Certification

IASME Cyber Assurance Explained for UK SMEs

IASME Cyber Assurance is a UK cybersecurity certification scheme designed specifically for SMEs — covering governance, risk management, and security practices beyond the purely technical focus of Cyber Essentials. It is the recommended stepping stone toward ISO 27001 for businesses that need a structured security framework.

Overview

IASME Cyber Assurance is a UK cybersecurity certification covering technical controls, governance, risk management, policies, and GDPR. It is designed for SMEs as an accessible alternative to ISO 27001 and includes Cyber Essentials within its framework. IASME is the NCSC's certification delivery partner.

Learn about Cyber Essentials

What is IASME Cyber Assurance?

IASME Cyber Assurance is a comprehensive UK security standard for small and medium businesses, spanning 149 controls across five domains: governance and risk management, information security policies, security management, asset management and technical controls. Unlike Cyber Essentials, it tests whether you *manage* security, not just whether the technology is switched on.

It also embeds GDPR data protection requirements, so one certification covers both your cybersecurity and your data protection obligations. That dual focus is why it sits a clear step above the purely technical schemes — it asks who is accountable, what the policies say, and how risk is assessed. If you want the parent picture of how this fits a wider programme, see AMVIA's managed cybersecurity pillar.

Governance gaps — not single technical failures — drive a large share of UK incidents. The Cyber Security Breaches Survey 2025 found 43% of UK businesses experienced a breach or attack in the past 12 months (DSIT 2025), and many lacked the policies and risk processes IASME Cyber Assurance is designed to enforce.

How does IASME relate to Cyber Essentials?

IASME runs the Cyber Essentials scheme under licence from the NCSC and also owns the broader Cyber Assurance standard. Cyber Essentials covers five technical controls; Cyber Assurance includes all five and layers governance, policy, risk management and GDPR on top.

Cyber Essentials focuses on firewalls, secure configuration, access control, malware protection and patch management — strong cover against commodity attacks, achievable at any size. There were 49,248 Cyber Essentials certifications in 2025 according to the NCSC. But it does not address security policies, business continuity, risk management or data protection.

Cyber EssentialsIASME Cyber Assurance
Five technical controlsYesYes (included)
Security policies & governanceNoYes
Risk management & risk registerNoYes
GDPR data protection controlsNoYes
Independent verification optionNoYes
Designed forAny sizeUK SMEs

A business can hold Cyber Essentials yet have no written policies, no risk process and no documented data protection approach. IASME Cyber Assurance requires all of it, giving customers, partners and regulators far greater confidence in your security maturity.

What does the IASME Cyber Assurance standard cover?

The standard spans five domains. Together they prove security is managed as an ongoing responsibility, not a one-off tick-box exercise — the gap that catches most growing SMEs.

  • Governance and risk management — regular risk assessments, a maintained risk register and documented incident response. Only 14% of UK businesses have a formal incident response plan (DSIT 2025); IASME requires one.
  • Information security policies — written, communicated and enforced policies covering acceptable use, access control and data handling.
  • Security management — assigned responsibilities, regular effectiveness reviews and threat-landscape awareness.
  • Asset management — a current inventory of devices, software, data stores and cloud services, classified by sensitivity.
  • Technical controls — the five Cyber Essentials controls plus encryption, backup and monitoring. With 85% of breaches involving phishing (DSIT 2025, Cyber Security Breaches Survey), this section hardens email, access and endpoints. AMVIA pairs this with vulnerability management to keep controls evidenced year-round.

How does IASME Cyber Assurance compare to ISO 27001?

ISO 27001 is the international information security management standard — comprehensive, highly credible, and the global benchmark. It is also complex and costly: extensive documentation, internal audits, management reviews and surveillance audits by accredited bodies. For many SMEs that is disproportionate to their size and risk.

IASME Cyber Assurance provides approximately 70% of ISO 27001 coverage, scoped and priced for SMEs, with a more proportionate assessment and lower cost. The average cost of a data breach for UK organisations was £3.58 million (IBM 2024) — structured security management is a cost-effective way to reduce that exposure.

For firms planning ISO 27001 later, IASME Cyber Assurance is the ideal stepping stone. The policies, governance and risk processes it requires form the foundation ISO 27001 builds on, so you do not start from scratch. AMVIA delivers it as part of its managed cybersecurity service.

How does the assessment process work?

IASME Cyber Assurance is assessed via an online questionnaire reviewed by an IASME-approved assessor. The questionnaire covers all 149 controls, and answers must be backed by evidence — policies, training records, risk assessments, asset inventories and configuration documentation.

An independently verified version is also available for businesses with more demanding customer or regulatory needs. In that route the assessor reviews evidence in depth and may interview staff or inspect systems directly, providing the strongest evidence of security maturity.

How much does IASME Cyber Assurance cost?

The certification fee for most SMEs falls in a typical UK 2026 range of £500 to £1,500, depending on organisation size and the level of assessor involvement. That is the assessment fee alone. Implementing missing controls, writing the required policies and preparing evidence are additional and depend on your starting position.

AMVIA recommends allowing eight to twelve weeks for a business starting from scratch. A readiness assessment shows exactly where you stand and what to fix before the formal assessment, so you do not pay for a failed first attempt.

How does AMVIA support IASME certification?

AMVIA guides UK businesses through IASME Cyber Assurance as part of its managed cybersecurity service: implementing the technical controls, assisting with policy development and risk documentation, and managing the questionnaire and evidencing process. One provider, security-first, Microsoft-certified engineers.

For businesses treating IASME Cyber Assurance as a stepping stone to ISO 27001, AMVIA builds the governance foundation systematically — so the investment directly supports future ISO 27001 work rather than running as a parallel project. Where a control gap is technical, AMVIA closes it with services such as penetration testing and GDPR-focused cybersecurity.

Readiness checklist

  • Written information security policy documented and communicated to staff
  • Risk assessment conducted and documented, with a maintained risk register
  • Asset inventory maintained — all devices, software and cloud services recorded
  • Staff security awareness training evidenced
  • GDPR controls in place — privacy notices, consent management, breach response

Key Points

What UK businesses need to know about IASME Cyber Assurance.

Beyond Technical Controls

IASME Cyber Assurance covers policies, governance, risk management, and GDPR compliance — not just the five technical controls of Cyber Essentials.

SME-Focused Design

Unlike ISO 27001, IASME Cyber Assurance is scoped and priced for SMEs — assessed via questionnaire with optional independent verification.

NCSC Recognised

IASME is the NCSC's certification delivery partner. IASME Cyber Assurance is widely recognised as a credible UK cybersecurity certification.

Pathway to ISO 27001

IASME Cyber Assurance covers approximately 70% of ISO 27001 requirements, making it an effective stepping stone toward full ISO 27001 certification.

IASME Cyber Assurance Readiness Checklist

Written information security policy documented and communicated to staff

Risk assessment conducted and documented

Asset inventory maintained — all devices and software recorded

Staff security awareness training evidenced

GDPR data protection controls in place — privacy notices, consent management, breach response

Frequently Asked Questions

Achieve IASME Cyber Assurance

AMVIA guides UK businesses through IASME Cyber Assurance certification — implementing controls, developing policies, and managing the assessment process.