
Setting scope – What you need to know about the secret sixth control of Cyber Essentials

In our work as a certification body we meet a lot of smaller teams who are still trying to figure out exactly what the journey to IASME Cyber Essentials and Cyber Essentials Plus looks like. One term that frequently causes confusion is ‘scope’. So we wanted to take some time to retread the official guidelines and explain the thinking behind them; it’s all well and good to know what the rules are, but understanding usually comes when we can explain the rules: knowing why and how they were chosen.

Simply put, the ‘scope’ of your Cyber Essentials assessment is the total area of your IT infrastructure that will be included in the assessment. While it is recommended that your entire organisation is in scope, there are situations and reasonable business decisions that make it acceptable to exclude certain devices or areas of your business from the assessment. Given that this is possible, ‘scope’ is how we track what is and isn’t being assessed.

What might be excluded then? Manufacturing sector organisations might need to run older, unsupported operating systems on their manufacturing hardware; 3D designers might need to use out-of-support applications to work on specific project files; or a security team might want to keep a laboratory for malware testing on older machines. There are all sorts of business cases to be made here, and as long as the right process is followed to isolate these environments, this is absolutely allowable in Cyber Essentials.

The Ideal: Certifying Your Whole Organisation

For most businesses, the ideal scenario is to certify the “whole organisation” under Cyber Essentials. This approach offers the most comprehensive protection against cyber threats, ensuring a consistent level of security across all your operations. An added benefit for eligible Cyber Essentials UK businesses (those domiciled in the UK with an annual turnover under £20 million) is the included cyber liability insurance, providing an extra layer of peace of mind.

When Partial Certification is Necessary (and How to Handle It)

While whole-organisation certification is the gold standard, we understand that it’s not always feasible. Perhaps you have the aforementioned requirement for legacy systems, specialised hardware, or outdated software that simply cannot meet the current Cyber Essentials requirements. In such cases, partial certification becomes an option.

To make this work, you have to segregate what is in scope from what isn’t. This can be achieved through robust measures such as Virtual Local Area Networks (VLANs) or firewalls. This segregation is a vital control measure: it ensures that any vulnerabilities residing in out-of-scope elements cannot compromise your certified network. In our view, segregation, together with the exercise of identifying what is and isn’t in scope, is the ‘secret sixth control’ of Cyber Essentials, as it requires an applicant to identify what sits in their network and align their risk appetite with the reality of their hardware and software.

An often overlooked exception to this rule is a segregated ‘guest’ network. If your organisation provides internet access to visitors via a network that does not interact with your core business data or services (think hotel guest Wi-Fi or a school’s student network), this can be excluded while your certification still qualifies as ‘whole organisation.’

Key Elements to Include in Your Scope

Understanding what needs to be included is key to a fast Cyber Essentials journey, and you should feel confident reaching out to assessment teams to ask this question.

A. The Boundary of Scope

For Cyber Essentials, your ‘boundary of scope’ is defined by the firewalls and routers that form the first line of defence between your internal networks and devices, and the wider internet. The control requirements outlined in Section 1 (Firewalls) of the Cyber Essentials standard apply directly to these critical components.

B. Endpoint Devices: A Non-Negotiable Inclusion

This is a crucial point: all endpoint devices that have interfaces used by people must be included in your Cyber Essentials scope. This means your PCs, laptops, tablets, and mobile phones are all in. Why is this so important? Excluding these devices creates a significant loophole, ignoring potential threats that can originate from administrators or general end users. Remember, the IASME Cyber Essentials standard is fundamentally about the security of end-user devices, and it is audited from the perspective of how an end user interacts with your systems.

This also extends to home working or flexible working. If your employees, volunteers, trustees, or contractors use their own devices (including personal mobile phones) to access your business data or services, those devices are absolutely in scope.

C. Organisational Data and Services

Any electronic data belonging to your organisation, such as emails, office documents, database records, or financial information, is considered ‘organisational data’, and so anything that accesses it falls within the scope. Similarly, ‘organisational services’ encompass any software applications, cloud applications, cloud services, virtual desktops, and mobile device management solutions owned or subscribed to by your organisation (e.g., web applications, Microsoft 365, Google Workspace, Xero or QuickBooks). All devices that access this data or these services are in scope.

D. Cloud Services

All cloud services that your organisation utilises are in scope and must meet the Cyber Essentials controls. While your cloud service provider implements some of the security controls, your organisation retains the ultimate responsibility for ensuring that all necessary IASME Cyber Essentials controls are properly implemented within those services.

Often organisations feel constrained by this because of a dependency on a particular cloud provider that doesn’t offer MFA or otherwise meet the requirements of the standard. Again, Cyber Essentials Plus is a great fact-finder in this case. The frustration now is relief later, as it’s simply not best practice to use a cloud service without MFA. If this comes up as part of your CE+ journey, remember to treat it as part of a broader process that is increasing the general resilience of your organisation, and protecting against a very bad day in which a compromised employee password is used to access a cloud service without any need for Multi-Factor Authentication.

E. What’s Not in Scope (and why)

Finally, it’s worth noting what you don’t need to even declare. Any IT equipment that genuinely never connects to the internet, or to an internet-connected network, falls outside the scope of Cyber Essentials.
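The scoping rules in sections A to E above can be written down as a small decision procedure, and doing so is a useful way to check an asset inventory before submitting a self-assessment. The following Python script is an added example, not code from the original post or from IASME; the asset fields (`internet_connected`, `segregated`, `guest`, `mfa`) and the inventory it runs over are constructed for illustration. It classifies each asset as in scope, excluded, or not declared, works out whether the result still counts as a ‘whole organisation’ certification, and flags the two problems discussed above: a cloud service in scope without MFA, and a supposedly segregated device that still reaches organisational data.

```python
"""Cyber Essentials scope classifier (added example, constructed inventory).

Rules encoded, following the article's sections A to E:
  * kit that never touches the internet or an internet-connected network is not declared;
  * a segregated guest network with no access to organisational data is excluded and the
    certification still counts as whole-organisation;
  * any other segregated subset (legacy OT, malware lab) is excluded, making it partial;
  * everything that accesses organisational data or services, every user endpoint
    (including BYOD) and every cloud service is in scope; cloud without MFA is a finding.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str                      # "endpoint", "server", "cloud" or "network" (assumed names)
    internet_connected: bool       # reaches the internet or an internet-connected network
    human_interface: bool = False  # PC, laptop, tablet, phone: has a user-facing interface
    accesses_org_data: bool = False
    segregated: bool = False       # isolated from the certified network by VLAN/firewall
    guest: bool = False            # visitor/student network providing internet access only
    mfa: Optional[bool] = None     # cloud services only: is MFA enforced?


def classify(asset):
    """Return (status, reason); status is in_scope, excluded or not_declared."""
    if not asset.internet_connected:
        return "not_declared", "never connects to the internet or an internet-connected network"
    if asset.accesses_org_data:
        if asset.segregated:
            return "in_scope", "segregation is ineffective: asset still reaches organisational data"
        return "in_scope", "accesses organisational data or services"
    if asset.kind == "cloud":
        return "in_scope", "cloud services used by the organisation are always in scope"
    if asset.segregated and asset.guest:
        return "excluded", "segregated guest network with no access to organisational data"
    if asset.segregated:
        return "excluded", "segregated subset; certification becomes partial"
    if asset.human_interface:
        return "in_scope", "user endpoint on the certified network cannot be excluded"
    return "in_scope", "connected to the certified network"


def summarise(assets):
    """Group assets by scope status, decide whole-organisation, and collect findings."""
    report = {"in_scope": [], "excluded": [], "not_declared": [], "findings": []}
    whole_org = True
    for a in assets:
        status, reason = classify(a)
        report[status].append(a.name)
        if status == "excluded" and not a.guest:
            whole_org = False  # only the guest-network exception keeps whole-organisation
        if a.kind == "cloud" and status == "in_scope" and a.mfa is False:
            report["findings"].append(f"{a.name}: cloud service in scope without MFA")
        if a.segregated and a.accesses_org_data:
            report["findings"].append(f"{a.name}: segregated but reaches organisational data")
    report["whole_organisation"] = whole_org
    return report


# Constructed inventory for the example; names are placeholders, not real systems.
INVENTORY = [
    Asset("office-laptop-01", "endpoint", True, human_interface=True, accesses_org_data=True),
    Asset("byod-phone-cfo", "endpoint", True, human_interface=True, accesses_org_data=True),
    Asset("cnc-controller", "endpoint", True, human_interface=True, segregated=True),
    Asset("visitor-wifi", "network", True, segregated=True, guest=True),
    Asset("air-gapped-test-rig", "endpoint", False, human_interface=True),
    Asset("m365-tenant", "cloud", True, accesses_org_data=True, mfa=True),
    Asset("legacy-accounting-saas", "cloud", True, accesses_org_data=True, mfa=False),
    Asset("lab-vm-host", "server", True, accesses_org_data=True, segregated=True),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        status, reason = classify(asset)
        print(f"{asset.name:24} {status:13} {reason}")
    result = summarise(INVENTORY)
    print("whole organisation:", result["whole_organisation"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run as a script it prints one line per asset and then the findings; for this inventory the `cnc-controller` exclusion makes the certification partial, while `visitor-wifi` alone would not. The interesting case is `lab-vm-host`: it is on a segregated VLAN, but because it still reaches organisational data it is pulled back into scope, which is exactly the situation an assessor will pick up on.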

Seeking Expert Guidance for Your Cyber Essentials Journey

If your organisation has a complex IT structure, or you’re simply unsure about how to define your Cyber Essentials scope effectively, expert guidance can be invaluable. Don’t let the technicalities deter you from achieving vital protection.

To ensure a smooth and successful certification process, consider reaching out to a registered certification body for Cyber Essentials UK. These organisations are licensed to assess against the Government’s Cyber Essentials Scheme and can provide tailored advice and support. Getting this support from the same provider that runs your assessment means they will have the additional context and can organise your efforts with you more efficiently, which makes Cyber Essentials cheaper overall, as you don’t have to pay again for a failed assessment attempt.

Conclusion: The first step of the journey is often the most important

Understanding the scope of your IASME Cyber Essentials certification is not a formality to get out of the way; it’s a foundational exercise undertaken to build strong cyber security for your organisation. Although often seen as an obstacle, it should be thought of as a fact-finder, helping to structure your process and inviting you to make sure you really know the ins and outs of your network and how it’s used by your team.
