
Frequently Asked Questions about Scope


QUESTION

ANSWER

What does whole organisation mean?

Whole organisation means that there are no networks excluded from the scope.

Can a Cyber Essentials Plus scope be different from the scope of an existing Cyber Essentials certificate?

No, the scope of the Cyber Essentials Plus must be the same as the scope of the existing Cyber Essentials certificate.

What is a virtual desktop?

A virtual desktop is a desktop session hosted on a server (for example a Windows Server running Remote Desktop Services, or a Citrix/VDI solution) that multiple users connect to remotely in order to access organisational data and services. The server hosting the sessions and the end user devices connecting to it are both in scope.

What is meant by ‘organisational data and services’?

  • Organisational data includes any electronic data belonging to your organisation, for example, emails, documents, database data, financial data.

  • Organisational service includes any software applications, cloud applications, cloud services, user interactive desktops and mobile device management (MDM) solutions that your organisation owns or subscribes to. For example: web applications, Microsoft 365, Google Workspace, mobile device management containers, Citrix Desktop, Virtual Desktop solutions or IP telephony.

What does BYOD mean?

BYOD is an acronym for Bring Your Own Device, which refers to devices not owned by the organisation which are used to access organisational data and services. A personally-owned device used to access company emails would be an example of BYOD.

In an educational setting, what are the rules surrounding student BYOD and personal devices?

If you allow students access to your network, it is important that this is segregated on its own guest network, and must not be able to interact with your other organisational data or services. You can exclude this guest or student network from scope and still describe the certification scope as "whole organisation". This is the only exception to the rule: no other part of the network can be excluded to achieve whole school certification.

Do student-owned devices need to be listed in the scope questions?

No, you are not required to list student-owned devices in the scoping questions. These devices must connect to a separate guest network and not to the main network. However, any cloud services containing organisational data that are accessed by these devices do come into scope and must apply the controls.

What level of detail is required when listing your devices in the scoping questions?

The required information is make and operating system. This applies to laptops, desktops, mobile devices and servers.

What is a MAC address?

MAC stands for Media Access Control. A MAC address is a 48-bit identifier (usually written as six pairs of hexadecimal digits, e.g. 00:1a:2b:3c:4d:5e) assigned to each network interface of a device; devices on the same local network use it to address traffic to that interface. The first three octets identify the interface manufacturer. Note that a device has one MAC address per interface (wired, Wi-Fi), and that modern phones and laptops can present randomised, locally administered MAC addresses on Wi-Fi, so a MAC address is not always a stable identifier for a device in an inventory.
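The following is an added example, not part of the original FAQ, showing how to normalise MAC addresses recorded in a device inventory into one notation, extract the manufacturer prefix, and flag addresses that are locally administered (randomised or manually set) or duplicated. The inventory rows are constructed for the example; the classification uses only the two standard flag bits in the first octet.

```python
import re

# Normalise any of the common notations (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff, aabbccddeeff) to lowercase colon-separated form.
def normalise_mac(raw: str) -> str:
    digits = re.sub(r"[-:. ]", "", raw.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(raw: str) -> dict:
    """Return the normalised address, its OUI and the two flag bits of the first octet."""
    mac = normalise_mac(raw)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                                   # manufacturer prefix (first three octets)
        "multicast": bool(first_octet & 0x01),            # I/G bit: group address, never a host
        "locally_administered": bool(first_octet & 0x02), # U/L bit: randomised or admin-assigned
    }


# Constructed sample inventory (hostname, MAC as typed into the scoping spreadsheet).
SAMPLE_INVENTORY = [
    ("LAPTOP-01", "00-1A-2B-3C-4D-5E"),
    ("LAPTOP-02", "001a.2b3c.4d5f"),
    ("PHONE-01", "da:a1:19:00:00:01"),   # locally administered: likely a randomised Wi-Fi address
    ("LAPTOP-03", "00:1A:2B:3C:4D:5E"),  # same interface as LAPTOP-01 written differently
]


def audit_inventory(rows) -> list:
    """Return human-readable warnings for entries that are unreliable device identifiers."""
    seen = {}
    warnings = []
    for name, raw in rows:
        info = classify_mac(raw)
        if info["locally_administered"]:
            warnings.append(
                f"{name}: {info['mac']} is locally administered (randomised or manually set); "
                "record the device by make and OS, not by this address"
            )
        if info["mac"] in seen:
            warnings.append(f"{name}: {info['mac']} already recorded for {seen[info['mac']]}")
        else:
            seen[info["mac"]] = name
    return warnings


if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

Running the block prints one warning for the randomised phone address and one for the duplicate laptop entry; the duplicate is only caught because both notations were normalised first.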

What is a server?

A server is a computer, or a program running on a computer, which provides a service to other devices connected to it. These other devices are known as clients. In networking a server responds to requests from clients, for example by delivering email or serving web pages.

Are personally-owned (BYOD) devices in scope?

Yes, personally owned devices are in scope if they are accessing organisational data or services.

If a home-worker has a firewall that wasn’t provided by their ISP or their company (for example they have bought their own) would this be in scope of the assessment?

A router or firewall bought by the home worker themselves is not assessed; for home workers the boundary that matters is the software firewall on each device, and they should make sure that it is switched on. All widely used operating systems nowadays have a built-in firewall (e.g. Windows Defender Firewall on Windows).

Where a device is connecting via tethering to a 5G or 4G network, where is the network boundary?

When a device connects via tethering or a mobile broadband (4G or 5G) network, there is no organisation-managed boundary firewall: the network boundary is the device's own software firewall, and you should make sure that this is switched on.

Are virtual machines and containers in scope for Cyber Essentials?

Yes, virtual machines and containers are in scope and the controls should be applied to them just as for any other device. The host and end user devices that run or connect to them must also be protected, as an unpatched host or endpoint can expose the workloads running on it.

For Cyber Essentials Plus, where there is a set of devices running (for example) Windows 11 Home 23H2 and Windows 11 Home 24H2, should these be treated as different versions for the purposes of sampling and testing?

‘Edition’ in this context refers to the name of the OS (Home, Professional, etc). ‘Version’ refers to the code (24H2, 23H2 etc).

Support differs between editions and versions of those editions, so 24H2 and 23H2 should be treated as separate for the purposes of sampling. In other words, if an applicant has for example 5 machines running Windows 11 Professional 23H2 and 5 machines running Windows 11 Professional 24H2, the sample should include 2 of each rather than 3 from the total of 10.
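As an added illustration (not from the original FAQ), the example below groups a constructed device inventory by product, edition and version before deciding how many of each to test, and contrasts that with the incorrect grouping that ignores the version. The only sample sizes it knows are the two figures given in the answer above (5 devices: test 2; 10 devices: test 3); any other population size is deliberately left to the current Cyber Essentials Plus test specification rather than guessed. The regular expression assumes OS strings in the "Windows 11 Professional 23H2" form used on this page.

```python
import re
from collections import defaultdict

# Assumption for this example: OS strings are "<product> <edition> <version>",
# e.g. "Windows 11 Professional 23H2".
_WIN_RE = re.compile(r"^(Windows \d+)\s+(Home|Pro|Professional|Enterprise|Education)\s+(\d{2}H[12])$")


def parse_os(text: str):
    """Split an OS string into (product, edition, version); 'Pro' is folded into 'Professional'."""
    m = _WIN_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse OS string: {text!r}")
    product, edition, version = m.groups()
    if edition == "Pro":
        edition = "Professional"
    return product, edition, version


# Constructed inventory mirroring the answer above: 5 devices on 23H2 and 5 on 24H2.
INVENTORY = [
    ("WS-01", "Windows 11 Professional 23H2"),
    ("WS-02", "Windows 11 Professional 23H2"),
    ("WS-03", "Windows 11 Pro 23H2"),
    ("WS-04", "Windows 11 Professional 23H2"),
    ("WS-05", "Windows 11 Professional 23H2"),
    ("WS-06", "Windows 11 Professional 24H2"),
    ("WS-07", "Windows 11 Professional 24H2"),
    ("WS-08", "Windows 11 Professional 24H2"),
    ("WS-09", "Windows 11 Pro 24H2"),
    ("WS-10", "Windows 11 Professional 24H2"),
]

# Sample sizes taken only from the FAQ's worked example (population -> devices to test).
PAGE_SAMPLE_SIZES = {5: 2, 10: 3}


def group_devices(inventory, include_version=True) -> dict:
    """Group hostnames by (product, edition, version); drop the version to see the wrong grouping."""
    groups = defaultdict(list)
    for host, os_text in inventory:
        product, edition, version = parse_os(os_text)
        key = (product, edition, version) if include_version else (product, edition)
        groups[key].append(host)
    return dict(groups)


def sample_plan(inventory, include_version=True, sample_size=PAGE_SAMPLE_SIZES.__getitem__) -> dict:
    """Number of devices to test per group. sample_size maps a group's size to a count."""
    return {key: sample_size(len(hosts)) for key, hosts in group_devices(inventory, include_version).items()}


def total_to_test(plan: dict) -> int:
    return sum(plan.values())


if __name__ == "__main__":
    correct = sample_plan(INVENTORY)
    wrong = sample_plan(INVENTORY, include_version=False)
    print("per edition+version:", correct, "->", total_to_test(correct), "devices")
    print("per edition only:   ", wrong, "->", total_to_test(wrong), "devices")
```

With the inventory above the version-aware plan tests 2 + 2 = 4 devices, whereas collapsing both versions into one group of 10 would test only 3, which is the mistake the answer warns against.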

Can a proxy server be used to exclude devices from scope?

The presence of a proxy server does not exclude other devices from being in scope.

Are end user devices connecting to virtual desktops in scope?

Yes, end user devices accessing services or data via virtual desktops are in scope and need to have the Cyber Essentials controls applied to them.

Are switches in scope for Cyber Essentials?

No.

Are printers in scope for Cyber Essentials?

No, printers are not deemed to be in the scope of Cyber Essentials. 

What is a segregated network?

A segregated network is part of a network that is behind a firewall or separated using a VLAN. If you are using this to remove devices from scope, any internet connections must also be blocked by the firewall or VLAN.

What methods of segregation are acceptable for Cyber Essentials when creating a subset?

Segregation must be done using a firewall or VLAN, that is, at Layer 2 or Layer 3 of the OSI model. Segregation by user group membership or by micro-segmentation (host-based or identity-based policy) is not a Layer 2 or Layer 3 boundary and is not considered compliant for Cyber Essentials.

If the network is not located in the UK, does this make a difference?

No, there are no location restrictions on Cyber Essentials. 

When segmenting a part of a network to remove it from scope, what are the rules about internet access for this segment?

No internet access means that all inbound and outbound connections must be blocked at the boundary of the segregated network. 
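To make the three preceding answers (segregated network, acceptable segregation, and no internet access for an excluded segment) concrete, here is an added example that is not part of the original FAQ. It simulates first-match evaluation of a boundary firewall policy and probes the boundary of a hypothetical out-of-scope VLAN from both directions, comparing a weak policy that blocks only inbound traffic with one that blocks both inbound and outbound at the boundary. Addresses, subnets and rules are all constructed; the internet-side probes use RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(action: str, src: str, dst: str) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


ANY = "0.0.0.0/0"
OUT_OF_SCOPE = "10.99.0.0/24"     # hypothetical VLAN the applicant wants to exclude from scope
IN_SCOPE_LAN = "10.0.0.0/16"      # hypothetical corporate LAN (in scope)
INSIDE_SAMPLE = ["10.99.0.5", "10.99.0.200"]                     # hosts in the excluded VLAN
OUTSIDE_SAMPLE = ["10.0.1.25", "203.0.113.10", "198.51.100.7"]   # corporate host + internet hosts


def first_match(rules, src_ip: str, dst_ip: str, default: str = "deny") -> str:
    """Evaluate an ordered rule list the way a typical firewall does: first matching rule wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default


def boundary_leaks(rules, segment: str, inside, outside) -> list:
    """Return every (src, dst, direction) that the policy allows across the segment boundary."""
    seg = ipaddress.ip_network(segment)
    assert all(ipaddress.ip_address(i) in seg for i in inside)
    assert all(ipaddress.ip_address(o) not in seg for o in outside)
    leaks = []
    for i in inside:
        for o in outside:
            if first_match(rules, i, o) == "allow":
                leaks.append((i, o, "outbound"))
            if first_match(rules, o, i) == "allow":
                leaks.append((o, i, "inbound"))
    return leaks


# Weak: only inbound to the VLAN is blocked, so VLAN hosts can still reach the LAN and the internet.
WEAK_POLICY = [
    rule("deny", ANY, OUT_OF_SCOPE),
    rule("allow", ANY, ANY),
]

# Isolated: traffic within the VLAN is allowed, everything crossing its boundary is dropped
# in both directions, and only then is the in-scope LAN permitted out.
ISOLATED_POLICY = [
    rule("allow", OUT_OF_SCOPE, OUT_OF_SCOPE),
    rule("deny", OUT_OF_SCOPE, ANY),
    rule("deny", ANY, OUT_OF_SCOPE),
    rule("allow", IN_SCOPE_LAN, ANY),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("isolated", ISOLATED_POLICY)):
        leaks = boundary_leaks(policy, OUT_OF_SCOPE, INSIDE_SAMPLE, OUTSIDE_SAMPLE)
        print(f"{name}: {len(leaks)} boundary leak(s)")
        for leak in leaks:
            print("   ", leak)
```

The weak policy reports six outbound leaks (each VLAN host can reach the corporate LAN and the internet), so the VLAN could not be excluded from scope; the isolated policy reports none while still letting VLAN hosts talk to each other and the in-scope LAN reach the internet. Probing from both sides is the point: a rule set that looks "blocked" from the inbound direction alone is exactly the gap the answer above rules out.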

When a third party is managing your IT, must all third party employees have unique login credentials?

Yes, all third party employees must have unique credentials for accessing your system. Shared accounts are not compliant with Cyber Essentials.

Does the Student Network in a University need to be included when looking to certify Whole Company? 

The student network can be excluded from the scope when it is separated from the rest of the organisation by a firewall and no organisational data or services are accessed from it (see the student BYOD questions above).
