
Frequently Asked Questions

Why do I want this certification for my product?

Certification shows your customers that their device is in line with UK law to protect their data. It also shows that you take any potential cyber security risks seriously and are doing everything you can to protect customer data.

How long does certification last?

Certification must be renewed annually. We will aim to use the same Certification Body for re-assessment, allowing manufacturers to maintain a relationship with their Certification Body. Should you want a different Certification Body, please contact us and it can be arranged.

We are only a startup, is this scheme affordable?

The scheme is costed to make it accessible to any company making IoT devices, whether you’re a huge multinational corporation or a startup of 1. Our scheme costs just £450 + VAT for a micro business or £500 + VAT for other businesses.

On your website for IoT, I see Baseline or Assurance. What’s the difference?

The Baseline scheme is compliant with the top three requirements of the ETSI EN 303 645 standard and the new Product Security and Telecommunications Infrastructure Act 2022, the minimum standard as required by UK Law. The Assurance scheme covers all 13 requirements of the ETSI EN 303 645 and the IoTSF’s Security Compliance Framework.
The level 2 audited level of the Assurance scheme has been identified by Secured by Design (a Police Crime Prevention Initiative) as one of the ways for manufacturers to confirm their products have the highest level of cyber security.

What’s the difference between IoT Cyber Assurance level one and level two?

Our Level One scheme is a verified assessment. The applicant answers a set of questions, using IASME’s online portal, about the security controls in place on a connected device and any associated services. A board member or equivalent must sign a declaration to confirm that all the answers are accurate. The answers to this assessment are then reviewed by one of IASME’s IoT-trained Assessors.
Level Two is a hands-on audit of the device that includes an interview and a full review of the supporting documentation.

Do I have to pay for the scheme before I know what questions I will be asked?

The question set for level one of the scheme is available to download free of charge from our website. This covers both Baseline and Assurance. You can also map the questions against EN 303 645 and the IoT Security Compliance Framework.

How long do I have to complete my assessment after I have paid?

When your payment is received, we will send you login details to access the online assessment platform so that you can begin your certification. You will then have 6 months to complete the assessment.

My company doesn’t have a vulnerability policy as we are only just starting out, can you help?

Yes, we specialise in helping SMEs, and on our website you can download a free vulnerability policy and a free security policy. These can be personalised to your company's specifications. They contain everything from asset management to managing a cyber security incident.

If I don’t pass on the first attempt do I have another chance?

Yes, if you fail on your first attempt you are allowed a free submission, but this must be completed within 30 days.

I’m unsure whether my device is suitable for the IoT assessment, is there anything I can do?

Yes, please email our scheme manager [email protected] to discuss your concerns and we will discuss the scope of the assessment prior to purchasing.

Can I just apply straight for level two of the scheme?

No, holding a level one certification is a prerequisite for applying for level two.

If I fail will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a report including all the answers you gave and comments from the assessor against any that were considered non-compliant. If you fail the assessment this feedback should help you improve your security so you can pass in the future.

My company makes multiple IoT devices, do I have to certify each device?

Yes, each device will be assessed on its own merits and need its own certification. However, discounts could be available, depending on the number of devices needing to be certified. Please contact the IoT Scheme manager to discuss. His email is [email protected] 

My company wants to become a Certification Body for the IoT Cyber Scheme, how do I do that?

We are always looking for new Certification Bodies. Please contact our IoT Scheme manager to discuss your query. He will be more than happy to answer any questions you might have. His email is [email protected]

The IASME Consortium Ltd
Wyche Innovation Centre
Upper Colwall
Malvern
WR13 6PL

Company number: 07897132