Affordable ISO-27001 alternative for SMEs (Levels 1 & 2)
IASME Cyber Assurance
IASME Cyber Assurance is a comprehensive, SME-friendly standard that covers information security and data protection (GDPR) at Level 2. It's a cost-effective stepping stone between Cyber Essentials and ISO 27001.
What you get
- Level 1 (self-assessed) or Level 2 (audited)
- GDPR / data protection built in at Level 2
- More affordable than full ISO 27001
- Recognised across UK supply chains
Pricing: Request a quote
What IASME Cyber Assurance is
IASME Cyber Assurance is a comprehensive information- and cyber-security standard developed and run by IASME, the same organisation that delivers Cyber Essentials on behalf of the NCSC. It is often described as a proportionate, SME-friendly alternative to ISO 27001: it takes a similar risk-led, management-system approach to protecting information, but is designed to be more accessible and affordable for small and medium-sized organisations.
Where Cyber Essentials focuses tightly on five technical controls, Cyber Assurance goes further — covering governance, risk management, physical security, staff awareness, business continuity, incident response and data protection. It gives organisations a way to demonstrate a mature security posture without the full weight of an ISO 27001 certification programme.
Levels 1 and 2
IASME Cyber Assurance is offered at two levels, so you can match the depth of assurance to what you need.
| Level 1 | Level 2 | |
|---|---|---|
| Method | Verified self-assessment | Self-assessment plus an independent on-site or remote audit |
| Assurance | Good | Higher, independently verified |
| GDPR assessment | Covered within the standard | Includes a dedicated GDPR assessment |
| Best for | Organisations wanting a broad, credible self-declared standard | Organisations needing externally verified assurance |
Level 1 is a self-assessment against the full standard, giving you a broad and credible statement of your security arrangements. Level 2 adds an independent audit that verifies your self-assessment, and notably includes a GDPR assessment — making it a strong choice for organisations that want their data-protection posture examined alongside their security controls. Cyber Essentials is a prerequisite element of the standard, so achieving it is part of the journey.
What the standard covers
The breadth of IASME Cyber Assurance is its defining feature. Rather than concentrating on technical hardening alone, it asks you to demonstrate a rounded approach to protecting information. The themes it examines typically include:
- Governance and organisation — who is responsible for information security, how decisions are made, and how policies are maintained.
- Risk management — identifying the information risks that matter to you and deciding how to treat them, in a way that is proportionate to your size.
- People — recruitment checks where appropriate, clear responsibilities, and ongoing staff awareness so security is part of the culture rather than a poster on the wall.
- Physical and environmental security — protecting premises, equipment and paper records, which still matter enormously in care settings.
- Technical controls — including the five Cyber Essentials controls as a foundation.
- Business continuity and resilience — how you would keep operating, and recover, after an incident or outage.
- Incident management — how you detect, respond to and learn from security incidents and data breaches.
- Data protection — how you meet your obligations for the personal data you hold, examined in depth at Level 2 through the GDPR assessment.
This rounded coverage is exactly why it appeals to organisations that have outgrown a purely technical certificate but do not yet need — or want — the full machinery of ISO 27001.
Who it suits — and who might look elsewhere
IASME Cyber Assurance is aimed squarely at SMEs, care providers and smaller health organisations that want more than Cyber Essentials but find full ISO 27001 disproportionate for their size and risk.
It is a strong fit if:
- You want a broad, recognised security standard that also addresses data protection.
- You are being asked by clients or partners for more assurance than Cyber Essentials alone provides.
- You value an NCSC-linked, UK-developed standard designed with smaller organisations in mind.
- You want a stepping stone that shares much of its thinking with ISO 27001, should you certify later.
You might instead choose plain Cyber Essentials if all you need is the technical baseline, or full ISO 27001 if international recognition or a specific contract requires it. Cyber Assurance is voluntary — there is no legal obligation to hold it.
How it works
The path depends on the level you choose, but broadly:
- Scope your organisation. Define what is covered and gather a picture of your systems, data and processes.
- Meet the Cyber Essentials elements. The five technical controls form part of the wider standard.
- Complete the Cyber Assurance self-assessment. Work through the full question set covering governance, risk, people, physical security, continuity, incident response and data protection.
- Submit for verification (both levels). Your self-assessment is reviewed.
- Independent audit (Level 2). An assessor verifies your answers, including the GDPR assessment, through an on-site or remote audit.
- Certify and maintain. Once you meet the standard you are certified, and you keep it current through periodic reassessment.
Evidence and documents involved
Because Cyber Assurance is broader than Cyber Essentials, the evidence base is wider. Depending on level, it typically includes:
- Information-security and data-protection policies
- A risk assessment and risk treatment approach
- Asset and information inventories
- Staff awareness and training records
- Business continuity and incident response plans
- Records demonstrating the five Cyber Essentials controls
- For Level 2, evidence supporting the GDPR assessment — records of processing, lawful bases, and data-subject rights handling
Our DPIA guide is a useful reference for the data-protection elements you may need to evidence.
Why the GDPR assessment matters at Level 2
One feature that sets IASME Cyber Assurance apart from a purely technical certificate is the GDPR assessment built into Level 2. Rather than treating data protection as a separate exercise, the standard examines it alongside your security controls, which is a natural fit — most information you are securing is, after all, personal data. The assessment looks at whether you understand what personal data you hold and why, whether you have identified appropriate lawful bases, how you handle individuals’ rights, and how you would respond to a breach. For care and health providers processing sensitive information about the people they support, that combined view is genuinely useful: it means your security and your data-protection posture are examined as one, and a single engagement can give clients confidence on both fronts. If data protection is a live concern for your organisation, Level 2 often earns its place for this reason alone. Our UK GDPR service and the work of an outsourced DPO complement this assessment closely.
Common mistakes
- Assuming it is just “Cyber Essentials plus”. It covers governance, continuity and data protection too — the breadth surprises some applicants.
- Underestimating the data-protection work, particularly for Level 2’s GDPR assessment.
- Weak scoping, which makes the self-assessment harder to complete credibly.
- Missing the management elements — risk assessment, continuity and incident planning are integral, not optional.
- Choosing the wrong level for what clients actually require, and either over- or under-investing.
How it relates to the other standards
Cyber Assurance sits neatly between the baseline schemes and full ISO certification:
- It incorporates Cyber Essentials as part of its technical foundation.
- It shares much of its risk-led philosophy with ISO 27001, making it a sensible stepping stone.
- Its Level 2 GDPR assessment aligns with your UK GDPR obligations and complements the work of an outsourced DPO.
- Much of its governance content maps onto the DSPT for care and health providers.
Key terms are explained in our glossary.
How 360 Cyber Compliance helps
For many SMEs and care providers, IASME Cyber Assurance hits the sweet spot — more assurance than Cyber Essentials, less overhead than ISO 27001 — but its breadth means it benefits from experienced guidance. We work with you on a transparent fixed-fee basis, following a clear delivery process suited to the level you choose.
We help you decide between Level 1 and Level 2, scope your organisation, meet the Cyber Essentials elements, and work through the full self-assessment including the governance, continuity and data-protection sections. For Level 2 we help you prepare for the independent audit and the GDPR assessment, gathering the records an assessor will expect to see.
We provide practical support throughout the assessment and make no promises about the outcome — certification depends on genuinely meeting the standard — but our aim is to make a broad standard feel manageable and clearly evidenced.
Choosing between the levels
If you are unsure which level to pursue, a simple way to think about it is who is asking, and why. If you want a credible, broad self-declared standard to show clients and partners, and no one is demanding independent verification, Level 1 is often the right starting point — it gives you the full breadth of the standard without the cost of an audit. If a customer, commissioner or contract specifically wants independent assurance, or if you handle a lot of sensitive personal data and want your GDPR posture examined by an assessor, Level 2 is the stronger choice. Many organisations begin at Level 1 to build good foundations, then step up to Level 2 when a contract requires it, reusing most of the same evidence. We are happy to help you read your own situation rather than pushing you toward the more expensive option by default. Get in touch to talk through which level fits your needs.
What you'll receive
- Advice on the right level for your contracts
- A gap review against the IASME themes
- Policy and process support
- Support completing the assessment
- Preparation for a Level 2 audit, if applicable
On your own vs. with 360 Cyber Compliance
| On your own | With us |
|---|---|
| Decide between IASME levels alone | We advise which level your contracts actually need |
| Cover security and GDPR separately | We address both together at Level 2 |
| Prepare for the audit unaided | We get you audit-ready first time |
A typical timeline
- 1
Weeks 1–2
Scope, level decision and gap review
- 2
Weeks 3–5
Policies, processes and evidence
- 3
Weeks 6–8
Assessment and (for Level 2) audit
Indicative only — your timeline depends on your starting point, size and deadline.
Who we help with IASME Cyber Assurance
Why choose us for IASME Cyber Assurance
Care & health specialists
DSPT, CQC expectations and NHS data flows are our day job, not a sideline.
Transparent fixed-fee engagements
A clear scope and price agreed up front — no open-ended day rates.
Remote delivery, UK-wide
Almost everything is done remotely, wherever you are in the country.
Award-winning expertise
Led by a BCS Fellow and NEXT CIO 2025, with 20+ years in IT, cyber security and compliance.
Practical, plain-English support
Clear guidance and templates throughout the assessment — no jargon.
Ongoing support
Annual renewals, surveillance audits and everyday advice after you are certified.
Frequently asked questions
How is IASME different from ISO 27001?
It covers similar ground for SMEs at a lower cost and effort, and bakes in a GDPR assessment at Level 2.
Which level do I need?
Level 1 is a verified self-assessment; Level 2 adds an independent audit. We'll advise based on your contracts.
Does it include Cyber Essentials?
IASME Cyber Assurance builds on the Cyber Essentials controls; many organisations do both together.
Is it recognised?
Yes — IASME is the NCSC's Cyber Essentials partner, and Cyber Assurance is recognised across UK supply chains as a proportionate alternative to ISO 27001.
Get started with IASME Cyber Assurance
Tell us where you are and we’ll come back within one working day with clear, no-obligation next steps.
- Plain-English, jargon-free advice
- Fixed-price quotes — no surprises
- Delivered remotely across the UK