QUESTION | ANSWER |
---|---|
What does whole organisation mean? | Whole organisation means that there are no networks excluded from the scope. |
Can a Cyber Essentials Plus scope be different from the scope of an existing Cyber Essentials certificate? | No, the scope of the Cyber Essentials Plus must be the same as the scope of the existing Cyber Essentials certificate. |
What is a virtual desktop? | A virtual desktop is a system where multiple users can remotely access data and services, for example Windows Server. |
What is meant by ‘organisational data and services’? | |
What does BYOD mean? | BYOD is an acronym for Bring Your Own Device, which refers to devices not owned by the organisation which are used to access organisational data and services. A personally-owned device used to access company emails would be an example of BYOD. |
What is a MAC address? | MAC stands for Media Access Control and a MAC address is a unique number assigned to every device on a network which allows other devices to communicate with it. |
What is a server? | A server is a computer, or a program running on a computer, which provides a service to other devices connected to it. These other devices are known as clients. In networking a server responds to requests for information from the clients such as emails, websites and so on. |
Are personally-owned (BYOD) devices in scope? | Yes, personally owned devices are in scope if they are accessing organisational data or services. |
If a home-worker has a firewall that wasn’t provided by their ISP or their company (for example they have bought their own) would this be in scope of the assessment? | They should make sure that the software firewalls on their devices are switched on. All widely used operating systems nowadays have a built-in firewall (e.g. Windows Defender). |
Are virtual machines and containers in scope for Cyber Essentials? | Yes, they are, and the controls should be applied to them just as for any other device. It’s important to make sure that the end-point devices are protected as these could contain vulnerabilities. |
Are end user devices connecting to virtual desktops in scope? | Yes, end user devices accessing services or data via virtual desktops are in scope and need to have the Cyber Essentials controls applied to them. |
Are switches in scope for Cyber Essentials? | No. |
Are printers in scope for Cyber Essentials? | No, printers are not deemed to be in the scope of Cyber Essentials. |
What is a segregated network? | A segregated network is part of a network that is behind a firewall or separated using a VLAN. If you are using this to remove devices from scope, any internet connections must also be blocked by the firewall or VLAN. |
What methods of segregation are acceptable for Cyber Essentials when creating a subset? | Segregation must be done using a firewall or VLAN and must be done at Layer 2 or Layer 3 of the OSI model. Segregation using user groups or micro-segmentation takes place at other layers of the OSI model and is not considered compliant for Cyber Essentials. |
If the network is not located in the UK, does this make a difference? | No, there are no location restrictions on Cyber Essentials. |
When segmenting a part of a network to remove it from scope, what are the rules about internet access for this segment? | No internet access means that all inbound and outbound connections must be blocked at the boundary of the segregated network. |
Does the Student Network in a University need to be included when looking to certify Whole Company? | The student network can be ignored in the scope when there is firewall separation and no organisational data is being accessed. |