Defining the scope for Cyber Essentials certification

What is in scope of the Cyber Essentials scheme?

As a Cyber Essentials scheme applicant, you need to ensure that your organisation meets all the requirements of the scheme.

Your Cyber Essentials assessment and certification can cover your whole IT infrastructure, or a subset of it.* However you define your boundaries, the Cyber Essentials requirements will apply to any in-scope devices that meet at least one of the following conditions:

  • It can accept incoming network connections from untrusted Internet-connected hosts.
  • It can establish user-initiated outbound connections to devices via the Internet.
  • It controls the flow of data between any of the above devices and the Internet.

User-owned devices that can access organisational data or services, such as emails, are in scope, as are Cloud services if you host your data or services on them. For Cloud services, the applicant is always responsible for ensuring all controls are implemented, but some of those controls can be implemented by the Cloud service provider.

By default, commercial web applications created by development companies and accessible from the Internet are in scope; bespoke and custom components of web applications are not.

*A subset is defined as “a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN”. It can be used to define what is in or out of scope for certification.



There are two levels of Cyber Essentials certification your organisation can achieve: Cyber Essentials and Cyber Essentials Plus.

Both levels have the same requirements, but certification to Cyber Essentials Plus involves a technical assessment, which provides an extra level of assurance about the effectiveness of the controls your organisation has implemented.

You should decide which level best suits your organisation.



Download and read Cyber Essentials Requirements for IT infrastructure. This will help you define your scope. You will be asked to confirm that you have read this as part of your application.

Identify what is in and what is out of scope. Whatever you decide the scope of your certification to be, it must be clearly defined and meet the Cyber Essentials scoping requirements.


Complete your SAQ (self-assessment questionnaire) online

Verify that your in-scope IT infrastructure is suitably secure and meets the standards set by Cyber Essentials.


Submit your SAQ

Submit the SAQ for official assessment, which is the final step for Cyber Essentials applicants. An IT Governance Cyber Essentials assessor will review your submitted SAQ and pass or fail it accordingly. Successful applicants will be issued with their Cyber Essentials certificate.

If you are pursuing Cyber Essentials Plus certification, your technical audit must be completed within three months of your Cyber Essentials certification date.


Cyber Essentials Plus only – technical audit

All elements of the technical audit – the internal vulnerability scans, tests of your in-scope systems and off-site external scan – must be completed within three months of achieving Cyber Essentials certification.



If nonconformities are identified, you will receive feedback to help you close them, and you will have up to one month for remediation and reassessment.



Repeat testing must be conducted within a month of the initial assessment to confirm vulnerabilities are resolved. Repeat testing is chargeable and billed separately.


Final analysis

Subject to a positive outcome, we will issue your Cyber Essentials Plus certificate and report.

Secure your organisation with Cyber Essentials

With IT Governance, you can complete the entire Cyber Essentials certification process quickly and easily for as little as £400.
