Request a cyber security review
0330 043 0826 | [email protected]
InfoSec Governance Logo

IASME Cyber Assurance version 7: What you need to know

IASME Cyber Assurance version 7: What you need to know

At the end of May 2025 IASME released their latest standard of IASME Cyber Assurance, version 7. Theres been a few changes that you will need to know if you will be renewing your certification soon or are looking to achieve IASME Cyber Assurance soon.

Version 7 of the standard is a refresh; however the core of the standard remains the same, the changes have been refreshed to ensure that the standard meets real-world company requirements and makes implementation easier.

But before we get on with what the changes are, it’s probably best to run over what IASME Cyber Assurance is.

The IASME Cyber Assurance standard is designed for the implementation of information security, primarily within micro and smaller organisations and where certification can be achieved within a day. As well as this, it allows businesses to build a cyber security framework or foundation, upon which they can build upon.

In order to achieve IASME Cyber Assurance, you must first have a valid Cyber Essentials basic certification, this is the only pre-requisite.

The standard comes in two forms, a level one self-assessment, point in time assessment which is renewed annually and a level two certification which builds upon the level one certification, but where the business is audited and evidence is provided. This level two certification is performed every three years.

Some of the benefits of IASME Cyber Assurance is that it maps quite a bit to ISO 27001, the DSIT Cyber Governance framework, as well as the NCSC CAF Framework.

By implementing the standard, it gives you, the business a way to further prove and demonstrate awareness of cyber security and the protection of information.

If you’re looking for an information security framework and ISO 27001 is too much for your business, Cyber Assurance can play a key part at a fraction of the cost.

What’s new

So now that we know a little bit about the standard, what’s changed in version 7?

Themes

There are now fourteen themes that make up the standard, this is a change from the 13 themes in version 6 and are groups into the same 4 categories. There are no additional requirements, but requirements have been moved around a little to make it flow easier during audits and assessments, by removing potential duplication of requirements between various themes.

The themes are:

  • Theme 1 – Planning
  • Theme 2 – Organisation
  • Theme 3 – Assets
  • Theme 4 – Legal and regulatory landscape
  • Theme 5 – Assessing and treating risks
  • Theme 6 – Physical and environmental protection
  • Theme 7 – People
  • Theme 8 – Policy realisation
  • Theme 9 – Managing access
  • Theme 10 – Technical intrusion
  • Theme 11 – Change management
  • Theme 12 – Secure business operations: monitoring and review
  • Theme 13 – Backup and restore
  • Theme 14 – Resilience and business continuity, incident management and disaster recovery

Standard aligned to company size

The standard has now been developed to work with companies sizes and no longer is it one size fits all. The standard sizes for companies are now defined as:

  • Sole trader / 2 person partnership
  • Micro Business (1 – 9 people, excluding the above)
  • Small Business (10 – 49 people)
  • All other businesses

Now depending upon the company size, requirements will now be mandatory or non-mandatory, depending upon the size of your business. The smaller your business, the less requirements you will need to obtain. This will hopefully make the standard easier to understand and implement without complex controls and procedures being implemented.

These changes will help to align your business with the standard and hopefully reduce the amount of compliance burden for micro and small businesses.

However, companies will still need to have the following based upon the size and complexity of the business.

  • A security policy
  • Risk assessment
  • Business impact assessment
  • Business continuity plan

The number of requirements that you will need to apply are as follows:

  • IASME Cyber Assurance Standard – Sole trader / 2 person partnership:
  • IASME Cyber Assurance Standard – (1 – 9 people excluding above): 20 requirements
  • IASME Cyber Assurance Standard – (10 – 49 people): 32 requirements
  • IASME Cyber Assurance Standard – all others: 65 requirements

Documents and templates

As part of the standard update, there is now an executive summary, the standard themes, risk assessment guidance and information security policies information. This information is now easier to read and hopefully implement.

There are also new templates which can be obtained via the IASME website.

You can download the questions here: https://iasme.co.uk/iasme-cyber-assurance/help-resources#questionset

You can download the standard here: https://iasme.co.uk/iasme-cyber-assurance/help-resources#questionset