Certification Bodies and IASME: Choosing Your Assessor
Cyber Essentials certification is delivered through a network of certification bodies accredited by IASME. Understanding how the certification ecosystem works can help you choose the right assessor for your organisation.
Key Takeaways
| Point | Summary |
|---|---|
| NCSC | Owns the scheme, sets requirements, maintains standards |
| IASME | Sole accreditation body since 2020; accredits and manages certification bodies |
| 300+ certification bodies | All accredited by IASME; conduct assessments and issue certificates |
| Selection criteria | Price, responsiveness, industry expertise, location (for Plus), reviews |
| All certificates equal | Same certificate regardless of which CB you use |
Quick Answer: Choose any IASME-accredited certification body. All issue the same certificate. Compare on price, responsiveness, and expertise. For Plus, consider location if you prefer an on-site audit.
The Cyber Essentials ecosystem
How the scheme is governed
National Cyber Security Centre (NCSC):
- Owns the Cyber Essentials scheme
- Sets requirements and standards
- Provides scheme guidance
- Maintains scheme integrity
IASME Consortium:
- Sole accreditation body (since 2020)
- Accredits certification bodies
- Maintains CB quality
- Issues certificates
- Manages scheme delivery
Certification bodies (300+):
- Accredited by IASME
- Conduct assessments
- Review self-assessments
- Perform Plus audits
- Recommend certification
Your organisation:
- Implements controls
- Completes assessment
- Receives certification
- Maintains compliance
What is IASME?
IASME (Information Assurance for Small and Medium Enterprises) is the sole delivery partner for the NCSC's Cyber Essentials scheme.
| Aspect | Details |
|---|---|
| Role | Scheme accreditation body |
| Established | 2010 |
| NCSC partnership | Since 2014 for CE |
| Sole provider | Since April 2020 |
| CBs accredited | 300+ certification bodies |
IASME's responsibilities
| Responsibility | What This Means |
|---|---|
| CB accreditation | Approves and monitors certification bodies |
| Quality assurance | Ensures consistent assessment standards |
| Certificate issuance | Official certificates through IASME |
| Scheme updates | Implements NCSC requirement changes |
| Appeals process | Handles certification disputes |
What certification bodies do
For Basic certification
- Receive your SAQ submission
- Review your responses
- Request clarifications if needed
- Assess against requirements
- Recommend certification to IASME
- Issue the certificate on IASME's behalf (all certificates are ultimately issued by IASME)
For Plus certification
- Schedule and conduct audit
- Perform technical testing
- Document findings
- Determine pass/fail
- Recommend certification to IASME
- Issue Plus certificate
Additional services (some CBs)
- Pre-assessment consultancy
- Gap analysis
- Remediation support
- Ongoing advisory
- Other certifications (ISO 27001, etc.)
Types of certification bodies
| Type | Characteristics |
|---|---|
| Large IT consultancies | Wide service range, may have higher prices |
| Specialist security firms | Deep expertise, focused service |
| Accounting/advisory firms | Combined with other assurance services |
| Regional IT companies | Local service, relationship focus |
| Online-only services | Lower cost, more automated process |
Choosing a certification body
Selection criteria
| Criterion | Considerations |
|---|---|
| Price | Varies significantly; compare quotes |
| Location | For Plus, consider on-site vs remote |
| Reputation | Check reviews and references |
| Turnaround | How quickly can they assess? |
| Support | Do they offer guidance or just assess? |
| Other services | Might you need ISO 27001, etc.? |
Questions to ask
Experience:
- How long have you been a CB?
- How many certifications have you issued?
- Do you have experience with our sector?
- Can you provide references?
Process:
- What's your typical timeline?
- How do you conduct Plus audits (remote/on-site)?
- What support do you provide during assessment?
- What happens if we fail?
Cost:
- What's included in the quoted price?
- Are there additional fees for clarifications?
- What's the re-assessment cost if we fail?
- Do you offer packages (Basic + Plus)?
Quality:
- What's your pass rate?
- How do you ensure assessment quality?
- What feedback do you provide?
- How do you handle appeals?
Price comparison
Typical price ranges (approximate):
| Service | Lower End | Higher End |
|---|---|---|
| CE Basic | £300 | £500 |
| CE Plus (small org) | £1,500 | £3,000 |
| CE Plus (medium org) | £2,500 | £5,000 |
| CE Plus (large org) | £5,000 | £10,000+ |
Note: Prices vary by CB, scope complexity, and additional services.
Finding certification bodies
Official resources
| Source | URL |
|---|---|
| IASME directory | iasme.co.uk |
| NCSC website | ncsc.gov.uk |
| CE online directory | cyberessentials.online |
Selection process
Step 1: Identify options
- Search IASME directory
- Get recommendations
- Research local providers
- Create shortlist (3-5 CBs)
Step 2: Gather quotes
- Describe your scope
- Request itemised pricing
- Ask about timelines
- Clarify what's included
Step 3: Evaluate
- Compare prices
- Consider experience
- Check references
- Assess communication quality
Step 4: Select
- Choose best fit
- Confirm booking
- Agree timelines
- Begin preparation
Working with your CB
During assessment
| Stage | Your Role | CB Role |
|---|---|---|
| Preparation | Implement controls | Provide guidance (if offered) |
| Submission | Complete SAQ accurately | Process submission |
| Review | Respond to clarifications | Review and assess |
| Audit (Plus) | Facilitate testing | Conduct assessment |
| Outcome | Receive decision | Issue certificate |
If issues arise
Disagreement with CB decision:
- Discuss with assessor first
- Request supervisor review
- Formal appeal to CB
- IASME appeal (last resort)
- Document all communications
Poor service experience:
- Document issues
- Raise with CB management
- Report to IASME if serious
- Consider different CB for renewal
Unexpected costs:
- Review original agreement
- Query with CB
- Request itemisation
- Negotiate if appropriate
The IASME certificate
All Cyber Essentials certificates are ultimately issued by IASME:
| Certificate Element | Details |
|---|---|
| Issuing body | IASME on behalf of NCSC |
| Certificate number | Unique identifier |
| Organisation name | Your registered name |
| Scope | What's certified |
| Level | Basic or Plus |
| Issue date | When certified |
| Expiry date | Valid for 12 months |
| Verification | Listed in IASME directory |
Certificate verification
Third parties (customers, suppliers, insurers) can verify your certificate independently, rather than relying on a copy you supply, through:
- IASME online directory
- Certificate number lookup
- Direct verification request
How Bastion can help
Navigating certification bodies and the CE ecosystem can be confusing. We can simplify the process.
| Challenge | How We Help |
|---|---|
| CB selection | We provide recommendations based on your needs |
| Quote comparison | We help evaluate proposals |
| Assessment support | We prepare you before submission |
| Issue resolution | We advocate if problems arise |
| Renewal management | We ensure timely recertification |
Working with a managed service partner means you have someone who's been through this process many times. We know which certification bodies are responsive, which questions to ask, and how to navigate any issues that arise.
Need help choosing a certification body? Talk to our team
