Area: Scope
Page Type: Content
Page Name: Subset Scoping Guidance
Last Updated: 12/04/24
Update Notes:
Reviewed: 12/04/24
Reviewer: JC
Next Review: 12/10/24


Assessment and certification should cover the whole of the IT infrastructure used to perform the business of the applicant, or if necessary, a well-defined and separately managed sub-set.

A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.

This means that if an applicant chooses not to scope their whole organisation as part of an assessment, we would expect to see a scope description in A2.2 that declares what is being excluded, described as sub-sets (or networks).

The easiest way to apply scoping is to treat everything as in scope unless it is specifically excluded as a sub-set.

 

Scenario 1 - Excluding networks

The applicant wishes to scope only part of their organisation. This could be because some devices cannot meet the requirements, or simply because they only want to scope a small part of their organisation (for example, a global company).

  • There is a boundary firewall between the production network and the development network (or segregation can be applied via VLAN).

  • The devices on the de-scoped network would still access the internet.

  • The production network and the development network devices can communicate with each other.

  • Scope Description = Whole Organisation Excluding Dev Network

...


Scenario 4 - Student BYOD Exception

Student BYOD is the one exception currently in place for Cyber Essentials. It was introduced to allow a pragmatic approach to the scheme for universities and higher education establishments, which had a high volume of student BYOD in use and outside of their control. It was decided that students would be treated like customers.

  • Student BYOD is out of scope for Cyber Essentials, but it must be moved to a designated student network that is segregated from the university / school networks as a sub-set.

  • School-owned devices used by students are in scope for Cyber Essentials.

  • Devices that are loaned out for remote learning are out of scope for Cyber Essentials as long as they are on the student network. When returned to the school they are back in scope.

  • Student BYOD must not connect to the in-scope school networks, or those devices would be brought into scope.

  • Student BYOD is not brought into scope by interacting with cloud services.

  • All student accounts owned by the university or school are always in scope, and the controls should be applied to them.

  • Staff BYOD cannot be moved out of scope.

All of the bullet points above follow essentially the same rules that apply to Scenario 1. The exception given for student BYOD is that when student BYOD is de-scoped in this way, a whole-organisation scope can still be achieved.