
The Cyber Essentials Plus Scope

Whole Organisation Certification

Ideally, the scope of your Cyber Essentials certification will be “whole organisation” because this gives you the most protection. It will also mean that you qualify for the included cyber liability insurance (if your annual turnover is less than £20 million and you are domiciled in the UK).

Organisation Subset Certification

In some cases, however, it is not possible to have the whole organisation in scope: for example, if you need to keep using devices or software that do not meet the Cyber Essentials requirements because they are no longer supported by the manufacturer.

In this case, you must have a way to technically separate what is in scope from what is not. This can be achieved by creating a subset using a VLAN or firewall that controls access to the parts of the network included in the assessment, so that the in-scope subset is segregated from, and protected against, any vulnerabilities in the out-of-scope part of the network.

For the purposes of Cyber Essentials, the boundary of scope is the set of firewalls and routers that form the first line of defence between your networks and devices and the internet.

Devices

All devices that access organisational data or services are in scope and this will include those used by employees, volunteers, trustees, school governors and contractors.

This includes:

  • Laptops and workstations
  • Mobile devices
  • Servers (both on premises and cloud hosted)
  • Hypervisors
  • Thin clients

IT equipment that never connects to the internet, or to an internet-connected network, does not form part of your Cyber Essentials assessment.

Cloud Services

All cloud services are in scope and need to meet the Cyber Essentials controls. If your organisation’s data or services are hosted in the cloud, then your organisation is responsible for ensuring that all the Cyber Essentials controls are implemented within those services. Whether the cloud service provider or your organisation implements a given control depends on the type of cloud service, but you retain the responsibility to ensure the appropriate controls are in place for all cloud services.

All Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) are within the scope of the Cyber Essentials assessment.

As a general rule, any service that holds your company’s data outside of your network will be included within the scope of your Cyber Essentials assessment and must, at a minimum, have multi-factor authentication (MFA) enabled.

Bring Your Own Devices (BYOD)

Any personally owned (Bring Your Own Device, BYOD) devices that are used to access organisational data (any electronic data belonging to the organisation, e.g. emails, office documents, database data, financial data) also fall within the scope of the Cyber Essentials assessment.


The Cyber Essentials Plus Tests

A Cyber Essentials Plus assessment consists of 7 tests:

How to Start Your Assessment

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor