IASME Governance

The affordable and achievable alternative to ISO 27001

Beyond Cyber Essentials

The Information Assurance for Small & Medium sized Enterprises (IASME) Governance standard was developed over several years during a government funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.

The IASME Governance standard allows the small companies in a supply chain to demonstrate their level of cyber security for a realistic cost and indicates that they are taking good steps to properly protect their customers’ information. The IASME Governance assessment includes the Cyber Essentials assessment and GDPR requirements, and is available either as a self assessment or on-site audit.

IASME Governance Self Assessed

IASME Governance Self Assesed helps organisations achieve an excellent level of information security in a cost-effective manner.

It is particularly applicable to SMEs who want to demonstrate to clients and business partners that they manage information and data securely.

The self-assessment is carried out online using IASME’s secure portal where organisations are required to answer around 160 short questions about their security.

You will get access to the portal immediately after paying for the assessment and have up to six months to complete the answers.

The answers are saved automatically by the system.

Once the answers have been provided, the assessment is marked by one of IASME’s Certification Bodies and usually a pass/fail is returned to the organisation within 72 hours.

An organisation receives certificates showing their compliance to both IASME Governance and Cyber Essentials on passing the assessment. The assessment also demonstrates achievement against the requirements of GDPR.

IASME Governance Audited

The audited IASME Governance standard is IASME’s highest level of certification and is an excellent alternative to ISO 27001 for small and medium sized organisations.

The first step towards achieving the IASME Governance Audited standard is to contact Risc IT Solutions for a quote. You can do this through the form below.

Our consultants will then discuss with you the scope of the assessment and arrange a mutually convenient time to visit your organisation’s head office to carry out an audit of your policies and process.

This audit usually involves interviews with members of staff and a review of documentation and system configuration.

It does not involve a technical assessment unless you are being assessed to Cyber Essentials plus at the same time, although it may be helpful to have technical staff available to provide evidence to the assessor of your system configuration.

The consultant may also wish to visit branch offices or other locations in order to satisfy themselves that your good security practice is reflected across the organisation.

The audited certification is renewed at the end of years 1 and 2 by simply renewing the online IASME Governance assessment.

At the end of year 3 a full audit, as described above, is required again to renew the certification.

IASME Governance FAQs

What is the difference between Cyber Essentials and Iasme Governance?

The Cyber Essentials Scheme is a Government scheme that helps organisations to guard against the most common cyber threats from the internet and demonstrate commitment to cyber security. It covers five main technical controls which will protect companies against an estimated 80% of common internet threats. The controls are:

  • Secure your Internet connection (Firewalls and routers)
  • Secure your devices and software (Secure configuration)
  • Control access to your data and services (Access control)
  • Protect from viruses and other malware (Malware protection)
  • Keep your devices and software up to date (Software updates)

IASME Governance certification is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME Governance is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium sized organisations to implement.

When I apply to do Cyber Essentials and IASME Governance together, can I do IASME Governance at a later date?

We would normally require the Cyber Essentials and IASME Governance to be assessed at the same time, but they can be done separately provided that the IASME Governance is completed within 6 months of the Cyber Essentials certification.

Is IASME Governance Audited the same as Cyber Essentials Plus?

No, Cyber Essentials Plus is an audited level of the Cyber Essentials assessment, testing the 5 Cyber Essentials controls only. IASME Governance Audited is an independent on-site audit of the level of information security provided by your organisation, against the IASME Governance standard. It is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium sized organisations to implement. The standard includes GDPR requirements and adds additional topics that mostly relate to people and processes, for example:

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity
Does the price for IASME Governance include the price for Cyber Essentials?

Yes, IASME Governance includes Cyber Essentials so the cost would be for both.

Risc IT Solutions’ consultants are accredited by IASME to assess and certify against the Government’s Cyber Essentials scheme requirements. We offer consulting services to assist organisations in achieving IASME, Cyber Essentials or Cyber Essentials Plus certifications.

Complete the form, press send and your enquiry will be directed straight to a member of the team.

Shortly afterwards, we will be in touch to discuss your requirements and answer any questions you may have.


Wider range of disciplines than Cyber Essentials

Comply with supply chain requirements

Ongoing assurance

Perfect for any business that stores sensitive data

An alternative to ISO 27001

Recognised as the best Cyber Security Standard by the UK Government