The Cyber Essentials Plus Scope

Device Scope

Devices and software are within the scope of the Cyber Essentials Plus assessment if they can:

  • Accept incoming network connections from untrusted internet-connected hosts.
  • Establish user-initiated outbound connections to devices via the internet.
  • Control the flow of data between any of the above devices and the internet. 

• Servers
• Mobiles
• Thin Clients

… are all within scope of the Cyber Essentials Plus assessment.

Wireless Devices Scope

Wireless devices are in scope if they can communicate with other devices via the internet. 

Wireless devices are not in scope if it is not possible for an attacker to attack the device directly from the internet (the Cyber Essentials Scheme is not concerned with attacks that can only be launched from within the signal range of the device). 

Wireless devices are not in scope if they’re part of an ISP router within a home location.

Cloud Services Scope

Each Cyber Essentials control requirement needs to be applied to cloud services.

All Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) are within the scope of the Cyber Essentials Plus assessment.

BYOD Scope

Bring your own devices (BYOD) fall within the scope of a Cyber Essentials Plus assessment if they are used to access organisational services, including cloud services (excluding native voice, native text and MFA applications).

The Cyber Essentials Plus Tests

A Cyber Essentials Plus assessment consists of 7 tests:

External Vulnerability Assessment

Internal Vulnerability Assessment

Malware Protection Assessment

Email Malware Protection Assessment

Web Malware Protection Assessment

Multi Factor Authentication Assessment

Account Separation Assessment

How to Start Your Assessment

Begin Your Cyber Essentials Plus Journey With a Free Consultation With a Key Sigma Technical Expert!
