About scope for schools
What is the scope?
You will be required to identify the actual scope of the system(s) to be evaluated as part of this questionnaire. This includes:
1. School, academy or trust name
The name of the school, academy or trust will be used on the certificate awarded, so please make sure the name is accurate. The Cyber Essentials assessment will ask for a company number and you can add the URN at this point.
2. The boundary of the internal network
Ideally, your scope should be the school network as a whole, because this gives you the most protection and also means you qualify for free cyber insurance*.
(*Your annual budget needs to be less than £20 million)
If you are a Multi-Academy Trust (MAT) and all the schools within your trust are linked on the same network, you will have to apply for one certification to cover the whole MAT. If, however, your schools are on different, separate, networks, it may be better to apply for Cyber Essential certification as separate schools.
If you are certifying a MAT and do not wish to include every school or every network in the certification (scope), it would be necessary to work out how to apply controls to keep the schools that are in scope (included in Cyber Essentials) separate on the network from the schools that are out of scope (not included in Cyber Essentials). This is to ensure that a vulnerability in one of the schools that has not been certified cannot affect those that have been certified.
If some parts of your network are excluded from the scope, they need to be technically separated. This can be achieved by technical measure such as firewall rules or VLAN segregation, which blocks access to the included parts of the network in order to segregate and protect them from the out of scope parts.
This process can sometimes get complicated, and you may need help from a networking expert. If you exclude part of your network, you will not be eligible for the free insurance.
If you allow students access to your network, it is important that this is segregated on it’s own guest network, and must not be able to interact with your other organisational data or services.
This network is the exception to the rule above where whole school certification can still be achieved.
3. The physical location of the school or academy
Consider whether you have a single or split-site or whether you are assessing a trust with multiple sites.
If you are assessing multiple sites, you will need to list all the sites with their basic address.
What should the scope include?
When considering what should be in scope, consider the following:
- Do you have a single school site?
- Do you have multiple sites with a shared network or a single network for each? How are they connected?
- Is the pupil/student network different network to the office administration network?
- Do staff work from home?
- Do staff use school owned devices or their own devices for work?
- What cloud services are used (Dropbox, Microsoft 365, Google Workspace)?
- Can all of your school and all of your users have Cyber Essentials controls applied?
Defining the scope of Cyber Essentials
The scope should include the whole school IT infrastructure to achieve the best protection. Infrastructure can be split into Devices and Software:
Devices or hardware include all types of hosts, networking equipment, servers, networks and end user equipment such as desktop computers, laptop computers, tablets and mobile phones (smartphones) — whether physical or virtual.
All devices that have access to organisational data and organisational services should be included. (see below for definitions of organisational data and services)
Internet of Thing (IoT) or ‘smart’ devices such as security cameras, thermostats and speakers are not part of Cyber Essentials and need not be included. It’s worth noting, however, that for interactive whiteboards, the computers connecting to them are in scope and for those white board solutions that now have the Operating System built in, they would be included in scope.
A hardware asset list is a list of all the IT devices attached to your school network.
It is considered best security practice to hold an up-to-date hardware asset list and the Information Commissioner’s Office (ICO) certainly recommends it. It may also be an insurance requirement, check with your school business manager whether you have one and where it is.
Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firmware.
Organisational data can be defined as any electronic data belonging to the applicant. e.g. emails, office documents, database data, financial data. This does include school emails, (so if staff receive emails on their own devices these need to be included in the scope.
Organisational services can be defined as any software applications, cloud applications, cloud services, user interactive desktops and mobile device management solutions owned or subscribed to by the applicant. e.g web applications, MS 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.
1. All devices which connect to the school network and access school data are automatically in scope.
2. Devices without internet connectivity are automatically out of scope.
3. Devices which are managed by your school and have standard user accounts that connect to the internet for web browsing or opening emails are in scope.
4. Devices which can be ‘seen’ from the internet, including network equipment that control the flow of data from the internet such as routers and boundary firewalls are in scope.
Wireless devices (including wireless access points) that can communicate with other devices via the internet are included in the scope.
Anyone who accesses school data or services via the internet from home as part of their contracted working hours is classed as a home worker.
Please note, this does not include students accessing a segregated student network.
Home workers, and their home internet router, are usually in scope if they access any kind of school data.
Firewall controls need to be applied to home routers for home workers and software firewalls on devices must be turned on. Relying on a proxy server is not adequate.
If a full tunnel Virtual Private Network (VPN) is used to connect to school systems, only the computer accessing the data is in scope and not the internet router. Other VPN solutions are not accepted.
Schools need to ensure that, as well as technical controls, the appropriate policies for remote/home working are in place. Remote working guidance and policy documents are available on the Cyber Essentials for school’s web page, you can download them here.
Equipment owned by the school and loaned out to students to use at home can be included on the asset list and is ‘in scope’ when it is checked into the school, and it is excluded from the asset list and considered ‘out of scope’ once it is checked out of the school and in the care of the student to use at home.
Sometimes ‘legacy’ devices (outdated computers, tablets or phones that are no longer receiving updates from the manufacturer) are loaned or given to a school for the students use at home. If these devices are no longer supported with updates, or do not meet other standards for Cyber Essentials, they need not be declared as long as they never connect to the school network.
Bring Your Own Device (BYOD)
School devices are often managed through centralised administration, ensuring consistency. Assessment of the security controls is usually more straightforward when this is the case.
Devices which are personally owned are usually set up in many different ways and verifying controls can be more challenging.
In addition to mobile devices or laptops owned by the school, user-owned devices which access organisational data or services are in scope.
All Mobile devices (phones/tablets) belonging to the school, which are used to access the internet and can access organisational data and services such as email, are in scope.
A privately owned device with access to the school network is in scope.
Personally owned devices, using a segregated guest WiFi which prevents the device from accessing the school internal network and data, are not in scope.
Wireless devices, including wireless access points, which communicate with other devices via the internet are in scope.
Wireless devices are not in scope if there is no communication with other devices over the internet.
Schools often use cloud services, such as Microsoft 365, Google Workspace, Dropbox, Microsoft Azure and Amazon Web Services (AWS).
Cyber Essential’s scope usually relates to the location you are accessing data from (your home/school), rather than specific cloud hosted services. Cloud services are usually not in scope.
The exception is if you have control over the cloud environment’s technical controls such as firewall settings and update management this is known as Infrastructure as a Service (IaaS) and would be included in scope. You may have to connect to a cloud provider via a VPN (Virtual Private Network) if this is the case. Please seek advice from your IT Technician, or contact one of the IASME certifying bodies around the UK that can help you with consulting services to achieve Cyber Essentials.
Software as a Service (SaaS) and Platform as a Service (PaaS) where you do not have any control over the firewalls and software updates are not in scope.
Remote IT administration
If a school is using a third party provider to manage their IT systems remotely, the responsibility of the controls still lie with the school. The school needs to be able to demonstrate that it has an understanding of the controls that are in place and confirm that they are Cyber Essentials compliant. The easiest way for a school to provide evidence that Cyber Essentials requirements have been met by the third party provider is to have a contractual agreement in place with the provider that includes the Cyber Essentials controls.
The government document describing the requirements for Cyber Essentials is available here
If you have a complex structure, you may need to seek advice from your IT support provider on how you can apply controls and whether this would allow all or part of your system to be included in the scope for Cyber Essentials.
IASME has trained a team of qualified cyber security companies who are located all over the UK and the crown dependencies, they are available to offer consulting services to help you achieve certification.