About scope of evaluation
One of the first things you must do when applying for Cyber Essentials is establish the boundary of scope for your organisation and determine what is in scope within this boundary. This means clarifying exactly what is included in your certification.
Consider your organisation and what it consists of. Is it just you working from home or your customer’s house, or does it span across multiple locations? Do you have a physical office or shop as well as an online presence? Do you have staff who work from home or want to use their own equipment for work? Can all of your organisation have the Cyber Essentials controls applied to it?
Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational data or services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials. This includes personal mobile phones that are used to access work emails. (See guidance on remote/home working.)
Cloud services are in scope and need to meet the Cyber Essentials controls. If your organisation’s data or services are hosted in the cloud (eg Microsoft 365, Dropbox, Salesforce), then your organisation is responsible for ensuring that all the Cyber Essentials controls are implemented within those services. Cloud services include Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or your organisation implements a given control depends on the type of cloud service, but you have the responsibility to ensure the appropriate controls are in place for all cloud services. (See guidance on applying the five controls to cloud services.)
A Cyber Essentials scope must include at least one end user device (desktop and laptop computers, thin clients, tablets and smart phones).
The scope of your Cyber Essentials assessment and certification should ideally cover the whole of the IT infrastructure used to perform your business. Including your ‘whole organisation’ in the scope of the assessment gives you the most protection and also means you qualify for the cyber liability insurance included with your Cyber Essentials certification (if your annual turnover is less than £20 million and you are domiciled in the UK).
Please note that if you are a sole trader, the scope of your organisation may simply include you, your tools, your vehicle and your mobile phone. Cyber Essentials is suitable for businesses of all sizes, and all of the guidance will apply to you even if you are a sole trader or micro business.
In some cases it is not possible to have the whole organisation in scope, for example if you need to use old, out-of-support software for a particular project. In this case you must have a way to securely separate this part of the business from the rest of your business. One solution would be to use a technical configuration on a firewall or VLAN to create a well-defined and separately managed subset or network segment, which separates the ‘out of scope’ network from the rest of the business. This would protect the ‘in scope’ business network from any vulnerabilities introduced by the unsupported software. A subset can also be used to certify different sites, departments or networks individually. In every case you must be able to clearly describe what the scope is (eg ‘our office in Guildford only’) and how it is separated from any out-of-scope part of your organisation. Any assessment scope without a technical network boundary is not acceptable; for example, an individual project team will not be an acceptable scope unless the IT systems associated with that team are in a technical network subset.
If you have IT equipment that never has an internet connection and does not control data flow to and from the internet, then this is automatically excluded from the scope of Cyber Essentials, and you do not need to declare it.
If you have a complex company structure and believe the assessment would not cover the whole of your organisation, you may need to seek professional advice on how you would apply controls to a subset of your organisation to allow part of it to be in scope for Cyber Essentials.
There are over 270 specially trained cyber security companies around the UK who are licensed to certify against the Government’s Cyber Essentials Scheme. They can offer help and support in preparation for the assessment. Find one near you.