Devices and software are within the scope of the Cyber Essentials Plus assessment if they can:
Accept incoming network connections from untrusted internet connected hosts.
Establish user-initiated outbound connections to devices via the internet.
Control the flow of data between any of the above devices and the internet.
• Servers • Mobiles • Thin Clients
…. are all within scope for of the Cyber Essentials Plus assessment.
Wireless Devices Scope
Wireless devices are in scope if they can communicate with other devices via the internet.
Wireless devices are not in scope if it is not possible for an attacker to attack the device directly from the internet (the Cyber Essentials Scheme is not concerned with attacks that can only be launched from within the signal range of the device).
The wireless devices are not in scope if they’re part of an ISP router within a home location.
Cloud ServicesScope
Each cyber essentials control requirement needs to be applied to cloud services.
All Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) are within the scope of the Cyber Essentials Plus assessment.
BYODScope
Bring your own devices (BYOD) fall within the scope of a cyber essentials plus assessment if they are used to access organisational services including cloud services (excluding native voice, native text and MFA applications).
The Cyber Essentials PlusTests
A Cyber Essentials Plus Assessment Consists of 7 tests: