Defining the Scope for Cyber Essentials - Southern IT

Defining the Scope for Cyber Essentials - Southern IT

3rd October 2018


Cyber Security is essential in today’s increasingly complex threat environment, so well done for prioritising your business’s safety and looking to get your business Cyber Essentials certified! Getting started is the most difficult step in most cases, and figuring out your Cyber Essentials scope and what you need to do can seem complicated initially, so we’ve put together a short overview and Q&A on everything you need to successfully get your certification. Let’s get started!

What is Cyber Essentials?

Cyber Essentials is a government-backed scheme to help you protect your business against cyber attacks. It provides a clear overview of your current cyber security level and gives you the tools you need to increase your protection and fortify your defences against the most common threats. Having your Cyber Essentials certification shows your clients, partners and prospects that you prioritise your cyber security and take measures to protect their data.

What is my Cyber Essentials scope?

It’s by no means exhaustive, and for the vast majority of small and medium-sized businesses, the scope of your assessment will include your whole organisation. But what about the remote team members, third parties with access to your system, and even your IT provider, you may wonder? We have put together a short Q&A answering the most common questions we get regarding your Cyber Essentials Scope.

Cyber Essentials Scope Q&A

Q. Does the “scope” need to be my whole company?

A. The scope should cover your whole organisation and doing so makes it much easier to answer the questions

However, we recognise that some organisations are complex and so you can describe a scope that relates to a particular subsidiary or business area of an organisation if necessary.

It’s important that it is an entity that is logically separate from the wider organisation. It must also be technically isolated from the wider organisation, normally by using a firewall which blocks access to the excluded segment of the business. If you choose a scope that is not the whole organisation, and you self certify, it is up to you to provide a clear scope description that is acceptable to the assessor. The Cyber Essentials scope description will appear on the certificate you receive.

Q. Are home / remote workers in my Cyber Essentials scope?

A. Home workers includes anyone who works 50% or more of their time at home and accesses company data (email on a home PC, tablet or mobile phone). Home workers and their home internet router are typically always in scope if they access any kind of company data unless they use a VPN on their computer, in which case only the computer accessing the data is in scope and not the internet router.

Q. Are Third Party workers, such as bookkeepers or accountants, included?

A. If they access your network or company data and use a VPN then only the computer accessing the data is in scope. If they use RDP or access company data hosted on G-Suite, Office 365, Dropbox and the like then their computer and internet router is in scope.

Q. Are all my employee’s personal mobile phones in the Cyber Essentials scope?

A. If they access the internet using your main office WiFi connection then yes. The way round this is to install a guest WiFi system which prevents devices from accessing your own internal network. Even if they were to use guest WiFi in the office, if they have company data on them (I.e. email), then they are always in scope.

Q: Are cloud providers in scope, such as Microsoft 365, GSuite, Dropbox, Azure, AWS etc?

A: The Cyber Essentials scope typically relates to the location where you are accessing data from rather than specific cloud hosted services.

If there is a VPN which connects your office network to the cloud provider, then yes, they are in scope.oud providers in scope, such as Microsoft 365, GSuite, Dropbox, Azure, AWS etc?


Get your Cyber Essentials certification with Southern IT

At Southern IT, we deliver comprehensive cyber security services, and we’re more than happy to help you get your Cyber Essentials certification. If you have any questions or concerns regarding your Cyber Essentials scope, assessment, or anything else surrounding your certification, reach out to our friendly experts or click below to learn more about our cyber security services.

Cyber Security Services

Can your business recover from Disaster?

Do you have a backup? is it sufficient? when did you last review it, or test it?

Download our free 25 point checklist to help give you peace of mind that you've got the best system in place for your business needs.