What is required to be a Cyber Essentials assessor?

Different types of assessor roles

IASME recognises several assessor roles, and individuals can take on multiple roles if they wish. Whether assessing against all roles or just one, it's essential to note that becoming an IASME Cyber Assurance assessor or a Cyber Essentials Plus assessor requires prior certification as a Cyber Essentials basic assessor. The recognised assessor roles are:

1. Cyber Essentials (basic) assessor
2. Cyber Essentials Plus assessor
3. IASME Cyber Assurance assessor

Each role necessitates completion of a one-day training course, currently offered remotely. The associated training cost is £550 for all the training, viz. Cyber Essentials basic, IASME Cyber Assurance and Cyber Essentials Plus.

Additionally, your company must obtain certification for the specific scheme being assessed (e.g., Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance). The certification cost is contingent on your company's size.


Cyber Essentials (basic) assessor

To attain the role of a Cyber Essentials Assessor at the basic level, a minimum of 3 years' practical experience in IT or Cyber Security (excluding study periods) is required, along with residence in the UK or Crown Dependencies. Unless already possessing one of the specified qualifications (CISSP, CISM, Certified Professional (CCP) in SIRA, IA Auditor, or IA Architect roles at Practitioner-equivalent level or above, and ISO27001 Lead Auditor), candidates must successfully complete the free Assessor Skills exam. Upon completing the course, your company will undergo the Cyber Essentials verified self-assessment (unless already certified). The associated cost varies based on your company's size.

Upon passing the course, you'll be eligible to assess against Cyber Essentials (basic) when affiliated with a licensed Certification Body. If you need assistance with the Assessor Skills exam, please reach out to us for further details.

IASME Cyber Assurance assessor

To become an IASME Cyber Assurance assessor, follow these steps:

1. Meet the qualification/experience requirements for becoming a basic-level Cyber Essentials Assessor.
2. Complete the one-day Cyber Essentials assessor course, followed by the one-day IASME Cyber Assurance assessor course.
3. Upon finishing the IASME Cyber Assurance course and passing the Cyber Essentials verified self-assessment, your company will proceed to obtain the IASME Cyber Assurance (Level One) certification.
4. After achieving the IASME Cyber Assurance (Level One) certification, you may need to pursue IASME Quality Principles certification, depending on the details outlined in the Become a Certification Body section.
5. With all certifications in hand, you'll be paired with another trainee Certification Body to conduct a mutual on-site IASME Cyber Assurance (Level Two) audit of each other’s organization.
6. Successfully complete an IASME Cyber Assurance (Level Two) audit on your partner company and obtain certification from your partner trainee.

Upon completing these steps, you'll be qualified to assess against Cyber Essentials (basic) and the IASME Cyber Assurance standard (Level One and Level Two) when affiliated with a licensed Certification Body.

Cyber Essentials Plus assessor

Embarking on the journey to assess against Cyber Essentials Plus requires careful navigation through a series of prerequisites and qualifications. Here’s a detailed guide to lead you through the process:

Prerequisites

To embark on the Cyber Essentials Plus assessment journey, ensure you have successfully attended and passed the Cyber Essentials Assessor course, as detailed above. You must also be based in the UK or Crown Dependencies.

Lead Assessor Qualifications

For Certification Bodies to deliver Cyber Essentials Plus assessments, a crucial requirement is the designation of at least one 'Lead Assessor.' This Lead Assessor must hold one of the following qualifications:

• CREST Registered Penetration Tester
• CREST Certified Infrastructure Tester
• Cyber Scheme Team Member (CSTM)
• Cyber Scheme Team Leader (CSTL)
• EC-Council Certified Security Analyst (ECSA): Penetration Testing practical
• EC-Council Certified Penetration Testing Professional (CPENT)
• Offensive Security Certified Professional (OSCP)
• TigerScheme Team Member (CTM/QSTM)**
• TigerScheme Team Leader (CTL/SST)**

**Note: These qualifications remain valid unless expired. In case of expiry, an alternative qualification on List A is required to continue as a Lead Assessor.

All other Cyber Essentials Plus assessors within the same Certification Body are required to have a minimum of 3 years' experience in IT or Cyber Security and successfully pass IASME’s Vulnerability Assessment Plus exam.

All Cyber Essentials Plus assessors must participate in and successfully pass the online Cyber Essentials Plus training course. Your company should also achieve Cyber Essentials Plus certification. IASME recommend that individuals who complete the course collaborate by pairing up to assess each other against Cyber Essentials Plus once they have obtained Certification Body status.

Bonus: Become a certification body

Upon the successful completion of the required training, acquisition of relevant certification, and triumph in exams and assessments, Assessors find themselves at a pivotal juncture—the opportunity for their company to attain Certification Body status. This journey begins with the foundational training, equipping Assessors with the knowledge and skills crucial for their role. The subsequent achievement of relevant certification signals their proficiency in Cyber Essentials intricacies, followed by successful exams and assessments that solidify readiness for Certification Body responsibilities.

Becoming a Certification Body involves contractual commitments. Companies must sign and return the associated contract, demonstrating their dedication to upholding the standards and principles of Cyber Essentials.

Adherence to both security and quality requirements is imperative. Certification Bodies showcase their commitment to security through certifications such as UKAS-accredited ISO 27001 or audited IASME Cyber Assurance (Level Two). Quality requirements are met through certifications like UKAS-accredited ISO 9001, IASME Quality Principles alongside IASME Cyber Assurance (Level Two), or QG Quality Fundamentals+. For IASME Cyber Assurance Certification Bodies, holding IASME Cyber Assurance (Level Two) is not just a preference but a contractual requirement.

The commitment to Cyber Assurance is then extended to companies expressing interest in becoming a Certification Body. Size is not a determining factor; professionalism, expertise, and attitude take precedence. The journey from Assessor to Certification Body signifies dedication and proficiency, culminating in a leadership role within the realm of Cyber Essentials.

More details can be found on the official website of the IASME Consortium: https://iasme.co.uk/become-an-assessor/.