
IASME’s new Cyber Assurance update is a cybersecurity roadmap in disguise
IASME just dropped the May 2025 update to Cyber Assurance, which is now on V7.0, and if you’re happy to think a bit conceptually you’ll find it a really useful resource for developing or improving your security function. It’s not just an assessment framework; it’s a way to actually make that function happen. New, size-based requirements and some clear housekeeping on IASME’s part have made the update a robust and clear roadmap that can take you from “we should probably do something about security” to “we’ve got a mature, validated security posture that our customers trust.”
The new update means there’s never been a better time to launch a concerted effort to achieve IASME Cyber Assurance as the next step after your Cyber Essentials experience. Let’s talk about why, with a little context along the way.
A reminder on what Cyber Assurance is
IASME say that Cyber Assurance is “a comprehensive, flexible, and affordable way to achieve cyber resilience. It demonstrates that an organisation has put into place a range of important controls related to cyber security and data protection”. In practical terms, it’s a collection of well-informed requirements that your organisation can meet and be audited against. The requirements you are audited against change with your size, which makes it a useful way to start a predictable, growth-friendly security journey. Equally, if you’re a larger organisation and meet the full requirements of the standard from the off, you can promote Cyber Assurance to your supply chain as a compatible framework that doesn’t punish smaller teams and slots in neatly with the controls and considerations you’ve already made.
Another way to actually ‘think’ about Cyber.
IASME Cyber Assurance organises everything you might need to think about into four logical categories, which can be understood as a process to apply to everyday actions and activities.
Identify & Classify → Protect → Detect & Deter → Respond & Recover
There are a bunch of different ways to think about cyber security, stemming mostly from the different cyber maturity frameworks produced by different bodies the world over. Most of them agree that you begin by identifying and classifying assets as part of a concerted risk assessment process, move on to selecting proportionate controls, and then build a detection and response function for incidents and disruptions. IASME’s approach draws on private sector research and academic rigour to design an approach tailored to the UK threat landscape.
Within these four categories you’ve then got the 14 themes: smaller categories that focus on key subject areas in a structured way and provide guidance on producing relevant artefacts (like risk registers, legal registers, security policies and so on). Each theme is a concrete area you can tackle, tick off, and move on from.
Assessor’s Insight: This is why the organisations that do best with IASME Cyber Assurance are the ones that treat it as a journey. We’ve worked with companies that started with just the first few themes, building their confidence alongside their capabilities. Six months later, they’re tackling the more complex themes with ease because they’ve built that foundation properly.
Whilst we do think there should be a way to build out your core security function in tandem with Cyber Essentials, it does make sense that CE is a prerequisite for IASME Cyber Assurance. Having these core, non-negotiable controls in place is super useful: it means you develop your information security function from a position that has already tackled the controls needed to thwart 90% of the most common attacks. It also stops teams falling into management hell, putting off important meetings or risk assessments whilst vital controls are still waiting to be implemented.
The Goldilocks approach to required controls
This is where things get really interesting. Rather than the one-size-fits-none approach we tend to see, which usually favours larger organisations, IASME Cyber Assurance adapts based on your organisation’s size:
| Version of the Standard | Requirements |
| --- | --- |
| IASME Cyber Assurance Standard – Sole Trader / 2 Person Partnership | 20 |
| IASME Cyber Assurance Standard (0 to 9 people, excluding above) | 32 |
| IASME Cyber Assurance Standard (10 to 49 people) | 48 |
| Complete IASME Cyber Assurance Standard (50+ people) | 65 |
Now, this isn’t about letting smaller organisations off the hook. It’s about recognising that a freelance consultant working from their spare bedroom has fundamentally different risks and needs compared to a 50-person manufacturing firm. The standard creates what we like to call the “Goldilocks approach” – requirements that are just right for your situation.
Take Theme 7 (People) as an example. If you’re a sole trader, you simply don’t need formal recruitment requirements yet, so it would be foolish (and indeed a burden) to expect you to put some fluffy policy template you’d never use in place just to meet that requirement. When you start hiring your first employees, however, those controls suddenly become relevant. At that point the policy becomes a genuine value-add, and so it comes back into scope for assessment. The standard grows with you, which is exactly what real businesses need.
This scalability is a game-changer. It means you can start your security journey wherever you are right now, knowing the framework will support you as you grow – and that you’re not wasting energy on implementing things that you’ll be asked to change to meet a new requirement in the future. No more choosing between standards that are either too basic to be meaningful or too complex to be practical. Awesome for new decisions on hiring or tooling purchases.
Why Government Backing Matters More Than Ever
UK businesses, on average, have a cyber security problem. Both DSIT and the NCSC have been increasingly vocal about their concerns, and when you look at the statistics (half of businesses and around a third of charities report having experienced some form of cyber security breach or attack in the last 12 months, according to the Cyber security breaches survey 2024), you can see why.
This isn’t just hand-wringing from government departments. There’s a clear shift happening from “cyber security would be nice” to “cyber security is non-negotiable.” We’re seeing the early stages of what happened with health and safety regulations – voluntary guidelines gradually becoming mandatory requirements. There’s an appetite for a minimum viable security function from government, and we think DSIT and NCSC are going to arrive eventually at this being IASME Cyber Assurance.
IASME Cyber Assurance maps directly to DSIT’s Cyber Governance Policy, which is essentially the government’s vision for where UK organisations should be heading security-wise. This alignment surely isn’t accidental – it’s strategic positioning for what’s coming.
The government backing gives IASME Cyber Assurance weight. When you’re certified, you’re not just ticking boxes – you’re demonstrating alignment with national security expectations. In a world where cyber credentials increasingly open (or close) doors, that’s going to develop into a tangible commercial advantage.
Resources That Actually Accelerate Your Journey
IASME doesn’t just set requirements and leave you to figure things out. They provide proper resources – templates, guidance, the lot – all intended to be used in conjunction with a supporting consultant certification body. These aren’t generic documents that need hours of customisation. They’re practical tools designed specifically for IASME Cyber Assurance implementation.
You can download the complete question set for your organisation size before you even start. No surprises, no hidden requirements. This transparency helps you plan properly and budget accurately.
Of course, templates are just the beginning. Every organisation has its quirks, and that’s where professional support can make a real difference. Whether it’s interpreting requirements for your specific situation, developing policies that actually reflect how you work, or preparing for assessment, experienced guidance can save months of trial and error.
IASME Resource documents available
- Risk Assessment – A document that identifies, analyses, and evaluates potential cybersecurity threats and vulnerabilities to your organization.
- Security Improvement Plan – An action plan that outlines specific steps and timelines for addressing identified security gaps and enhancing your organization’s cybersecurity posture.
- Admin Access Register – A log that tracks and documents all administrative access privileges, including who has elevated permissions and for which systems.
- Asset Register – A comprehensive inventory of all IT assets including hardware, software, and data resources owned or managed by the organization.
- Business Continuity Plan – A documented strategy that ensures critical business operations can continue or quickly resume following a cybersecurity incident or other disruption.
- Physical Asset Register – A detailed record of all physical IT equipment and infrastructure components, including their location, condition, and ownership details.
- Security Incident Tracker – A log system for recording, monitoring, and managing all security incidents, breaches, and their resolution status.
- Vulnerability Policy – A formal policy that defines how the organization receives notice of identified vulnerabilities in their network.
- Security Policy – The overarching document that establishes the organization’s cybersecurity rules, procedures, and standards for protecting information assets.
- Glossary – A reference document that defines key cybersecurity terms and acronyms used throughout the IASME framework documentation.
In Our Experience: The IASME templates are solid, but knowing which ones need heavy customisation versus light touch adaptation makes all the difference. We help clients focus their efforts where it matters most. Why spend days perfecting a policy that can work almost out of the box when you’ve got others that need proper tailoring to your business?
The Collaborative Certification Journey
IASME Cyber Assurance assessments aren’t designed to catch you out. The whole approach is collaborative, which is a breath of fresh air if you’ve experienced the adversarial nature of some other audits.
The clever bit is their moderator system. Your assessor (that’s us, by the way) acts as a guide, helping you understand requirements and improve your security. The actual certification decision sits with independent IASME moderators, which means assessors can provide genuine support without compromising the certification’s integrity or creating any conflict of interest.
This creates a fundamentally different dynamic. Instead of playing cat and mouse with an auditor, you’re working with someone who genuinely wants to help you succeed – with no surprises at assessment time. Better security comes from understanding and engagement in a conversational way, not gotcha moments and box-ticking.
The assessment process itself is nicely structured. Level 1 is a verified self-assessment for organisations starting their formal security journey. Level 2 adds an independent audit for those needing additional assurance. Both are valid certifications; it just depends on your needs and what your customers expect.
Assessor’s Insight: The best assessments are conversations, not interrogations. When organisations understand why a control matters, implementation becomes so much more effective. We’ve had clients start with significant gaps but a real commitment to improvement, structured by the Assurance standard. Most of the time you don’t submit for assessment until you get an informal nod from your consultant and assessor anyway, based on their experience. How relaxing.
The three-year cycle for Level 2 is particularly sensible. Full audit in year one, then lighter-touch assessments in years two and three, before starting the cycle again. This maintains momentum and attention-to-detail without drowning you in annual audits.
Your Next Steps on the Security Journey
So you’re convinced IASME Cyber Assurance is worth exploring. What now? Well, before anything else, feel free to get in touch!
First up, sort your prerequisites. For UK organisations, that means Cyber Essentials. This foundational step ensures your technical basics are solid before you build the broader security management layer on top; if you meet the requirements, you can get badged up in 24 hours.
Next, download the requirements for your organisation size from IASME’s website. Have a proper read through – understanding what’s expected helps you plan realistically and spot where you might need support.
Then, tackle your risk assessment. This document drives pretty much everything else, so it’s worth getting right. The IASME template gives you a solid starting point, but remember to make it properly reflect your business.
Consider your approach. Some organisations prefer the DIY route, working through requirements independently using IASME resources. Others benefit from professional guidance to accelerate things and avoid common pitfalls. There’s no right answer – just what works for your situation and timeline.
Finally, remember this isn’t a one-and-done exercise. IASME Cyber Assurance is about embedding security thinking into how you operate. The real value is the confidence that comes from knowing you’re properly protected and know how to act and react in certain situations.
Ready to get started? As an IASME accredited Certification Body and consultancy, we’re here to help you navigate implementation and certification. We focus on practical solutions that respect both your business needs and your budget, ensuring you achieve genuine security improvement alongside that all-important certification.
Drop us a line for a no-obligation chat about your situation. You’ll speak directly with the consultant who’d support you, not a sales team, so you get practical advice from the word go.