Introduction

Cyber Essentials is a UK government-backed scheme and the recommended minimum baseline cyber security standard for organisations; it aims to protect organisations against the most common internet-based attacks. One of the first steps in achieving Cyber Essentials is scoping, which defines the systems, devices, and networks that are covered by the certification.

 

Why Scoping is Important

Scope is where the technical controls must be applied. It is usually considered in terms of a network boundary that contains the internet-connected devices accessing organisational data and services. It is imperative that the technical controls are applied to every in-scope asset, and that the organisation seeking Cyber Essentials certification and the certification body carrying out the assessment agree on that scope, so getting scoping right is crucial.

 

Cyber Essentials Scoping

The Cyber Essentials Requirements for IT Infrastructure document, version 3.2, defines scope on pages 6 to 12. Applicability is initially set out as:

  “The requirements apply to all devices and software in scope and which meet any of these conditions:

  • can accept incoming network connections from untrusted internet-connected hosts
  • can establish user-initiated outbound connections to devices via the internet
  • control the flow of data between any of the above devices and the internet”


This is then further clarified throughout the document, which considers the specific factors of bring your own device, home and remote working, wireless devices, cloud services, accounts, devices, and web applications. Each of the five technical controls also has an ‘applies to’ section, which shows where that control needs to be in place.

So, when considering scope, it helps to combine these three key areas:

  1. Organisational data and services: the ‘crown jewels’ of most organisations
  2. Internet-connected devices, and the users of those devices, that access the ‘crown jewels’
  3. Internet connectivity and the devices on that boundary: the source of the most common threats


Then, when applying the technical controls, consider:

  1. Servers, desktops, laptops, mobile phones, tablets with internet connectivity and that access organisational data/services – company-owned and/or personal devices
  2. Cloud services relating to organisational data/services
  3. Internet-connected wireless devices – including access points
  4. Accounts used to access organisational data – used by the organisation applying for certification, as well as third parties
  5. Publicly available commercial web applications
  6. Network equipment that controls the flow of data between the internet and (in-scope) devices – including routers, firewalls, and business broadband devices

 

Considerations and Key Notes

There are options on whether to certify the whole organisation or to exclude parts of it:

    1. Ideally, the whole organisation should be in scope, to reduce risk and protect customer data. Free cyber liability insurance may be available for whole-organisation certification.

    2. If necessary, networks may be excluded; however, an exclusion must be a well-defined and separately managed sub-set of the organisation.

Key Notes

  • NCSC Cyber Advisors are also available and specially trained to assist with Cyber Essentials – including scoping
  • An asset list/inventory is not one of the key controls for Cyber Essentials, but is needed to form input into the process – it’s crucial to understand the devices that can access organisational data/services

The Requirements for IT Infrastructure document is the main source of information for scoping Cyber Essentials; an example of how it helps is shown in the table and diagram below, sourced from that document.



Example Scenario 

Organisation ABC uses Microsoft 365 for Business to store organisational data (including email), and has several additional cloud services. The main office has 20 employees, using 10 Windows laptops and 10 Windows desktops. 5 employees work from home, using 5 MacBooks. In total, 10 Apple iPhones (company devices) and 10 Samsung / Android phones (personal devices) are also used to access organisational data (mainly email). Printers are used occasionally in the office and at home. The office network consists of a Draytek router/firewall and an unmanaged layer-2 switch, both purchased and set up by the organisation. The work-from-home networks all use ISP-provided home broadband. A third party (a managed service provider) provides IT support, using its own equipment to do so.

For this environment, the whole organisation is in scope (no sub-set environments are excluded), and the ‘in scope’ assets for Organisation ABC are:

  • 10 Windows laptops and 10 Windows desktops (main office)
  • 5 MacBooks (work from home)
  • 10 iPhones (company) and 10 Samsung / Android phones (personal)
  • Draytek router/firewall (sourced and set up by the organisation)
  • Microsoft 365 for Business and the other cloud services
  • Accounts used by the employees and by the managed service provider
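To make the scoping criteria concrete, the following is an added worked example in Python; it is not code from the Requirements for IT Infrastructure document or from RB Consultancy Ltd. It encodes the three applicability conditions quoted above, together with the cloud-service and account categories, as a small classifier and runs it over a constructed inventory for the Organisation ABC scenario. The `operated_by_org` flag, and the treatment of the unmanaged switch, the printers, the ISP routers and the MSP's equipment as out of scope, are this example's own modelling assumptions, chosen so that the result matches the in-scope list above.

```python
"""Cyber Essentials scoping worksheet (added example, not from the
Requirements for IT Infrastructure document).

Encodes the three applicability conditions quoted in the text, plus the
cloud-service and account categories, as a classifier and runs it over a
constructed inventory of the Organisation ABC scenario.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                                    # endpoint | network | cloud | account | peripheral
    count: int = 1
    accepts_inbound_from_internet: bool = False  # condition 1 of the quoted requirement
    user_initiated_outbound: bool = False        # condition 2
    controls_internet_boundary: bool = False     # condition 3 (routers, firewalls, broadband devices)
    accesses_org_data: bool = False              # holds or reaches organisational data/services
    # ASSUMPTION (this example's flag, not scheme wording): owned or used by the
    # organisation's own staff. Personal BYOD phones used by staff are True;
    # ISP-supplied home routers and the MSP's own equipment are False.
    operated_by_org: bool = True
    subset: Optional[str] = None                 # separately managed sub-set, if any


def classify(asset: Asset, excluded_subsets: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Return (in_scope, reason) for one asset."""
    if asset.subset is not None and asset.subset in excluded_subsets:
        return False, f"in excluded sub-set '{asset.subset}'"
    if asset.kind == "cloud":
        if asset.accesses_org_data:
            return True, "cloud service relating to organisational data/services"
        return False, "cloud service holding no organisational data"
    if asset.kind == "account":
        if asset.accesses_org_data:
            return True, "account used to access organisational data"
        return False, "account does not access organisational data"
    if not asset.operated_by_org:
        return False, "not owned or used by the organisation's own staff"
    if asset.controls_internet_boundary:
        return True, "controls data flow between the internet and in-scope devices"
    if not (asset.accepts_inbound_from_internet or asset.user_initiated_outbound):
        return False, "not internet-connected"
    if not asset.accesses_org_data:
        return False, "internet-connected but does not access organisational data"
    return True, "internet-connected and accesses organisational data"


def scope_register(inventory, excluded_subsets=frozenset()):
    """Split an inventory into in-scope and out-of-scope entries, each with its reason."""
    register = {"in": [], "out": []}
    for asset in inventory:
        in_scope, reason = classify(asset, excluded_subsets)
        register["in" if in_scope else "out"].append((asset.name, asset.count, reason))
    return register


def in_scope_names(inventory, excluded_subsets=frozenset()):
    """Just the names of the in-scope assets."""
    return {name for name, _, _ in scope_register(inventory, excluded_subsets)["in"]}


# Constructed inventory for the Organisation ABC scenario (sample data, not a real estate).
ABC_INVENTORY = [
    Asset("Windows laptops (office)", "endpoint", 10, user_initiated_outbound=True, accesses_org_data=True),
    Asset("Windows desktops (office)", "endpoint", 10, user_initiated_outbound=True, accesses_org_data=True),
    Asset("MacBooks (home)", "endpoint", 5, user_initiated_outbound=True, accesses_org_data=True),
    Asset("iPhones (company)", "endpoint", 10, user_initiated_outbound=True, accesses_org_data=True),
    Asset("Android phones (personal)", "endpoint", 10, user_initiated_outbound=True, accesses_org_data=True),
    Asset("DrayTek router/firewall", "network", controls_internet_boundary=True),
    # ASSUMPTION: the unmanaged layer-2 switch neither faces the internet nor filters traffic.
    Asset("Unmanaged layer-2 switch", "network"),
    Asset("ISP home broadband routers", "network", 5, controls_internet_boundary=True, operated_by_org=False),
    Asset("MSP support equipment", "endpoint", user_initiated_outbound=True, accesses_org_data=True,
          operated_by_org=False),
    # ASSUMPTION: the printers in this scenario are not internet-connected.
    Asset("Office/home printers", "peripheral"),
    Asset("Microsoft 365 for Business", "cloud", accesses_org_data=True),
    Asset("Other cloud services", "cloud", accesses_org_data=True),
    Asset("Employee accounts", "account", 25, accesses_org_data=True),
    Asset("MSP support accounts", "account", accesses_org_data=True),
]

if __name__ == "__main__":
    reg = scope_register(ABC_INVENTORY)
    for bucket in ("in", "out"):
        print(f"{bucket.upper()} SCOPE")
        for name, count, reason in reg[bucket]:
            print(f"  {count:>2} x {name}: {reason}")
```

The register gives a reason for every out-of-scope item as well as every in-scope one, which is the part an assessor will ask about; passing an `excluded_subsets` set models the well-defined, separately managed sub-set that the scheme allows to be excluded.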

 

Tips and Recommendations

  1. Focus on internet-connected devices that access organisational data and services
  2. Work-from-home and personal devices are typically in scope
  3. Devices that are not internet-connected, and well-defined, separately managed sub-sets, can be considered out of scope
  4. Guidance and support on scoping can be provided by an NCSC Cyber Advisor or an NCSC Assured Service Provider (such as RB Consultancy Ltd)

For more detailed guidance, review the Requirements for IT Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.

 

How We Help

At RB Consultancy Ltd, we support organisations to improve their cyber security and to meet the Cyber Essentials and Cyber Essentials Plus requirements. As an NCSC Assured Service Provider and an IASME Certification Body:

  • We explain the importance of Cyber Essentials and help ensure the right scope is applied
  • We explain why the Cyber Essentials questions are being asked and how they are intended to protect organisations
  • We support organisations to achieve Cyber Essentials and Cyber Essentials Plus
  • We assess organisations and issue certifications

 

Conclusion

Having the right scope for Cyber Essentials and Cyber Essentials Plus is critical for certification and for protecting your organisation from cyber threats. An inaccurate scope can leave your organisation vulnerable. Implementing best practices and ensuring compliance with Cyber Essentials technical controls can bring huge benefits to organisations, including reduced risk, the ability to bid for new contracts, free cyber liability insurance, and enhanced trust from customers and suppliers. If you need any assistance with Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.

 

Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and Cyber Advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials and IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world, including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only and should not be taken as legal advice.