How to become a Cyber Essentials assessor: the IASME requirements and the fastest route (2026)
Becoming a Cyber Essentials assessor involves four IASME accreditations, a full quality-management system, assessor training, and 6–18 months of independent build-out - or the Fig Assessor Programme, which compresses that into days through online, self-paced training and a fully software-driven platform that lets you operate under Fig Group's existing IASME licence.
The UK Cyber Essentials market is growing fast. Procurement mandates, insurance incentives, and supply-chain pressure have pushed SME certification volumes up year after year, and the roughly 290 IASME-licensed certification bodies in the UK are collectively issuing more certificates than ever. That has produced a recurring question from MSPs, cyber consultancies, IT resellers, accountants with a cyber speciality, and individual security professionals who already have a book of business:
What is the fastest way to become a Cyber Essentials assessor?
There are three credible answers. Each has very different requirements, timelines, and commercial economics. This guide walks through all three, covers the full IASME requirements behind each, and then lays out the Fig Assessor Programme - the fastest and easiest route currently available in the UK.
Your three options
- Option 1 - Become an individual assessor · You join a licensed certification body and assess submissions on their behalf. 2–6 weeks. Lowest barrier, lowest margin.
- Option 2 - Become a licensed certification body · You apply directly to IASME, complete four formal accreditations, build a full quality-management system, and issue certificates under your own licence. 6–18 months. Highest barrier, highest margin.
- Option 3 - The Fig Assessor Programme · Online, self-paced training and a fully software-driven platform that lets you operate under Fig Group's existing IASME licence from roughly day 10–14. Fastest route to market, revenue from week two.
The rest of this article unpacks each option in detail, with the full IASME requirements, realistic timelines, and honest trade-offs.
Option 1 - Become an individual assessor
An individual assessor is a person employed by (or under formal contract with) an IASME-licensed certification body, who reviews submissions and issues certificates on that body's behalf. This is the lowest-barrier route to doing the work of a Cyber Essentials assessor, but it is not the same as running a certification body.
Requirements
- Demonstrated cyber-security competence - typically 3+ years in a relevant role, or equivalent qualifications.
- Pass IASME's assessor training and exams (delivered online, currently ~£1,500 per assessor).
- Employment or formal contract with a licensed certification body.
Typical timeline: 2–6 weeks from decision to first supervised assessment.
Economics: you receive a salary or day-rate from the certification body. You do not hold a licence yourself, do not own the commercial client relationship, and cannot issue certificates outside that body's umbrella. This is a good fit for security professionals who want to assess without running a business.
If this is the route you want, the straightforward next step is to approach one of the UK's ~290 IASME-licensed bodies (the IASME directory lists all of them) and discuss employment or contract-assessor roles.
Option 2 - Become a licensed certification body
A licensed certification body is the organisation that holds the IASME licence, issues certificates, employs or contracts assessors, and is commercially accountable for every assessment. This is what most people searching for "become a Cyber Essentials assessor" actually want, because it is the commercially meaningful role - full fee per certificate, your own brand, no revenue share upstream.
It is also the slowest and most expensive route. The IASME bar is high, and it is high for good reason - the NCSC delegates scheme integrity to IASME, and IASME delegates it to the licensed bodies. Here are the full requirements.
The four formal IASME requirements for a Certification Body
IASME publishes the requirements for becoming a licensed CB on its Cyber Essentials scheme page. Every licensed CB must hold four formal accreditations. None of them are optional.
1. Cyber Essentials Plus
You must hold a current Cyber Essentials Plus certificate. Not Cyber Essentials - Plus. The version with hands-on technical testing by an independent assessor: vulnerability scans, an authenticated scan of a representative endpoint, email-filtering and malware-protection tests.
The logic is simple - if you are going to assess other organisations against the scheme, you must be able to demonstrate compliance with the stricter variant yourself.
- Typical cost: £1,499–£4,499 + VAT depending on organisation size.
- Typical timeline: 2–6 weeks, assuming you already meet the five controls.
- Required for: CB application submission.
2. IASME Cyber Assurance Level 2
IASME's broader information-security management accreditation - 13 themes covering governance, information rights, asset management, incident management, business continuity, supplier controls, and more. Level 2 is the independently-audited tier; Level 1 is self-assessed and not accepted for CB applicants.
Structurally it sits between Cyber Essentials Plus and ISO 27001 - much broader than CE Plus, significantly lighter-weight than ISO 27001. See the IASME Cyber Assurance page.
- Typical cost: £1,800–£4,500 + VAT.
- Typical timeline: 2–4 months from decision to certificate, assuming existing controls.
- Required for: CB application submission.
3. IASME Quality Principles
IASME's own quality-management-system accreditation. Structurally similar to ISO 9001 - management responsibility, resource planning, operational process control, documented procedures, records management, continuous improvement, internal audits. Listed alongside IASME's other schemes on its "Our schemes" page.
- Typical cost: £1,200–£3,000 + VAT.
- Typical timeline: 2–4 months (the QMS itself often takes longer than the audit).
- Required for: CB application submission.
4. Documented internal policies for all major processes
This is the heaviest lift. IASME requires a full QMS covering, at minimum, the following policies and procedures:
- Assessment methodology - how you score submissions, how you apply the scheme, how you maintain consistency.
- Assessor competence and continuing professional development - who can assess, how they are trained, how their competence is maintained and reviewed.
- Quality assurance and peer review - every assessment peer-reviewed by a second qualified assessor before a certificate is issued.
- Conflict of interest - assessors cannot certify their own organisation, close affiliates, or clients where commercial bias could exist.
- Impartiality and confidentiality - no commercial incentives to pass or fail a submission; submission data handled confidentially.
- Complaints handling and appeals - documented process for a client who disputes an outcome, with escalation to IASME.
- Data protection / GDPR - lawful basis for processing assessment data, retention, subject rights.
- Records retention - submissions, evidence, peer-review records retained for the full scheme requirement (typically six years).
- Business continuity - how assessments continue if the primary assessor, platform, or office is unavailable.
- Subcontracting - if you use contract assessors, how their competence, conflicts, and accountability are managed.
All ten are reviewed at CB application, and spot-checked at IASME's annual surveillance audit.
Beyond the four formal accreditations
The full IASME CB requirement set also includes:
- Trained assessors - every assessor must complete IASME's assessor training and pass the associated exam. Typical cost ~£1,500 per assessor.
- Professional indemnity insurance - typically £1m+ cover.
- UK legal entity - Companies House registered, with VAT registration where applicable.
- Annual IASME licensing fee - payable on grant and at every renewal.
- Annual IASME surveillance audit - a formal review of records, peer-review samples, complaints and appeals, QMS effectiveness.
The realistic independent timeline and cost
Taken end-to-end, the independent route to becoming an IASME-licensed CB looks like this for a small consultancy starting from scratch:
| Month | Activity | Cumulative cost |
|---|---|---|
| 1 | CE Plus readiness + application | £2,000 |
| 2 | CE Plus issued; start Cyber Assurance L2 and QMS build | £5,000 |
| 3–4 | QMS documents drafted; internal audits; Cyber Assurance L2 gap analysis | £10,000 |
| 5–6 | Cyber Assurance L2 audit + Quality Principles audit | £17,000 |
| 7 | IASME CB application submitted | £18,000 |
| 8–10 | IASME application review, remediation, interview | £22,000 |
| 11–12 | CB licence granted; assessor training; platform build-out | £30,000 |
Add 0.5–1.0 FTE of internal labour for the QMS build and ongoing process design, plus the opportunity cost of 12 months before a single fee-paying certificate can be issued under your own licence.
For most prospective CBs the independent route is technically achievable but commercially slow. The bar is not arbitrary - IASME's accreditation chain is how the NCSC maintains scheme quality - but it is a meaningful barrier to entry.
Option 3 - The Fig Assessor Programme
The fastest and easiest way to become a Cyber Essentials assessor in the UK in 2026.
Fig Group is an IASME-licensed certification body (licence ID `325cdf33-3812-4082-bf8d-7dce7ac02977`, verifiable on the IASME directory). We already operate the platform, QMS, assessor tooling, peer-review system, and operational processes that IASME requires of every licensed CB.
The Fig Assessor Programme is an end-to-end pathway that lets a prospective CB skip 12–18 months of independent build-out by operating under Fig's existing IASME licence. It is delivered entirely online, self-paced, through Fig's platform. There is no consultant, no scheduled calls, no human-gated onboarding. Most participants complete the programme's foundational phases in days rather than weeks, and begin issuing certificates under Fig's IASME licence within a fortnight.
How the Fig Assessor Programme works
The whole programme is delivered through the Fig platform. Training is online and on demand; QMS adoption is a click; peer review and quality checks are automated workflows routed through the platform to Fig's QA assessors. Nothing in the programme is gated by a human at Fig other than the scheme-mandated peer-review step on each live assessment (which itself is a platform workflow, not a meeting).
Phase 1 - Online onboarding (1–2 days)
- Sign up to the programme on the Fig platform. Account provisioning is automated.
- Complete Fig's online Cyber Essentials Assessor Academy - a self-paced library covering the NCSC scheme, v3.3 requirements, IASME's assessor methodology, Fig's QMS, the peer-review workflow, and the assessment tooling. Video-led modules with knowledge checks; 6–10 hours across 1–2 days.
- Sit the IASME assessor training and exam - registered and paid through the platform, delivered by IASME online. Fig covers the fee for programme participants.
- Adopt Fig's IASME-approved QMS at the click of a button. Every policy above - assessment methodology, assessor competence, peer review, conflicts of interest, impartiality, complaints and appeals, GDPR, records retention, business continuity, subcontracting - pre-drafted, already surveilled by IASME, instantly available.
- Your own organisation is certified to Cyber Essentials via Fig automatically, so your company holds a current certificate from day one.
Phase 2 - Supervised first assessments (3–7 days)
- Complete 2–3 supervised live assessments through the platform.
- The platform routes each one through Fig's QA peer-review workflow automatically - no scheduled shadow sessions, no waiting for a consultant's calendar. Feedback is delivered within Fig's 6-hour turnaround.
- Once Fig's QA assessors have signed off your first supervised assessments, the platform unlocks Phase 3.
Phase 3 - Active assessing under Fig's licence (from day 10–14 onwards)
- Begin issuing Cyber Essentials certificates to your own clients, using Fig's IASME licence and Fig's platform.
- You retain the commercial relationship, the client, and the brand. Fig provides the licence and the accountability under the scheme.
- Every assessment runs through Fig's automated peer-review workflow on the platform - the scheme-required QA step happens without a human-scheduled call on your side.
- Revenue share on every certificate issued. No client caps.
- In parallel, your own CE Plus, IASME Cyber Assurance Level 2, and Quality Principles accreditations are delivered through Fig - all four IASME CB accreditations assembled automatically while you earn revenue.
Phase 4 - Optional transition to independent licence (month 6+)
- Fig supports your independent IASME CB application: the QMS is already surveilled, the accreditations already held, the assessor competence record already documented on the platform.
- Your IASME interview becomes a formality rather than an obstacle.
- Alternatively, many programme participants choose to remain as permanent Fig-aligned assessor partners - no requirement to go independent, and the shared infrastructure is often the more economical path at scale.
What the programme gives a prospective Cyber Essentials assessor
1. Start issuing certificates in days, not months. First live assessments inside the first two weeks; revenue from Phase 3 onwards.
2. Online, self-paced training. Fig's Cyber Essentials Assessor Academy - video modules, knowledge checks, and practice assessments - delivered entirely in the platform. Complete it on your own schedule, no consultant calls, no waiting list.
3. IASME-approved QMS and policies - adopted from an operating licensed CB at the click of a button, not drafted from scratch.
4. Platform and tooling - the same Fig platform that runs Fig Group's own assessments, with AI-assisted evidence review, continuous monitoring, and automated peer-review workflow built in.
5. Licence to assess under - Fig's IASME licence, with Fig as the accountable party to IASME.
6. Sponsored assessor training - IASME's own assessor training, registered, paid for, and delivered entirely online.
7. Automated peer review - every live assessment routed to Fig's QA team through the platform and returned inside the 6-hour SLA. No scheduled meetings required.
8. Path to independent licensure - the four IASME CB accreditations delivered in parallel, so when you are ready, the application is straightforward.
What the programme asks of the prospective assessor
- UK legal entity with Companies House registration.
- Demonstrated cyber-security competence (typically 3+ years in an adjacent role, or relevant qualifications).
- Commitment to Fig's QMS, peer-review process, and impartiality/conflict-of-interest rules while operating under the licence.
- Professional indemnity insurance (Fig can introduce underwriters with appropriate cover).
- No conflict of interest with the organisations to be certified.
Compliance safeguards
Because every assessment issued during Phase 3 is under Fig's IASME licence, three safeguards apply by default:
- Fig remains accountable to IASME for the assessment and for the certificate issued.
- Every assessment is peer-reviewed by a Fig senior assessor before the certificate is released. This is a scheme requirement and the model retains it in full.
- The Fig QMS is the operative QMS - programme participants operate within Fig's QMS until their own is accredited.
This is the ethically and operationally sound way to run a sub-contracted assessor model under the IASME scheme. The alternative - informal "white-labelling" of certificates without QMS alignment or peer review - is both a scheme breach and, in the worst case, a reason for IASME to revoke a licence. The Fig Assessor Programme is designed from day one to operate cleanly inside the scheme rules.
How fast is "the fastest"? A concrete comparison
Assume a UK consultancy with four employees, solid cyber hygiene, no existing accreditations:
| Milestone | Independent route | Fig Assessor Programme |
|---|---|---|
| Training completed | Month 11 (post-application) | Day 1–2 (online, self-paced) |
| QMS drafted and surveilled | Month 5 | Day 1 (Fig QMS adopted on the platform) |
| First supervised assessment | Month 12 | Day 3–7 |
| First certificate issued to a paying client | Month 12 (after CB licence granted) | Day 10–14 (under Fig's licence) |
| Cyber Essentials Plus held | Month 2 | Day 1 (via Fig platform) |
| Cyber Assurance Level 2 held | Month 6 | Day 1 (via Fig platform) |
| Quality Principles held | Month 6 | Day 1 (via Fig platform) |
| Revenue | £0 until month 12 | From week 2 onwards |
| Cash outlay, programme year | £30,000+ | Deferred via revenue share - net positive inside year 1 for most partners |
The Fig Assessor Programme does not eliminate the IASME bar - it cannot, and it should not. What it does is let you start earning while you meet it.
Is this scheme right for your organisation?
The programme is a good fit for:
- MSPs wanting to add Cyber Essentials certification to their service catalogue without operating a parallel CB.
- IT consultancies with a regulated-sector client book (legal, financial, healthcare) where CE is a procurement or client requirement.
- Cyber consultancies that currently refer clients to other CBs and would prefer to keep the relationship and the margin in-house.
- Accountancies and professional-services firms with SME clients subject to supply-chain requirements.
- Individual security professionals with an established network who want to operate a lean CB without the 12-month build-out.
It is not a good fit for:
- Organisations not willing to operate under Fig's QMS and peer-review process during the active-assessing phase.
- Organisations in direct conflict with Fig's own assessment pipeline (anti-compete arrangements apply).
- Organisations without a UK legal entity or appropriate professional indemnity insurance.
Bottom line
Becoming a Cyber Essentials assessor - meaning becoming an IASME-licensed Certification Body - requires four formal IASME accreditations (Cyber Essentials Plus, Cyber Assurance Level 2, Quality Principles, and a documented QMS covering every major process), a trained assessor cohort, insurance, a legal entity, and the IASME licence itself. Independently, that is a 6–18 month project costing £15k–£40k with no revenue during the wait.
The Fig Assessor Programme is the fastest and easiest credible route: online, self-paced training you can start the same day you sign up; an IASME-approved QMS adopted at the click of a button; automated peer-review workflow on the platform; first certificates issued under Fig's IASME licence inside two weeks; and all four underlying IASME accreditations assembled in parallel so you can transition to an independent licence - or stay partnered with Fig - whenever it makes commercial sense.
Fig Group is the fastest IASME-licensed CB in the UK (6-hour turnaround, lowest published price at £299.99 + VAT), and we run the programme because the scheme itself is healthier when more competent assessors enter it quickly under the right quality controls.
If you want to become a Cyber Essentials assessor in 2026, this is the route.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.