What Is IASME Cyber Assurance Level 1?

IASME Cyber Assurance Level 1 is a self-assessed cyber security certification designed specifically for small and medium-sized businesses. It requires organisations to answer questions across 13 security themes, which are then verified by an approved IASME assessor.

The standard sits between Cyber Essentials and ISO 27001, making it the right choice for organisations that want to demonstrate a serious commitment to information security without the cost or complexity of a full ISO audit. It is aligned with the UK Government’s 10 Steps to Cyber Security and is recognised in government procurement frameworks.

To achieve Level 1 certification, your organisation must demonstrate controls across: planning information security, physical and environmental protection, technical intrusion prevention, organisational controls, people and awareness, backup and restore, asset management, policy realisation, secure business operations, legal and regulatory compliance, access management, resilience, and risk assessment and treatment.

What Is IASME Cyber Assurance Level 2?

IASME Cyber Assurance Level 2 is an independently audited certification that goes beyond the self-assessed Level 1 process.

Rather than validating your own answers, Level 2 involves a qualified IASME assessor reviewing your governance processes, security documentation and system configurations in detail – and where necessary, visiting your premises to verify that good security practice is embedded across your organisation.

Level 2 also includes a GDPR assessment, examining how your organisation collects, stores and manages personal data. This makes it particularly well suited to organisations that handle sensitive personal or financial information, or that operate in sectors where independent assurance carries significant commercial or regulatory weight.

Achieving Level 2 demonstrates to clients, partners and procurement teams that your security posture is not only documented but actively implemented and verified by an independent third party.

IASME Cyber Assurance is a government-backed standard that helps organisations demonstrate their commitment to data security without the complexity or cost of ISO 27001. Developed through a government-funded initiative, it provides a practical, affordable route to recognised certification – giving clients and partners confidence that sensitive information is protected, and opening doors to public sector contracts that require demonstrable security standards.

Save Money

You could save tens of thousands of pounds by opting for Cyber Essentials over ISO 27001.

Ensure Compliance

Our process includes GDPR requirements – show you're compliant by getting certified.

Win More Business

Achieving certification helps you to meet the requirements for more public sector contracts.

Demonstrate Your Commitment

Show your customers and supply chain that you take their data security seriously.

Identify Risks

The risk assessment phase of the certification helps to identify vulnerabilities in your cyber defences.

Build Trust

Your customers will feel more comfortable entrusting you with their sensitive data when they know you are keeping it safe.


Thousands of organisations across the UK trust us. Here’s why:

CREST & CHECK Accredited

We are certified for both CREST and CHECK Green Light testing – an achievement not all testing companies can claim.

Clear and Concise Reports

We provide easy-to-understand reports with detailed findings and actionable recommendations.

CREST Infrastructure & App Testing

We are certified in both CREST Infrastructure and Application testing to the highest standards.

Specialised Testing Teams

Developer-trained testers deliver comprehensive app, API, and cloud testing for deeper, more effective results.

Experienced & Senior Consultants

Our team consists of highly experienced, senior consultants and penetration testers with over 15 years of expertise.

We Save You Time and Money

Clients consistently tell us that we deliver higher-quality testing in less time.

Outstanding Communication

We establish dedicated Teams or Slack channels to ensure seamless two-way communication between all parties.

Forward-Thinking Security

Our team goes beyond identifying vulnerabilities, offering proactive solutions to mitigate future risks.

IASME Cyber Assurance: Level 1 vs Level 2

Level 1 is a verified self-assessment, completed through an online questionnaire covering 13 themes of information security. Your answers are reviewed and validated by a qualified IASME assessor, making it an accessible and cost-effective starting point for SMEs. Level 1 is ideal if you want to demonstrate strong security fundamentals to clients and prospects, or if you need to meet supply chain requirements without committing to a full audit process.

Level 2 introduces an independent, on-site audit conducted by an approved IASME assessor. The audit examines your governance, processes and security controls in detail, validating that your organisation genuinely practises what it documents. Level 2 also includes a GDPR assessment, making it the right choice for organisations handling sensitive data or operating in sectors where a higher level of independent assurance is required.

How Much Does IASME Cyber Assurance Cost?

The cost of IASME Cyber Assurance varies by level and by the size and complexity of your organisation. Level 1 is typically more affordable given its self-assessed nature, while Level 2 reflects the additional time involved in an independent audit and GDPR assessment. Speak with our team to understand what certification would involve and cost for your specific situation.

What is the Scope of IASME Cyber Assurance?

Both levels of IASME Cyber Assurance are built around the same 13 security themes, which together provide a comprehensive framework for protecting sensitive information and maintaining operational resilience. The difference between levels lies in how compliance is verified – through self-assessment at Level 1, and independent audit at Level 2.

The 13 themes cover: planning information security, physical and environmental protection, technical intrusion prevention, organisational controls, people and training, backup and restore, asset management, policy implementation, secure business operations, legal and regulatory compliance, access management, resilience, and risk assessment and treatment.

Frequently Asked Questions

IASME Cyber Assurance is suitable for any UK organisation that wants to demonstrate a credible, recognised level of information security beyond Cyber Essentials. It is particularly relevant for SMEs supplying to the public sector, organisations handling sensitive personal or financial data, and businesses whose clients or partners require evidence of security standards.

Cyber Essentials focuses on five technical controls to protect against common cyber attacks. IASME Cyber Assurance is broader in scope, covering governance, people, processes and risk management across 13 themes. It requires Cyber Essentials or IASME Cyber Baseline as a prerequisite, building on that technical foundation with a more comprehensive organisational framework.

Level 1 is the right starting point for most SMEs – it demonstrates a credible commitment to information security without the overhead of a full audit. Level 2 is worth considering if your clients or sector require independent verification, if you handle significant volumes of sensitive personal data, or if you are looking to position your organisation as a high-trust supplier in competitive procurement processes. Our team can help you assess which level makes sense for where you are now and where you want to be.

Level 1 is a verified self-assessment reviewed by a qualified IASME assessor. Level 2 is an independent on-site audit that examines your governance, documentation and security controls in detail. Level 2 also includes a GDPR assessment. Both levels cover the same 13 security themes – the difference is in how your compliance is verified and the depth of scrutiny involved.

Yes. IASME Cyber Assurance Level 2 includes a GDPR assessment as part of the audit process, examining how your organisation handles personal data. This makes it one of the most comprehensive SME-focused certification standards available in the UK, combining information security and data protection in a single assessment.

Timescales vary depending on the level required and your existing security posture. Organisations with established policies and processes can often complete the Level 1 self-assessment within a few weeks. Level 2 takes longer given the audit and site visit requirements. Our team can give you a clearer picture once we understand your starting point.

Yes. IASME Cyber Assurance is aligned with the UK Government’s 10 Steps to Cyber Security and is recognised within government procurement frameworks. It is administered by IASME, the government-appointed body responsible for delivering the Cyber Essentials scheme.

Yes. CyberLab is an approved assessor for both IASME Cyber Assurance Level 1 and Level 2. Our team will guide you through whichever level is right for your organisation, from initial scoping through to certification.

CREST, CHECK & Cyber Scheme Certified

CREST (the Council of Registered Ethical Security Testers) is an international accreditation with strict Codes of Conduct and Ethics. CHECK is the Government-backed accreditation from the National Cyber Security Centre (NCSC) which certifies that a company can conduct authorised penetration tests of public sector systems and networks.

All our penetration testers are certified by CREST, with senior consultants certified by CREST to the highest CCT Level. Our testers are also either CHECK Team Leaders (CTLs) or Team Members (CTMs).

Security testers that pass the Cyber Scheme exams demonstrate ‘competence and skill at the highest levels’ as defined by the National Technical Authority for Cyber Security (NCSC).

Our team have decades of combined experience and take pride in operating at the highest level of the industry – conducting a broad range of government and commercial tests – and always aim to go the extra mile.

What is Your HackRisk Score?

Your Credit Score for Cyber Security

AI-powered cyber risk monitoring with secure dashboard and shareable reports, delivered by security experts.

Dark Web Scanning
Vulnerability Scanning
Recon Scanning
Supply Chain Security

This page was reviewed by Tharun Udayasankar, Cyber Security Consultant for Professional Services at CyberLab, on 11.05.26.

Whether you’re looking to implement basic cyber security best practice, improve your existing defences, or introduce a new system or solution, our team of expert consultants, engineers, and ethical hackers are here to help.

Our team specialise in creating bespoke security solutions and testing packages to improve and maintain your security posture.

We are 100% vendor agnostic and will only ever recommend the best products and solutions for your requirements.