Defining the scope for Cyber Essentials certification

What is in scope and what is not for Cyber Essentials?

As a Cyber Essentials scheme applicant, you will need to ensure that your organisation meets all the requirements of the scheme.

Your Cyber Essentials assessment and certification can cover the whole IT infrastructure, or a sub-set. However you define your boundary, your devices and software will need to meet the following conditions:

  • Accept incoming network connections from untrusted Internet-connected hosts. 
  • Establish user-initiated outbound connections to devices via the Internet. 
  • Control the flow of data between any of the above devices and the Internet. 

In addition to mobile or remote devices owned by your organisation, user-owned devices that access organisational data or services are in scope. 

Wireless devices (including wireless access points) are in scope if they can communicate with other devices via the Internet.

If it is practicable to apply the requirements to Cloud services, these services are within the boundary of scope. Commercial web applications created by development companies (rather than in-house developers) and which are publicly accessible from the Internet are in scope by default.



The level of Cyber Essentials certification your organisation wishes to be certified to.



Identify what is in and what is out of scope. Whatever you decide is the scope of your certification, it needs to be clearly defined.


Complete self-assessment questionnaire (SAQ) online

Verify that your IT is suitably secure and meets the standards set by Cyber Essentials.



Should the self-assessment questionnaire be none compliant one of our security experts will inform you of the areas which need changes.


Submit SAQ

Submit the SAQ for official assessment. For Cyber Essentials Basic this is the final stage. An IT Governance Cyber Essentials assessor will review your submitted SAQ and will pass or fail it accordingly. Successful applicants will be issued with their Cyber Essentials Certificate.


Cyber Essentials Plus only - On-site assessment

The on-site assessment and internal scan must be undertaken within three months of achieving Cyber Essentials from an IASME licenced Certification Body.


Cyber Essentials Plus only - External Scan

External vulnerability scan of the Internet facing network and applications.



If there are nonconformities, you will receive feedback to help you close these gaps, and a month for remediation and reassessment.



Repeat testing can be conducted within a month of the initial assessment to confirm vulnerabilities are resolved. Repeat testing will be chargeable and billed separately.


Final analysis

Subject to a positive outcome, we issue your Cyber Essentials Plus certificate.

Secure your organisation with Cyber Essentials

With IT Governance, you can complete the entire certification process quickly and easily for as little as £500.

Shop now

This website uses cookies. View our cookie policy
WIN £100