What is the difference between the Cyber Essentials Scheme and the IASME Governance Scheme?

The Cyber Essentials Scheme is a Government scheme that helps organisations to guard against the most common cyber threats from the internet and demonstrate commitment to cyber security. It covers five main technical controls which will protect companies against an estimated 80% of common internet threats. The controls are:

  • Secure your Internet connection (Firewalls and routers)
  • Secure your devices and software (Secure configuration)
  • Control access to your data and services (Access control)
  • Protect from viruses and other malware (Malware protection)
  • Keep your devices and software up to date (Software updates)

IASME Governance certification is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME Governance is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium-sized organisations to implement.

The cost of Cyber Essentials certification is £300 + VAT.

The cost of basic IASME Governance certification is £400 + VAT.

Is IASME Governance Audited the same as Cyber Essentials PLUS?

No – Cyber Essentials Plus is an audited level of the Cyber Essentials assessment, testing the 5 Cyber Essentials controls only. IASME Governance Audited (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation, against the IASME Governance standard. It is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium-sized organisations to implement. The standard includes GDPR requirements and adds additional topics that mostly relate to people and processes, for example:

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity

When I apply to do Cyber Essentials and IASME Governance together, can I do IASME Governance at a later date?

We would normally require Cyber Essentials and IASME Governance to be assessed at the same time, but they can be done separately provided that the IASME Governance assessment is completed within 6 months of the Cyber Essentials certification. The cost for doing this separately would be £500 + VAT (£100 more than doing them at the same time). Please contact IASME if you require the assessments to be completed this way.

Is it £400 in total for IASME Governance (including Cyber Essentials) or is it £300 + VAT plus £400 + VAT?

IASME Governance includes Cyber Essentials and so the cost for both is £400 + VAT in total.

How does IASME Governance map to other standards including ISO 27001?

We have mapped IASME Governance to a variety of standards including ISO 27001. For more information please click here.

How much does it cost for a basic level Cyber Essentials Assessment?

It costs £300 + VAT for each assessment. You can choose to assess your whole company in one go, however large it is, and this would still be just £300 + VAT.

As soon as you have paid we will send you login details for your online assessment portal. You will have 6 months to complete your assessment before your account is archived. Unfortunately we cannot issue a refund if this happens so please do not apply until you think you are ready for the assessment.

Where can I find the document which describes the full Requirements for the Cyber Essentials Scheme?

You can download the requirements from the UK Government website here.

You can see our overview here.

Which UK government contracts will I need Cyber Essentials certification for?

You can see here the note to UK Government Procurement Officers, which specifies that Cyber Essentials is mandated in many cases for suppliers to all central government departments.

From 1st January 2016 the Ministry of Defence mandated Cyber Essentials for all its new suppliers and their relevant supply chain.

In July 2016 the UK Government Department of Health, National Data Guardian (NDG) published “Review of data security, consent and opt-outs” which recommended “All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings.” We are now seeing an increasing number of health care organisations being required to have Cyber Essentials or Cyber Essentials Plus for NHS contracts.

How much does it cost for a Cyber Essentials Plus assessment?

The Cyber Essentials Plus assessments have to be quoted for individually. You can submit some details via the form here and two Certification Bodies will email a quote to you.

Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a random sample of these systems in line with the test specification and then decide whether further testing is required.

The audits are currently all being run remotely.

As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400. Our certification bodies aim to minimise the cost to your company.

Is there a vulnerability scan required as part of the Cyber Essentials basic level?

The basic level assessment of Cyber Essentials only requires a self-assessment. No additional vulnerability scan, test or third party verification is needed. However, one of your Board members will have to sign a declaration that all the answers you have entered are true.

Can I see the self-assessment questions before I pay for an assessment?

You can download all the self-assessment questions in pdf format here. If you would like them in an Excel worksheet, which is easier to work with, then please contact us and we will email it to you.

What is involved in a Cyber Essentials Plus assessment?

Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10 per cent) and then decide whether further testing is required.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process. If you have achieved the basic level Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus you will not need to repeat the self-assessment questions stage.

All audits are being run remotely at the moment and so there is no need for the assessor to visit your organisation.

The full test specification, which all the Accreditation Bodies work to, can be downloaded (Cyber Essentials Plus Common Test Specification) from the NCSC website here.

How many of the questions do I need to get right to pass?

You need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. These very strict pass criteria are set by the UK Government. If you are not compliant in some of the questions we suggest you try to change your processes to meet the requirement and, in any case, add notes to explain why you are not compliant in this aspect and how else you control that risk.

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment, such as Windows 7, will probably fail to achieve Cyber Essentials certification.

If I fail will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a pdf of all the answers you gave and comments from the assessor against any that were considered non-compliant. If you fail the assessment this feedback should help you improve your security so you can pass in the future.

Where can I get more information about the included Cyber Insurance?

We have a separate set of frequently asked questions and answers about the included insurance here. For further information contact [email protected] or call +44 (0)1905 21681.

If I fail will I have to pay another £300 to take the assessment again?

If you fail we allow you two working days to examine the feedback from the assessor and change any simple issues with your network and policies. You can then update your answers and the assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions - where can I get help?

If you have any questions about how to meet the Cyber Essentials or IASME Governance requirements we have a LinkedIn group called “Cyber Essentials Advice Group” where you can post your questions and we will give you free advice. You can join this group here.

If you need more in-depth help then any of the regional companies we have trained as our assessors (Certification Bodies) are ideally placed to support you. Please contact them for help.

How can I become an Assessor?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant assessor courses. More details about requirements for assessors can be seen here. We work with companies of all sizes. Micro companies / one-man bands are welcome partners.

Where can I find information about securing my company?

You can see links to some excellent websites which will help you here.

How quickly can I get certified to Cyber Essentials?

We always do our best to get the Cyber Essentials assessment results back to you as quickly as possible. It usually takes us 1 – 3 working days from the time you submit your assessment. If you have a tight deadline please let us know and we can try to fast-track your assessment.

How long does the certification last before I have to renew my Cyber Essentials certification?

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. We remove companies from the UK Government’s ‘certified organisations’ list if they have not been certified in the past year.

How long will I have to complete and submit my assessment?

You will have 6 months from date of application to complete and submit your assessment. After this time your account may be closed. You would have to apply and pay again if you wanted to be assessed.

How can I remember to re-certify within a year?

We will email you with a reminder roughly a month before you have to be re-certified.

When I re-certify will I have to re-enter all the information again?

You currently do need to re-enter all the information again, and the questions have been updated and so have changed a bit (hopefully improved). However, you can copy and paste the majority of your answers from last year's submission if you have not changed things in your company over the previous year. Please remember to keep a copy of your answers when you submit so you can work with them when you re-certify the following year.
