What is IASME?

Funded by the Government’s Technology Strategy Board, the IASME (Information Assurance for Small and Medium Enterprises) Governance Standard was developed for smaller businesses as an appropriate and cost-effective alternative to the international standard ISO/IEC 27001.

IASME goes a step further than the Cyber Essentials Scheme (CES); in addition to the five technical areas of control assessed by CE or CE Plus, IASME tests for basic information security governance and since 1st March 2017, also includes a mandatory assessment against the GDPR requirements.

Based on international best practice, IASME is risk-based and provides a highly credible security management standard. It combines research into small-company security with established best practice such as ISO/IEC 27001, National Institute of Standards and Technology (NIST) 800-50, and the SANS/CPNI Critical Controls.

Why do I need IASME?

If you are a direct supplier to government or part of a government supply chain, CE is a mandatory requirement but IASME (which includes CE) allows you to demonstrate a more rigorous approach.

Having IASME certification may set you apart from your competition. It may also help you to participate in a government supply chain, where there is a growing awareness that small companies pose a known threat to information security.

Successful assessments are issued with an IASME certificate alongside the relevant CE certificate and Cyber Security Insurance of up to £25,000 of cover from AIG.

How do I achieve IASME certification?

Gaining IASME certification involves answering a series of governance questions (over and above the CE questions) that are checked by an IASME-accredited Certification Body (CB) – Ascentor was the first licensed external assessor. IASME certification is typically conducted at the same time as a CE assessment. Companies can choose to self-assess against the IASME standard or go the extra step of evidencing their security posture by obtaining an external IASME audit from a CB.

As well as audit and certification, we offer an advisory service where an accredited Ascentor assessor visits you to produce a risk assessment, a capability gap analysis and an implementation plan. We leave you to undertake the implementation activities before returning to complete the formal assessment, which will lead to certification.

For companies that don’t have an IT team or security team, we offer a day of on-site consultancy where we talk you through the process and help you answer the questions. In these situations, the person providing the consultancy would be unlikely to carry out a subsequent audit. Although the IASME rules allow the same consultant to provide both the consultancy and the audit, we would try to keep separation by using a different consultant for each task.
