Frequently Asked Questions about the Cyber Essentials Control
Question | Answer |
---|---|
Does CE+ allow printing from home computers where they are used for BYOC using Citrix, work cloud email (365 / Mimecast) or thin client? | Printers are not mentioned in the CE requirements and are considered out of scope of the assessment. CE+ absolutely allows printing from home computers/VDI. |
Is it mandatory to use a technical control for BYOD, or if policy or manual methods are mentioned, can we still issue an advisory that it should be done technically? | The controls should be applied using a mixture of technical controls and written policy. It is recommended that for larger companies this is managed through technical implementation, but it's not a control in itself. |
If an organisation does NOT control admin activities on its 365 tenant (outsourced), does it fall out of scope as a "cloud service"? | It depends on how the 365 service is outsourced. If you have outsourced the administration to your MSP or IT support company, you are still subscribing to that service: you are paying the subscription, so you will need to apply the Cyber Essentials controls to it. Outsourcing the administration to an MSP or IT services company does not take the service out of scope. |
Does manufacturing machinery running proprietary software (which often does not get updates) that needs to be connected to both the internet and company resources to operate correctly have to be declared out of scope, or can it be moved to a separate VLAN with only the specific ports it needs opened, to lock it down? | If the machinery gets no updates or support, it is highly advisable to place it on its own network segment. To be clear, a subset is effectively a network segment defined by a VLAN or a firewall. If these manufacturing devices require access to the internet, the organisation will not be able to obtain whole-company certification, but it can still obtain certification for the networks that meet the controls and requirements. You then need to include an excluding statement, at question A2.2 of the question set, explaining which networks are not included in the assessment. |
Do you need to show evidence of Asset Management for CE? | Asset management is not part of the requirements, but it is regarded as very important - it's much easier to protect your assets if you know what they are. |
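The answer about unsupported manufacturing machinery says a subset is a network segment defined by a VLAN or a firewall, with only the specific ports the machinery needs opened. The ruleset below is an added illustration of that arrangement, not part of the FAQ or of any Cyber Essentials guidance: an nftables configuration for a Linux firewall sitting between the corporate VLAN and a separate VLAN holding the machinery. The interface names (`vlan10`, `vlan20`), the corporate subnet and the permitted ports (443 for a web HMI, 502 for Modbus/TCP) are assumptions for the example.

```conf
# Added example (not from the FAQ): nftables ruleset separating unsupported
# manufacturing machinery (vlan20) from the corporate network (vlan10).
# Interface names, subnets and ports are assumptions for illustration.
table inet ot_segment {
    # Corporate hosts permitted to talk to the machinery (assumed subnet)
    set corp_clients {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }
    }

    # Only the ports the machinery actually needs (assumed: HMI web UI, Modbus/TCP)
    set ot_ports {
        type inet_service
        elements = { 443, 502 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed between VLANs is dropped
        type filter hook forward priority filter; policy drop;

        # Replies to allowed connections may flow back
        ct state established,related accept

        # Corporate -> machinery: listed clients only, listed ports only
        iifname "vlan10" oifname "vlan20" ip saddr @corp_clients tcp dport @ot_ports ct state new accept

        # Machinery -> corporate or internet: blocked by the default policy,
        # logged so that any outbound attempt from the segment is visible
        iifname "vlan20" log prefix "ot-egress-blocked: " drop
    }
}
```

With this in place the machinery cannot initiate connections into the corporate network, and the corporate side reaches it only on the two listed ports. If the machinery genuinely needs internet access, that segment still has to be listed in the excluding statement at A2.2 as the answer describes; the ruleset limits what an unsupported device can reach but does not make it compliant with the update control.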