// Service Brief
Cyber Assurance Level 1 and Level 2 Certification Preparation
IASME Cyber Assurance is the recognised UK certification for organisations that need to demonstrate broader information assurance than Cyber Essentials alone. Primelo Cyber helps you prepare for either Level 1 (verified self-assessment) or Level 2 (independently audited) certification with a practical, evidence-led delivery model.
// 01 — What Cyber Assurance Is
A UK Information Assurance Standard Aligned with ISO 27001 Principles
Cyber Assurance (previously known as IASME Governance) is administered by IASME and recognised by the UK National Cyber Security Centre as a route to demonstrate broad information security and data protection capability. It covers the technical controls required by Cyber Essentials and extends into governance, risk management, asset management, incident response, business continuity, data protection, and supplier assurance.
The standard is structured around thirteen themes and maps directly to UK GDPR and to the core principles of ISO/IEC 27001, making it an effective stepping stone for small and mid-sized organisations that need credible assurance without the full weight of ISO certification.
Scope Covered by the Cyber Assurance Standard
- Planning and organisation: leadership accountability, information assurance policy, and risk appetite.
- Asset, people, and physical controls: information asset inventory, access rights, physical security, and staff awareness.
- Legal, regulatory, and data protection: UK GDPR alignment, records of processing, and rights handling.
- Risk assessment and management: documented methodology, risk register, and treatment plans.
- Technical controls: the five Cyber Essentials controls plus extended hardening, monitoring, and patching.
- Incident response and continuity: tested incident playbooks, backup regimes, and recovery plans.
- Supplier management: due diligence, contractual safeguards, and ongoing oversight of third parties.
// 02 — Level 1 vs Level 2
Choosing Between Verified Self-Assessment and Independent Audit
Cyber Assurance is offered at two levels. Both result in a formally recognised certificate issued under the IASME scheme, but they differ in assessment depth, evidence expectations, and the weight of assurance provided to customers, regulators, and insurers.
LEVEL 01
Verified Self-Assessment
The organisation completes the IASME Cyber Assurance question set and submits supporting evidence references through the IASME portal. An IASME-appointed assessor reviews the responses remotely and issues the certificate when the submission meets the standard.
- Remote, questionnaire-based assessment.
- Valid Cyber Essentials certificate required as a prerequisite.
- Shorter preparation window, lower assessment fee.
- Suitable for smaller organisations and supply-chain assurance needs.
LEVEL 02
Independently Audited
Includes everything in Level 1, plus an independent audit conducted on-site or remotely by an IASME-certified assessor. The auditor tests documentation, interviews control owners, and samples evidence to verify that controls are designed and operating effectively.
- Full document review plus on-site or remote audit.
- Higher assurance level recognised by regulated buyers and insurers.
- Stronger foundation for a future ISO/IEC 27001 certification programme.
- Suitable for organisations handling sensitive data or regulated services.
Level 1 is typically the right starting point for organisations up to around 50 staff that want verified assurance beyond Cyber Essentials. Level 2 is appropriate where buyers, insurers, or regulators require independent audit evidence or where the organisation is preparing for ISO 27001 certification over a longer horizon.
// 03 — Primelo Cyber's Cyber Assurance Services
How Primelo Cyber Helps Prepare for Level 1 and Level 2 Certification
Primelo Cyber delivers a structured preparation programme that gets the controls, documentation, and evidence into a state that will satisfy the IASME assessor at either Level 1 or Level 2. The work is scoped up front with fixed-fee milestones so there are no surprises through to certification.
SERVICE 01
Readiness Gap Analysis
Structured review against the thirteen Cyber Assurance themes. We map current posture, flag gaps, and produce a prioritised remediation plan aligned with the target level and your in-house capacity.
SERVICE 02
Level 1 Self-Assessment Support
Hands-on support to draft policies, complete the IASME question set, and build the evidence references required for a clean verified self-assessment submission first time.
SERVICE 03
Level 2 Audit Preparation
Deeper documentation, operational evidence, control testing, and a pre-audit dry run so the IASME auditor finds mature controls, complete records, and confident control owners on the day.
SERVICE 04
Full Lifecycle Support
End-to-end delivery from prerequisite Cyber Essentials certification, through Level 1 or Level 2, and on to annual renewal, supplier assurance, and readiness for future ISO 27001 certification.
- Clear pathway from Cyber Essentials baseline to Level 1 and Level 2 Cyber Assurance.
- Practical policies and evidence packs designed for the IASME question set and audit sampling.
- Control ownership and training so the programme is sustainable after certification.
- Direct coordination with the IASME assessor to keep the submission and audit on track.
Cyber Assurance sits alongside the other frameworks Primelo Cyber supports. Teams targeting a deeper information security management system should also review our ISO 27001 certification service, while those with broader personal data obligations should pair this work with our GDPR compliance service. Verification of our issuing bodies and practitioner credentials is available on the accreditations page.