QUESTION | ANSWER |
---|---|
What does whole organisation mean? | Whole organisation means that there are no networks excluded from the scope. |
Can a Cyber Essentials Plus scope be different from the scope of an existing Cyber Essentials certificate? | No, the scope of the Cyber Essentials Plus must be the same as the scope of the existing Cyber Essentials certificate. |
What is a virtual desktop? | A virtual desktop is a system where multiple users can remotely access data and services, for example Windows Server. |
What is meant by ‘organisational data and services’? | |
What does BYOD mean? | BYOD is an acronym for Bring Your Own Device, which refers to devices not owned by the organisation which are used to access organisational data and services. A personally-owned device used to access company emails would be an example of BYOD. |
In an educational setting, what are the rules surrounding student BYOD and personal devices? | If you allow students access to your network, it is important that this is segregated on its own guest network, and it must not be able to interact with your other organisational data or services. You can exclude this guest or student network from scope and still describe the certification scope as “whole organisation”. This is the exception to the rule, and no other parts of the network can be excluded to achieve whole school certification. |
What is a MAC address? | MAC stands for Media Access Control and a MAC address is a unique number assigned to every device on a network which allows other devices to communicate with it. |
What is a server? | A server is a computer, or a program running on a computer, which provides a service to other devices connected to it. These other devices are known as clients. In networking a server responds to requests for information from the clients such as emails, websites and so on. |
Are personally-owned (BYOD) devices in scope? | Yes, personally owned devices are in scope if they are accessing organisational data or services. |
If a home-worker has a firewall that wasn’t provided by their ISP or their company (for example they have bought their own) would this be in scope of the assessment? | They should make sure that the software firewalls on their devices are switched on. All widely used operating systems nowadays have a built-in firewall (e.g. Windows Defender). |
Where a device is connecting via tethering to a 5G or 4G network, where is the network boundary? | Where a device connects via a mobile broadband network rather than a fixed connection, the network boundary is the device’s own firewall, and you should make sure that this is switched on. |
Are virtual machines and containers in scope for Cyber Essentials? | Yes, they are and the controls should be applied to them just as for any other device. It’s important to make sure that the end-point devices are protected as these could contain vulnerabilities. |
Can a proxy server be used to exclude devices from scope? | The presence of a proxy server does not exclude other devices from being in scope. |
Are end user devices connecting to virtual desktops in scope? | Yes, end user devices accessing services or data via virtual desktops are in scope and need to have the Cyber Essentials controls applied to them. |
Are switches in scope for Cyber Essentials? | No. |
Are printers in scope for Cyber Essentials? | No, printers are not deemed to be in the scope of Cyber Essentials. |
What is a segregated network? | A segregated network is part of a network that is behind a firewall or separated using a VLAN. If you are using this to remove devices from scope, any internet connections must also be blocked by the firewall or VLAN. |
What methods of segregation are acceptable for Cyber Essentials when creating a subset? | Segregation must be done using a firewall or VLAN and must be done at Layer 2 or Layer 3 of the OSI model. Segregation using user groups or micro-segmentation takes place at other layers of the OSI model and is not considered compliant for Cyber Essentials. |
If the network is not located in the UK, does this make a difference? | No, there are no location restrictions on Cyber Essentials. |
When segmenting a part of a network to remove it from scope, what are the rules about internet access for this segment? | No internet access means that all inbound and outbound connections must be blocked at the boundary of the segregated network. |
When a third party is managing your IT, must all third party employees have unique login credentials? | Yes, all third party employees must have unique credentials for accessing your system. Shared accounts are not compliant with Cyber Essentials. |
Does the Student Network in a University need to be included when looking to certify Whole Company? | The student network can be ignored in the scope when there is firewall separation and no organisational data is being accessed. |
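The segregation questions above require a subset to be separated by a firewall or VLAN at Layer 2/3, with all inbound and outbound connections blocked at the boundary of the segment that is removed from scope. The nftables ruleset below is an added illustration of that boundary and is not part of the FAQ or any NCSC material; the interface names (eth0 for the internet uplink, vlan10 for the in-scope segment, vlan20 for the out-of-scope segment) are assumptions.

```nft
# Assumed interfaces (not from the FAQ):
#   eth0   - internet uplink
#   vlan10 - in-scope organisational segment
#   vlan20 - segregated segment being removed from scope
table inet scope_boundary {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # In-scope segment keeps its normal internet access.
        iifname "vlan10" oifname "eth0" accept
        iifname "eth0" oifname "vlan10" ct state established,related accept

        # Weak setting: giving the segregated segment internet access
        # would mean it is NOT fully segregated and stays in scope.
        # iifname "vlan20" oifname "eth0" accept

        # Correct setting: nothing crosses the boundary of vlan20 in
        # either direction, including towards the in-scope segment.
        # Logging the drops gives evidence for the assessor.
        iifname "vlan20" log prefix "oos-egress-drop " drop
        oifname "vlan20" log prefix "oos-ingress-drop " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # The firewall host itself must not be reachable from the
        # out-of-scope segment either.
        iifname "vlan20" log prefix "oos-to-fw-drop " drop
        iifname "lo" accept
        ct state established,related accept
    }
}
```

After loading the ruleset, `nft list ruleset` shows the live rules, and the log prefixes make it easy to confirm in the system log that traffic from the segregated VLAN is actually being dropped rather than forwarded.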