What is in scope of the Cyber Essentials scheme?
As a Cyber Essentials scheme applicant, you need to ensure that your organisation meets all the requirements of the scheme.
Your Cyber Essentials assessment and certification can cover your whole IT infrastructure, or a subset of it.* However you define your boundaries, the Cyber Essentials requirements will apply to any in-scope devices that meet at least one of the following conditions:
- It can accept incoming network connections from untrusted Internet-connected hosts.
- It can establish user-initiated outbound connections to devices via the Internet.
- It controls the flow of data between any of the above devices and the Internet.
User-owned devices that can access organisational data or services, such as emails, are in scope, as are Cloud services if you host your data or services on them. For Cloud services, the applicant is always responsible for ensuring all controls are implemented, but some of those controls can be implemented by the Cloud service provider.
By default, commercial web applications created by development companies and accessible from the Internet are in scope; bespoke and custom components of web applications are not.
*A subset is defined as “a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN”. It can be used to define what is in or out of scope for certification.
Secure your organisation with Cyber Essentials
With IT Governance, you can complete the entire Cyber Essentials certification process quickly and easily for as little as £400.