IASME Cyber Assurance Updates and Milestones in 2025

Dec 17, 2025 | IASME Cyber Assurance

In May this year, the IASME Cyber Assurance (ICA) standard underwent a full review and update. Responding to feedback about accessibility, IASME has improved and streamlined the scheme, making it even more user-friendly, affordable and tailored to organisations of different sizes. While the ICA standard provides a framework for comprehensive cyber security, it goes beyond preventative measures to focus on long-term cyber resilience. This ensures a business can adapt, recover and continue to operate even in the face of a successful cyber attack.

Built around 14 core themes, the standard provides practical steps and key controls to help organisations identify, manage, and mitigate cyber risks effectively. One of the unique features of IASME Cyber Assurance is its tiered approach, which adjusts requirements based on the size and complexity of your organisation. This ensures that achieving robust cyber security is both accessible and manageable for organisations of all sizes, making it a trusted choice for businesses and supply chains across industries.

Certification is available in two levels: Level One consists of a verified assessment reviewed by an independent Assessor, and Level Two involves an audit of the processes, procedures and controls required by the IASME Cyber Assurance standard.

Key Updates to the IASME Cyber Assurance Scheme

1. Cyber Security Categories and Themes
One of the most notable changes is the reorganisation of cyber security categories. System development has now been established as a separate theme, reflecting its growing importance in the modern digital landscape. This change ensures that organisations can better address risks associated with software and system development.

2. Level One Question Set
The Level One question set has been condensed, reorganised, and clarified. The revised question set ensures that businesses can focus on the essentials of cyber resilience without being overwhelmed by unnecessary complexity.

3. Improved Alignment
The Level One sections have been aligned with standard themes, and the alignment has been further refined to reflect the details of each theme. This ensures a more cohesive and logical structure, making it easier for organisations to understand and implement the requirements.

4. Elimination of Duplication
Duplication within the standard requirements has been eliminated, and the alignment of requirements with the themes has been improved. This not only simplifies the certification process but also ensures that organisations can focus on meaningful actions that directly contribute to their cyber resilience.

5. Tailored Standards for Different Business Sizes
One of the most impactful updates is the introduction of tailored standards based on business size. The ICA standard now adjusts its requirements to reflect the size and complexity of an organisation:

  • Sole traders and two-person partnerships (1–2 people) need to meet just 20 requirements.

  • Micro businesses (3–9 people) face slightly more requirements, reflecting their increased complexity.

  • Small businesses (10–49 people) must address a broader set of controls.

  • Medium and large businesses (50+ people) are required to meet a comprehensive set of 65 requirements.

This tiered approach ensures that smaller organisations are not burdened with unnecessary requirements, while larger organisations can address their more extensive risk profiles.

6. Level Two Platform for Audits
The Level Two audit process has been modernised, moving from free-form written reports to structured fields within a platform. This change has streamlined the audit process, reducing assessor time and making it more efficient and accessible.

Milestones

As we approach the end of the year, we renew our commitment to supporting organisations on their journey to cyber resilience and celebrate the success of the IASME Cyber Assurance scheme. The updates introduced this year have not only improved the accessibility and scalability of the standard but have also reinforced its position as a trusted framework for achieving robust cyber security.

This year, the new and improved ICA standard has achieved:

Enhanced Accessibility

The introduction of tailored standards has made the ICA scheme more accessible to smaller organisations, including sole traders and micro businesses. By reducing the number of requirements for these groups, the standard acknowledges their unique challenges while maintaining a focus on critical aspects of cyber resilience.

Alignment with Government and Industry Standards

ICA provides an organisation with practical steps and key controls to help it become cyber resilient, as highlighted within the DSIT Cyber Governance Code of Practice. This alignment establishes ICA as a comprehensive standard, enabling organisations to showcase their cyber security maturity to supply chains, especially within regulated sectors.

Positive Feedback from Organisations

Feedback from organisations has been overwhelmingly positive, with many praising the streamlined question set and improved alignment of requirements. These changes have made the certification process more manageable and relevant, particularly for smaller businesses.

Increased Adoption

The updates have contributed to a significant increase in the adoption of the ICA standard. Organisations across various industries have recognised the value of achieving certification, not only as a demonstration of their commitment to cyber security but also as a practical step towards long-term resilience.

Increased Engagement from Certification Bodies

IASME Certification Bodies, or CBs, are specially trained cyber security companies that are licensed and assured by IASME to offer assessment and certification to cyber security standards such as IASME Cyber Assurance. Following this year’s scheme update and the launch of the new portal, ICA has experienced a significant rise in the number of Certification Bodies onboarding. Aligning the structure of the two certification levels has streamlined the process, making it easier for Assessors to navigate both stages of the ICA journey.

Looking Ahead

With more than 5.45 million SMEs in the UK and growing pressure to secure supply chains, the need for demonstrable strong cyber security measures has never been greater. The ICA scheme provides a practical, scalable, and affordable solution for organisations looking to protect their reputation, safeguard sensitive data, and ensure business continuity.

“IASME Cyber Assurance builds on the foundation of Cyber Essentials, enabling organisations to focus on managing cyber risk and resilience. The latest version provides a pragmatic approach of aligning security measures with organisational size – striking a great balance of security, compliance, and operational efficiency. Reporting and supporting documentation has also been streamlined, setting clear expectations and enabling the assessment process to be quick and efficient.”

Remo Belisari, RB Consultancy Ltd (IASME Certification Body)
