Cyber Essentials New Questions

Cyber Essentials Certification – New Questions

Please complete all applicable fields before submission.


A1 — Organisation

Can IASME contact you for research purposes?


Who is the commercial contracting organisation?


Who is the government contracting organisation and what is the contract number?


Who is the grant authority?


Who is the regulator?


What are the reasons you have applied for the certification which you described as ‘other’?

A2 — Scope

If you are not certifying your whole organisation, what scope description would you like to appear on your certificate and website?


⚠ For any end-of-life operating system that has an extended security update program, you must maintain the required subscription. If you are using Windows 10 beyond 14th October 2025, you must be signed up to the Microsoft Extended Security Update program to remain compliant.

A3 — Insurance

If you answered ‘yes’ to the previous question, your organisation is eligible for included cyber insurance upon certification. If you do not want this insurance element, please opt out here.


What is the organisation email contact for the insurance documents?

A4 — Firewalls

If you answered ‘no’ to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.


Please complete the relevant option below if applicable:

Option D: A passwordless system is being used as an alternative to username and password — please describe:

Option E: None of the above — please describe:


Have you reviewed your firewall rules in the last 12 months? Please describe your review process.


Please describe how you approve and document your allowed inbound connections.

A5 — Secure Configuration

Please complete the relevant option below if applicable:

Option D: Passwordless — please describe:

Option E: None of the above — please describe:


When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?


Which method do you use to unlock the devices?

A6 — Security Update Management

Are any of the in-scope software or cloud services unlicensed or unsupported?


If yes to A6.3, please list the unsupported or unlicensed software or cloud services.


Are all updates applied for operating systems by enabling auto updates?


Are all updates applied on your applications by enabling auto updates?


Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes are applied within 14 days of release?


Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment? Please explain how you achieve this.

A7 — User Access Control

Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?


If you answered ‘No’ to A7.14, please provide a list of your cloud services that do not provide any option for MFA.


Has MFA been applied to all administrators of your cloud services?


Has MFA been applied to all users of your cloud services?

A8 — Malware Protection

If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications?


If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation, and do you maintain this list of approved applications?