IASME Cyber Assurance Explained for UK SMEs
IASME Cyber Assurance is a UK cybersecurity certification scheme designed specifically for SMEs — covering governance, risk management, and security practices beyond the purely technical focus of Cyber Essentials. It is the recommended stepping stone toward ISO 27001 for businesses that need a structured security framework.
Overview
IASME Cyber Assurance is a UK cybersecurity certification covering technical controls, governance, risk management, policies, and GDPR. It is designed for SMEs as an accessible alternative to ISO 27001 and includes Cyber Essentials within its framework. IASME is the NCSC's certification delivery partner.
Learn about Cyber EssentialsWhat is IASME Cyber Assurance?
IASME Cyber Assurance is a comprehensive UK security standard for small and medium businesses, spanning 149 controls across five domains: governance and risk management, information security policies, security management, asset management and technical controls. Unlike Cyber Essentials, it tests whether you *manage* security, not just whether the technology is switched on.
It also embeds GDPR data protection requirements, so one certification covers both your cybersecurity and your data protection obligations. That dual focus is why it sits a clear step above the purely technical schemes — it asks who is accountable, what the policies say, and how risk is assessed. If you want the parent picture of how this fits a wider programme, see AMVIA's managed cybersecurity pillar.
Governance gaps — not single technical failures — drive a large share of UK incidents. The Cyber Security Breaches Survey 2025 found 43% of UK businesses experienced a breach or attack in the past 12 months (DSIT 2025), and many lacked the policies and risk processes IASME Cyber Assurance is designed to enforce.
How does IASME relate to Cyber Essentials?
IASME runs the Cyber Essentials scheme under licence from the NCSC and also owns the broader Cyber Assurance standard. Cyber Essentials covers five technical controls; Cyber Assurance includes all five and layers governance, policy, risk management and GDPR on top.
Cyber Essentials focuses on firewalls, secure configuration, access control, malware protection and patch management — strong cover against commodity attacks, achievable at any size. There were 49,248 Cyber Essentials certifications in 2025 according to the NCSC. But it does not address security policies, business continuity, risk management or data protection.
| Cyber Essentials | IASME Cyber Assurance | |
|---|---|---|
| Five technical controls | Yes | Yes (included) |
| Security policies & governance | No | Yes |
| Risk management & risk register | No | Yes |
| GDPR data protection controls | No | Yes |
| Independent verification option | No | Yes |
| Designed for | Any size | UK SMEs |
A business can hold Cyber Essentials yet have no written policies, no risk process and no documented data protection approach. IASME Cyber Assurance requires all of it, giving customers, partners and regulators far greater confidence in your security maturity.
What does the IASME Cyber Assurance standard cover?
The standard spans five domains. Together they prove security is managed as an ongoing responsibility, not a one-off tick-box exercise — the gap that catches most growing SMEs.
- Governance and risk management — regular risk assessments, a maintained risk register and documented incident response. Only 14% of UK businesses have a formal incident response plan (DSIT 2025); IASME requires one.
- Information security policies — written, communicated and enforced policies covering acceptable use, access control and data handling.
- Security management — assigned responsibilities, regular effectiveness reviews and threat-landscape awareness.
- Asset management — a current inventory of devices, software, data stores and cloud services, classified by sensitivity.
- Technical controls — the five Cyber Essentials controls plus encryption, backup and monitoring. With 85% of breaches involving phishing (DSIT 2025, Cyber Security Breaches Survey), this section hardens email, access and endpoints. AMVIA pairs this with vulnerability management to keep controls evidenced year-round.
How does IASME Cyber Assurance compare to ISO 27001?
ISO 27001 is the international information security management standard — comprehensive, highly credible, and the global benchmark. It is also complex and costly: extensive documentation, internal audits, management reviews and surveillance audits by accredited bodies. For many SMEs that is disproportionate to their size and risk.
IASME Cyber Assurance provides approximately 70% of ISO 27001 coverage, scoped and priced for SMEs, with a more proportionate assessment and lower cost. The average cost of a data breach for UK organisations was £3.58 million (IBM 2024) — structured security management is a cost-effective way to reduce that exposure.
For firms planning ISO 27001 later, IASME Cyber Assurance is the ideal stepping stone. The policies, governance and risk processes it requires form the foundation ISO 27001 builds on, so you do not start from scratch. AMVIA delivers it as part of its managed cybersecurity service.
How does the assessment process work?
IASME Cyber Assurance is assessed via an online questionnaire reviewed by an IASME-approved assessor. The questionnaire covers all 149 controls, and answers must be backed by evidence — policies, training records, risk assessments, asset inventories and configuration documentation.
An independently verified version is also available for businesses with more demanding customer or regulatory needs. In that route the assessor reviews evidence in depth and may interview staff or inspect systems directly, providing the strongest evidence of security maturity.
How much does IASME Cyber Assurance cost?
The certification fee for most SMEs falls in a typical UK 2026 range of £500 to £1,500, depending on organisation size and the level of assessor involvement. That is the assessment fee alone. Implementing missing controls, writing the required policies and preparing evidence are additional and depend on your starting position.
AMVIA recommends allowing eight to twelve weeks for a business starting from scratch. A readiness assessment shows exactly where you stand and what to fix before the formal assessment, so you do not pay for a failed first attempt.
How does AMVIA support IASME certification?
AMVIA guides UK businesses through IASME Cyber Assurance as part of its managed cybersecurity service: implementing the technical controls, assisting with policy development and risk documentation, and managing the questionnaire and evidencing process. One provider, security-first, Microsoft-certified engineers.
For businesses treating IASME Cyber Assurance as a stepping stone to ISO 27001, AMVIA builds the governance foundation systematically — so the investment directly supports future ISO 27001 work rather than running as a parallel project. Where a control gap is technical, AMVIA closes it with services such as penetration testing and GDPR-focused cybersecurity.
Readiness checklist
- Written information security policy documented and communicated to staff
- Risk assessment conducted and documented, with a maintained risk register
- Asset inventory maintained — all devices, software and cloud services recorded
- Staff security awareness training evidenced
- GDPR controls in place — privacy notices, consent management, breach response
Key Points
What UK businesses need to know about IASME Cyber Assurance.
Beyond Technical Controls
IASME Cyber Assurance covers policies, governance, risk management, and GDPR compliance — not just the five technical controls of Cyber Essentials.
SME-Focused Design
Unlike ISO 27001, IASME Cyber Assurance is scoped and priced for SMEs — assessed via questionnaire with optional independent verification.
NCSC Recognised
IASME is the NCSC's certification delivery partner. IASME Cyber Assurance is widely recognised as a credible UK cybersecurity certification.
Pathway to ISO 27001
IASME Cyber Assurance covers approximately 70% of ISO 27001 requirements, making it an effective stepping stone toward full ISO 27001 certification.
IASME Cyber Assurance Readiness Checklist
Written information security policy documented and communicated to staff
Risk assessment conducted and documented
Asset inventory maintained — all devices and software recorded
Staff security awareness training evidenced
GDPR data protection controls in place — privacy notices, consent management, breach response
Frequently Asked Questions
It is broader. IASME Cyber Assurance includes the five Cyber Essentials technical controls plus governance, risk management, policies and GDPR. Whether it is "better" depends on your goal: government contracts usually specify Cyber Essentials, but to prove overall security maturity to customers and supply chains, Cyber Assurance is the more credible standard.
Most UK government contracts specify Cyber Essentials as the minimum. IASME Cyber Assurance includes Cyber Essentials, so it meets and exceeds that bar. However, tenders often name Cyber Essentials specifically, so confirm with the contracting authority before relying on Cyber Assurance alone. AMVIA helps you check the requirement before you certify.
For most SMEs the assessment fee falls in a typical UK 2026 range of £500 to £1,500, set by the certifying body and varying by assessor. That is the certification fee only. Implementing missing controls, writing policies and AMVIA's preparation support are additional. Contact AMVIA for a tailored quote based on your current position.
AMVIA recommends allowing eight to twelve weeks for a business starting from scratch. The timeline covers implementing missing technical controls, developing policies, completing a formal risk assessment, building an asset inventory and gathering evidence. Businesses that already hold Cyber Essentials or have mature documentation can move considerably faster.
Yes. IASME Cyber Assurance embeds GDPR data protection requirements within its framework, so one certification addresses both cybersecurity and data protection obligations. It is not a substitute for legal advice, but it gives structured evidence — privacy notices, consent management and breach response — that supports your wider compliance position.
No. IASME is an independent organisation that runs the NCSC's Cyber Essentials scheme under licence and owns the separate Cyber Assurance standard. The NCSC sets the national guidance; IASME delivers the certifications and approves the assessors who review your evidence.
Achieve IASME Cyber Assurance
AMVIA guides UK businesses through IASME Cyber Assurance certification — implementing controls, developing policies, and managing the assessment process.
Protect your business → Get Cybersecurity Assessment