Page Properties

Subject: Scope
Type: FAQ
Document number: DOC-XXX-XXXXXX
Document type: Public
Responsibility for implementation & training: Cyber Essentials Manager
CB contract doc/schedule: YES
Scheme: Cyber Essentials
Reason for change: Initial Version
Approved by:
Approved date:
Next review:
Review and consultation process: Reviewed Annually by CEO
Master Link:
Associated documentation:
Distribution: Refined Knowledge Hub

Area: Scope
Page Type: Content
Page Name: Scope : FAQ
Last Updated: 04/11/24
Update Notes:
Reviewed: 04/11/24
Reviewer: JC
Next Review: 14/10/25

Frequently Asked Questions about Scope

Question

Answer

Does CE+ allow printing from home computers where they are used for BYOC using Citrix, work cloud email (365 / Mimecast) or thin client?

Printers are not mentioned in the CE requirements and are considered out of scope of the assessment. CE+ absolutely allows printing from home computers/VDI. 

Is it mandatory to use a technical control for BYOD, or if policy or manual methods are mentioned, can we still issue an advisory that it should be done technically?

The controls should be applied using a mixture of technical controls and written policy. It is recommended that for larger companies this is managed through technical implementation, but it's not a control in itself.

If an organisation does NOT control admin activities on their 365 tenant (outsourced) does it fall out of scope as a "cloud service"?

It depends on how the 365 service is outsourced. If you have outsourced its administration to your MSP or IT support company, you are still subscribing to that service: you are paying the subscription, and you will need to apply the controls of Cyber Essentials. Where the administration is outsourced to an MSP or an IT services company on your behalf, the service remains in scope.

Does manufacturing machinery running proprietary software (often doesn't get updates) that needs to be connected to both the internet and company resources to operate correctly need to be declared out of scope or can it be moved to a separate VLAN with specific ports opened to lock it down? Or would these devices need to be declared as out of scope?

It would be highly advisable, if they are getting no updates or no support, that they are placed on a separate network segment. To be clear, a sub-set is effectively a network segment that is defined by a VLAN or firewall. If these particular manufacturing devices require access to the internet, you as an organisation will not be able to obtain whole-company certification, but you will still be able to obtain certification on the networks that meet the controls and the requirements. You therefore need to include an excluding statement, in question A2.2 of the question set, explaining which networks are not included in the assessment.

Do you need to show evidence of Asset Management for CE?

Asset management is not part of the requirements, but it is regarded as very important - it's much easier to protect your assets if you know what they are.
