The scope is crucial for Cyber Essentials (CE) certification. It is often seen as one of the most confusing areas. A well-defined scope helps in prioritising your resources, identifying vulnerabilities, and implementing effective security controls, thereby strengthening your organisation’s overall cybersecurity posture.

Whole Organisation or Subset: You need to decide whether to certify your entire IT infrastructure or a certain subset. Choosing the whole infrastructure offers more protection and elevates customer trust.

Scope Boundary: It’s important that you clearly establish the boundary of the scope, including business unit, network boundary, and physical location. Make sure this is agreed upon with the certification body before the assessment begins.

Devices and Software Inclusion: Keep in mind that the requirements extend to all devices and software that meet specific conditions, such as accepting connections from untrusted hosts or controlling the flow of data between your network and the internet. Include all end-user devices in your scope.

Asset Management: Although not a direct control, a comprehensive and well-coordinated asset management approach is vital to satisfy all five CE controls.

BYOD, Remote Work, Wireless Devices, Cloud Services: Depending on your company’s rules and practices, you should decide whether BYOD, remote work devices, wireless devices, and cloud services should be in your scope. Think about factors like access policies, VPN usage, router types, and who is in charge of implementing specific controls.

Third-Party Accounts and Devices: Include in the assessment scope any accounts and devices used by third parties that interact with your data. Make sure that all technical controls are in place and can be demonstrated for services and devices that are managed externally.

Web Applications: By default, publicly available commercial web applications fall within the scope. Adhere to robust development practices to reduce vulnerabilities.

Align your scope with your cybersecurity objectives, regulatory requirements, and available resources. While challenges may arise, the rewards of defining your scope and achieving CE certification are worth it. Remember, Net Defence is here to help you conquer these challenges and strengthen your overall cybersecurity posture.

  • Over 40,000 organizations in the UK have obtained CE.
  • CE certification can reduce vulnerability to cyber threats by up to 80%.
  • 50% of businesses regard Cyber Essentials Certification as a factor when selecting suppliers.
  • CE can reduce insurance premiums by up to 25%.
  • Over 90% of UK government contracts requiring IT services in 2021 mandated CE.

Contact us to learn more.