Defining the Scope for Cyber Essentials

3rd October 2018

Great, you’re looking at getting your company Cyber Essentials Certified but early on you’ll hit the question “Does the scope of this assessment cover your whole organisation?” so what we’ve put together a few pointers on how to define the scope for your Cyber Essentials certification.

It’s by no means exhaustive, and for the vast majority of micro and small businesses it will be the whole organisation but what about the home workers, third parties with access to your system and even your IT provider? Here are the things that we find usually throw a spanner in the works…

Q. Does the “scope” need to be my whole company?

A. The scope should cover your whole organisation and doing so makes it much easier to answer the questions

However, we recognise that some organisations are complex and so you can describe a scope that relates to a particular subsidiary or business area of an organisation if necessary.

It’s important that it is an entity that is logically separate from the wider organisation. It must also be technically isolated from the wider organisation, normally by using separate servers, applications and networks with boundary firewalls. If you choose a scope that is not the whole organisation, and you self certify, it is up to you to provide a clear scope description that is acceptable to the assessor. The scope description will appear on the certificate you receive.

Q. Are home / remote workers in scope?

A. Home workers includes anyone who works 50% or more of their time at home and accesses company data which includes accessing email on a home PC, tablet or mobile phone. Home workers and their home networks are typically always in scope if they access any kind of company data even if they use a VPN or remote desktop / citrix connection and even if it’s just email in GSuite or Office 365.

Q. Are Third Party workers such as book keepers or accountants included?

A. If they access your network via a VPN or RDP or access company data hosted on GSuite, Office 365, Dropbox and the like then their device and office network are in scope.

Q. Are all my employee’s personal mobile phones in scope?

A. If they access the internet using your main office WiFi connection then yes. The way round this is to install a guest WiFi system which prevents devices from accessing your own internal network. Even if they were to use guest WiFi in the office, if they have company data on them (email), then they are always in scope.

Q: Are cloud providers in scope such as Office 365, GSuite, Dropbox, Azure, AWS etc?

A: If there is a VPN which connects your office network to the cloud provider, then yes, they are in scope. If you have remote workers who access files or email from these services, then they are also in scope.

They do not have to be included in scope if the data is only accessed from the business network, but you should follow the Cyber Essentials requirements for setting passwords and enabling two factor authentication wherever possible.

If external hosting / cloud providers are used you must be able to control the settings on their systems, i.e the software patching policy. So if you are using Azure as a IaaS to run virtual machines this would be fine, but generally if you are utilising these type of providers on a PaaS basis then they will most likely need to be left out of scope.