How to establish the scope of your organisation for Cyber Essentials certification

Cyber Essentials Scope

One of the first things you must do when applying for Cyber Essentials is establish the boundary of scope for your organisation and determine what is in scope within this boundary. This means clarifying exactly what is included in your certification.

Consider your organisation and what it consists of. If you are a consultant, it might be just you working from home; if you are a builder or a mobile hairdresser, it might be just you working from your customer’s home. Perhaps your work spans multiple locations? Do you have a physical office or shop as well as an online presence? Do you have staff who work from home or want to use their own equipment for work? Can all of your organisation have the Cyber Essentials controls applied to it? If you are a sole trader, the scope of your organisation may simply include you, your tools, vehicle and mobile phone. Cyber Essentials is suitable for businesses of all sizes.

Home working

Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational data or services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials. This includes personal mobile phones that are used to access work emails.

Anyone and anything accessing organisational data and services

All devices that access organisational data or services (see definitions below), including email, are in scope. This includes devices used by employees, volunteers, school governors and contractors.

Organisational data can be defined as any electronic data belonging to the organisation, e.g. emails, office documents, database data, financial data.

Organisational services can be defined as any software applications, cloud applications, cloud services, user interactive desktops and mobile device management solutions owned or subscribed to by the organisation, e.g. web applications, MS 365, Google Workspace, MDM containers, Citrix Desktop, VDI solutions, RDP desktops.

All cloud services

All cloud services are in scope and need to meet the Cyber Essentials controls. If your organisation’s data or services are hosted in the cloud, then your organisation is responsible for ensuring that all the Cyber Essentials controls are implemented within those services. Whether the cloud service provider or your organisation implements a given control depends on the type of cloud service, but you have the responsibility to ensure the appropriate controls are in place for all cloud services.

Examples of cloud services:

An Infrastructure as a Service (IaaS) cloud service provider hosts the infrastructure components that typically exist in an on-premises data centre including servers, storage and networking hardware as well as the hypervisor or virtualisation layer. Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

Platform as a Service (PaaS) offers developers a platform for software development and deployment over the internet, enabling them to access up-to-date tools. Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

Software as a Service (SaaS) cloud service providers host the applications, making them available to users over the internet. With SaaS, organisations do not have to download any software to their existing IT infrastructure.

SaaS is used by most organisations for everyday tasks such as creating and sharing files, signing and sending contracts and project management. Examples of SaaS include Microsoft 365, Jira, Dropbox and Gmail.

A Cyber Essentials scope must include at least one end user device (desktop and laptop computers, thin clients, tablets and smart phones). This might sound like a strange requirement, but it is really to close a loophole where some organisations were only certifying their server systems.

Whole organisation

The scope of your Cyber Essentials assessment and certification should ideally cover the whole of the IT infrastructure used to run your business. Including your ‘whole organisation’ in the scope of the assessment gives you the most protection and, if your annual turnover is less than £20 million and you are domiciled in the UK, also means you qualify for the cyber insurance included with your Cyber Essentials certification.

In some cases, however, it is not possible to have the whole organisation in scope, for example if you want to use software that is no longer supported. If some parts of your network are excluded from the scope, they need to be technically separated. This can be achieved by creating a subset using a VLAN (definition below) or firewall, which blocks access to the included parts of the network in order to segregate and protect them from any vulnerabilities within the network that is out of scope.

If your organisation has a segregated ‘guest’ network that does not interact with other organisational data or services and allows people outside of the organisation to use the internet, this can be excluded from the scope. An example would be a hotel with a guest network or a student network in a school. This is an exception to the rule and the certification scope can still be described as ‘whole organisation’.

What is a VLAN?

Your Local Area Network (LAN) is everything inside the router that your internet service provider has given you to connect to the wider internet. It might include all the computers, mobile devices and IoT devices in your home or office. VLAN stands for Virtual Local Area Network. It is a technology that allows you to split a network into segments using low-cost switches. Computers, servers and other network devices can be connected or separated regardless of their physical location.

Even if these devices are scattered across different locations, it doesn’t matter, because a VLAN can group them into separate virtual networks. You can use VLANs to improve network security by, essentially, putting all sensitive information and the users who have access to it on a separate network. No other types of information can travel on that VLAN and only authorised users have access to it, whether it’s a guest network or a VLAN to separate your work and home devices when your office is at home. The separation means that devices on separate networks can’t communicate directly; instead, the data has to go through a firewall, which can protect the network. This ensures that if malware infects a device on one network, the devices on the other, separate network are protected.
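The two passages above say that out-of-scope segments must be separated by a VLAN or firewall that blocks access to the in-scope parts of the network, and that traffic between VLANs has to pass through a firewall. The script below is an added example, not part of the Cyber Essentials guidance or any certification body’s tooling: it models a small network as VLANs marked in or out of scope, models the inter-VLAN firewall as an ordered rule list with first-match, default-deny semantics, and then probes every out-of-scope to in-scope path to report any that is allowed. The VLAN IDs, subnets, hosts, ports and both rule sets are constructed for illustration; the second rule set shows how a single host exception inserted above a deny rule silently breaks the segregation.

```python
"""Added example (not part of the Cyber Essentials guidance): check that an
inter-VLAN firewall policy keeps out-of-scope segments from reaching in-scope
ones. All VLANs, subnets, hosts and rules below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Vlan:
    vid: int                 # 802.1Q VLAN ID
    name: str
    subnet: IPv4Network
    in_scope: bool           # True if the segment is inside the certification boundary


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None = any destination port


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (usual firewall semantics)."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def probe_hosts(subnet: IPv4Network, rules: List[Rule]) -> List[IPv4Address]:
    """Addresses worth probing in a subnet: its first and last usable host, plus any
    single host (/32) that a rule names inside it. Host-specific exceptions are
    exactly where segregation tends to leak, so they must be probed explicitly."""
    hosts = {subnet[1], subnet[-2]}
    for r in rules:
        for net in (r.src, r.dst):
            if net.prefixlen == 32 and net.network_address in subnet:
                hosts.add(net.network_address)
    return sorted(hosts)


def segregation_violations(vlans: List[Vlan], rules: List[Rule],
                           ports: Tuple[int, ...] = (22, 445, 3389)) -> List[tuple]:
    """Return (src_vlan, dst_vlan, src_ip, dst_ip, port) for every probed path on
    which an out-of-scope segment may initiate a connection into an in-scope one."""
    found = []
    for src in vlans:
        if src.in_scope:
            continue
        for dst in vlans:
            if not dst.in_scope:
                continue
            for s in probe_hosts(src.subnet, rules):
                for d in probe_hosts(dst.subnet, rules):
                    for p in ports:
                        if evaluate(rules, s, d, p) == "allow":
                            found.append((src.name, dst.name, str(s), str(d), p))
    return found


# Constructed network: office is certified; guest and legacy are kept out of scope.
VLANS = [
    Vlan(10, "office", ip_network("10.0.10.0/24"), in_scope=True),
    Vlan(20, "guest", ip_network("10.0.20.0/24"), in_scope=False),   # visitors' internet access
    Vlan(30, "legacy", ip_network("10.0.30.0/24"), in_scope=False),  # unsupported software
]

# Policy that segregates correctly: guest gets internet only, legacy gets nothing.
SEGREGATED = [
    Rule("allow", ip_network("10.0.10.0/24"), ANY),
    Rule("deny", ip_network("10.0.20.0/24"), ip_network("10.0.0.0/16")),
    Rule("allow", ip_network("10.0.20.0/24"), ANY),
    Rule("deny", ip_network("10.0.30.0/24"), ip_network("10.0.0.0/16")),
]

# Same policy after a file-share exception was inserted above the legacy deny rule.
LEAKY = [
    Rule("allow", ip_network("10.0.10.0/24"), ANY),
    Rule("deny", ip_network("10.0.20.0/24"), ip_network("10.0.0.0/16")),
    Rule("allow", ip_network("10.0.20.0/24"), ANY),
    Rule("allow", ip_network("10.0.30.0/24"), ip_network("10.0.10.5/32"), dport=445),
    Rule("deny", ip_network("10.0.30.0/24"), ip_network("10.0.0.0/16")),
]

if __name__ == "__main__":
    for label, policy in (("segregated", SEGREGATED), ("leaky", LEAKY)):
        hits = segregation_violations(VLANS, policy)
        print(f"{label}: {'segregation holds' if not hits else hits}")
```

The check only needs to run in the out-of-scope to in-scope direction, which is the direction the guidance cares about; traffic the in-scope segment initiates outwards is a separate question. Probing the first and last host of each subnet plus every /32 a rule mentions keeps the run fast while still catching the host-level exceptions that a subnet-only view would miss.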

Equipment that stays offline

If you have IT equipment that does not ever connect to the internet and does not control data flow to and from the internet, then this is automatically excluded from the scope of Cyber Essentials, and you do not need to declare it.

Help and support

If you have a complex company structure and believe the assessment would not cover the whole of your organisation, you may need to seek professional advice on how you would apply controls to a subset of your organisation to allow part of it to be in scope for Cyber Essentials.

There are over 270 specially trained cyber security companies around the UK who are licensed to certify against the Government’s Cyber Essentials Scheme. They can offer help and support in preparation for the assessment. Find one near you.