Defining the scope for Cyber Essentials certification

What is in scope of the Cyber Essentials scheme?

As a Cyber Essentials scheme applicant, you will need to ensure that your organisation meets all the requirements of the scheme.

Your Cyber Essentials assessment and certification can cover the whole IT infrastructure, or a sub-set*. However you define your boundary, the Cyber Essentials requirements will apply to any devices within the scope that meet one of the following conditions:

  • Can accept incoming network connections from untrusted Internet-connected hosts; or
  • Can establish user-initiated outbound connections to devices via the Internet; or
  • Control the flow of data between any of the above devices and the Internet.

You must include some end-user device (EUDs) in your scope.

In addition to mobile or remote devices owned by your organisation, user-owned devices that access organisational data (including emails) or services are in scope.

Cloud Services are within the scope of the certification. For Cloud services, the applicant is always responsible for ensuring all the controls are implemented, but some of the controls can be implemented by the Cloud service provider. Commercial web applications created by development companies (rather than in-house developers) and publicly accessible from the Internet are in scope by default.

*A sub-set is defined as part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope.



The level of Cyber Essentials certification your organisation wishes to be certified to.

Download and read Cyber Essentials Requirements for IT infrastructure. This will help you define your scope. You are asked to confirm that you have read this as part of your application.



Identify what is in and what is out of scope. Whatever you decide the scope of your certification to be, it must be clearly defined.


Complete self-assessment questionnaire (SAQ) online

Verify that your IT infrastructure is suitably secure and meets the standards set by the Cyber Essentials.


Submit SAQ

Submit the SAQ for official assessment. For basic Cyber Essentials this is the final stage. An IT Governance Cyber Essentials assessor will review your submitted SAQ and pass or fail it accordingly. Successful applicants will be issued with their Cyber Essentials certificate. Subsequent submissions to Cyber Essentials Plus must be completed within three months of a Cyber Essentials certificate date.


Cyber Essentials Plus only – on-site or remote assessment and external scan

All elements of the on-site/remote assessment and internal/external scans must be completed within three months of achieving Cyber Essentials certification.



If nonconformities are identified, you will receive feedback to help you close these gaps, and up to one month for remediation and reassessment.



Repeat testing must be conducted within a month of the initial assessment to confirm vulnerabilities are resolved. Repeat testing is chargeable and billed separately.


Final analysis

Subject to a positive outcome, we issue your Cyber Essentials Plus certificate and report.

Secure your organisation with Cyber Essentials

With IT Governance, you can complete the entire Cyber Essentials certification process quickly and easily for as little as £400.

Shop now

This website uses cookies. View our cookie policy
WIN £100