Beyond Cyber Essentials – IASME Cyber Assurance

Introduction

With an ever-increasing dependency on technology, information security is more critical than ever. Cyber Essentials can act as a great starting point for most organisations, but what’s next? In this blog, we explore how IASME Cyber Assurance goes beyond Cyber Essentials and can be a great step for organisations looking for more comprehensive security. We explain how an organisation can choose to implement the measures based on its size and risk appetite. We also show how IASME Cyber Assurance can support other frameworks such as ISO 27001 and the UK Government Code of Practice.


What Is IASME Cyber Assurance?

IASME Cyber Assurance is a flexible and affordable information security standard, designed with smaller organisations in mind. It builds on Cyber Essentials and covers 14 themes that are aimed at making organisations more cyber resilient. Each theme has a set of requirements (security measures) that can be applied based on organisational size and risk. IASME Cyber Assurance can therefore be ideal for small to medium-sized organisations looking for an alternative, or the next step towards ISO 27001. There are two levels to the IASME Cyber Assurance scheme:

  • Level One involves a verified self-assessment
  • Level Two is an independent audit, involving a detailed review of security policies, procedures, and controls
  • Both levels go well beyond Cyber Essentials (with Cyber Essentials being a valid prerequisite) and can help organisations further demonstrate their commitment to information security
  • Certification can be gained for both levels of the scheme

Feature         IASME Cyber Assurance Level One       IASME Cyber Assurance Level Two
Assessment      Verified self-assessment              Audit
Testing         Assessor reviews self-assessment      The assessor carries out the audit, and the IASME moderator reviews
Controls        14 themes                             Same 14 themes
Certification   12-month certificate                  3-year certificate, with annual (Level One) renewals

This table shows the key differences between IASME Cyber Assurance Level One and Level Two.


Why choose IASME Cyber Assurance?

  • Cyber Essentials can be a great starting point; however, organisations often look beyond that scheme for more security measures (based on risk) – examples include:
    • Data Backup
    • Asset Management
    • Business Continuity and Disaster Recovery
    • Legal and Regulatory
  • Organisations can benefit from the (very clear) guidance provided through the IASME Cyber Assurance scheme, which can help reduce uncertainty and set out each requirement in detail
  • Organisations often consider ISO 27001, then realise the benefits of IASME Cyber Assurance as either a next step or a pragmatic alternative


What does IASME Cyber Assurance cover?

  • IASME Cyber Assurance covers 14 themes
  • Each theme has a set of requirements (security measures)
  • An organisation can choose which requirements to implement, based on size and risk

Theme                        Further insight into the aim of the theme                                          Number of requirements
Planning                     Consider information security for day-to-day activities and projects               1
Organisation                 Have a clear structure and foundation for effective security                       4
Assets                       Understand what you have and how to protect it                                     6
Legal and Regulatory         Consider contractual obligations, data protection requirements, and more            4
Risk                         Identify threats, then treat and manage them appropriately                         9
Physical and Environmental   Prevent theft, loss, or damage and ensure protection from temperatures or humidity  7
People                       Consider education, awareness, training, and least privilege                       4
Policy                       Provide ‘right-sized’ security controls                                            7
Managing Access              Implement appropriate access to resources and data                                 4
Technical Intrusion          Leverage tools to detect and prevent unauthorised access                           2
Change Management            Control and manage key changes                                                     1
Security Operations          Take action based on warnings and alerts                                           5
Backups and Restores         Have regular and segregated data backups – test to ensure recovery                 4
Resilience                   Business continuity, incident management, and disaster recovery                    7

This table shows the 14 themes, a brief outline of the aim of each theme, and the number of requirements in each theme (65 in total).


How is IASME Cyber Assurance applied?

  • Depending on organisational size and risk appetite, each of the 14 themes, with its detailed security controls, will apply.
  • The latest version of the standard (V7) provides a set of mandatory requirements, based on organisational size.
  • A risk assessment can be carried out to determine whether the non-mandatory requirements should also be applied.

Number of employees   Mandatory requirements   Non-mandatory requirements (considered based on risk)
1 to 2 people         20                       45
3 to 9 people         32                       33
10 to 49 people       48                       17
50 or more people     65                       0

This table shows how the total of 65 requirements is split between mandatory and non-mandatory, based on organisational size.


How does IASME Cyber Assurance compare with other frameworks?

  • Cyber Essentials is a valid prerequisite for IASME Cyber Assurance and covers just 5 technical requirements, compared with 14 themes and up to 65 requirements for IASME Cyber Assurance
  • ISO 27001: a mapping exercise from 2022 shows how version 6 of IASME Cyber Assurance covers all the ISO 27001 requirements (at an achieved or partially achieved level) and almost all the ISO 27002 controls (either explicitly or implicitly)
  • UK Government Code of Practice: a mapping exercise from 2025 recognises how IASME Cyber Assurance meets the requirements of the Cyber Governance Code of Practice

How Does RB Consultancy Ltd Help?

As an Assessor and Certification Body for IASME Cyber Assurance, we carry out assessments and issue certificates for both levels of the scheme. Holding a Certified Information Systems Security Professional (CISSP) certification, we can also help organisations implement the security measures and provide support throughout the process. We have templates and documentation for each theme, and can therefore provide complete support packages.


Conclusion – how Cyber Assurance goes beyond Cyber Essentials

IASME Cyber Assurance can be a great next step beyond Cyber Essentials. It provides additional confidence and assurance that a variety of security measures are in place to protect organisations. These security measures can be applied based on organisational size and risk. Mapping exercises carried out show how IASME Cyber Assurance can support ISO 27001 and the UK Government Code of Practice. With our credentials and experience, we help organisations through both levels of the scheme and issue the associated certificates. If you would like more information or any support with IASME Cyber Assurance, please contact us.


Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world, including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.


FAQs

  1. What’s the difference between IASME Cyber Assurance Level One and Level Two?
    Level One is a verified self-assessment, and Level Two is an independent audit.
  2. How long does certification take?
    Timescales can vary significantly, depending on organisational size, priorities, and preparedness.
  3. What does a Level Two audit involve?
    Testing includes reviewing evidence, carrying out interviews, and ensuring processes are in place.
  4. Can RB Consultancy Ltd help?
    Absolutely! RB Consultancy Ltd provides expert guidance and support. Contact us for more information.