Cyber Essentials Scope

Ideally, your Cyber Essentials certification should be scoped to cover the whole organisation, as this provides the highest level of protection. It may also make you eligible for the included cyber liability insurance, provided your annual turnover is less than £20 million and your organisation is domiciled in the UK.

However, in some cases, certifying the whole organisation is not possible. For example, certain devices or software may need to remain in use despite not meeting the Cyber Essentials requirements, such as where they are no longer supported by the manufacturer.

The main considerations relating to scope, including how to define and manage in-scope and out-of-scope elements, are set out below.

Cloud Services

MFA must be enabled on all cloud services where it is available, even where this involves additional cost. If MFA is available but not enabled, the assessment will automatically fail.

Where your organisation’s data or services are hosted in the cloud, your organisation is responsible for ensuring that all applicable Cyber Essentials controls are in place. While responsibility for implementing specific controls may sit either with your organisation or with the cloud service provider, depending on the service model, accountability remains with your organisation.

All cloud services are in scope for Cyber Essentials and must meet the relevant controls. Cyber Essentials defines a cloud service as any on-demand, internet-accessible service used to store or process organisational data. In practice, if a service handles your organisation’s data, it is in scope.

This includes IaaS, PaaS, SaaS, and social media accounts. Social media is now explicitly included within scope, reflecting the operational and reputational risks that can arise if such accounts are compromised.

Cloud services cannot be descoped from Cyber Essentials. All cloud services must be fully declared, including any “shadow IT” adopted without formal IT approval.

Scoping

  • Where an assessment does not cover the whole organisation:
    • The scope description must state which networks are not in the scope of the assessment.
    • Segregation between in-scope and out-of-scope networks must be enforced using a physical firewall or VLANs.
  • Scope exclusions apply only at the network level, not the device level. Individual devices cannot be excluded unless they are connected to a descoped network.
  • Details of the excluded networks must now be defined and documented in the self-assessment questionnaire. This information is required for certification purposes but will not be made public on the certificate.

The Cyber Essentials Danzell standard clarifies two important principles relating to cloud services and the devices used to access them:

  • All cloud services are in scope, even where they are accessed only from a segregated or otherwise descoped network.
  • Any device used to access cloud services is also in scope, even where that device is connected to a descoped network.

This means a device can now only be treated as out of scope for Cyber Essentials if it:

  • has no internet access, or
  • is connected only to a descoped network and is not used to access any organisational cloud services.

For example:

  • A developer workstation located on a descoped network segment would come back into scope if it is used to access corporate cloud platforms such as finance systems, HR applications, or CRM solutions.

In Scope Devices

All devices that access organisational data or services are in scope, including those used by employees, volunteers, trustees, school governors and contractors. This includes:

  • Laptops and workstations
  • Mobile devices
  • Servers (both on premises and cloud hosted)
  • Hypervisors
  • Thin clients

IT equipment that never connects to the internet, or to an internet-connected network, does not form part of your Cyber Essentials assessment.

Bring Your Own Devices

Any personally owned devices used to access organisational data under a Bring Your Own Device (BYOD) arrangement are within the scope of the Cyber Essentials assessment. This includes access to any electronic data belonging to the organisation, such as emails, Office documents, database records, and financial information.

An exception applies only where the device is connected exclusively to a network that has been explicitly declared out of scope and is not used to access any organisational cloud services.

Need Help to Scope Your Assessment?

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor