IASME Certification Process: How Cyber Essentials Assessment Works

Every CE certificate in the UK runs through one organisation. IASME. The NCSC appointed them as sole delivery partner for the whole Cyber Essentials scheme. They don't sit down and assess you themselves (that's what assessors like us do), but they're the ones who license assessors, run the portal, set the marking standards, and actually issue every certificate.
Most people find the process a bit opaque until they've been through it once. So here's how it actually works, start to finish.
IASME's role
IASME (the Information Assurance for Small and Medium Enterprises consortium) became the NCSC's sole delivery partner for the CE scheme in 2020. Before that, five separate accreditation bodies delivered it, each licensing its own certification bodies. Pulling everything under one roof standardised the requirements, made the process consistent regardless of which assessor you use, and gave everyone a single portal.
In practice, IASME does three things for the scheme:
- Licenses certification bodies. Assessors apply to IASME for a licence, meet their quality standards, and get authorised to conduct assessments, a process we went through ourselves.
- Manages the assessment platform. The questionnaire, the submission workflow, the certificate issuance, all of it sits inside the IASME portal.
- Sets the standards. The marking scheme, the CE Plus test specification, the assessor guidance, the requirements documents. All produced and maintained by IASME working with the NCSC.
The Basic CE process
Step 1: Choose an assessor
You don't apply to IASME directly; you apply through a licensed certification body. The assessor registers your application, walks you through the process, and reviews what you submit.
And the level of support varies wildly between assessors. Some hand you the questionnaire and leave you to it. Others (us included) offer pre-assessment guidance, help you spot gaps before you submit, and reduce your chances of a non-compliance finding. Worth asking what you're getting before you commit.
Step 2: Define your scope
Before you answer a single question, you've got to define what's in scope. Under the current requirements (Danzell), that includes:
- All devices that access organisational data (workstations, laptops, servers, phones, tablets)
- All cloud services used for business purposes
- Personal devices that access organisational data (BYOD)
- All internet-facing infrastructure (firewalls, routers, VPN appliances)
- Business social media accounts (new under Danzell)
This is where mistakes start. Leaving a device or service out of scope is a compliance gap, and it's something assessors specifically check for.
Step 3: Complete the questionnaire
The questionnaire covers the five CE controls: firewalls, secure configuration, user access control, malware protection, and patch management. For each control you describe what's in place, how it's configured, and what policies govern it.
The questions are specific enough that answering "Do you have a firewall?" with a simple yes won't cut it. You need to describe your firewall, its configuration, your inbound rules with business justifications, and your default deny policy.
I always tell people: check your actual controls before writing answers. Log into the firewall and look at the actual rules. Verify the rules are what you think they are. Check patch dates on every device in scope. Confirm MFA is enforced, not just enabled somewhere in a settings menu. Your answers should describe what's actually there, not what you assume is there.
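A practical way to do that check is to script it against an export of what you actually have, so the questionnaire answers come from data rather than memory. The following is an added example written for this article; it is not IASME tooling or the certification body's own script. The firewall rules, device inventory and cloud services are constructed sample data and their field names are assumptions. The 14-day window is the CE rule for applying critical/high security updates; first-match rule ordering is assumed for the firewall.

```python
"""Pre-submission check of the controls a CE questionnaire asks about.

Added example for this article; not IASME tooling or the certification
body's own script. The firewall rules, device inventory and cloud services
below are constructed sample data, and the field names are assumptions. The
14-day window is the CE rule for applying critical/high security updates;
first-match rule ordering is assumed for the firewall.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_WINDOW_DAYS = 14  # critical/high updates must be applied within 14 days of release


@dataclass
class FirewallRule:
    direction: str           # "in" or "out"
    action: str              # "allow" or "deny"
    src: str                 # "any" or an address/CIDR
    dst: str
    port: str                # "any" or a port number as a string
    justification: str = ""  # the business reason CE expects for every inbound allow


@dataclass
class Device:
    name: str
    kind: str                                        # workstation, laptop, server, phone...
    oldest_unapplied_patch_released: Optional[date]  # None when fully patched
    malware_protection: bool
    daily_account_is_admin: bool                     # admin rights on the day-to-day account


@dataclass
class CloudService:
    name: str
    mfa: str  # "enforced", "optional" or "off"


def audit_firewall(rules: List[FirewallRule]) -> List[str]:
    """Default deny inbound, justified inbound allows, no any/any holes."""
    issues = []
    inbound = [r for r in rules if r.direction == "in"]
    last = inbound[-1] if inbound else None
    if not (last and last.action == "deny" and (last.src, last.dst, last.port) == ("any", "any", "any")):
        issues.append("firewall: no catch-all inbound deny rule")
    for r in inbound:
        if r.action != "allow":
            continue
        if not r.justification.strip():
            issues.append(f"firewall: inbound allow {r.src}->{r.dst}:{r.port} has no business justification")
        if r.src == "any" and r.port == "any":
            issues.append(f"firewall: inbound allow to {r.dst} opens every port to the internet")
    return issues


def audit_devices(devices: List[Device], today: date) -> List[str]:
    """Patch currency, malware protection and admin/user separation per device."""
    issues = []
    for d in devices:
        if d.oldest_unapplied_patch_released is not None:
            age = (today - d.oldest_unapplied_patch_released).days
            if age > PATCH_WINDOW_DAYS:
                issues.append(f"{d.name}: critical/high update released {age} days ago still not applied "
                              f"(limit {PATCH_WINDOW_DAYS})")
        if d.kind in ("workstation", "laptop", "server") and not d.malware_protection:
            issues.append(f"{d.name}: no malware protection")
        if d.daily_account_is_admin:
            issues.append(f"{d.name}: day-to-day account has administrator rights")
    return issues


def audit_cloud(services: List[CloudService]) -> List[str]:
    """MFA must be enforced, not merely available."""
    return [f"{s.name}: MFA is {s.mfa}, must be enforced" for s in services if s.mfa != "enforced"]


def precheck(rules, devices, services, today: date) -> List[str]:
    return audit_firewall(rules) + audit_devices(devices, today) + audit_cloud(services)


# Constructed sample data, not a real estate.
TODAY = date(2025, 6, 2)
SAMPLE_RULES = [
    FirewallRule("in", "allow", "any", "203.0.113.10", "443", "Public web server"),
    FirewallRule("in", "allow", "any", "203.0.113.11", "3389"),   # no justification recorded
    FirewallRule("out", "allow", "any", "any", "any", "General outbound"),
    FirewallRule("in", "deny", "any", "any", "any", "Default deny"),
]
SAMPLE_DEVICES = [
    Device("WS-01", "workstation", None, True, False),
    Device("SRV-01", "server", date(2025, 5, 10), True, False),   # 23 days unpatched
    Device("LT-02", "laptop", None, False, False),                 # no malware protection
]
SAMPLE_SERVICES = [CloudService("Microsoft 365", "enforced"), CloudService("Accounting SaaS", "optional")]

if __name__ == "__main__":
    for issue in precheck(SAMPLE_RULES, SAMPLE_DEVICES, SAMPLE_SERVICES, TODAY):
        print("GAP:", issue)
```

Every line this prints is a question you would otherwise have answered wrongly. Swap the constructed lists for an export from your firewall and endpoint management tool and run it before you touch the portal.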
Step 4: Assessor review
The assessor reads through every answer, cross-references for consistency, and marks each question as Compliant, Non-Compliant, Fail, or More Information Required.
If everything's compliant, the certificate gets issued through the portal. If there's a non-compliance finding, you get one chance to fix and resubmit (the two-strike rule: two attempts per application). A fail means starting a new application entirely. Read more about how the marking scheme works.
Step 5: Certificate issued
Once the assessor is satisfied, the certificate goes through the IASME portal. You get a PDF, your certification appears on the IASME public register, and you receive the CE badge for your website and materials.
The certificate is valid for 12 months, after which you recertify.
The CE Plus process
CE Plus starts after you have passed Basic. You need a current Basic CE certificate before Plus testing can begin.
Step 1: Scope and sample confirmation
The assessor confirms the scope (same as Basic, but this time verified rather than self-declared) and works out the device sample using the IASME sampling methodology. That sample gets declared to IASME at least 72 hours before testing starts.
Step 2: External vulnerability scan
The assessor runs an unauthenticated scan against all your internet-facing IP addresses. This picks up open ports, vulnerable services, and missing patches visible from outside your network. Anything with a CVSS v3 base score of 7.0 or higher on an internet-facing system is an automatic failure.
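If you run your own external scan before the assessor does, the useful output is not the raw finding list but the pass/fail verdict per host. The following is an added example for this article, not the certification body's or IASME's tooling. The CSV is a constructed scan export and its column names are an assumption (real scanners export different fields). The 7.0 CVSS v3 base score threshold is the rule stated above; the allowance for findings whose fix was released within the last 14 days is an assumption carried over from the CE patching rule, so confirm it against the current CE Plus test specification before relying on it.

```python
"""Triage an external vulnerability scan export against the CE Plus fail rule.

Added example for this article, not the certification body's or IASME's
tooling. The CSV is a constructed scan export and its column names are an
assumption (real scanners export different fields). The 7.0 CVSS v3 base
score threshold is the rule the article states; the allowance for findings
whose fix was released within the last 14 days is an assumption carried
over from the CE patching rule, so confirm it against the current CE Plus
test specification before relying on it.
"""
import csv
import io
from datetime import date, datetime
from typing import List, Optional, Tuple

FAIL_THRESHOLD = 7.0     # CVSS v3 base score at or above this fails
PATCH_WINDOW_DAYS = 14   # fixes released within this many days are assumed not to fail

# Constructed sample export: one finding per line, fix_released blank when no patch date is known.
SAMPLE_SCAN_CSV = """host,port,finding,cvss3_base,fix_released
203.0.113.10,443,TLS 1.0 enabled,5.3,2018-01-01
203.0.113.10,443,Outdated web server with RCE,9.8,2025-05-01
203.0.113.11,3389,Remote desktop reachable from the internet,9.8,
203.0.113.12,22,SSH weak key exchange,4.3,2020-06-01
203.0.113.12,8080,Application server RCE,8.1,2025-05-28
"""
SCAN_DATE = date(2025, 6, 2)

Verdict = Tuple[str, int, str, float, str]


def parse_scan(text: str) -> List[dict]:
    """Read the export into typed findings; a blank fix date becomes None."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        fix = row["fix_released"].strip()
        findings.append({
            "host": row["host"],
            "port": int(row["port"]),
            "finding": row["finding"],
            "cvss": float(row["cvss3_base"]),
            "fix_released": datetime.strptime(fix, "%Y-%m-%d").date() if fix else None,
        })
    return findings


def classify(finding: dict, scan_date: date) -> str:
    """'fail', 'fix-within-window' or 'below-threshold' for one finding."""
    if finding["cvss"] < FAIL_THRESHOLD:
        return "below-threshold"
    released: Optional[date] = finding["fix_released"]
    if released is not None and 0 <= (scan_date - released).days <= PATCH_WINDOW_DAYS:
        return "fix-within-window"
    # High/critical with no fix date, or a fix older than the window: fails.
    return "fail"


def triage(text: str, scan_date: date) -> List[Verdict]:
    return [(f["host"], f["port"], f["finding"], f["cvss"], classify(f, scan_date))
            for f in parse_scan(text)]


def assessment_fails(text: str, scan_date: date) -> bool:
    return any(v[4] == "fail" for v in triage(text, scan_date))


def failing_hosts(text: str, scan_date: date) -> List[str]:
    return sorted({v[0] for v in triage(text, scan_date) if v[4] == "fail"})


if __name__ == "__main__":
    for host, port, name, cvss, verdict in triage(SAMPLE_SCAN_CSV, SCAN_DATE):
        print(f"{verdict:18} {host}:{port:<5} CVSS {cvss:<4} {name}")
    print("assessment fails:", assessment_fails(SAMPLE_SCAN_CSV, SCAN_DATE))
```

The exposed remote desktop entry is the case worth noting: it has no patch to wait for, so there is no window to hide behind, and the only remediation is closing the port or putting it behind a VPN before the assessor's scan.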
Step 3: Internal testing
The assessor connects to each sampled device, either remotely or on-site, and runs authenticated checks. Patch levels, configuration, antimalware status, MFA enforcement, account separation. Every server gets tested regardless of sample size.
Step 4: Remediation (if needed)
If the assessor finds issues, you've got 30 calendar days to fix them. After that, the assessor re-tests the affected areas. If the issues are still there after re-testing, the assessment fails.
Step 5: Certification
Once all test cases pass, the CE Plus certificate comes through IASME. Same as Basic: valid for 12 months, listed on the public register.
Timeline constraint
CE Plus must be completed within 3 months of your Basic CE certification date. Miss that window and you need to recertify Basic first.
The 3-month window
This catches businesses that plan to do CE Plus "later." The clock starts the day your Basic certificate is issued. Three months is the hard limit set by IASME. After that, IASME considers the Basic results potentially stale (your configurations could have changed), and you need to prove Basic compliance again before anyone runs Plus testing.
If you're planning to do both, the smartest approach is preparing for both at the same time. Get your controls sorted, pass Basic, then schedule Plus testing for the weeks after, not months.
Assessor qualifications
IASME requires assessors to meet specific standards:
- Training: Completion of Cyber Essentials assessor training programme
- Technical competence: Demonstrated ability to conduct vulnerability assessments and interpret results
- Quality management: Certification bodies must operate quality management systems
- Continuing professional development: Assessors must stay current with requirements changes
- Audit: IASME audits certification bodies to ensure consistent standards
For CE Plus, the assessor doing the technical testing needs appropriate technical qualifications. And there's a wide range in how different certification bodies approach this. Some assessors run scans and report findings without much context. Our team treats it with the same rigour as a penetration test, giving detailed technical context for everything we find. That distinction matters if you actually want to understand your results.
After certification
Once you're certified, your business appears on the IASME Cyber Essentials register. It's a public database that clients, insurers, and procurement teams search to verify certifications.
You also get the CE badge (Basic or Plus) for your website, email signatures, and marketing materials. There are specific display rules you need to follow, which are covered in the logo display requirements guide.
Basic CE includes automatic cyber insurance cover (subject to terms and turnover limits). The insurance is underwritten by a panel insurer and activates when your certificate is issued.
If you're considering certification and want to see where your controls stand right now, the readiness quiz covers the five control areas in five minutes. No commitment or obligation required to find out.
Related articles
- Cyber Essentials Marking Scheme: How Your Assessment Is Actually Scored
- Cyber Essentials Plus Assessment Process Explained
- How Long Does a Cyber Essentials Plus Assessment Take?
- Failed Cyber Essentials? What to Do Next