Frequently Asked Questions

IASME Cyber Assurance

If you have a question about IASME Cyber Assurance that is not addressed below, please contact [email protected]

What is IASME Cyber Assurance?

IASME Cyber Assurance is a cyber security standard and certification scheme designed to help organisations demonstrate their cybersecurity posture and improve their resilience to cyber threats. Available at two levels, IASME Cyber Assurance is more flexible and less prescriptive than other standards, making it a great option to provide smaller organisations with a ‘right-sized’ approach.

Organisations seeking certification under the IASME Cyber Assurance scheme must first complete Level One, a verified self-assessment reviewed by an independent Assessor. They can then continue to Level Two, a technical audit of their systems that verifies the standard’s requirements have been correctly implemented.

What is included in IASME Cyber Assurance?

Important cyber security measures are included such as:

  • Assessing and managing risk
  • The implementation of technical controls to protect against cyber threats
  • Training people
  • Setting practical policies and procedures
  • Key resilience strategies such as backing up data, business continuity planning and incident response
  • The management of cybersecurity risks associated with third-party suppliers and service providers
  • Legal and regulatory requirements such as your country’s implementation of GDPR (in the UK this is the Data Protection Act)

Why should I certify to IASME Cyber Assurance?

IASME Cyber Assurance is a great way to ensure and demonstrate that you hold and manage data in a secure and regulated way. You can give customers, stakeholders and partners peace of mind in knowing that you are meeting the scheme controls and taking GDPR and information security and management seriously.

Additionally, a wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This can make the supply chain more accessible to smaller organisations and give a way for these companies to meet the contractual requirements needed for contracts, which then leads to more commercial opportunities.

How is IASME Cyber Assurance associated with the IASME Governance standard?

IASME Cyber Assurance is the updated version of IASME Governance. The key controls are the same; however, the standard has been rearranged and organised into 13 themes, with the goal of making it friendly, easy to understand and structured in a logical order.

What resources are there to help me certify to IASME Cyber Assurance?

Applicants can download the standard document, which sets out the requirements that must be adhered to in order to pass.

There are also helpful templates available for many of the policies, procedures and trackers required in IASME Cyber Assurance. Applicants can download them for free.

How does IASME Cyber Assurance map to other standards including ISO 27001?

We have mapped IASME Cyber Assurance to a variety of standards including ISO 27001. For more information please click here.

How often do I need to recertify my IASME Cyber Assurance certification?

For Level One certification, the requirement is an annual resubmission of the IASME Cyber Assurance verified self-assessment using the online portal, and maintenance of the prerequisite scheme (Cyber Essentials or IASME Cyber Baseline for organisations outside the UK).

The IASME Cyber Assurance Level Two audit is valid for three years but requires the Applicant to achieve Cyber Essentials (or IASME Cyber Baseline) and IASME Cyber Assurance Level One annually, to ensure the controls remain in place in the interim years. This ‘soft-check’ is part of what helps keep the cost of IASME Cyber Assurance more affordable than schemes that require a yearly audit.

How much does it cost for IASME Cyber Assurance Level One?

The pricing of IASME Cyber Assurance has a tiered structure based on organisation size. Prices start from £320 + VAT for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of £600 + VAT, which aims to reflect the complexity involved in assessing larger organisations. The pricing structure follows the UK Government’s criteria, which define the size of an organisation by number of employees:

  • A micro-organisation has 0-9 employees – IASME Cyber Assurance will cost £320 + VAT.
  • A small organisation has 10-49 employees – IASME Cyber Assurance will cost £440 + VAT.
  • A medium organisation has 50-249 employees – IASME Cyber Assurance will cost £500 + VAT.
  • A large organisation has 250 employees or more – IASME Cyber Assurance will cost £600 + VAT.

On average, how long does certification take to complete?

It is a good idea to download the question set in advance (available for free from the website here) and prepare your answers before applying. By doing this, you can ensure that there are no unexpected requirements that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal. You will have six months to complete your assessment before your account becomes invalid; unfortunately, we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within three days. If you have not been successful, you will then have two working days to address the issues, update your answers and resubmit. The Assessor will then aim to take no more than three days to remark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information. This step will also take a few days.

Where can I find the document which describes the full requirements for IASME Cyber Assurance?

You can download the IASME Cyber Assurance standard here.

Which contracts accept IASME Cyber Assurance certification?

A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. Examples are the Ministry of Justice and the Government of Jersey. This can make the supply chain more accessible to smaller organisations and give a way for these companies to meet the contractual requirements needed for contracts, which then leads to more commercial opportunities.

IASME Cyber Assurance is recognised as one of the suitable ways for organisations in Bermuda to demonstrate compliance to the privacy legislation, Personal Information Protection Act (PIPA).

What's the difference between IASME Cyber Assurance Level One and Level Two?

IASME Cyber Assurance Level One is an online verified self-assessment. The question set is available to download online free of charge for preparation purposes and can then be completed within the assessment portal.

IASME Cyber Assurance Level Two is an audit. It follows the completion of IASME Cyber Assurance Level One and must be achieved within six months. The Assessor will look at documentation, interview key staff and observe activities. This can be done in person or sometimes remotely (such as via a video call). The Assessor will then create an Audit Report which will be shared with IASME and go through IASME’s moderation process. The information evidenced within the report will be evaluated to assess whether the Applicant has achieved Level Two standard.

The cyber security measures for Level One and Level Two are exactly the same, but the level of assurance is different. IASME Cyber Assurance Level Two offers a higher level of assurance because the technical audit of an Applicant organisation’s systems verifies that the cyber security processes, policies and controls are in place and properly implemented.

How much does it cost for an IASME Cyber Assurance audit?

As the Level Two audit needs more dedicated time from technical experts, it is more expensive than the verified assessment. The cost will depend on the size and complexity of the network. IASME has a number of Certification Bodies who are trained and licensed to conduct the IASME Cyber Assurance audit. The Level Two audit has to be quoted for individually; Applicants can use the ‘get a quote’ page on our website.

What does the Level Two audit involve?

The audit involves the organisation demonstrating activities and providing documentary evidence to support their answers to the IASME Cyber Assurance verified self-assessment question set.

In preparation, the Assessor and Applicant will establish the key personnel in the organisation, so that the Assessor can conduct interviews and review the documentation, systems and security practice.

Some examples of documents that will be reviewed by the Assessor to ensure they are compliant with the scheme include:

  • Administrator Access Tracker 
  • Business Continuity Plan 
  • Information Asset Register 
  • Physical Asset Register 
  • Risk Assessment 
  • Security Improvement Plan 
  • Security Incident Tracker 
  • Security Policy 

Tell me more about the prerequisites for IASME Cyber Assurance

Before certifying to IASME Cyber Assurance, Applicants will first need to demonstrate that their organisation has the basics in place.

Cyber Essentials represents the government-approved minimum standard of cyber security for organisations of all sizes in the UK and Crown Dependencies. It consists of five technical controls that will reduce the impact of common cyber-attack approaches by up to 80%.

If your organisation is based in the UK, Cyber Essentials is your prerequisite. 

Cyber Essentials can be achieved by any organisation in the world provided they have access to a Certification Body based in the UK. Upon application, overseas organisations will be automatically allocated a Certification Body in the UK.  

The pricing structure for Cyber Essentials certification is based on the size of your organisation.  

IASME Cyber Baseline is an international cyber hygiene certification scheme that tackles the basic, but critical, cyber security protection measures. It can be used as a prerequisite for IASME Cyber Assurance for organisations outside the UK. Certification Bodies that assess against this scheme can be based anywhere in the world.  

The pricing structure for IASME Cyber Baseline certification is based on the size of your organisation.  

If you would like to discuss which certification is best for your organisation, please give us a call or email and one of our friendly staff will be happy to talk you through the options.  

Is a vulnerability scan required as part of IASME Cyber Assurance?

The verified self-assessment level of IASME Cyber Assurance does not include any additional test or vulnerability scan. However, one of your board members will have to sign a declaration to verify that all the answers you have entered are true.

Can I see the verified self-assessment questions before I pay for an assessment?

You can download all the verified self-assessment questions in PDF and Excel format free of charge here.

If I fail, will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a report including all the answers you gave and comments from the Assessor against any that were considered non-compliant. If you fail the assessment, this feedback should help you improve your security so you can pass in the future.

If I fail, will I have to pay again to take the assessment again?

If you fail, we allow you two working days to examine the feedback from the Assessor and change any simple issues with your network and policies. You can then update your answers and the Assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions - where can I get help?

You can contact an IASME Certification Body. They are trained and licensed by IASME to assess whether an organisation meets the criteria required for IASME Cyber Assurance certification and issue that certification. Certification Bodies also offer consultancy to help you understand the assessment questions and how they relate to your company.

How can I become an Assessor?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant Assessor courses. More details about requirements for Assessors can be seen here. We work with companies of all sizes; micro companies and sole traders are welcome partners.

How can I remember to recertify within a year?

We will email you with a reminder roughly a month before you have to be recertified. 

When I recertify will I have to enter all the information again?

You do need to enter all the information each time you certify. This serves as an annual review of your cyber security. Please note, some of the questions may have been updated and changed. Please remember to keep a copy of your answers when you submit so you can refer to them when you recertify the following year.

Can I apply to do Cyber Essentials (or IASME Cyber Baseline) and IASME Cyber Assurance together?

You can apply for Cyber Essentials (or IASME Cyber Baseline) and IASME Cyber Assurance at the same time. However, you cannot start your IASME Cyber Assurance application until you have successfully achieved Cyber Essentials (or IASME Cyber Baseline).

Both standards have a tiered pricing structure and are chargeable separately.

Does the price for IASME Cyber Assurance include the price of Cyber Essentials (or IASME Cyber Baseline) certification?

No. Both Cyber Essentials (or IASME Cyber Baseline) and IASME Cyber Assurance Level One have a tiered pricing structure and they are charged separately.

Get IASME Cyber Assurance today

If you have any other questions and would like to chat with a member of our customer services team, please contact us today on 03300 882 752 or email us on [email protected]