Is IASME a viable alternative to ISO 27001 certification?


ISO/IEC 27001 is considered by many to be the de facto international standard on how to manage information security. In many jurisdictions, it’s mandatory for conducting business, especially when dealing with state entities.

While ISO is important for data protection in any industry, it’s particularly encouraged in industries dealing with sensitive information, such as Banking, IT sector, Finance, Healthcare. To illustrate this point, a recent study by the Federation of Small Businesses (FSB) showed that only 2% of member businesses are either certified for Cyber Essentials or ISO27001. Even more alarming, only 4% had a documented incident plan.

When first looking at this information, it would be easy to point the finger at SMEs not doing enough. However, the fact of the matter is that most small businesses simply don’t have the capacity, resources or knowledge, to obtain ISO 27001 or similar standards.

For example, ISO 27001 alone requires an organization to tackle 14 different domains, including:

  • Information security policies
  • Organization of information security
  • Human resource security, etc.

Becoming certified also involves a multi-stage process and external audits from Accredited Registrars. All-in-all, it’s a daunting prospect and one that may dissuade small businesses from pursuing this type of crucial standardization of their security practices and falling short of crucial compliance standards.


LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates such as GDPR, CCPA, PIPEDA, FFIEC, NYDFS, HIPAA, HITRUST, PCI DSS, and SOX.


This suggests that more can be done by the security community to bring these actors into the fold.

What is IASME?

This gap is exactly what IASME (Information Assurance for Small to Medium‐sized Enterprises) aims to address. It’s a governance standard designed as a security benchmark specifically for SMEs. It was a government-funded project developed in 2010 alongside businesses in the UK.

Like ISO27001, IASME helps organizations analyze the maturity of their current information security as well as guide them through implementing an information security model. It’s a formal methodology that’s not specific to any sector and is considered to be more accessible than ISO27001, particularly for SMEs.

The scope of IASME spans the following:

  • Risk assessment and management
  • Monitoring
  • Change management
  • Training and managing people
  • Backup
  • Incident response and business continuity

This entails everything included in precluding standards such as Cyber Essentials and GDPR. In fact, compliance with IASME automatically certification with Cyber Essentials.

This is important as Cyber Essentials certification was a mandatory requirement for contracting with the UK government in any way.

That makes it a good alternative to small businesses for who ISO 27001 might not make sense. IASME can help these organizations assess their compliance with data protection legislation as well as provide a level of assurance to third parties in their supply chain and consumers.

IASME is also a much more cost-effective approach. Full certification to ISO 27001 can cost up to $50,000. In contrast, IASME certification typically only costs a few hundred or only up to $1,500.

IASME: A Viable Alternative to ISO 27001

In short, IASME is a suitable alternative for many SMEs who, for whatever reason, ISO 27001, is not feasible. Its scope is comprehensive enough for SMEs to conduct a thorough assessment of their information security and adopt a posture and process to effectively deal with the most cybersecurity threats.