Cyber Essentials certification: defining your scope

Cyber Resilience 22nd August 2023

The Cyber Essentials (CE) scheme is a UK government-backed program designed to ensure organisations can proactively and robustly demonstrate their commitment to cyber security. Supported by the National Cyber Security Centre (NCSC), this CE certification verifies that an organisation has the technical controls in place to defend its business against the most common types of cyber attacks.

To acquire this certification, you must outline how your business meets the requirements of the scheme through a self-assessment. Part of this assessment includes defining your scope. The scope is essentially the entire IT infrastructure used to perform daily business.

It may sound daunting, but we’re here to help! In this article, we look at the 7 key areas to consider when defining your scope for the Cyber Essentials self-assessment.

Whole organisation or subset?

When applying to complete the Cyber Essentials certification, you must first decide whether to certify your entire IT infrastructure or a subset using a VLAN or a firewall.

Choosing the whole infrastructure offers more protection and elevates both team member and customer trust as you are committing to certifying all devices instead of a select few. This is the preferred option if your annual turnover is less than £20 million and you are domiciled in the UK. Crucially, it also helps to ensure your organisation is eligible for cyber insurance.

Sometimes it’s necessary to only certify a specific section of your organisation, or create a subset, as some devices may not be accepted under the CE requirements. To do this you must isolate the chosen section of your network and amend access restrictions to ensure vulnerabilities can’t be passed between the subset and the network within your scope. A scope that does not include end-user devices is not acceptable.

The boundary of your scope

It’s important that you clearly establish the boundary of the scope, including the business unit, the network boundary, and the physical location. If you are unsure what this means, we explore it below in a little more detail:

The business unit, in this instance, concerns the team or department that manages the scope.

The network boundary concerns the firewalls and routers that create the frontline of defence around your network and the devices within it.

Establishing the physical location requires you to outline where your network is physically.

The boundary of your scope must be agreed upon with the certification body before the assessment begins.

Device and software inclusion

Within the Cyber Essentials certification, it is key that you define all devices and software and ensure that everything included meets the specific conditions.

The CE requirements apply to all devices and software that can accept connections from untrusted hosts, establish user-initiated outbound connections, or control data flow between any of the above devices and the internet.

This includes end-user devices, devices used for home working, ‘Bring Your Own Device’ (BYOD) or personal devices used for business purposes, wireless devices, and cloud services.

BYOD, remote work, wireless devices, cloud services

The way devices are used within your company determines whether they are included in the Cyber Essentials assessment.

If personal devices are used to access company data and services, then they are within scope. However, if personal devices are used only for multi-factor authentication applications, these shouldn’t be included within the scope.

For remote workers, it’s important to consider factors such as access policies, VPN usage, firewall types, and who is in charge of implementing specific controls.

In a nutshell, home working devices are generally included within the scope, and firewalls meeting the CE requirements should be enabled on these devices to maintain security. Firewalls that are provided by the Internet Service Provider are not within scope.

Asset management

Although not a direct control, a comprehensive and well-coordinated asset management approach is vital to satisfy all five CE controls.

This involves creating and maintaining accurate information about the assets within your scope that enable daily business operations.

Asset management is linked to all other aspects of cyber security, such as risk management, assessing vulnerabilities, and managing identity and access controls, and so must be considered when filling out the CE assessment.
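As an added example (not from the article or from Net Defence), the following helper applies the inclusion rules described in the device, BYOD and home-working sections above to a constructed asset inventory, and checks the resulting scope still contains at least one end-user device. The asset fields, device names and the sample inventory are assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Asset:
    """One inventory entry. Field names are assumptions for this example."""
    name: str
    kind: str                        # "end-user", "firewall", "server", "web-app"
    owner: str                       # "company", "personal", "third-party", "msp-admin", "isp"
    untrusted_inbound: bool = False  # accepts connections from untrusted hosts
    user_outbound: bool = False      # establishes user-initiated outbound connections
    controls_flow: bool = False      # controls data flow between devices and the internet
    mfa_only: bool = False           # personal device used only for an MFA app

def classify(asset: Asset) -> tuple[bool, str]:
    """Return (in_scope, reason) using the scoping rules the article describes."""
    if asset.kind == "firewall" and asset.owner == "isp":
        return False, "ISP-provided firewall is not in scope"
    if asset.owner == "msp-admin":
        return False, "MSP administrator devices are excluded"
    if asset.owner == "personal" and asset.mfa_only:
        return False, "personal device used only for multi-factor authentication"
    if asset.untrusted_inbound or asset.user_outbound or asset.controls_flow:
        return True, "meets a CE connection criterion"
    return False, "no qualifying connection to untrusted hosts or the internet"

def build_scope(inventory: list[Asset]) -> dict:
    """Partition the inventory; a scope with no end-user devices is not acceptable."""
    in_scope = [a.name for a in inventory if classify(a)[0]]
    out_scope = [a.name for a in inventory if not classify(a)[0]]
    has_end_user = any(a.kind == "end-user" and classify(a)[0] for a in inventory)
    return {"in": in_scope, "out": out_scope, "acceptable": has_end_user}

# Constructed sample inventory (not taken from the article)
SAMPLE = [
    Asset("office-laptop-01", "end-user", "company", user_outbound=True),
    Asset("home-laptop-02", "end-user", "company", user_outbound=True),
    Asset("alice-phone", "end-user", "personal", user_outbound=True),
    Asset("bob-phone", "end-user", "personal", mfa_only=True),
    Asset("isp-router", "firewall", "isp", controls_flow=True),
    Asset("edge-fw", "firewall", "company", controls_flow=True),
    Asset("msp-jumpbox", "end-user", "msp-admin", user_outbound=True),
    Asset("shop-web", "web-app", "company", untrusted_inbound=True),
    Asset("lab-box", "server", "company"),
]

if __name__ == "__main__":
    for key, value in build_scope(SAMPLE).items():
        print(key, value)
```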

Third-party accounts and devices

Devices that are used by third parties, excluding MSP administrators, and interact with your company data should be included in your CE scope.

For any devices that fall outside of the assessment scope, it’s key that you ensure all technical controls are in place and demonstrate that all devices are correctly configured.

Web applications

By default, publicly available commercial web applications fall within the scope.

To mitigate the risk of vulnerabilities, it’s important to adhere to robust development practices and regular testing when using bespoke applications.

How Net Defence can support you

While it may feel like there’s a lot to consider and you can be sure that challenges may arise, the rewards of defining your scope and achieving the Cyber Essentials certification are worth it.

Net Defence is a certified body of IASME, and therefore we can support you on your journey to becoming CE-certified. Not only can we mark CE self-assessments and grant certifications, but we can audit your business and highlight gaps in your current cyber security solutions to ensure you are meeting all the key requirements.

To take control of your cyber security, get in touch with Net Defence today. We’ll be with you every step of the way.
