IASME Cyber Assurance vs Cyber Essentials Plus: Which IASME Tier Does Your Procurement Actually Want?

Two IASME-affiliated certifications. Both prove cyber posture. They prove different things to different procurement audiences. Cyber Essentials Plus is the UK government scheme covering five technical controls, delivered by IASME-Authorised Certification Bodies (NetSec is one) under NCSC scheme rules. IASME Cyber Assurance is IASME's own audit-based cybersecurity and governance standard, broader than Cyber Essentials and widely recognised as the SME-focused equivalent of ISO 27001.
This article walks through what each certification actually proves, where each fits in UK procurement, and the cases where holding both is the right answer.
The framework shapes side by side
Cyber Essentials Plus covers five technical controls (firewalls, secure configuration, user access control, malware protection, patch management) across the IT estate. The certificate lasts 12 months. The CE Plus version adds an external assessor running a technical sample on a subset of devices. The framework is published by NCSC and operated by IASME on NCSC's behalf.
IASME Cyber Assurance is IASME's own standard, covering broader cyber security and governance across:
- Risk management and information security policy
- Asset management
- Access control
- Cryptography and physical security
- Operations security (including the Cyber Essentials technical controls)
- Communications security
- System acquisition and development
- Supplier relationships
- Incident management
- Business continuity
- Compliance with applicable laws and regulations
- Plus optional Quality Principles overlay covering data-protection governance
Cyber Assurance Level 1 is self-assessment certified by an IASME Certification Body. Cyber Assurance Level 2 is audit-verified by an IASME-authorised auditor. Both certificates last 12 months. Quality Principles is an optional add-on.
Where each fits in UK procurement
Most UK central government, NHS, MoD-adjacent supply chain, and large corporate procurement names Cyber Essentials Plus by default. PPN 09/14 set CE as the floor for central government contracts handling personal data. NHS procurement frameworks expect CE Plus for clinical-system suppliers. The CE Plus certificate is the procurement-passing artefact most customers check on the IASME registry.
IASME Cyber Assurance is increasingly named where the customer wants evidence of broader governance and data-protection posture beyond the five technical controls. Procurement frameworks that say "ISO 27001 or equivalent" generally accept IASME Cyber Assurance Level 2 as the equivalent. The framework is particularly common in:
- Local government procurement requiring data-protection governance
- Insurance industry supplier qualification
- Charity Commission-aligned funding due diligence for grant-funded work
- B2B SaaS customer due diligence where the customer holds ISO 27001 themselves and asks suppliers for an equivalent
A firm holding only CE Plus has the technical-controls evidence. A firm holding only IASME Cyber Assurance has the governance evidence (which includes the technical controls). Many UK firms hold both because different customers ask for different artefacts.
Where the two overlap on technical controls
IASME Cyber Assurance includes the Cyber Essentials five technical controls within its Operations Security section. A firm with current Cyber Essentials Plus has demonstrated the technical-controls subset of IASME Cyber Assurance Level 2.
The non-overlapping parts of IASME Cyber Assurance are the broader governance, policy, supplier-relationship, and incident-response areas that CE Plus does not address.
When CE Plus alone is the right answer
UK SMEs whose customer base is primarily UK regulated-sector procurement (central government, NHS, MoD supply chain, large enterprise panel-firm cyber reviews). CE Plus is the procurement-passing artefact these customers expect. Adding IASME Cyber Assurance is investment without immediate procurement return.
This is the most common shape of UK SME we work with: a domestic UK customer base, regulated-sector procurement pressure, and a customer who wants technical-controls evidence.
When IASME Cyber Assurance alone is the right answer
A UK firm with strong governance discipline whose customer base specifically asks for ISO 27001-equivalent evidence rather than technical-controls evidence. Some insurance-industry suppliers, some charity-funded work, and some B2B SaaS customers fit this pattern.
For these firms, IASME Cyber Assurance Level 2 is the asset. CE Plus is sometimes added afterwards if a specific procurement explicitly names it.
When holding both is the right answer
UK firms with mixed customer bases facing both technical-controls procurement (CE Plus expected) and broader-governance procurement (Cyber Assurance expected). Holding both closes both audiences without leaving gaps.
For most UK SMEs in this position, the practical sequencing is CE Plus first (cheaper, faster, opens UK regulated-sector procurement immediately), then IASME Cyber Assurance Level 2 with Quality Principles after the first customer asks for the broader governance evidence.
How CE Plus and Cyber 365 fit alongside IASME Cyber Assurance
A CE Plus certificate is valid for 12 months. IASME Cyber Assurance Level 2 is also annual but the audit cycle is more interpretive (the auditor returns to confirm continued conformance, with re-audit depth varying year on year).
Cyber 365 is the year-round operational discipline that holds the CE Plus controls in place between assessment days. The same discipline supports IASME Cyber Assurance Operations Security indicators by providing continuous evidence of patch cadence, vulnerability management, and detection events.
The Danzell scheme update from April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. The year-round discipline that IASME Cyber Assurance already expected on the operations-security side is now what Cyber Essentials expects too.
NetSec's own posture
NetSec holds IASME Cyber Assurance Level 2 with Quality Principles, audited by IASME annually. The certification is publicly verifiable on the Blockmark Registry. NetSec is also an IASME-Authorised Cyber Essentials Plus Certification Body. The combination means the firm assessing your CE Plus certificate has been audited to the broader Cyber Assurance standard and holds the Quality Principles overlay covering data-protection governance.
For prospects who want to verify NetSec's own certifications before engaging, the Trust Centre at /trust links to the Blockmark Registry, where every NetSec certificate can be independently verified.
Where to start
Book a 30-minute scoping call. Tell us your customer base, your near-term procurement targets, and any specific customer asking for ISO 27001-equivalent or governance-broader evidence. We come back with a written quote covering CE Plus and, where it makes sense, IASME Cyber Assurance Level 2 alongside it.
For firms with a tight UK regulated-sector procurement deadline, the 4-day fast-track path shows what a fast engagement looks like. For firms wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
CE Plus is the right answer for the vast majority of UK SMEs. IASME Cyber Assurance Level 2 is the right answer when the customer specifically wants broader governance and data-protection evidence. The two work alongside each other where the firm sits in both audiences. The honest answer comes out of the scoping call.