essentials is the prerequisite for Cyber Assurance, and rightly: there is no point auditing governance over broken technical foundations. If you already hold it, you start here with a head start. If not, we certify that too, and the two make a natural sequence rather than two separate projects.
Level One: verified assessment
You answer the question set for your organisation's size, covering the fourteen themes. A director signs to confirm the answers are accurate, and a qualified assessor reviews and marks the submission. For many organisations Level One is the destination: audited-adjacent assurance at self-assessment effort.
Level Two: audited
An assessor examines your documentation, interviews your people and observes how things actually work, remotely or in person. It is the difference between saying you have an incident response process and showing it running. Level Two is what serious supply chains and insurers increasingly mean when they ask for audited assurance.
Certificate and badge
Certification comes with a verifiable digital badge usable with customers, insurers and tender panels. Because the standard covers data protection as well as security, one certification answers two categories of supply chain question at once.
Three things we will tell you straight.
Start with Cyber Essentials
It is the prerequisite, and for many businesses it is also the sensible stopping point for a year. If Cyber Assurance is more than your market is asking for yet, we say so rather than sell it.
Consultancy and certification stay separate
Where we have helped build your security, the certification assessment is kept properly independent. A certificate is only worth what its independence is worth, and we do not mark our own homework.
Sometimes the answer is ISO 27001
If your customers or market specifically demand ISO 27001, Cyber Assurance will not substitute for it. We tell you which standard your obligations actually point at, and our ISO 27001 consultancy covers the other path.
When to consider Cyber Assurance.
The usual trigger is a questionnaire that Cyber Essentials alone no longer satisfies: a customer asking about governance, data protection, incident response or continuity. If you hold Cyber Essentials and those questions are arriving, Cyber Assurance is usually the proportionate next step.
Related capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more