Skip to content
360 Cyber Compliance

Example engagement — illustrative

IASME Cyber Assurance for an SME proving itself in the supply chain

Manufacturing SME (~45 staff) · IASME Cyber Assurance

The challenge

A manufacturing SME needed to show larger buyers a broader assurance of good security than Cyber Essentials alone, but ISO 27001 felt too heavy for where the business was.

What we did

  • Compared IASME Cyber Assurance with Cyber Essentials and ISO 27001 to confirm the right fit
  • Started from the Cyber Essentials five controls as the technical foundation
  • Built out wider practices — data protection, backup, incident response and staff awareness
  • Chose the Level 1 self-assessment route with a path to Level 2 audited certification later
  • Assembled the evidence and completed verification through an IASME-accredited body

The outcome

The SME achieved IASME Cyber Assurance, giving buyers broader assurance than Cyber Essentials without the weight of full ISO 27001.

Background

There is a real gap between Cyber Essentials, which certifies five technical controls, and ISO 27001, a full information security management system. IASME Cyber Assurance sits deliberately in that middle ground, offering broader coverage than Cyber Essentials while remaining achievable for a smaller organisation. In this illustrative example, a manufacturing SME of around 45 staff was being asked by larger buyers to demonstrate more than the basics, but the directors rightly judged that ISO 27001 was more than the business needed at this stage.

What we did

We started by confirming the fit, comparing the three options against the buyers’ actual expectations so the choice was evidence-based rather than aspirational. IASME Cyber Assurance was the right level, and it has a helpful property: it builds on the same five controls as Cyber Essentials, so the technical foundation set out in our guide to the five controls did double duty.

From that base we developed the wider practices the standard covers but Cyber Essentials does not — data protection arrangements, dependable backups, a written incident response plan, and staff security awareness. IASME Cyber Assurance offers two routes: a self-assessed Level 1 and an independently audited Level 2. We chose Level 1 for now, appropriate to the business’s maturity and immediate needs, while deliberately building the evidence so that stepping up to the audited Level 2 later would be straightforward rather than a fresh start. We then assembled the evidence and completed verification through an IASME-accredited body.

Result

The SME achieved IASME Cyber Assurance, giving its larger buyers meaningfully broader assurance than a Cyber Essentials certificate alone, without committing to the overhead of ISO 27001 before the business was ready for it. It also left a clear, credible path to Level 2 when a customer eventually asks for it.

This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.

Facing something similar?

Book a free, no-obligation readiness check and we’ll map out your options.