
3RD_PARTY

SC0001

Is a CASBE service needed for third party cloud services where the services are not under our contract (such as work email accounts for news services)?

0

LITIG_050623

3RD_PARTY

SC0002

Is a third party also BYOD?

Third party device is owned and administered by another organisation; BYOD is owned by an individual.

UCISA_110523

3RD_PARTY

SC0003

What is the definition of third party contractor? For educational scenarios, would that include external examiners, visiting lecturers, etc?

It is up to the applicant organisation to determine whether they are a 3rd party contractor, not the CE requirements. 

UCISA_110523

3RD_PARTY

SC0006

In the context of Cyber Essentials compliance, what are Non-executive Directors classed as for the purpose of accessing company systems?

Currently we do not provide them with access to any internal systems, but we will soon be looking into using Microsoft Teams for Board level meetings and records management.

They use their own devices, we would not be providing them with equipment, but we may provide them with an account in Microsoft365 to access Teams.

Interested to hear from both Iasme and other orgs on how they deal with this type of scenario to meet Cyber Essentials compliance.

They would be considered as a 3rd-party contractor.
There is a great table in “Section C, subsection (vi) Devices used by third parties” of the Cyber Essentials requirements (link here: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf)
Any accounts you provide them with would be in scope and require the controls applied properly.
Their devices would be out of scope, however, your organisation is still responsible for confirming that the devices interacting with organisational services and data are configured correctly. It's up to you how to achieve this, as it falls outside of the assessment scope.

Statement is incorrect. Non-Exec directors are in scope as they are on the board of Directors of the organisation; address with AM.

LinkedIn_280723

3RD_PARTY

SC0007

Hi, if we have a group of employees using customer laptops rather than laptops owned and controlled by our organisation, and they only accessed our organisation's Cloud Services, e.g. O365, ServiceNow, MS Teams, etc., then I would understand that these devices are indeed 'in scope' of our Cyber Essentials submission. Correct?

So if in scope, do we need technical controls in place to prevent any of these customer owned laptops accessing these cloud services if they are not at the most up to date OS level, security updates, etc.? Or is it sufficient to say that the customer is keeping these laptops up to date and we have a contractual agreement in place that states this?

There is a great table in “Section C, subsection (vi) Devices used by third parties” of the Cyber Essentials requirements (link here: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf)
If these are BYOD (Employee owned devices) then yes, these would be in scope if they are accessing organisational data/services.
If they are owned by a 3rd party then the devices would be out of scope, however, any accounts provided to access organisational data would be in scope.
The 3rd-party devices would still be expected to have the controls applied:
“For devices out of scope of the assessment, your organisation is still responsible for confirming that the devices interacting with organisational services and data are configured correctly. It's up to you how to achieve this, as it falls outside of the assessment scope.”
Implementation of the controls can be achieved through any combination of Technical controls, procedures or policies.
How you implement this would be up to you.

LinkedIn_280723

3RD_PARTY

KH0001

ACCOUNTS

SC0008

What about scoping accounts? Students may be out of scope but their accounts will in many cases exist alongside staff accounts, presumably offering a common attack surface.

Statement is incorrect and 

UCISA_110523

ASSETS

SC0009

Do you need to show evidence of Asset Management for CE?

Asset management is not part of the requirements, but it is regarded as very important - it's much easier to protect your assets if you know what they are. Section 2 of the CE question set is all about asset management as these are the devices you need to apply the controls on.

CHANGES 280423

ASSETS

SC0010

Looking to apply for Cyber Essentials here for a Spanish company. Got a few doubts, I hope you can help. Any comment is much appreciated:
Regarding 'Scope of Assessment':

  • We have some desktop computers that are not from any specific brand/make. They are built by an IT seller, with different parts. How should we list them?

  • We have no actual thin clients, but many Windows computers connect to another with Windows Server as an OS, that hosts custom software for management purposes (reports, orders, invoices, etc.). Nothing like Citrix or similar. Is there some special comment about that?

  • We have our email services and web hosting hired to another company. Must we list it as a Cloud service?

We would expect something along the lines of “X x Custom PC running Windows 11 22H2” as an example.
Anything that can access organisational data/services needs to be included in scope. You would need to list the servers in the relevant question.
Organisational data includes any electronic data belonging to your organisation, for example, emails, documents, database data, financial data.
Organisational service includes any software applications, cloud applications, cloud services, user interactive desktops and mobile device management (MDM) solutions that your organisation owns or subscribes to. For example: web applications, Microsoft 365, Google Workspace, mobile device management containers, Citrix Desktop, Virtual Desktop solutions or IP telephony.
Again, if these contain organisational data/services then they need to be included in scope. We define a cloud service as: “A cloud service is where an applicant subscribes to a service (either paid or free) and controls who has access and/or carries out administrative duties.”
You would need to check the shared responsibility model in the requirements under cloud services to check what type of service these would be considered as.

LinkedIn_280723

BYOD

SC0004

Is a student BYOD device in scope?

A device owned by a student is not included in scope for CE. It’s important to note that the cloud services that the student connects to must be included in scope and the outlined controls applied.

UCISA_110523

BYOD

SC0005

Is a staff BYOD device in scope?

Yes, they are included as in scope because they are connecting to organisational data for running the day to day business of the applicant organisation.

BYOD

SC0066

Would a sessional or hourly lecturer, using a BYOD device, be a third-party contractor and so out of scope?

It is up to the applicant organisation to determine if they are a 3rd party contractor, not the CE requirements. 

UCISA_110523

BYOD

SC0011

All of our BYOD devices use network guest access when in our offices, which keeps them away from our servers. Does that mean that they are now within scope?

They would not be in scope if they are connecting to a segregated guest network and not used for business purposes. However, if they are being used for business purposes to access organisational data or services such as MS365, they will be in scope for assessment.

CHANGES 280423

BYOD

SC0012

A similar question around volunteers has just been asked. The response was: MDM isn't a requirement, although it can be useful. If the devices are BYOD, you'll need to control access to organisation data via allow listing (i.e. only permitted applications can access your data). How does this achieve the requirement of ensuring the device is running a supported version of the OS, i.e. a mobile running the correct version of iOS?

BLANK

CHANGES 280423

BYOD

SC0013

Could you please clarify the answer earlier about BYOD on the guest network. It was said the guest network is out of scope; does that mean the BYOD is out of scope, or is it still in scope if it is accessing org data and services? e.g. accessing email, Teams etc.

When a BYOD is connected to a guest network the device is out of scope (provided that the guest network is properly segregated via firewall/VPN). However, accounts used to access organisation data or services would be in scope. 

CHANGES 280423

BYOD

SC0014

Could you please clarify the BYOD on guest network answer please. I understand the guest network is out of scope, but surely a BYOD, even if connecting to this type of network, has access to the internet and is potentially still accessing org data and services via MS365 (email, Teams etc.), so the BYOD is in scope? The answer made it sound like BYOD is out of scope, e.g. if a BYOD is connecting to 3/4/5G, public wifi, home wifi or guest wifi but accessing org data and services from that device, it is in scope?

The devices themselves would not be in scope - however any accounts used to access organisational data or services would be. 

CHANGES 280423

BYOD

SC0015

How about "BYOD" devices where the companies don't have many controls?

The controls must still be applied to BYOD, these devices are as much a risk as company owned devices. This can be applied through a mixture of technical controls and a good BYOD policy for users to inform them how to apply the controls.

CHANGES 280423

BYOD

SC0016

If BYOD is restricted to just Office 365, is this acceptable?

MS 365, formerly known as Office 365, is an organisational service and contains organisational data; any BYOD device connecting to MS365 is in scope for CE.

CHANGES 280423

BYOD

SC0017

If we have a VDI service, must we apply technical controls to the devices that connect to this service, even though they may not be our corporate devices, i.e. third-party devices or BYOD?

Yes, there are known vulnerabilities with VDI connection software.

CHANGES 280423

BYOD

SC0018

If you have an employee who has a BYOD for day to day work and does touch company data, would this device be in scope?

If they are using the device to access organisational data or services, then yes, this would be in scope.

CHANGES 280423

BYOD

SC0019

The Device Scoping Table states that Employee owned devices, on BYOD are within scope - Are we expected to list and know of every single device that teachers may have, or use? 

Any device used to access organisational data or services is in scope. Teacher BYOD devices accessing the school's data and services can present a threat to the establishment if the controls are not applied.

CHANGES 280423

BYOD

SC0020

Do CE+ assessors now need to audit an employee's home technology and if so, how?

ISP routers are not in scope, and have not been since April 2021. BYOD belonging to the employee and used to access org data or services will be in scope and can be considered for the audit sample.

LITIG_050623

BYOD

SC0021

What policies for bring your own computer are sufficient to pass CE+ when the desktop is Citrix? Is a written policy sufficient?

Devices used to access VDI are in scope, since a vulnerable device used to connect to the desktop could be used to compromise the virtual system. Written policy alone is not acceptable; there must be a combination of technical and written policy.

LITIG_050623

BYOD

SC0022

Does CE+ allow printing from home computers where they are used for BYOC using Citrix, work cloud email (365 / Mimecast) or thin client?

Printers are not mentioned in the CE requirements and are considered out of scope of the assessment. CE+ absolutely allows printing from home computers/VDI. 

LITIG_050623

BYOD

SC0023

Is there anything that you can do to take a personal computer (BYOD / BYOC device) that is connecting to VDI (Citrix) out of scope?

If the BYOD is accessing org data/services, it will be in scope. A Citrix Desktop or application is an organisational service, and any BYOD devices connecting are in scope.

LITIG_050623

BYOD

SC0024

Are BYOD devices connecting to VDI systems in scope in the Evendine ruleset, or just in the Montpellier ruleset?

This discussion has been had for a number of years now and those BYOD devices also apply under the Evendine question set. So if you applied for Cyber Essentials on the 23rd April or before, you would still use the Evendine question set and yes, those BYOD devices would be in scope.

DigitalLoft240423

BYOD

SC0025

I think his answer was "BYOD devices connecting to VDI are in scope in BOTH rulesets". This is a bit confusing to me because we did our audit in Nov 22 and our auditor said that it was not the case IF we segmented our data such that no corporate data (including printing) was available on the BYOD device itself.

If you would be happy to email in the details to us at info@iasme.co.uk we would love to hear more about this. I can confirm that devices connecting to a VDI connection would need to be included in the scope. 

DigitalLoft240423

BYOD

SC0026

If a 3rd party contractor uses their own equipment to access our services, is that in scope in the same way that employee BYOD devices would be?

In the new version of the requirements is a section which shows the requirements for different BYOD scenarios with third party devices and accounts. Accounts belong to the organisation, so they’re always going to be in scope for assessment. For devices, refer to the table for guidance. It’s up to the applicant to determine how to ensure that the third party devices have the controls applied to them as part of any supply chain agreement.

DigitalLoft240423

BYOD

SC0027

In an educational setting - student devices (BYOD) on a segregated VLAN with access to the internet, is that in scope?

No, that segment is not in scope.

DigitalLoft240423

BYOD

SC0028

In Higher Education, are student BYOD phones and other devices in scope?

There's a table in the version 3.1 requirements that states when a device is in scope or not. If they're connected to the Business Network of an organization they will present a risk. So we would expect them to be included. But if they're on a separate Guest Wi-Fi or student network they are not in scope.

DigitalLoft240423

BYOD

SC0029

Is it mandatory to use a technical control for BYOD, or if policy or manual methods are mentioned, can we still issue an advisory that it should be done technically?

The controls should be applied using a mixture of technical controls and written policy. It is recommended that for larger companies this is managed through technical implementation, but it's not a control in itself.

DigitalLoft240423

BYOD

SC0030

A number of our users access their Exchange Online mailbox i.e. their calendar and email from their personal mobile device. They connect to the internet via 4G or our guest wifi network.
We have no control over these devices. What is best practice from a CE perspective of dealing with these devices/users?
Do we just deny access to M365 services?

Any employee owned device accessing organisational data or services has to be in scope. The Montpellier requirements document has a great table that shows when a device would be in scope or not in scope for BYOD, which can be found here: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf

LinkedIn_280723

BYOD

SC0032

Windows 365... say an applicant is using a business instance of Windows 365 and accesses it from the browser on their smart TV at home. Does the smart TV come into scope as BYOD?

0

YAMMER_280723

CLOUD_SERVICES

SC0033

Are cloud hosted telephony systems in scope and their associated handsets and firmware?

IP Telephony is not in scope of CE, but tablets and smartphones are. If you are using a Teams phone this is accessing organisational services (MS Teams) so would be included. IP telephony devices are not necessarily something that we would call a device but IP telephony is included as an organization's service within the requirements. So the service itself is in scope, for the devices it depends on what type of handset it is. If it's considered as a smartphone or a tablet that's accessing an organizational service it would be included in scope. You would need to check the requirements document, look at the definitions and see if it applies to your infrastructure depending on the equipment you've got.

CHANGES 280423

CLOUD_SERVICES

SC0034

If we operate an in house software package/ERP that's hosted in IaaS Azure, Windows IIS role, does this fall under your definition of Cloud Service?

Because it's accessed across the Internet and it is Infrastructure as a Service, that is classed as a cloud service and you would need to apply MFA to it.

CHANGES 280423

CLOUD_SERVICES

SC0035

If you have DNS service provided by a third-party that allows the registration and management of public DNS records via the third-party web site, is this classed as a cloud service and in scope or a web app and out of scope?

I think that's something that warrants further discussion. We often get things that sometimes catch us out a little bit, and that one's caught me out, I'll be honest, but we'd be happy to discuss that offline. And probably, yeah, we could answer that if we had a better discussion. I can't give you an instant answer on that, I'm afraid. So the person who asked that question, you can ring or email info@iasme.co.uk and just say that you want to be put through to Neil. Or any of the technical team - Neil's actually often out and about talking, so any of the technical team would be great.

CHANGES 280423

CLOUD_SERVICES

SC0036

Is it possible to get further clarification on the difference between a Web Application and a Cloud Service? We feel it's not clear. If we develop a web hosted application for internal staff, which does not leverage MFA for standard users, can this lead to a CE failure? This system would not be sold or offered to customers. It would be an internal application only, but hosted on the web for ease of access.
The application would still enforce password complexity.

Cloud service applies where there is a subscription (whether paid or free) and there is some kind of administrative control (creating/deleting accounts, setting configurations, etc). MFA would be needed for all users of a cloud service. 

CHANGES 280423

CLOUD_SERVICES

SC0037

Similar to Ben's question about MFA, the table showed that customer devices are in scope - does that include those that access a cloud service that we wrote and supply to them?

The decision on whether to include this is for the company to make, but it's highly advisable to use MFA for cloud services where it is available as it is now mandatory for CE and customers may well request it in future (e.g. if they decide to become CE certified)

CHANGES 280423

CLOUD_SERVICES

SC0038

What's the difference between a 'cloud service' and a website that we use regularly?

This is now in the Montpellier question set and agreed with the NCSC for the purposes of Cyber Essentials. It is a service you subscribe to, whether it's paid or free, and you have some control over setting up users or administration of that service. We are very often talking about Salesforce, MS365, Google Workspace, but that's just the tip of the iceberg. Web portals are where you don't have that level of access and can't turn MFA on or set up the users or assign roles to them. They're not the same. So if it's a hotel booking system, that would be classed as a web portal. There are so many different ones it can be difficult to judge, but it is based on that level of administration and whether you subscribe to that service.

CHANGES 280423

CLOUD_SERVICES

SC0039

If an organisation does NOT control admin activities on their 365 tenant (outsourced) does it fall out of scope as a "cloud service"?

It depends on how the 365 service is outsourced. If you've outsourced it to your MSP or IT support company to do the administration for you, you are still subscribing to that service. You're paying the subscription and you will need to apply the controls of Cyber Essentials. Where you're outsourcing it to an MSP or an IT services company to do the administration for yourselves, it remains in scope.

DigitalLoft240423

CLOUD_SERVICES

SC0040

So does the definition for cloud services in scope mean that an organisation must be aware of every employee's use of any cloud service? And must that usage be centrally managed? 

This is an area that we've added further guidance to within Cyber Essentials this year. In the version 3.1 Requirements we've added a section of advice around asset management.
So you really should have an awareness of all your devices, software services and all the cloud services in use by your organisation. Those cloud services you are not monitoring could still pose a threat, and you should be aware of them because you still need to apply controls to those services, and where available they must be using MFA. We do talk about asset management not only being devices now. So that is a new area of advice, and it's absolutely the foundation of a Cyber Essentials assessment to know all the services, all the devices and all the software in use by your organisation.

DigitalLoft240423

CLOUD_SERVICES

SC0041

What if you use Microsoft 365 for a different part of your organisation which is unrelated to the scope of your CE when you are a large organisation, i.e. multinational etc.?

The tenant would need to have the controls applied to it. 

DigitalLoft240423

CLOUD_SERVICES

SC0042

Cloud apps - Are there exemptions? E.g. support portals or telephony portals?

There are no exceptions to cloud services within the definition given earlier. All cloud services in use by the applicant organisation are in scope and need to be declared. 

DigitalLoft240423

CLOUD_SERVICES

SC0043

35.50 Have NCSC offered any more information on the definition of a web portal in the context of what is or what isn't a cloud service?

The thing with web portals is that it is up to you to decide whether it's a cloud service. If it is not a cloud service, it is not in scope; therefore there is no point in providing 'what is the definition of a web portal', because a web portal wouldn't be in scope. The important thing is, you as an assessor must decide whether it is considered as a cloud service. If there's still some confusion about the definition of a cloud service, again provide feedback; the more we get, the more I can push it back to Neil and the tech working group and say, hey, there's still a problem here with regards to that cloud service definition. [ANDY] I keep saying it, feedback is really important, because it's what implements the change. At the moment Cyber Essentials talks about cloud services, it doesn't talk about web portals; the only reason we mention web portals is so we don't have to include them as a cloud service, if that makes sense. Web portals aren't a thing for Cyber Essentials. The last time we asked, they might end up saying everything is a cloud service, which is the danger; it becomes a bit untenable for everyone, so careful what you wish for. All else is a web portal, so is not in scope of CE. We can feed it back if it is a constant issue for everyone.

AW280623

CLOUD_SERVICES

SC0044

Web portal versus cloud service definition

As previously stated there is no definition of a web portal, because if it's not a cloud service it's not in scope. A cloud service is defined as any service to which an applicant subscribes, whether paid or free, and has administrative control or control over the accounts within - and obviously it also contains organisational data as well.

AW280623

CLOUD_SERVICES

SC0045

Good morning, everyone. A question about definitions and distinctions. A reply from IASME in this group about four months ago stated, "You could consider a cloud service is where an applicant subscribes to a service (either paid or free) and controls who has access and/or carries out administrative duties. Anything else would be considered as a web portal and would not need to be included in scope."

I'm happy so far, but what is the difference between a web portal (apparently not in scope) and a web application (in scope)? The answer determines whether some 60 web-based platforms in use by my client are in or out of scope. Is Just Giving in scope? My client uses a single login to mount charitable funding campaigns and monitor donations. What about online collaboration and data gathering tools (Slack, Smart Survey, Tableau, Zoom, Mural, NVivo)? All of these handle organisational data for day-to-day planning and operations, but are not cloud services according to the definition. Are they portals or web apps?

On this point, please could someone clarify where in the guidance it states or implies that web portals are not in scope? The word 'portal' does not feature anywhere in the requirements document. Thanks for your help!

The requirements list what is considered as a cloud service in the requirements document:
“We consider three different types of cloud service:
Infrastructure as a Service (IaaS) - the cloud provider delivers virtual servers and network equipment that are configured and managed by the applicant, much like physical equipment would be. Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

Platform as a Service (PaaS) - the cloud provider delivers and manages the underlying infrastructure, and the applicant provides and manages the applications. Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

Software as a Service (SaaS) - the cloud provider delivers applications to the applicant, and the applicant configures the services. The applicant must still take time to ensure the service is configured securely. Examples of SaaS include Microsoft 365, Dropbox, Gmail.”

Due to them being out of the scope of Cyber Essentials, there is no clear definition of what is a Web Portal and what is a Web Application; as such, they would be considered to be the same as each other.

LinkedIn_280723

CLOUD_SERVICES

SC0046

I'd appreciate thoughts on this: A large, global company uses Teams/Sharepoint for everything. They scoped their GB operation only, to which my remark was along the lines of "do other users outside of the UK use the same data as the UK operation", to which the reply was "As our business is international, if there is a requirement for access to data within Sharepoint/Teams/OneDrive/file server, for example to collaborate on a project that multiple xxcompanyxx entities are involved in, then this is possible. The access to this data is strictly controlled by the owner of the collaboration space so there is no data accessible by unauthorised personnel." I'm pretty sure this must be a global phenomenon, in which case surely Sharepoint must be administered in higher echelons (it is an American company), which would mean that essentially they are not in full control of their own data, and therefore can't scope GB only. But I am not a Sharepoint expert; is there a way that they could actually do that?

0

YAMMER_280723

CLOUD_SERVICES

SC0098

Is the location for cloud-based services just ‘in the cloud’ or would you need to know the physical location of the servers of the cloud service provider?

Cloud Services locations do not need to be included within your assessment for CE, although as you move onto other certification paths like ICA this will become more relevant regarding where your data is stored. For CE you just need to list the locations that have networks under your control along with how many remote (home) workers you have.

QUESTIONS_300823

CLOUD_SERVICES

SC0099

‘Do you own or rent servers’ – does this refer to a physical server that’s just for us? We purchase storage from Amazon Web Services. Is this counted here?

AWS storage would be counted as a cloud service and fall under the shared responsibility model definition in the requirements document. If you rent IaaS infrastructure from AWS and configure the virtual servers then these would need to be included in the scope of your assessment.

QUESTIONS_300823

CLOUD_SERVICES

SC0105

We find the question of cloud services comes up a lot. Would SumUp, Stripe or WordPress be considered cloud or non-cloud? You can create admin and user accounts, but they are in themselves services?

All of the services you have listed are Cloud Services for the Cyber Essentials definition.

LINKEDIN_290923

COMMENT

SC0047

It's an analogy that doesn't work very well though - because a visiting lecturer is likely to have a device that the visited institution has no management control over. We need to treat them as BYOD.

COMMENT

UCISA_110523

COMMENT

SC0048

Research assistants - sometimes research could be conducted using devices belonging to a 3rd party - so I think that isn't always n/a. And same for students (say nurses at the NHS)

COMMENT

UCISA_110523

COMMENT

SC0049

It's not case specific! It's Academia. And what about Emeritus staff? And eduroam complicates things even further!

COMMENT

UCISA_110523

COMMENT

SC0050

If visiting lecturers' and external examiners' BYOD were in scope, it would be particularly challenging because only one instance of an MDM can run on their device should they contribute to multiple HE.

COMMENT

UCISA_110523

DESCOPING

SC0051

Also Neil answered the BYOD devices connecting via Guest network question by saying the guest network was out of scope but aren't BYOD devices that connect to 'corporate/company' data still within scope? Regardless of connecting via Guest network (or home/public internet).

The devices themselves would not be in scope - however any accounts used to access organisational data or services would be. 

CHANGES 280423

DESCOPING

SC0052

Does manufacturing machinery running proprietary software (often doesn't get updates) that needs to be connected to both the internet and company resources to operate correctly need to be declared out of scope, or can it be moved to a separate VLAN with specific ports opened to lock it down? Or would these devices need to be declared as out of scope?

It would be highly advisable, if they're getting no updates or no support, that they are on a network segment. To be clear, a subset is effectively a network segment that is defined by a VLAN or firewall. And these particular manufacturing devices, if they require access to the Internet, you as an organization will not be able to obtain whole company certification, but you will still be able to obtain certification on the networks that meet the controls and the requirements. So you need to include an excluding statement which is question A2.2 of the question set explaining which networks are not included in the assessment.

CHANGES 280423

DESCOPING

SC0053

If we have an internal network protected from the internet via a hardware firewall and servers on that internal network are only able to access internal resources and Windows Update on the internet - is the server in scope or out of scope of CE?

So that would automatically be in scope from the outset, because it's accessing the Internet to receive those updates, and that's what we want to see - those servers get those updates. So good thing, those servers would be in scope. Now, because you've got a boundary firewall in between those servers and other areas of your network, it would be up to you whether you choose to scope them or descope them. So you can descope them by putting an excluding statement in, and that excluding statement would provide clarity on the certificate that there is part of your network out of scope. So you can have 'whole organisation excluding (named network)'.

CHANGES 280423

DESCOPING

SC0054

A few moments ago you answered a question from a user which stated "When segmenting off a section of the network to bring it out of scope what is the requirement for 'no access to the internet' does the device need to be completely isolated or just not accessible from the internet? What about restricted access to specific addresses controlled by firewall rules or via proxy?". It was answered that any internet connection is a failure. However, your guide for 3.1 says "can establish user-initiated outbound connections to devices via the internet". Most relevant systems are not user-initiated connections, this may be just licence checking, or API connectivity etc. 

It's the first time I've heard that come up in that and asked in that way. That may be something we need to have a discussion about and that's a good piece of feedback to understand and we will have to discuss that further within the technical working group. So thank you for that feedback, very useful.

DigitalLoft240423

DESCOPING

SC0055

It is often difficult and impractical to get certified in large organisations with complex IT infrastructure such as HE.
With all the changes, are we able to subdivide / silo off projects in order to limit the scope at which CE is applicable?

Yes, you can do what we call subsetting. It's also defined within the version 3.1 Requirements - the ability to divide off your organization internally by a network segment and apply projects to those network segments and the users of those network segments. If they're using the cloud services, that will bring those into scope. It's often a complex area, it's probably the area we discuss the most within support tickets. If you have questions about a particular scenario, I suggest you drop a call to IASME with the contact details info@iasme.co.uk and we can discuss that further, but the general rule of thumb is to use a network segment in that scenario. 

DigitalLoft240423

DESCOPING

SC0056

When segmenting off a section of the network to bring it out of scope, what is the requirement for 'no access to the internet'? Does the device need to be completely isolated or just not accessible from the internet? What about restricted access to specific addresses controlled by firewall rules or via proxy?

If they have access at any stage across the Internet such as through firewall rules or proxy they will be connected to the Internet in some form. When we say that the legacy system needs to be segregated with no Internet, that means no inbound or outbound connections of any kind to that legacy system. It's a quite simple rule there. We do not go into the level of allowing certain network configurations and specific firewall rules by IP address, that was something we actually took out of the scheme last year and we're not intending to implement that. We would really like to see legacy systems not exposed to the Internet at all.

DigitalLoft240423

DESCOPING

SC0057

Can I confirm the statement made by IASME on cloud separation based on company, where a global firm has UK and EU arms, the cloud may be segregated by company even though they share the same cloud but are separate companies. I am detailing this answer to client and want to be sure it's valid. 

I was unaware you could segregate clouds by company. If a cloud service is being used by an in-scope organisation, it is in scope of assessment, regardless of whether the global firm owns it or the subsidiary. For a 365 tenant for example, the 365 tenant of the global firm would be in scope if the UK scoped organisation was using it, and all controls must be applied. For cloud segregation, for example if a global company has a massive IAAS implementation, you can segregate by the same old VLAN/firewall segregation within there; the cloud service as a whole would be in scope but you could descope specific networks within the subscription if need be.

AW280623

DESCOPING

SC0058

CE Scoping: In charities, the guidance was that it would be possible to descope these devices. The challenge is mainly in relation to volunteer devices. Would appreciate some comment on this.

For charities there is another one of those almost unwritten exceptions, I'm not sure if it was documented anywhere, that charities can scope purely their offices and exclude all other networks, essentially removing volunteer devices from scope; however, it does not remove any accounts provided by the charity, so any email accounts, 365 accounts, Google accounts, Google email accounts provided by the charity still remain in scope of assessment. It's not really an exception, anyone can do it, you can scope whatever you want to scope, so if you think how charities are set up, the volunteers would generally not be working in the office, so they won't be considered homeworkers, so if they're only scoping the office that's a clearly defined subset, so that's what they're scoping. So that Liverpool office in that example is a good example, Battersea Dog's Home Liverpool office: those workers in that office, whether they work from there or they work from home, their devices are in scope; everybody else is beyond the scope of the assessment.

AW260423

DESCOPING

SC0059

28.05 A customer is looking for certification for their company although it appears that they don't work on their own devices but only on customer devices and the processes appear to be the customer processes for using their systems and not the company seeking certification, surely the customer element is out of scope?

Absolutely, anything that is not owned or managed by the organisation is out of scope of assessment, but you must remember that a scope without end user devices is not compliant. So if a client is looking for certification they must have their own networks, their own devices in scope of assessment. And any cloud services that are subscribed to, accounts within that cloud service, provided they are in scope, must have the controls applied.

AW_230523

DESCOPING

SC0060

The Montpellier questions, for example A6.7, talk about the need to move unsupported software onto machines in a separate sub-set, which can then be excluded from the scope of the CE assessment. (This may then result in the certification being scoped i.e. not “whole company”.) The guidance for A2.2 mentions excluding a “development network” as an example. We believed we understood what this was suggesting.
However, when we read the “About scope of evaluation” guidance document, we find in there a clear statement that “All devices that access organisational data or services are in scope”, and that we “Must include end point devices”.
Can someone explain whether that scope guidance is intended to apply to sub-sets? For example, a development network would need end point devices, and some of the data it processes would be owned by the company.

The Cyber Essentials Requirements document (https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf) states
“Assessment and certification should cover the whole of the IT infrastructure used to perform the business of the applicant, or if necessary, a well-defined and separately managed sub-set.
A sub-set can be used to define what is in scope or what is out of scope for your Cyber Essentials certification.
A scope that doesn’t include end-user devices isn’t acceptable.”
A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
Reasoning for de-scoping things from assessments could include devices not being able to meet the requirements or perhaps a global company only wants to scope a small part of their organisation.
These de-scoped networks would not be covered by the CE Certification.

LinkedIn_280723

DESCOPING

SC0061

How does CE cope with legacy operating systems and devices such as iPhones, older network switches, etc.?
We still have a few legacy UNIX servers which went out of support many years ago! We have a plan to phase these out over the next 18 months but we're looking to attain Cyber Essentials certification in the meantime.
We also have quite a number of iPhone 8s around the business which I believe will be out of support when the next version of iOS is released.
Is there a pragmatic way to deal with this situation or is it a case of rip out and replace? Obviously, there is a significant financial implication to this and I'm certain there are other businesses out there with the same predicament.

In the case that some devices cannot meet the requirements, we expect these to be moved to a sub-set.
A sub-set is part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
You would need to make sure there is a boundary firewall between the production network and the development network (Or segregation can be applied via VLAN).
This would mean that the devices on the de-scoped network would still be able to access the internet.
And also, that the Production network and the development network devices can communicate with each other.
This would mean the scope description would have to change, something along the lines of “Whole organisation excluding X network”. Inter-VLAN routing can still occur as long as there is a VLAN in place with a clear boundary.
The networks can still communicate because a sub-set is used to de-scope sections of the network from the assessment.

LinkedIn_280723

DESCOPING

SC0062

The 'whole organisation' scope, it is said "would include all divisions and all people and devices that use business data". However unless I have misunderstood something, devices that are using obsolete software or operating systems on the same network would cause a non-compliance regardless of whether they use business data; or have I got that wrong? 

Anything connected to an in-scope network would be in scope of assessment. The only way to remove a device from being in scope would be to place it within a subset.

YAMMER_280723

DESCOPING

SC0101

To comply with CE when someone has an end-of-life device or software, I understand it can be de-scoped by segmenting it to an internet-restricted VLAN. Two questions:

  1. Does this need to be detailed in the scope section; saying "All of the organisation except the end-of-life VLAN", or is it just out of scope so you can still claim "all of organisation" with regards to the scope?

  2. Can it have some internet access so that it can be monitored or get AV updates etc, either through very specific firewall rules or a Proxy, and have all default internet access blocked?

Here are the requirements for sub-sets:
A sub-set is part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
You would need to make sure that there is a boundary firewall between the main networks and the ‘development network’ (or segregation can be applied via VLAN).
This would mean that the devices on the de-scoped network would still be able to access the internet.
The main network and the ‘development network’ devices can communicate with each other.
You wouldn’t be able to go for “Whole Organisation” for your scope description and would need to put something along the lines of “Whole Organisation Excluding Dev Network”.
If you required “Whole Organisation” you would also need to remove ALL inbound and outbound internet connections at the boundary of the subset.

LINKEDIN_290923

DESCOPING

SC0104

We have 2 devices which use a generic login, used by more than one person.
I know that as it stands this is a fail if on the network, but would it be acceptable if the device is in Kiosk mode with access to the one and only screen used, which is an input screen in our business solution application.
I'd really appreciate your input on this.

This device would need to be segregated into a compliant subset using a firewall or a VLAN, this would descope this device from the scope and use an excluding statement within your scope description. If you then choose to remove all inbound and outbound internet connection at the boundary of that sub-set, you can still obtain whole organisation certification.

LINKEDIN_290923
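The two sub-set arrangements described in SC0061, SC0101 and SC0104 (a de-scoped network that keeps internet access and needs an excluding statement, versus one with no inbound or outbound internet that still allows a "Whole Organisation" scope) written out as a single boundary-firewall ruleset. This is an added example, not IASME's or the NCSC's own configuration; the interface names, address ranges, table name and log prefixes are constructed assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from IASME or the NCSC requirements): boundary firewall
# between an in-scope main network and a de-scoped legacy sub-set.
# Constructed assumptions:
#   wan0     - uplink to the internet
#   lan0     - in-scope main network, 10.10.0.0/24
#   legacy0  - de-scoped sub-set (separate VLAN), 10.20.0.0/24
define WAN        = "wan0"
define LAN        = "lan0"
define LEGACY     = "legacy0"
define LAN_NET    = 10.10.0.0/24
define LEGACY_NET = 10.20.0.0/24

table inet boundary {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped,
        # which already covers all unsolicited inbound traffic from $WAN.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inter-VLAN routing between the main network and the sub-set is
        # allowed in both directions (the sub-set is still outside the
        # certified scope; the VLAN boundary is what de-scopes it).
        iifname $LAN    oifname $LEGACY ip saddr $LAN_NET    ip daddr $LEGACY_NET accept
        iifname $LEGACY oifname $LAN    ip saddr $LEGACY_NET ip daddr $LAN_NET    accept

        # In-scope main network: user-initiated outbound connections only.
        iifname $LAN oifname $WAN accept

        # Option A, scope "Whole Organisation excluding Legacy VLAN":
        # the sub-set keeps outbound internet access. Uncomment to use it.
        # iifname $LEGACY oifname $WAN accept

        # Option B, scope "Whole Organisation":
        # no accept rule exists between $LEGACY and $WAN in either direction,
        # so the sub-set has no inbound or outbound internet at all. The two
        # rules below only log the attempts, which is useful evidence for the
        # assessor and for spotting a legacy host that still phones home.
        iifname $LEGACY oifname $WAN    log prefix "legacy-subset-egress-blocked "  drop
        iifname $WAN    oifname $LEGACY log prefix "legacy-subset-ingress-blocked " drop
    }
}
```

Two points worth checking against the answers above. First, the `established,related` rule never opens an internet path for the sub-set in Option B, because no initial connection from or to `$LEGACY` via `$WAN` is ever accepted. Second, the inter-VLAN rules mean a proxy or relay running on the main network could still give the sub-set indirect internet access; SC0056 treats access through a proxy or specific firewall rules as internet access, so if "Whole Organisation" is the goal, either don't run such a service on the in-scope side or narrow the inter-VLAN rules to the specific ports the sub-set genuinely needs.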

DEVICES

SC0063

What sort of things can be out of scope?

Printers, ISP routers, anything on a segregated network although the subnet would need to be declared in the scope description. Personal devices used only for native voice/text or for MFA authentication. 

LITIG_050623

DEVICES

SC0064

How would we enforce firmware updates or segregation of routers when people are working from home using their own routers?

When working from home and using an ISP-provided router, the ISP router is not considered in scope for the assessment.  

LITIG_050623

DEVICES

SC0067

Are Academic (staff) owned iMac/MacBooks (BYOD) devices expected to be enrolled on to Org MDM systems? 

The use of technical measures has always been the requirement to apply the controls of Cyber Essentials.  For BYOD devices a conditional access policy based on supported operating system compliance should be used.  Many cloud services have this functionality and we have seen this used across many sectors to manage BYOD access.   

UCISA_110523

DEVICES

SC0068

Is it a dependency of whether they are connected on a guest network or main network?  Does network segregation matter?

Devices that connect on a guest network are not in scope. The ideal setup would be to have student devices connected to a student/guest network. Devices connecting to operational networks should then be considered as in scope.

UCISA_110523

DEVICES

SC0069

Is there any distinction between a BYOD phone used for data access (e.g. email) and one used simply as the MFA app device? 

BYOD phones which are used for data access are in scope; BYOD phones used for MFA authentication only are not in scope. This is included in the requirements document, and was updated to make this requirement clearer.

In addition to mobile or remote devices owned by the organisation, user-owned devices which
access organisational data or services (as defined above) are in scope. However, all mobile or
remote devices used only for the purpose of:

  • native voice applications

  • native text applications

  • multi-factor authentication (MFA) applications

UCISA_110523

DEVICES

SC0070

And I don't understand the "N/A" in the 'Third Party Organisation Owned' column for employee/volunteer/trustee/RA/student - couldn't they all have devices that are owned by 3rd parties?

The N/A option applies to 3rd party devices where your organisation does not have administrative control or a usage policy to issue to your users and students. These devices will be dealt with by your supply chain process.

UCISA_110523

DEVICES

SC0071

How does N/A differ from "out of scope"?

The N/A option applies to 3rd party devices where your organisation does not have administrative control or a usage policy to issue to your users and students. The 3rd party devices will be dealt with by your supply chain process and agreements.

UCISA_110523

DEVICES

SC0072

Are we going to hear more about pilot pathway that is in flight?
And that is what JISC briefs out (comment in relation to the Matt Doxey - My understanding is that all University owned devices are in scope if they access any University system or data FROM ANYWHERE

All University owned devices are in scope if they are accessing University systems and data from anywhere. Those devices will need to have supported operating systems and be configured to the requirements outlined. The software firewall on the device should be configured to match the requirements.

UCISA_110523

DEVICES

SC0073

I don't understand the differentiation between '3rd Party' and 'BYOD' on this table on screen. Surely there are devices owned by us, and those not owned by us. Who actually owns and manages them is unknown to us and uncontrolled by us.

The N/A option applies to 3rd party devices where your organisation does not have administrative control or a usage policy to issue to your users and students. The 3rd party devices will be dealt with by your supply chain process and agreements. Where the applicant allows BYOD by their employees there needs to be controls in place.

UCISA_110523

DEVICES

SC0074

We have a number of printers (MFPs) that flag up with CVSS scores of critical/high on our vulnerability scanner, mainly to do with SHA1 certificate issues. These are 5+ year old devices on the latest firmware but NOT internet facing.
To replace these devices would be a considerable cost to the business and they are in very good working order.
Would this be considered a problem when pursuing CE+ certification?

Printers are not deemed to be in scope for Cyber Essentials Certification.

LinkedIn_280723

DEVICES

SC0075

If an iOS device is not able to access the internet or corporate resources but can be used as a phone, will it be assessed as non-compliant if not on the latest iOS?

If a mobile or remote device is not accessing any organisational data/services and is only being used for: native voice applications (calls), native text applications (texting) or multi-factor authentication (MFA) applications then that device would not be in scope for Cyber Essentials.

LinkedIn_280723

MANAGED_OFFICE

SC0076

For the purposes of completing CE does the cyber security set up of a managed office come in scope? I'm completing CE for a small team who come together for 2 days a week in a managed building and I have no sight of their security.
The office is rented to the team so in itself it's not a shared space.

The applicant needs to try and get this information from the landlord. If they cannot gain this information, then they can either set up another firewall behind the landlord's, or rely on the software firewalls in the end user devices.

LinkedIn_280723

OTHER

SC0077

Scope in 3.1 (and previous versions) states that requirements apply to all devices and software in scope which meet any of these conditions: can accept incoming network connections from untrusted internet-connected hosts, can establish user-initiated connections to devices from the internet or controls the flow of data between any of the above devices and the internet. Therefore, if your device is in scope, but meets none of those conditions, it is out of scope of the requirements?

We will discuss this further - thank you!

DigitalLoft240423

OTHER

SC0078

27.11 In the 3-year training it clearly states scope must be agreed with the CB before marking the assessments; marking the whole pool assessment contradicts this.

Yes, it needs to be agreed with the CB. In this case, because it's central pool, IASME are that CB, so when it's your own client it's a lot easier for you to have that conversation and to define that scope before you carry on with the whole assessment. Ideally that's what we want, but if you're coming through central pool it's not a CB client, it's an IASME client. The bottom of 2.4 says if you're marking through the IASME central pool you must use the option of more information required and ensure you add appropriate comments to complete marking the assessment; we have clarified that now in the marking guide.

AW260423

OTHER

SC0079

Marking CP CE. Applicant states at A2.7 'Staff either work out of a shared workspace in xxxx University (with no dedicated, or company-controlled, hardware) or from home...so we believe there is nothing "in-scope" from a networking perspective'. My question is, as the Uni is managing/providing the 'shared workspace', they are acting as a service provider in essence and the Applicant should therefore seek details of how the environment is managed, i.e. router password changes, firewall password changes etc. Comments appreciated.

In this scenario the University owns the network and controls should be applied on the boundary firewalls; they cannot rely on the software firewalls as the boundary. They should be checking with the Uni IT support that the controls have been applied.
For clarification, this was presented to IASME and NCSC and the CE Requirements were updated in April 2021 to address this exact scenario. The applicant is part of the University and as they were working on a University Network, it would not be considered as an untrusted network and would be included in the assessment.
Software firewalls are acceptable to be declared as the boundary when the organisation is not in control of the network, but in the instance of a managed office, they can use the boundary provided by the third party and scan that, with the provider's permission of course. If they don't want to do that, then we would encourage them to purchase their own equipment that they can set a boundary up on, and then, like you say, worst case scenario is software firewalls.

YAMMER_280723

LOCATION

SC0080

I have a pool assessment with all offices based in Netherlands. No UK offices.
Are there any issues here?

There are no location restrictions on CE, other than the holding of CE data, which must all be kept within the UK.

YAMMER_280723

LOCATION

SC0081

For A2.3 a pool applicant has put "All UK (London) and US offices" - does CE cover the US offices? Do I need to ask them to remove it from the scope?

It's a matter of semantics, I know. However, this is the direction the NCSC want to go with scoping statements after discussions with Crown Commercial Services.

YAMMER_280723

LOCATION

SC0103

  1. We have a UK subsidiary with a parent company in India, and we've implemented an infrastructure that includes Firewalls, Patch management, Anti-malware software, Access controls, and Network configurations. However, within the UK subsidiary, we only have one laptop. Can we still pursue Cyber Essentials certification?

  2. We don't maintain a central office in the UK or Crown Dependencies and our main headquarters are located in India, with an annual gross turnover of 10.2 Million, are we eligible to obtain the Cyber Essentials Basic certificate?

I can see that you have raised a ticket directly with us already, so one of the team will be in touch as soon as possible.

LINKEDIN_290923

PEOPLE

SC0082

Differentiating  user device in a scoping context, would it be helpful to focus on whether they are a consumer of a service the university provides or actively participating in the running of the university in any capacity? And if they are participating in the running of the organisation, are they directly managed by the organisation or are they present through some form of partnership? 

0

UCISA_110523

PEOPLE

SC0083

RE: students being out of scope - if Students are also staff, or staff are also students, I assume they are 'in scope' but only in relation to their staff role?

If they are considered staff for any period of time, their devices should be considered as being in scope.

UCISA_110523

PEOPLE

SC0084

I'm not sure about that distinction with hourly paid staff.... where is the limit? - we could have hourly paid staff at one end of the spectrum who do 1hr work. At the other end of the spectrum we could have staff who do more hours work than some permanent staff. They will all be employees.

In this scenario all users should be treated as employees, but the important thing is their device security. 

UCISA_110523

PEOPLE

SC0085

I think there's an issue with how "scope" is used/defined. The spec seems to be saying that your scope is based on a sub-set (VLAN or firewall zone), but most of the discussions here about what is in/out of scope doesn't refer back to a sub-set; we're talking about groups of users who may or may not still need to access corporate resources. It's very confusing.

Scoping of assessment is by networks with boundaries defined by firewall and VLAN, cloud services and those devices connecting. Network segmentation is recognised as a good cyber security control and is referenced in a lot of NCSC guidance.

UCISA_110523

PEOPLE

SC0086

Question A2.7.1 How many staff are home workers? Is it really as wide ranging as it seems? The guys I am dealing with have a couple of people who are contracted to work remotely, a few that work from home one day a week, sales people who may, on occasion, work from home after they have finished their appointments (rather than returning to the office). In addition, the company let people work from home if they are preparing for exams or cover childcare issues as well as the odd occasion where it would benefit the employee to do so. Therefore, would all staff be included as Home Workers?

Yes it is. Anyone who works from home, regardless of how often, must be declared.

LinkedIn_280723

ROUTERS

SC0087

If employees work remotely, will their home routers need to be included in the scope?

No - home routers are not in scope unless they have been provided by the company.

CHANGES 280423

ROUTERS

SC0088

Can you clarify the scope where your core Router is a 5G/4G Sim based unit? Is this a mobile device? How does this differ from using (not sure anyone would) a smartphone with a hotspot as the internet access point?

This would be acceptable and you would be considered as accessing the internet from an untrusted network if the router does not have a firewall. In these instances, your boundary would be the individual software firewalls installed on your devices.

CHANGES 280423

ROUTERS

SC0089

Question on homeworkers on Montpellier : Is it correct that we are now not asking for confirmation whether home routers are company supplied or ISP supplied? No longer appears mentioned in the marking guidance. 

You wouldn't have to confirm that. We don't want the ISP supplied home routers, they're not in scope of Cyber Essentials, that's been the case for a while now. If there's no other option but to scope a home router to get through CE+ and they're your client, that would be acceptable because the director is the only person - it's their router and they can decide to scope it. The reason that they got taken out was because it was considered a risk: say if you've got people working from home for a company and they still live with their parents, it's not theirs to control, but with a director it's their router, it's their home-supplied router; if they're a sole trader they can use it. But we wouldn't necessarily be chasing them down for that confirmation. What you're looking for is that they've got boundaries in place on all of their networks, and if they've only got home networks it's completely acceptable for them to be software firewalls, but they may have issues moving on to CE+, so it's worth reminding them of that or dropping that hint to them.

AW280623

ROUTERS

SC0100

Our team are contractors who work from home. Do we need to know about their router firmware? If so, what exactly should we ask them to provide? It also wouldn’t be our responsibility to fix any router problems they might have as the routers belong to them not to our company – how do we manage that under Cyber Essentials?

ISP supplied home routers are not in scope for Cyber Essentials. If your contractors are third party and you wish to include their devices in your assessment, they will need to apply the controls to the software firewalls installed on their devices. Each device can then have its own individual boundary (this can only happen on untrusted networks not under the control of the organisation).

QUESTIONS_300823

SERVERS

SC0090

In regards to the statement - All devices that are connecting to cloud services must be included.

Do servers need to be included in the End user devices question?

There is a separate question for servers.

LinkedIn_280723

SERVERS

SC0091

If an organisation uses three "servers", each running "Windows 11 Home 22H2", would they pass A2.5?

There's nothing in the requirements to state you must use a "Server" Operating System. After all any Linux distro can be used as a desktop or a server.

YAMMER_280723

SERVERS

SC0102

Is it fine to showcase our infrastructure residing in India while we opt for accreditation for our UK subsidiary?

How to proceed if we do not have any infrastructure hosted within the UK region, if we opt for Micro organizations (0-9 users) considering laptop users alone sit in UK sales offices?

I can see that you have sent in a ticket and this has already been answered by one of the members of our team.
We can only provide a limited level of advice and if you wish to get more specific guidance for your scenario it is highly advisable that you reach out to an NCSC Assured Service Provider where trained Cyber Advisors https://iasme.co.uk/cyber-advisor-scheme/
Or directly to one of our licensed Certification Bodies
https://iasme.co.uk/certification-bodies/
who are in a position to provide this.
If you would like further assistance please do not hesitate to get in touch with us at IASME directly via info@iasme.co.uk

LINKEDIN_290923

SWITCHES

SC0092

Does that include Layer 3 switches which route internet traffic? (Does it make a difference if it's an L3 switch which has the capability but doesn't use it?)

Layer 3 switches when used for internal network functionality are not in scope. Layer 3 switches when used to directly route traffic to the internet are in scope.

UCISA_110523

SWITCHES

SC0093

If a layer 3 switch has the capability to route internet traffic, is it in scope?

If the switch is routing traffic directly to the internet then it is in scope.  If the switch is being used for switch functionality only it is not in scope. 

UCISA_110523

VDI

SC0097

As I understand it, devices which connect via virtual desktops/RDP/RDG are also in scope, no matter how locked down the desktop is

End user devices accessing virtual desktops are in scope and need to meet the requirements of Cyber Essentials.

UCISA_110523

VIRTUAL

SC0094

Can you please confirm that virtual machines running on in-scope devices, e.g. a user running a VM on their Windows 10 laptop, are in scope too and need to be compliant and have the controls applied etc.? Heard a lot through the grapevine that they are not in scope but understand that they are and just want some confirmation.

Yes, these VMs would be in scope.

DigitalLoft240423

VIRTUAL

SC0095

If a VM running on an in scope device is not accessing org data and services, is it still in scope?

All software that's installed on that in scope device needs to be included in the scope. We are talking about virtual machines at the moment and potentially looking at alternative methods of segregation and subsetting for them, but we're not there yet, so yes, they would be in scope.
I don't think we could make any judgment on that because we would have to know the usage of that VM but it's a very general definition of data and services.
If somebody's got a VM on their machine, they're doing something for the business with it, so you could class either of them as services and data in that regard. So at this stage until we find a way of making VM segregation fit within the scheme, VM is in scope.

DigitalLoft240423

VIRTUAL

SC0096

Is a VM with networking disabled suitable for scoping legacy systems?

Currently this is not accepted if the VM is installed on an in-scope device. This is being discussed at the moment on the Technical Working Group and if there are any changes to this position, we will let everyone know.

DigitalLoft240423

DESCOPING

SC0097

To comply with CE when someone has an end-of-life device or software I understand it can be de-scope by segmenting it to an internet-restricted VLAN, two questions:

  1. Does this need to be detailed in the scope section; saying "All of the organisation except the end-of-life VLAN", or is it just out of scope so you can still claim "all of organisation" with regards to the scope?

  2. Can it have some internet access so that it can be monitored or get AV updates etc, either through very specific firewall rules or a Proxy, and have all default internet access blocked?

Here are the requirements for sub-sets:
A sub-set is part of the organisation whose network is segregated from the rest of the
organisation by a firewall or VLAN.
You would need to make sure that there is a boundary firewall between the main network and the ‘development network’ (or segregation can be applied via VLAN).
This would mean that the devices on the de-scoped network would still be able to access the internet.
The main network and the ‘development network’ devices can communicate with each other.
You wouldn’t be able to go for “Whole Organisation” for your scope description and would need to put something along the lines of “Whole Organisation Excluding Dev Network”.
If you required “Whole Organisation”, you would also need to remove ALL inbound and outbound internet connections at the boundary of the sub-set.
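As an added example of how such a sub-set boundary could be expressed (not taken from the page or from IASME), the following nftables ruleset sits on the boundary firewall between the main network and the end-of-life sub-set; the interface names lan0 (main network), vlan99 (end-of-life sub-set) and wan0 (internet uplink) are assumed placeholders.

```nftables
# Added example, not from the page or IASME. Interface names are placeholders:
#   lan0   - main (in-scope) network
#   vlan99 - end-of-life sub-set, segregated on its own VLAN
#   wan0   - internet uplink
flush ruleset

table inet ce_subset_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below
        ct state established,related accept
        ct state invalid drop

        # Main network keeps its normal internet access
        iifname "lan0" oifname "wan0" accept

        # Main network and sub-set devices can still communicate, as the answer states
        iifname "lan0" oifname "vlan99" accept
        iifname "vlan99" oifname "lan0" accept

        # No rule allows vlan99 <-> wan0 in either direction. With the drop policy
        # this removes ALL inbound and outbound internet for the sub-set, which is
        # the condition for still claiming "Whole Organisation".
        #
        # Re-enabling a rule like the one below (e.g. so the sub-set can fetch AV
        # updates from a specific host; <update-server> is a placeholder) gives the
        # sub-set internet access again, so the scope description would then have
        # to become "Whole Organisation Excluding <EOL VLAN>" instead:
        # iifname "vlan99" oifname "wan0" ip daddr <update-server> tcp dport 443 accept

        # Log anything the sub-set tries to send to, or receive from, the internet
        iifname "vlan99" oifname "wan0" log prefix "ce-subset-egress-blocked " drop
        iifname "wan0" oifname "vlan99" log prefix "ce-subset-ingress-blocked " drop
    }
}
```

The two logging rules are there so that any device in the sub-set that still attempts an internet connection shows up in the firewall log, which is a useful check that the isolation actually holds before the scope description is written.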

LINKEDIN_290923

SERVERS

SC0098

Is it fine to showcase our infrastructure residing in India while we opt for accreditation for our UK subsidiary?

How to proceed if we do not have any infrastructure hosted within the UK region, if we opt for Micro organizations (0-9 users) considering laptop users alone sit in UK sales offices?

I can see that you have sent in a ticket and this has already been answered by one of the members of our team.
We can only provide a limited level of advice, and if you wish to get more specific guidance for your scenario it is highly advisable that you reach out to an NCSC Assured Service Provider with trained Cyber Advisors (https://iasme.co.uk/cyber-advisor-scheme/), or directly to one of our licensed Certification Bodies (https://iasme.co.uk/certification-bodies/), who are in a position to provide this.
If you would like further assistance please do not hesitate to get in touch with us at IASME directly via info@iasme.co.uk

LINKEDIN_290923

OTHER

SC0099

  1. We have a UK subsidiary with a parent company in India, and we've implemented an infrastructure that includes Firewalls, Patch management, Anti-malware software, Access controls, and Network configurations. However, within the UK subsidiary, we only have one laptop. Can we still pursue Cyber Essentials certification?

  2. We don't maintain a central office in the UK or Crown Dependencies and our main headquarters are located in India, with an annual gross turnover of 10.2 Million, are we eligible to obtain the Cyber Essentials Basic certificate?

I can see that you have raised a ticket directly with us already, so one of the team will be in touch as soon as possible.

LINKEDIN_290923

DESCOPING

SC0100

We have 2 devices which use a generic login, used by more than one person.
I know that as it stands this is a fail if on the network, but would it be acceptable if the device is in Kiosk mode with access to the one and only screen used, which is an input screen in our business solution application?
I'd really appreciate your input on this.

This device would need to be segregated into a compliant sub-set using a firewall or a VLAN. This would remove the device from the scope, and you would use an excluding statement within your scope description. If you then choose to remove all inbound and outbound internet connections at the boundary of that sub-set, you can still obtain whole organisation certification.

LINKEDIN_290923

CLOUD_SERVICES

SC0101

We find the question of cloud services comes up a lot. Would Sumup, Stripe, WordPress be considered cloud or non-cloud? You can create admin and user accounts, but they are in themselves services?

All of the services you have listed are Cloud Services for the Cyber Essentials definition.

LINKEDIN_290923

MANAGED_OFFICE

SC0102

For the purposes of completing CE does the cyber security set up of a managed office come in scope? I'm completing CE for a small team who come together for 2 days a week in a managed building and I have no sight of their security.
The office is rented to the team so in itself it's not a shared space.

The applicant needs to try and get this information from the landlord. If they cannot gain this information, then they can either set up another firewall behind the landlord's, or rely on the software firewalls in the end user devices.

LINKEDIN_290923

BYOD

SC0103

Can I clarify and confirm the scope of CE assessments for schools, does it include all student devices and BYOD devices? Is there anything that can be declared out of scope?

My advice is go and read the advice on IASME’s website and the scoping table in the requirements, which has this information. Student personally owned devices can be deemed out of scope, but they must NOT be connected to the in-scope network. The accounts issued by the school would still remain in scope and must have the controls applied.

AW291123

BYOD

SC0104

Are all types of secondary and college student devices and services in scope for CE/CE+ assessment considering they have no access to corporate network. Would they have to be a subset to be out of scope?

Student and personally owned devices are not in scope of assessment. They cannot then bring the device into the educational establishment and connect to its network; they must connect to a separate network.

AW291123

CLOUD_SERVICES

SC0105

Are all student cloud services in scope of MFA requirements?

Yes

AW291123

PEOPLE

SC0106

Regarding SN students, my daughter is one, we used passwordless for her school to help her, she now doesn't have a password, and can also use strong authentication, allow listing when on school premises, passwordless is on my MS authenticator app for her.

Thanks for the feedback, that's great.

AW291123