Defining the Scope for Cyber Essentials

Great, you’re looking at getting your company Cyber Essentials Certified but early on you’ll hit the question “Does the scope of this assessment cover your whole organisation?” so what we’ve put together a few pointers on how to define the scope for your Cyber Essentials certification.

It’s by no means exhaustive, and for the vast majority of micro and small businesses it will be the whole organisation but what about the home workers, third parties with access to your system and even your IT provider? Here are the things that we find usually throw a spanner in the works…

Q. Does the “scope” need to be my whole company?

A. The scope should cover your whole organisation and doing so makes it much easier to answer the questions

However, we recognise that some organisations are complex and so you can describe a scope that relates to a particular subsidiary or business area of an organisation if necessary.

It’s important that it is an entity that is logically separate from the wider organisation. It must also be technically isolated from the wider organisation, normally by using a firewall which blocks access to the excluded segment of the business. If you choose a scope that is not the whole organisation, and you self certify, it is up to you to provide a clear scope description that is acceptable to the assessor. The scope description will appear on the certificate you receive.

Q. Are home / remote workers in scope?

A. Home workers includes anyone who works 50% or more of their time at home and accesses company data which includes accessing email on a home PC, tablet or mobile phone. Home workers and their home internet router are typically always in scope if they access any kind of company data unless they use a VPN on their computer in which case only the computer accessing the data is in scope and not the internet router.

Q. Are Third Party workers such as book keepers or accountants included?

A. If they access your network or company data and use a VPN then only the computer accessing the data is in scope. If they use RDP or access company data hosted on GSuite, Office 365, Dropbox and the like then their computer and internet router is in scope. 

Q. Are all my employee’s personal mobile phones in scope?

A. If they access the internet using your main office WiFi connection then yes. The way round this is to install a guest WiFi system which prevents devices from accessing your own internal network. Even if they were to use guest WiFi in the office, if they have company data on them (email), then they are always in scope.

Q: Are cloud providers in scope such as Office 365, GSuite, Dropbox, Azure, AWS etc?

A: The scope typically relates to the location where you are accessing data from rather than specific cloud hosted services. 

If there is a VPN which connects your office network to the cloud provider, then yes, they are in scope.