About scope for schools

What is the scope?

The scope of your network defines what will and won’t be covered by the Cyber Essentials assessment. It is important to identify what is in and what is out of scope. 

You will be required to describe the scope of the system(s) to be evaluated as part of this questionnaire and how these are separated from any systems in your school that are not in scope. This includes:

1. School, academy or trust name

The name of the school, academy or trust will be used on the certificate awarded, so please make sure the name is accurate. 

2. The boundary of the internal network

Ideally, your scope should be the school network as a whole, because this gives you the most protection and also means you qualify for included cyber liability insurance*. (*Your annual budget needs to be less than £20 million).

If a number of schools share the same network then the one assessment must cover them all.

If you are a Multi Academy Trust  (MAT) and your schools are on different, separate networks, it may be better to apply for Cyber Essential certification as separate schools.

If you are certifying a MAT where all the schools are on the same network and you do not wish to include every school in the certification (scope), it would be necessary to work out how to apply controls to keep the schools that are in scope (included in Cyber Essentials) separate on the network from the schools that are out of scope (not included in Cyber Essentials). This is to ensure that a vulnerability in one of the schools that has not been certified cannot affect those that have been certified.

If some parts of your network are excluded from the scope, they need to be technically separated. This can be achieved by creating a subset  using a *VLAN or firewall, which blocks access to the included parts of the network in order to segregate and protect it from any vulnerabilities within the network that is out of scope.

This process can sometimes get complicated, and you may need help from a networking expert. If you exclude part of your network, you will not be eligible for the included insurance.

If you allow students access to your network, it is important that this is segregated on it’s own guest network, and must not be able to interact with your other organisational data or services. You can exclude this guest or student network from scope and still describe the certification scope as “whole organisation”. This is the exception to the rule, and no other parts of the network can be excluded to achieve whole school certification.

3. The physical location of the school or academy

Consider whether you have a single or split-site or whether you are assessing a trust with multiple sites.
If you are assessing multiple sites, you will need to list all the sites with their addresses.

What should the scope include?

When considering what should be in scope, consider the following:

  • Do you have a single school site?
  • Do you have multiple sites with a shared network or a single network for each? How are they connected?
  • Is the pupil/student network separate to the office administration network?
  • Do staff work from home?
  • Do staff use school owned devices or their own devices to access school data and services?
  • What cloud services are used (Dropbox, Microsoft 365, Google Workspace)?
  • Can all of your school and all of your users have Cyber Essentials controls applied?

Defining the scope of Cyber Essentials

The scope should include the whole school IT infrastructure to achieve the best protection. Infrastructure can be split into Devices and Software:
Devices or hardware include all types of hosts, networking equipment, servers, networks and end user equipment such as desktop computers, laptop computers, thin clients, tablets and mobile phones (smartphones) — whether physical or virtual. All devices that have access to organisational data and organisational services should be included. (see below for definitions of organisational data and services) Internet of Thing (IoT) or ‘smart’ devices such as security cameras, thermostats and speakers are not part of Cyber Essentials and need not be included. It’s worth noting, however, that for interactive whiteboards, the computers connecting to them are in scope and for those white board solutions that now have the Operating System built in, they will be included in scope.
A hardware asset list is a list of all the IT devices attached to your school network.It is considered best security practice to hold an up-to-date hardware asset list and the Information Commissioner’s Office (ICO) certainly recommends it. It may also be an insurance requirement, check with your school business manager whether you have one and where it is.
Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firmware.
Organisational data can be defined as any electronic data belonging to the applicant. e.g. emails, office documents, database data, financial data. This does include school emails, so if staff receive emails on their own devices these need to be included in the scope.
Organisational services can be defined as any software applications, cloud applications, cloud services, user interactive desktops and mobile device management solutions owned or subscribed to by the applicant. e.g web applications, MS 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop. All cloud services are in scope for Cyber Essentials.

Important points

1. All devices which connect to the school network and access school data are automatically in scope.
2. Devices without internet connectivity are automatically out of scope.
3. Devices which are managed by your school and have standard user accounts that connect to the internet for web browsing or opening emails are in scope.
4. Devices which can be ‘seen’ from the internet, including network equipment that control the flow of data from the internet such as routers and boundary firewalls are in scope.
Wireless devices (including wireless access points) that can communicate with other devices via the internet are included in the scope.

Home users

Anyone who accesses school data or services via the internet from home is classed as a home worker.
Please note, this does not include students accessing a segregated student network.

Schools need to ensure that, as well as technical controls, the appropriate policies for remote/home working are in place.

(See guidance on remote/home working, and policy documents).

Equipment owned by the school and loaned out to students to use at home can be included on the asset list and is ‘in scope’ when it is checked into the school, and it is excluded from the asset list and considered ‘out of scope’ once it is checked out of the school and in the care of the student to use at home.

Sometimes ‘legacy’ devices (outdated computers, tablets or phones that are no longer receiving updates from the manufacturer) are loaned or given to a school for the students use at home. If these devices are no longer supported with updates, or do not meet other standards for Cyber Essentials, they need not be declared as long as they never connect to the school network.

Bring Your Own Device (BYOD)

School devices are often managed through centralised administration, ensuring consistency. Assessment of the security controls is usually more straightforward when this is the case.

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope for Cyber Essentials. This does not include mobile or remote devices that are used only for the purpose of : text messages, voice calls or Multi Factor Authentication applications. This means that if teachers or governors use their mobile phone to text or speak to work colleagues and receive MFA codes, but do not use it to access work emails or files, then that mobile phone is out of scope. However, If staff use their mobile device to access work emails, that device is in scope. (See guidance on BYOD).

Mobile devices

All Mobile devices (phones/tablets) belonging to the school, which are used to access the internet and can access organisational data and services such as email, are in scope.

A privately owned device with access to the school network is in scope.

Personally owned devices, using a segregated guest WiFi which prevents the device from accessing the school internal network and data, are not in scope.

Wireless devices

Wireless devices, including wireless access points, which communicate with other devices via the internet are in scope.

Wireless devices are not in scope if they are part of an ISP router within the home location.

Cloud services

All Cloud services are fully integrated into the scheme. If a school’s data or services are hosted on cloud services, then the school is responsible for ensuring that all the Cyber Essentials controls are implemented on that service. Definitions of cloud services include Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the school implement the control depends on the type of cloud service but the school has a responsibility to check that the controls are put in place.

Do you have a list of all the cloud services that your school uses? Have you enabled MFA for every account that accesses every cloud service? (See guidance on applying the five controls to cloud services and applying MFA to access cloud services).

Remote IT administration

If a school is using a third party provider to manage their IT systems remotely, the responsibility of the controls still lie with the school. The school needs to be able to demonstrate that it has an understanding of the controls that are in place and confirm that they are Cyber Essentials compliant. The easiest way for a school to provide evidence that Cyber Essentials requirements have been met by the third party provider is to have a contractual agreement in place with the provider that includes the Cyber Essentials controls.

Further support

The government document describing the requirements for Cyber Essentials is available here

If you have a complex structure, you may need to seek advice from your IT support provider on how you can apply controls and whether this would allow all or part of your system to be included in the scope for Cyber Essentials.

IASME has trained a team of qualified cyber security companies who are located all over the UK and the crown dependencies, they are available to offer consulting services to help you achieve certification.