IASME
Cyber Assurance
The IASME Cyber Assurance standard is a comprehensive, flexible, and affordable way to achieve cyber resilience.
It demonstrates that an organisation has put into place a range of important controls related to cyber security and data protection.
Accessible
Cyber Assurance
Framed for each size of business
Governance
And Control
Robust policy and procedural frameworks
Tailored To Your Company
Cyber assurance and governance standards have historically been structured towards the shape and staffing of large complex organisations.
The IASME Cyber Assurance standard is accessible for all industries.
The standard is crafted to adjust to your organisation's size, with only the relevant components applied depending on its size and complexity.
The Cyber Assurance Themes
The IASME Cyber Assurance standard is comprised of 14 Themes, each representing a crucial discipline in a robust business assurance program.
We break these down here, theme by theme:
Identify and Classify
Identifying and Protecting Assets
Legal and Regulatory Landscape
Risk Assessment
To apply the correct controls to protect your business assets, it is important to understand what risks your business faces and how to manage them to a level acceptable to you, your customers and your supply chain.
Organisation
A clear structure within your organisation is the foundation for effective and successful security. This should include who is responsible for making information safe and who is accountable when incidents happen.
Planning
It is important to include information security considerations within your planning. Also consider security when planning projects, procurement and suppliers, and when dealing with third parties.
Protect
Physical Protection
Protecting your information assets from physical threats such as theft or loss, and from environmental harm such as damage from temperature or humidity.
Training People
Thorough and consistent measures are required to screen and train all staff to enable them to understand and comply with the security responsibilities of their jobs.
Policies and Procedures
Policies specify the rules, guidelines, and regulations that you require people to follow. They also reflect the values and ethics that are at the heart of your business.
Managing Access
Best practice access control applies the principle of 'least privilege', meaning users are given access only to the resources and data necessary for their roles, and nothing more.
Technical Intrusion
It is important to develop capabilities to monitor and respond to unauthorised access and usage. This includes anti-malware solutions and measures to prevent insider threats.
Change Management
Implementing a well-documented procedure for operational and technological changes ensures smooth transitions and helps maintain business continuity.
Deter and Detect
Monitoring
Creating processes to track and monitor information systems is important for identifying threats and responding to them effectively.
Respond and Recover
Backup and Restore
Regularly backing up information, and having the ability to restore the backup, may be one of the most effective methods of protecting your business from the effects of accidental or malicious tampering.
Resilience
A resilient company is one that is able to respond to an incident, keep operating through it, and eventually recover.
Frequently Asked Questions
IASME Cyber Assurance is a UK-recognised cybersecurity standard designed to help organisations demonstrate good cyber security and data protection practices. It is suitable for organisations of all sizes, including SMEs, charities, and larger organisations that want an assurance framework aligned to UK regulatory expectations.
Cyber Essentials focuses on a defined set of technical controls, whereas IASME Cyber Assurance is broader. It covers governance, risk management, policies, people, and processes, as well as technical security. Many organisations use Cyber Essentials as a baseline and IASME Cyber Assurance as a more comprehensive next step.
Yes.
IASME Cyber Assurance includes data protection requirements that align closely with UK GDPR principles. It helps organisations demonstrate appropriate organisational and technical measures for protecting personal data, although it is not a legal substitute for GDPR compliance.
Yes.
Many organisations use IASME Cyber Assurance to demonstrate supply chain security maturity. It is increasingly recognised in procurement processes where buyers want assurance beyond basic technical controls but without the overhead of large international standards.
The effort required depends on organisational maturity. For some, it involves formalising existing good practice into documented policies and processes. For others, it may require addressing gaps in governance, risk management, training, or technical controls.
Not necessarily. While technical input is helpful, IASME Cyber Assurance is designed to be accessible. Many organisations work with an independent advisor or certification body to interpret requirements and implement proportionate controls.
Yes.
The scheme aligns well with recognised frameworks such as ISO 27001, NIST CSF, and the NCSC Cyber Assessment Framework. This makes it useful as a stepping stone or complementary assurance for organisations on a longer security maturity journey.
Certification is valid for 12 months.
Organisations must renew annually, which encourages continuous improvement rather than a one-off compliance exercise.
Cyber Assurance and ISO 27001 are aligned in intent but differ in scope and complexity. ISO 27001 is an international information security management standard with significant documentation, governance, and audit overhead. IASME Cyber Assurance provides a proportionate, UK-focused alternative that delivers meaningful assurance without the same level of cost or administrative burden.
Organisations already certified to ISO 27001 can also achieve and make use of IASME Cyber Assurance certification.
The scheme can be invaluable for companies looking to apply governance throughout their supply chains without requiring smaller firms to obtain ISO 27001 certification.
In contexts where buyers explicitly recognise IASME or compliant schemes, the ICA can serve as a lighter-touch, UK-recognised assurance scheme preferred for specific clients, subsidiaries, or contracts.
Obtaining Certification
Certification to the standard can be achieved through two levels.
Level One is a Verified Self-Assessment (VSA) where applicants complete an online questionnaire, reviewed and graded by LANDR Security as an accredited certification body.
Applicants can only apply for Level Two certification after successfully completing the Level One assessment. This higher level is a comprehensive, in-depth independent audit of the applicant's Level One submission.


Start your certification process with LANDR Security today.