IASME is the organisation that runs the UK’s Cyber Essentials scheme on behalf of the National Cyber Security Centre (NCSC), and the author of its own IASME Cyber Assurance standard. The name originally stood for “Information Assurance for Small and Medium Enterprises” — a clue to its mission: making credible, recognised security certification accessible to organisations that aren’t large corporations.
If you’ve looked into Cyber Essentials, you’ve already met IASME without necessarily knowing it. This guide explains who they are, the standards they own, and what their credentials tell you about an IT provider.
IASME and the NCSC: the partnership
The NCSC — part of GCHQ — sets UK cyber security policy and owns the Cyber Essentials scheme, but it does not run the certification process itself. Since 2020, IASME has been the NCSC’s sole Cyber Essentials Partner, responsible for delivering the scheme day to day.
In practice that means IASME maintains the technical standard, accredits the network of certification bodies that assess organisations, and oversees the quality and consistency of certification. So the chain of trust runs: the NCSC owns the scheme → IASME operates it → accredited certification bodies assess organisations → your provider earns the certificate. That backing is what gives Cyber Essentials its credibility.
IASME Cyber Assurance: beyond the five controls
Beyond Cyber Essentials, IASME has its own, broader standard: IASME Cyber Assurance (previously known as IASME Governance). Where Cyber Essentials certifies five baseline technical controls, Cyber Assurance is a wider, risk-based standard covering how an organisation actually manages security, including:
- Risk management — identifying and managing information-security risks.
- Policies and people — security governance, staff responsibilities and training.
- Incident response and business continuity — planning for when things go wrong.
- Data protection — alignment with UK GDPR obligations.
It is sometimes described as a stepping stone towards the breadth of ISO 27001, but designed to be more accessible and affordable for small and medium organisations. It is available in two levels — a verified self-assessment and an independently audited level — mirroring the assurance step-up you see between Cyber Essentials and Cyber Essentials Plus.
How IASME Cyber Assurance compares to ISO 27001
Both ISO 27001 and IASME Cyber Assurance certify a broad, risk-based approach to managing security rather than a fixed checklist. The practical difference is scale and cost: Cyber Assurance is deliberately more accessible and lower-cost, which suits many smaller businesses, while ISO 27001 is the heavier international standard often expected by larger or regulated organisations. For many UK SMEs, Cyber Assurance offers much of the governance discipline of ISO 27001 without the same overhead.
What IASME credentials tell you about a provider
There are two distinct things to look for, and they mean different things:
- Holding IASME Cyber Assurance — the provider has certified its own security and governance to a broad, risk-based standard. A solid signal of maturity beyond the basics.
- Being an IASME-accredited certification body — the provider is trusted by IASME to assess other organisations for Cyber Essentials. To reach this status it must demonstrate real security competence itself, so it’s a meaningful mark of credibility.
“Working with IASME” and “being an IASME-accredited certification body” are not the same thing. If a provider markets the latter, you can confirm it — and confirm any Cyber Essentials certificate — against the NCSC list of certified organisations and IASME’s own records.
How WhatMSP uses IASME credentials
Both IASME Cyber Assurance and IASME certification-body status feed into the Security & Compliance category of our independent /50 score. We verify Cyber Essentials and IASME credentials against the IASME-issued records and the NCSC list of certified organisations — checked at source, never taken from a footer logo. It’s the same principle we apply to every credential on the register.
Compare providers on verified credentials
Every provider on the register is independently scored out of 50, with IASME and Cyber Essentials credentials checked at source. We don’t sell rankings — the score is earned. Free for buyers.
Frequently asked questions
What is IASME?
IASME is the organisation that runs the UK's Cyber Essentials scheme on behalf of the National Cyber Security Centre (NCSC), and the author of its own IASME Cyber Assurance standard. Originally standing for "Information Assurance for Small and Medium Enterprises", IASME develops accessible security and governance standards aimed especially at smaller organisations.
What is the relationship between IASME and Cyber Essentials?
IASME is the NCSC's sole Cyber Essentials Partner. It operates the Cyber Essentials and Cyber Essentials Plus scheme day to day, maintaining the standard, accrediting the certification bodies that assess organisations, and overseeing quality. So when you gain Cyber Essentials, you do so within the framework IASME runs for the NCSC.
What is IASME Cyber Assurance?
IASME Cyber Assurance (formerly the IASME Governance standard) is a broader, risk-based security and governance certification that goes beyond the five Cyber Essentials controls. It covers areas such as risk management, people, policies, incident response, business continuity and data protection — a step towards the breadth of ISO 27001, but designed to be more accessible and affordable for smaller organisations.
How is IASME Cyber Assurance different from ISO 27001?
Both certify a broad approach to managing information security rather than a fixed checklist. IASME Cyber Assurance is designed to be more accessible and lower-cost, which suits many small and medium businesses, while ISO 27001 is the heavier international standard often expected by larger or regulated organisations. IASME Cyber Assurance is sometimes described as closely aligned with the principles of ISO 27001.
Should my IT provider be an IASME certification body?
It is a strong positive signal. To become an IASME-accredited certification body, a provider must demonstrate its own security maturity and competence, since it is trusted to assess others. A provider that is itself a certification body has cleared a meaningful bar — though you should still check the certifications it holds in its own right.
How does WhatMSP use IASME credentials?
IASME Cyber Assurance and IASME certification-body status both feed into the Security & Compliance category of our independent /50 score, and we verify Cyber Essentials and IASME credentials against the IASME-issued records and the NCSC list of certified organisations. As with every credential, it is checked at source rather than taken from a website logo.