IASME Cyber Assurance Explained for UK SMEs

IASME Cyber Assurance is a UK cybersecurity certification scheme designed specifically for SMEs — covering governance, risk management, and security practices beyond the purely technical focus of Cyber Essentials. It is the recommended stepping stone toward ISO 27001 for businesses that need a structured security framework.

Overview

IASME Cyber Assurance is a UK cybersecurity certification covering technical controls, governance, risk management, policies, and GDPR. It is designed for SMEs as an accessible alternative to ISO 27001 and includes Cyber Essentials within its framework. IASME is the NCSC's Cyber Essentials delivery partner.

What Is IASME Cyber Assurance?

IASME (Information Assurance for Small and Medium Enterprises) is a UK body that developed a cybersecurity certification specifically designed for SMEs. IASME Cyber Assurance — sometimes called the IASME Gold standard — covers 149 controls across five domains: governance and risk management; information security policies; information security management; asset management; and technical security controls.

Importantly, IASME Cyber Assurance includes GDPR data protection controls as part of its framework, making it a single certification that addresses both cybersecurity and data protection obligations simultaneously. This makes it particularly relevant for businesses that process personal data and face both cybersecurity and compliance challenges.

How IASME Differs from Cyber Essentials

Cyber Essentials focuses on five specific technical controls — the controls needed to defend against the most common commodity cyber attacks. It does not address security governance, risk management, policies, or business continuity. IASME Cyber Assurance covers all of this — making it a more comprehensive certification that demonstrates not just that the right technical controls are in place, but that the organisation approaches security in a structured and managed way.

A business could hold Cyber Essentials (technically protecting itself) but have no written security policies, no risk assessment process, and no business continuity plan. IASME Cyber Assurance requires all of these, giving customers and partners greater confidence in the organisation's overall security maturity.

IASME Cyber Assurance vs ISO 27001

ISO 27001 is the international information security management standard and the gold standard for demonstrating security maturity. It is comprehensive, well-recognised globally, and highly credible — but it is also complex and expensive to achieve and maintain. For many SMEs, ISO 27001 is disproportionately demanding relative to their size and risk profile.

IASME Cyber Assurance provides approximately 70% of ISO 27001 coverage, scoped appropriately for SMEs. It is significantly less expensive to achieve and maintain, and the assessment process is more proportionate. For businesses that need to demonstrate security maturity to customers or supply chains but for whom ISO 27001 is excessive, IASME Cyber Assurance is frequently the right choice.

For businesses that plan to pursue ISO 27001 in the future, IASME Cyber Assurance provides a practical preparatory framework — implementing the policies, governance structures, and risk management processes that ISO 27001 will later require.

The Assessment Process

IASME Cyber Assurance is assessed via an online questionnaire reviewed by an IASME-approved assessor. The questionnaire covers all 149 controls, and responses must be supported by evidence — policies, procedures, records of training, and technical configuration documentation. Where evidence is not provided or controls are not in place, the assessor will identify gaps that need to be addressed before certification is awarded.

An independently verified version of IASME Cyber Assurance is also available, where an assessor conducts a more detailed review of evidence and may interview staff or review systems. This provides higher assurance and is appropriate for businesses with more demanding customer or regulatory requirements.

Key Considerations for UK SMEs

  • IASME Cyber Assurance includes Cyber Essentials — achieving IASME Cyber Assurance also covers the CE requirements
  • GDPR controls are embedded in the standard — IASME Cyber Assurance supports both security and data protection compliance
  • Evidence is required — start gathering policy documents, training records, and risk assessments before attempting the questionnaire
  • Certification takes longer to achieve than Cyber Essentials — AMVIA recommends allowing eight to twelve weeks for businesses starting from scratch
  • Annual renewal is required, but maintaining the underlying governance framework makes renewal less burdensome each year

How AMVIA Can Help

AMVIA supports UK businesses through IASME Cyber Assurance as part of its managed cybersecurity service. AMVIA implements the technical controls required, assists with policy development, and guides businesses through the evidencing and questionnaire process. For businesses pursuing IASME as a pathway to ISO 27001, AMVIA's approach builds the foundation that ISO 27001 will later build on — avoiding the need to start again. Contact AMVIA on 0333 733 8050 to discuss IASME Cyber Assurance for your business.

Key Points

What UK businesses need to know about IASME Cyber Assurance.

Beyond Technical Controls

IASME Cyber Assurance covers policies, governance, risk management, and GDPR compliance — not just the five technical controls of Cyber Essentials.

SME-Focused Design

Unlike ISO 27001, IASME Cyber Assurance is scoped and priced for SMEs — assessed via questionnaire with optional independent verification.

NCSC Recognised

IASME is the NCSC's Cyber Essentials delivery partner. IASME Cyber Assurance is widely recognised as a credible UK cybersecurity certification.

Pathway to ISO 27001

IASME Cyber Assurance covers approximately 70% of ISO 27001 requirements, making it an effective stepping stone toward full ISO 27001 certification.

IASME Cyber Assurance Readiness Checklist

  • Cyber Essentials five controls in place — CE is included in IASME Cyber Assurance
  • Written information security policy documented and communicated to staff
  • Risk assessment conducted and documented
  • Asset inventory maintained — all devices and software recorded
  • Staff security awareness training evidenced
  • GDPR data protection controls in place — privacy notices, consent management, breach response

Achieve IASME Cyber Assurance

AMVIA guides UK businesses through IASME Cyber Assurance certification — implementing controls, developing policies, and managing the assessment process.