Introduction

Cyber Essentials is a UK government-backed scheme and the recommended minimum baseline cyber security standard for organisations – it aims to protect organisations from the most common forms of internet-based attacks. One of the first steps in achieving Cyber Essentials is scoping – this defines what systems, devices, and networks are covered under the certification. 

 

Why Scoping is Important

Scope is where the technical controls must be applied. It is easiest to think of in terms of a network boundary that contains the internet-connected devices which access organisational data and services. Scope can be seen as a combination of three key areas:

  1. Organisational data and services – the ‘crown jewels’ of most organisations
  2. Internet-connected devices, and the users of those devices, that access the ‘crown jewels’
  3. Internet connectivity and internet-facing devices – the source of the most common threats

It’s imperative that technical controls are applied to the in-scope assets and that there’s also an alignment on scope between the organisation seeking Cyber Essentials certification and the certification body carrying out the assessment – so getting scoping right is crucial.

 

Cyber Essentials Scoping

The Cyber Essentials: Requirements for IT Infrastructure document defines scope over a number of pages – the following points set this out at a high level.

In-scope, where the technical controls need to be applied:

  1. Servers, desktops, laptops, mobile phones, tablets with internet connectivity and that access organisational data/services – company-owned and/or personal devices
  2. Cloud services relating to organisational data/services
  3. Internet-connected wireless devices – including access points
  4. Accounts used to access organisational data – whether used by the organisation applying for certification or by third parties
  5. Publicly available commercial web applications
  6. Network equipment that controls the flow of data between the internet and (in-scope) devices – including routers, firewalls, and business broadband devices

 

Considerations and Key Notes

When considering the scope of your organisation, you can choose to certify the whole organisation or to exclude parts of it:

    1. Ideally, the whole organisation should be in scope, to reduce risk and protect customer data. Free cyber liability insurance may also be available

    2. Parts of the organisation may be excluded from scope, for example where out-of-support software or operating systems must be retained. A network sub-set can only be excluded if it is segregated from the in-scope environment by a firewall or VLAN

Key Notes

  • NCSC Cyber Advisors are also available and specially trained to assist with Cyber Essentials – including scoping
  • An asset list/inventory is not one of the Cyber Essentials technical controls, but it is a necessary input to the process – you must know which devices can access organisational data/services before you can scope correctly

The Requirements for IT Infrastructure document is the main source of information for scoping of Cyber Essentials – an example of how this helps is shown in the table and diagram below, sourced from that document

Example Scenario 

Organisation ABC uses Microsoft 365 for Business to store organisational data (including email). It has multiple additional cloud services. The main office has 20 employees, using 10 Windows laptops and 10 Windows desktops. 5 employees work from home, using 5 MacBooks. In total, 10 Apple iPhones (company devices) and 10 Samsung/Android phones (personal devices) are also used to access organisational data (mainly email). Printers are used occasionally in the office and at home. The office network consists of a DrayTek router/firewall and an unmanaged layer-2 switch, both purchased and set up by the organisation. The work-from-home networks all use ISP-provided home broadband. A third party (a managed service provider) provides IT support, using its own equipment to do so.

For this environment, the ‘in scope’ assets for Organisation ABC’s Cyber Essentials certification are:

  • Whole Organisation is in scope – no sub-set environments being excluded 
  • 10 Windows laptops and 10 Windows desktops (main office) 
  • 5 Macbooks (work from home)
  • 10 iPhones (company) and 10 Samsung / Android (personal) phones 
  • DrayTek router/firewall (sourced by the organisation)
  • Microsoft 365 for Business and other cloud services
  • Accounts used by the employees and managed service provider

 

Tips and Recommendations

  1. Focus on internet-connected devices that access organisational data and services
  2. Work-from-home and personal devices are typically in scope
  3. Devices with no internet connectivity, and sub-sets segregated by a firewall or VLAN, can be considered out of scope
  4. Guidance and support on scoping is available from NCSC Cyber Advisors and NCSC Assured Service Providers (such as RB Consultancy Ltd)

For more detailed guidance, review the Requirements for IT Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.

 

How We Help

At RB Consultancy Ltd, we support organisations to improve their cyber security and to meet the Cyber Essentials and Cyber Essentials Plus requirements. As an NCSC Assured Service Provider and IASME Certification Body:

  • We explain the importance of Cyber Essentials and help ensure the right scope is applied
  • We can explain why the Cyber Essentials questions are being asked and how the controls they test protect organisations
  • We support organisations to achieve Cyber Essentials and Cyber Essentials Plus.
  • We assess and issue organisations with certifications

 

Conclusion

Having the right scope for Cyber Essentials and Cyber Essentials Plus is critical for certification and for protecting your organisation from cyber threats. An inaccurate scope can leave your organisation vulnerable. Implementing best practices and ensuring compliance with Cyber Essentials technical controls can bring huge benefits to organisations, including reduced risk, the ability to bid for new contracts, free cyber liability insurance, and enhanced trust from customers and suppliers. If you need any assistance with Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.
