Frequently Asked Questions

The pricing of IASME Cyber Assurance has a tiered structure based on organisation size. Prices start from £320 + VAT for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of £600 + VAT which aims to reflect the complexity involved in assessing larger organisations. The pricing structure uses the criteria used by the UK Government which defines the size of an organisation based on number of employees:

A micro-organisation has between 0-9 employees – IASME Cyber Assurance will cost £320 + VAT.

A small organisation has between 10-49 employees – IASME Cyber Assurance will cost £440 + VAT.

A medium organisation has between 50-249 employees – IASME Cyber Assurance will cost £500 + VAT.

A large organisation has 250 employees or more – IASME Cyber Assurance will cost £600 + VAT.

IASME Cyber Assurance is a cyber security standard and certification scheme designed to help organisations demonstrate their cybersecurity posture and improve their resilience to cyber threats. Available at two levels, IASME Cyber Assurance is more flexible and less prescriptive than other standards, making it a great option to provide smaller organisations with a ‘right-sized’ approach.

Organisations seeking certification under the IASME Cyber Assurance scheme must complete Level One which is a verified self-assessment reviewed by an independent Assessor. They can then continue to Level Two which is a technical audit of their systems to verify that the standard’s requirements have been correctly implemented.

Important cyber security measures are included such as:

• Assessing and managing risk
• The implementation of technical controls to protect against cyber threats
• Training people
• Setting practical policies and procedures
• Key resilience strategies such as backing up data, business continuity planning and incident response
• The management of cybersecurity risks associated with third-party suppliers and service providers
• Legal and regulatory requirements such as your country’s implementation of GDPR (in the UK this is the Data Protection Act)

There are also helpful templates available for many of the policies, procedures and trackers required in IASME Cyber Assurance. Applicants can download them for free.

For Level One certification, the requirement is an annual resubmission of the IASME Cyber Assurance verified self-assessment using the online portal, and maintenance of the prerequisite scheme (Cyber Essentials).

The IASME Cyber Assurance Level Two audit is valid for three years but requires the Applicant to achieve Cyber Essentials and IASME Cyber Assurance Level One annually – to ensure the controls are in place in the interim years. This ‘soft-check’ is part of what helps keep the cost of IASME Cyber Assurance more affordable than schemes that require a yearly audit.

If your organisation is outside the UK, please contact [email protected] to discuss the prerequisite certification.

It is a good idea to download the question set in advance (available for free from the website here) and prepare the answers before applying. By doing this, you can ensure that there are no unexpected aspects that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal.  You will have six months to complete your assessment before your account becomes invalid and unfortunately, we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within three days.  If you have not been successful, you will then have two working days to address the issues, update your answers and resubmit.  The Assessor will then aim to take no more than three days to remark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information.  This step will also take a few days.

A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This can make the supply chain more accessible to smaller organisations and give a way for these companies to meet the contractual requirements needed for contracts, which then leads to more commercial opportunities.

IASME Cyber Assurance Level One is an online verified self-assessment. The question set is available to download online free of charge for preparation purposes and can then be completed within the assessment portal.

IASME Cyber Assurance Level Two is an audit. It follows the completion of IASME Cyber Assurance Level One and must be achieved within six months. The Assessor will look at documentation, interview key staff and observe activities. This can be done in person or sometimes remotely (such as via a video call). The Assessor will then create an Audit Report which will be shared with IASME and go through IASME’s moderation process. The information evidenced within the report will be evaluated to assess whether the Applicant has achieved Level Two standard.

The cyber security measures for Level One and Level Two are exactly the same but the level of assurance is different. IASME Cyber Assurance Level Two offers a higher level of assurance as the technical audit of an Applicant organisation’s systems verify that the cyber security processes, policies and controls are in place and properly implemented.

The audit involves the organisation demonstrating activities and providing documentary evidence to support their answers to the IASME Cyber Assurance verified self-assessment question set.   

In preparation, the Assessor and Applicant will establish the key personnel in the organisation, so that they can conduct interviews and review the documentation and systems and security practice. 

Some examples of documents that will be reviewed by the Assessor to ensure they are compliant with the scheme would include: 

• Administrator Access Tracker 
• Business Continuity Plan 
• Information Asset Register 
• Physical Asset Register 
• Risk Assessment 
• Security Improvement Plan 
• Security Incident Tracker 
• Security Policy 

Before certifying to IASME Cyber Assurance, Applicants will first need to demonstrate that their organisation has got the basics in place.

Cyber Essentials represents the government-approved minimum standard of cyber security for organisations of all sizes in the UK and Crown Dependencies. It consists of five technical controls that will reduce the impact of common cyber-attack approaches by up to 80%

If your organisation is based in the UK, Cyber Essentials is your prerequisite.

Cyber Essentials can be achieved by any organisation in the world provided they have access to a Certification Body based in the UK. Upon application, overseas organisations will be automatically allocated a Certification Body in the UK.

The pricing structure for Cyber Essentials certification is based on the size of your organisation.

If your organisation is outside the UK, please contact us at [email protected] to discuss the prerequisite certification.

Both standards have a tiered pricing structure and are chargeable separately.

If your organisation is outside the UK, please contact us at [email protected] to discuss the prerequisite certification.

No.  Both Cyber Essentials and IASME Cyber Assurance Level One have a tiered pricing structure and they are charged separately.

If your organisation is outside the UK, please contact us at [email protected] to discuss the prerequisite certification.