IASME Cyber Assurance Auditing

IASME Cyber Assurance is a broader organisational certification than Cyber Essentials, covering cyber security and data protection controls across the business. Punk Security provides both the Level One verified assessment route and the Level Two audited route for organisations that need a wider assurance statement.

What IASME Cyber Assurance is

IASME describes Cyber Assurance as a comprehensive, flexible, and affordable way to demonstrate that an organisation has important cyber security and data protection controls in place.

The certification is available in two levels:

• Level One: Verified Assessment
• Level Two: Audited

You must pass Level One before applying for Level Two.

This page is for the assessment and audit routes

This service is for organisations that want to book IASME Cyber Assurance assessment activity itself.

The focus is on:

• confirming eligibility and scope
• assessing the organisation against the relevant level
• reviewing the submitted evidence and responses
• auditing the required controls for Level Two
• completing certification where the standard is met

Cyber Essentials comes first

IASME states that an organisation must hold a valid Cyber Essentials certificate, with at least one month remaining before expiry, before it can complete IASME Cyber Assurance.

IASME also states that the scope of Cyber Essentials and IASME Cyber Assurance must cover the whole organisation.

Who this is for

• You need broader organisational assurance than Cyber Essentials alone provides.
• A customer, framework, or supply-chain requirement expects a wider control set covering cyber resilience and data protection.
• You want a certification route that is broader than Cyber Essentials without defaulting immediately to ISO 27001.
• You need either Level One verified assessment or Level Two audited assurance.
• You want the assessment or audit itself, not a page centred on preparation support.

Level One and Level Two

Level One

Level One is a verified assessment reviewed by an independent Assessor. It is the entry point into IASME Cyber Assurance and must be passed before Level Two.

Level Two

Level Two is the audited route. IASME describes it as an audit of the processes, procedures, and controls required by the IASME Cyber Assurance standard.

What Punk Security does

• Confirm the certification route and organisation size.
• Check the Cyber Essentials prerequisite and scope position.
• Assess the submitted Level One answers and supporting material.
• Perform the Level Two audit where that route is required.
• Record findings, complete the review, and issue certification where the requirements are met.

What the assessment is looking at

IASME Cyber Assurance goes beyond the five Cyber Essentials controls and looks more broadly at how the organisation manages cyber security and data protection.

That commonly includes themes such as:

• governance and policy
• asset and device management
• access control
• backup and resilience
• incident response
• supplier and third-party oversight
• privacy and data protection controls

What you need before booking

• A valid Cyber Essentials certificate with enough time left before expiry.
• Whole-organisation scope clarity.
• A named internal owner who can answer organisational and control questions.
• Access to the policies, procedures, registers, and evidence needed for the selected level.

What commonly affects the assessment

• Cyber Essentials does not actually cover the whole organisation.
• The organisation has operational controls in place, but weak evidence ownership.
• Governance exists informally but is not well recorded.
• Supplier, backup, incident, or privacy controls are inconsistently applied.
• The business is choosing between Level One and Level Two without first understanding the assurance requirement.

Typical route

1. Confirm that Cyber Essentials is valid and in scope for the whole organisation.
2. Choose the appropriate IASME Cyber Assurance level.
3. Complete Level One verified assessment.
4. Progress to Level Two if audited assurance is required.
5. Complete certification once the relevant level has been successfully assessed.

Why Punk Security

• We provide both assessment and audit capability across assurance schemes.
• We communicate clearly about what is being assessed and what the organisation needs to provide.
• We understand the relationship between Cyber Essentials, IASME Cyber Assurance, DCC, and wider governance-led certifications.
• We already hold IASME Cyber Assurance Level 2 ourselves, which gives us a practical feel for the standard as well as the assessment route.

Common questions

Is IASME Cyber Assurance a replacement for Cyber Essentials?

No. Cyber Essentials is a prerequisite to IASME Cyber Assurance, not an alternative to it.

Does IASME Cyber Assurance apply to the whole organisation?

Yes. IASME states that the scope of both Cyber Essentials and IASME Cyber Assurance must cover the whole organisation.

Is Level Two mandatory?

No. Some organisations only need Level One. Others specifically need the additional confidence of the audited Level Two route.

What if we need help getting ready first?

That sits outside the assessment itself. This page is written for organisations that want to book the IASME Cyber Assurance assessment or audit route.

Useful references

• IASME Cyber Assurance overview
• Cyber Essentials Certification
• Cyber Essentials Plus Auditing