The Cyber Essentials Plus Scope
Whole Organisation Certification
Organisation Subset Certification
In some cases, however, it is not possible to have the whole organisation in scope, for example, if you want to use devices or software that do not meet the Cyber Essentials requirements because they are no longer supported by the manufacturer.
In this case, you must have a way to technically separate what is in scope from what is not. This can be achieved by creating a subset using a VLAN or firewall that controls access to the parts of the network included in the assessment, segregating them from, and protecting them against, vulnerabilities in the part of the network that is out of scope.
For the purposes of Cyber Essentials, the boundary of scope is the firewalls and routers that form the first line of defence between your networks and devices and the internet.
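To make the subset approach concrete, the following nftables ruleset is an added example and not part of the original page or the Cyber Essentials scheme. It assumes a Linux router with three interfaces: vlan10 carrying the in-scope subset (10.10.0.0/24), vlan99 carrying the out-of-scope legacy estate with unsupported devices (10.99.0.0/24), and eth0 as the internet uplink that forms the scope boundary. All interface names and addresses are assumptions for the illustration.

```nft
# Added example: segregating an in-scope subset from an out-of-scope
# legacy VLAN on a Linux router. Interface names and address ranges are
# assumed for illustration and are not from the original page.
flush ruleset

table inet scope_boundary {
    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to sessions that were permitted below may flow back.
        ct state established,related accept

        # In-scope subset (vlan10) may reach the internet through the
        # boundary firewall; this is the edge that Cyber Essentials assesses.
        iifname "vlan10" oifname "eth0" accept

        # The legacy estate (vlan99) may also reach the internet, but only
        # via the same boundary; what it does there is outside the assessment.
        iifname "vlan99" oifname "eth0" accept

        # The key control: no connection may be initiated from the
        # out-of-scope VLAN into the in-scope subset. Log before dropping so
        # attempts are visible in the kernel log.
        iifname "vlan99" oifname "vlan10" log prefix "oos-to-inscope: " drop

        # Also stop in-scope devices from reaching the legacy estate, so an
        # unsupported device cannot be used as a stepping stone back in.
        iifname "vlan10" oifname "vlan99" drop
    }
}
```

Load it with `nft -f scope_boundary.nft` after a syntax check with `nft -c -f scope_boundary.nft`. To confirm the segregation an assessor would expect, attempt a connection from a host on the legacy VLAN to an in-scope address (for example a TCP connect to port 445) and verify that it times out and that an `oos-to-inscope:` entry appears in the router's kernel log, while the same host can still reach the internet. Note that a VLAN alone is not enough: without the forwarding rules above, the router would happily route between the two subnets.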
Devices
All devices that access organisational data or services are in scope and this will include those used by employees, volunteers, trustees, school governors and contractors.
This includes:
- Laptops and workstations
- Mobile devices
- Servers (both on premises and cloud hosted)
- Hypervisors
- Thin clients
Cloud Services
All cloud services are in scope and need to meet the Cyber Essentials controls. If your organisation’s data or services are hosted in the cloud, then your organisation is responsible for ensuring that all the Cyber Essentials controls are implemented within those services. Whether the cloud service provider or your organisation implements a given control depends on the type of cloud service, but you retain responsibility for ensuring the appropriate controls are in place for all cloud services.
All Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) are within the scope of the Cyber Essentials assessment.
As a general rule, any service that holds your company’s data outside your network is included within the scope of your Cyber Essentials assessment and must, at a minimum, have multi-factor authentication (MFA) enabled.