Expert support and guidance are available if you need help determining the scope. Simply purchase an hour of LiveOnline consultancy and get the answers you need.
Here is some further information to help you define the scope:
The scope should be clearly defined in terms of the organisation or business unit managing it, the network boundary and the physical location(s).
Regardless of whether the whole or a part of the organisation is subject to certification, the name on the certificate must be consistent with the scope. The scope must be agreed before any testing starts.
The scope statement will appear on your Cyber Essentials certificate; the description will be used to verify that the scope, questionnaire responses and subjects of the scan are consistent.
Determining the scope to which Cyber Essentials applies can be a complex task, especially if your organisation is large or has an intricately structured network or network segmentation.
A simple way to determine this:
- If you are using SaaS (Software as a Service) then it is out of scope.
- If you are using PaaS (Platform as a Service) then in all likelihood it will also be out of scope, depending on the application that must be configured.
- If it is Infrastructure as a Service (IaaS) then it will be in scope as you will be responsible for configuring the platform.
- If you have VPNs connecting sites together, then, depending on the technology, the public IP address of the VPN connection is in scope even if you are using internal private addressing and route all internet traffic through the VPNs to a central egress point.
If you use a private MPLS VPN then there may not be public IP addresses.
Example scope description:
The Internet-facing infrastructure consists of the email server, SharePoint and three firewalls. Company mobiles are out of scope as they only connect to a guest wireless network that connects straight out to the Internet and has no connection to the corporate network. Externally hosted systems include a custom ERP platform, which also connects to our infrastructure over the Internet and is in scope. Our externally hosted web servers are out of scope as they are wholly managed by third parties. We also use Google Docs and ShareFile cloud-based services, which are also out of scope.
Also see this page on defining the scope for further information.