What is needed to pass IASME Cyber Assurance?
The demand for cybersecurity compliance is growing across all sectors. The IASME Cyber Assurance framework has emerged as a leading UK-standard alternative to the internationally recognised ISO 27001. For many businesses, particularly SMEs, it provides a more practical pathway to demonstrating robust security practices. However, passing this audit isn’t just a box-ticking exercise; it’s a process that involves strategy, clarity, and preparation.
To understand what is truly needed to pass IASME Cyber Assurance, we’ll explore its structure, essential controls, governance components, and how it aligns with your existing cybersecurity measures.
Understanding the IASME Cyber Assurance journey
A practical framework for UK businesses
IASME Cyber Assurance was developed to create a realistic and achievable cybersecurity governance model. Unlike ISO 27001, which can sometimes be overwhelming for small teams, IASME balances technical controls with policy and governance. It suits organisations that want structure without excess complexity.
The scheme offers two levels:
- Level 1: Self-assessed and independently reviewed.
- Level 2: Audited by an IASME certification body.
Level 2 is where most businesses aim when working with supply chain partners, public sector contracts, or regulated environments.
Core documentation required
To pass IASME Cyber Assurance, organisations must demonstrate documented evidence across several areas of cybersecurity, including:
Governance, risk and policy
- A written information security policy approved by senior leadership.
- An information asset inventory that details hardware, software, and data assets.
- Evidence of regular risk assessments and a method for assigning risk levels.
- Board-level ownership of cybersecurity responsibilities.
People and awareness
- Records of employee onboarding and offboarding processes.
- A documented security awareness training programme.
- Evidence of disciplinary procedures in place for non-compliance.
Technical controls
- Secure configuration of firewalls, software, and operating systems.
- Regular patching of critical systems within industry-accepted timeframes.
- Endpoint protection on all company devices.
- Role-based access control aligned with the principle of least privilege.
How does IASME relate to Cyber Essentials?
Many organisations begin their compliance journey with Cyber Essentials. It’s a foundational scheme that addresses five technical controls. IASME Cyber Assurance builds upon this by introducing a broader risk-based governance model.
It’s important to remember that to certify to IASME Cyber Assurance, you must also hold a valid Cyber Essentials certificate. That means your business must already comply with the following key requirements:
What are the key requirements for achieving Cyber Essentials certification?
- Secure boundary firewalls.
- Secure configuration of systems.
- Access controls and user privilege management.
- Patch management.
- Malware protection.
You’ll need clear evidence that these controls are in place and maintained.
Steps to prepare for the audit
Assigning ownership
Without clearly assigned responsibility, compliance efforts stall. You should appoint a named individual who coordinates documentation, liaises with auditors, and ensures timely actions are taken. This may be your IT manager, compliance lead, or a third-party consultant.
Conduct a gap analysis
Run an internal assessment using the IASME template or work with an accredited certification body. The goal is to highlight missing controls, outdated documentation, or inconsistent processes.
Review your risk register
Many businesses fail to pass their audit because they either lack a risk register or use one that’s too generic. It must reflect your unique business context: think about your sector, technology stack, and threat exposure.
Create a policy suite
IASME Cyber Assurance requires policies covering areas such as:
- Information security
- Data protection
- Access control
- Mobile device usage
- Supplier management
- Business continuity
- Security incident response
These documents should be reviewed annually and approved by leadership.
Software that can support compliance
Most SMEs don’t need enterprise-grade tools to achieve certification. However, having the right platforms in place can reduce manual work, enforce controls, and simplify evidence collection.
What software solutions support compliance with Cyber Essentials standards?
- Asset management systems like Lansweeper or InvGate
- Patch management tools such as Automox or ManageEngine
- Endpoint protection platforms like ESET or CrowdStrike
- Mobile device management (MDM) solutions such as Microsoft Intune
- Documentation tools like Confluence or OneNote
Integrating these solutions can also help you demonstrate continual improvement.
Understanding audit scope and outcomes
Audit timing and format
Once you’re ready, the Level 2 audit is typically conducted remotely, though it can be on-site depending on your context. Auditors will review documents, ask follow-up questions, and sample specific controls.
What auditors are looking for
- That policies exist, are relevant, and are enforced.
- That risk assessments are genuine, not generic templates.
- That employee training is recorded and reviewed.
- That there is traceability in incident response logs.
If you’re unsure whether a control applies, your auditor can provide context, but they will expect justification for exclusions.
Renewal and ongoing improvement
Can I renew my Cyber Essentials certification through an online service?
Yes. The annual renewal process for Cyber Essentials can be completed online via any accredited provider. Since a valid Cyber Essentials certification is required for IASME Cyber Assurance, maintaining this baseline is non-negotiable.
Providers and partners to support you
There are numerous organisations across the UK offering both certification and consultancy services for Cyber Essentials and IASME Cyber Assurance.
Which companies provide Cyber Essentials certification services in the UK?
There are over 250 IASME-approved certification bodies. Reputable examples include:
- UK Cyber Security, which provides tailored audits, online portal-based assessments, and expert consultancy.
- Secarma, known for its penetration testing and support for regulated industries.
- Bulletproof, specialising in managed services and security certification.
Which UK-based firms offer Cyber Essentials consultancy services?
Some consultancy firms help businesses implement the controls before they certify:
- UK Cyber Security offers step-by-step guidance for SMEs, from gap analysis to documentation packs.
- Tiberium provides support for compliance across Cyber Essentials, IASME, and ISO 27001.
Employee training and culture shift
Passing IASME isn’t just about policy; it’s about people. You need a culture of security. Key elements include:
- Onboarding that includes clear cybersecurity expectations.
- Regular awareness refreshers.
- Phishing simulations or email awareness exercises.
- Documented incident response testing.
Working with suppliers
If you handle third-party data or rely on partners for key services, IASME requires evidence of supplier risk assessments. You should:
- Maintain a supplier list.
- Risk-rank each supplier.
- Include cybersecurity clauses in contracts.
- Request evidence of Cyber Essentials or similar standards where appropriate.
The benefits of achieving IASME certification
Once certified, your organisation will benefit from:
- Increased trust from clients, regulators, and partners.
- Readiness for government tenders requiring cyber assurance.
- A clear internal structure for improving security practices.
- Alignment with wider standards such as ISO 27001 and GDPR.
The audit also acts as a checkpoint, helping identify areas to improve before they result in a breach or failure.
Final checklist before the audit
Before the Level 2 audit, ensure you:
- Have an up-to-date Cyber Essentials certificate.
- Can produce all policy documents.
- Have evidence of your risk assessment and asset inventory.
- Can show incident logs, access control reviews, and training records.
Make sure your nominated representative is available to support the auditor and answer questions on process.
UK Cyber Security Group Ltd is here to help
For more information, please do get in touch.
If you would like to know more, do get in touch; we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that provide the protection you need to help guard against criminal attacks.