What is the IASME Cyber Assurance framework?
Cyber security has become a cornerstone of operational resilience in UK organisations, regardless of size or sector. For companies seeking to demonstrate robust information security practices, the IASME Cyber Assurance framework provides a practical, risk-based alternative to global standards like ISO 27001. Tailored to the needs of small and medium-sized enterprises, IASME Cyber Assurance allows organisations to show accountability and diligence across key governance and technical domains.
Organisations are often faced with overlapping questions when considering security certification. What are the key requirements for achieving Cyber Essentials certification? What if the business requires more than the basics? The IASME Cyber Assurance framework fills that gap, building on the technical foundation of Cyber Essentials while addressing wider organisational governance.
A step beyond Cyber Essentials
While Cyber Essentials is an excellent foundation, focused on five core technical controls, the IASME Cyber Assurance framework expands into broader operational territory. Areas covered include data protection, risk assessment, incident management, legal compliance, and ongoing improvement.
This means businesses can not only answer “How can I prepare my small business for Cyber Essentials assessment?” but also ensure they have a structured, documented approach to wider cyber and information governance.
Why IASME created the framework
IASME developed the Cyber Assurance standard to offer a UK-based alternative to larger international frameworks that may be out of scope for smaller firms. Unlike ISO 27001, which requires considerable investment and documentation, IASME Cyber Assurance is designed to be proportionate, achievable, and auditable, without sacrificing rigour.
The framework maps well onto the expectations of UK government tenders, the NHS Data Security and Protection (DSP) Toolkit, and industry customers seeking supply chain assurance. It also helps firms prepare for evolving regulation, including GDPR compliance and emerging UK legislation.
Certification structure: Level 1 and Level 2
The IASME Cyber Assurance framework offers two levels of certification:
- Level 1 (Self-assessment): Provides organisations with a structured way to review their internal policies, procedures and controls.
- Level 2 (Audited): Builds on Level 1 with an independent on-site or remote audit from a licensed Certification Body. This is often required for higher-assurance supply chain participation.
Organisations wondering “Can I renew my Cyber Essentials certification through an online service?” will be pleased to know that both IASME Cyber Assurance and Cyber Essentials renewals are streamlined through IASME’s platform, making re-certification easy for growing businesses.
What’s inside the IASME Cyber Assurance framework?
The framework is broken into several control areas, including:
- Asset Management: Inventory and tracking of all information assets, devices and software
- Risk Management: Identification, evaluation, and mitigation of cyber-related risks
- Access Control: Defining user privileges, managing authentication, and reducing unauthorised access
- People and Policy: Governance, training, HR screening, and acceptable use policies
- Security Monitoring and Logging: Logging access and activities to detect suspicious behaviour
- Backup and Business Continuity: Safeguarding data and maintaining operations in the event of an attack
- Incident Response: Defining and testing the ability to respond to a breach or cyber event
- Data Protection: Aligning with GDPR principles, ensuring lawful, fair and secure handling of personal data
Key benefits of the framework
- Affordability and scalability: Perfect for SMEs that need to demonstrate commitment without the overheads of ISO standards
- Supply chain recognition: Increasingly required in public sector procurement and supplier due diligence
- Structured governance: Encourages documentation and accountability around cyber risk
- Improved resilience: Focuses on both prevention and recovery
- Regulatory alignment: Supports GDPR compliance and the UK’s data protection expectations
Governance meets practicality
SMEs often lack the resources for complex governance frameworks. IASME Cyber Assurance meets that need with templates, guidance and practical support. Whether you’re tackling data mapping or creating incident response playbooks, the framework empowers you to show due care and structure without overwhelming red tape.
Supporting tools and services
Organisations frequently ask, “What software solutions support compliance with Cyber Essentials standards?” While Cyber Essentials and IASME Cyber Assurance are policy- and process-driven, several tools help support evidence gathering, documentation, and policy management:
- Secure Configuration Management Tools (e.g., Microsoft Intune, JAMF)
- Policy Management Platforms (e.g., Drata)
- Endpoint Protection Solutions (e.g., Sophos, SentinelOne)
- Audit Preparation Tools (e.g., compliance checklists, asset inventories, template-based evidence)
Consultants also play a key role in helping organisations prepare their documentation and align with audit expectations.
Choosing a certification partner
Navigating certification can be tricky without the right support. That’s why many businesses ask: “Which companies provide Cyber Essentials certification services in the UK?” or “Which UK-based firms offer Cyber Essentials consultancy services?”
The IASME Consortium maintains a list of licensed certification bodies, many of whom provide additional services like:
- Policy drafting and alignment
- Cyber risk assessments
- Gap analysis for IASME Cyber Assurance or ISO 27001
- Assistance with evidence gathering for audits
It’s not just about achieving the badge; it’s about making sure that cyber maturity becomes a living, breathing part of your organisational culture.
IASME vs ISO 27001: complementary or competitive?
While IASME Cyber Assurance and ISO 27001 cover similar domains, their structure, scope, and complexity differ significantly. ISO 27001 offers a globally recognised ISMS framework, but many small businesses feel it is too heavy for their needs.
IASME Cyber Assurance, on the other hand, can be implemented faster, with clearer pathways for SMEs, especially those needing to demonstrate maturity to UK clients. However, the standards are not mutually exclusive. Many organisations begin with IASME, then scale into ISO 27001 later.
Future-proofing through audit readiness
Preparing for any cyber security audit means ensuring evidence is current, policies are understood and practised, and awareness is maintained across the workforce. Organisations asking “How can I prepare my small business for Cyber Essentials assessment?” will also find that IASME’s framework strengthens long-term audit posture.
Periodic internal audits, stakeholder reviews, and policy refresh cycles are encouraged in the framework, building resilience and repeatability.
Summary: Who benefits most from IASME Cyber Assurance?
- SMEs looking for a structured, auditable framework without ISO overheads
- Supply chain organisations that need more than Cyber Essentials
- Public sector suppliers aligning with local procurement frameworks
- Startups wanting a roadmap to responsible cyber practices
- Firms targeting ISO 27001 in future but needing a scalable starting point
The IASME Cyber Assurance framework brings governance, technical control, and practicality together, ensuring UK businesses can demonstrate real, measurable steps towards security maturity.
For those ready to take the next step, it’s a powerful tool in both risk management and stakeholder assurance.
What are the key requirements for achieving Cyber Essentials certification?
- Secure configuration
- Boundary firewalls and internet gateways
- Access control
- Malware protection
- Patch management
How can I prepare my small business for Cyber Essentials assessment?
- Identify and list all internet-connected devices
- Ensure supported operating systems and patching are in place
- Implement access control and MFA
- Review antivirus or endpoint protection
- Ensure no unsupported software is present
What software solutions support compliance with Cyber Essentials standards?
- Antivirus and endpoint protection tools
- Operating system security configuration
- Firewall and VPN controls
- Mobile device management (MDM) platforms
Can I renew my Cyber Essentials certification through an online service?
Yes. IASME offers online self-assessment for Cyber Essentials and renewal is done annually via its web portal.
Which companies provide Cyber Essentials certification services in the UK?
- IASME Certification Bodies (including UK Cyber Security, URM, Bulletproof, etc.)
- NCSC listed service providers
Which UK-based firms offer IASME Cyber Assurance and Cyber Essentials consultancy services?
- UK Cyber Security Group Ltd
- Pentest People
- Cyber Tec Security
- TSG
UK Cyber Security Group Ltd is here to help
For more information, please do get in touch.