
Assessment and certification should cover the whole of the IT infrastructure used to perform the business of the applicant, or if necessary, a well-defined and separately managed sub-set.

A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.

This means that if an applicant chooses not to scope their whole organisation as part of an assessment, we would expect to see a scope description in A2.2 that declares what is being excluded, described as sub-sets (or networks).

The easiest way to apply scoping is to treat everything as in scope unless it is specifically excluded in a sub-set.

 

Scenario 1 - Excluding networks

The applicant wishes to scope only part of their organisation. This could be because some devices cannot meet the requirements, or simply because they only want to scope a small part of their organisation (for example, a global company).

  • There is a boundary firewall between the production network and the development network (or segregation can be applied via VLAN).

  • The devices on the de-scoped network can still access the internet.

  • The production network and the development network devices can communicate with each other.

  • Scope Description = Whole Organisation Excluding Dev Network

[Diagram: Scenario1.png]

Scenario 2 - Whole Organisation

The applicant has an unsupported server which they need to move out of scope, but they still wish to certify as 'Whole Organisation'.

  • There is a boundary firewall between the production network and the development network (or segregation can be applied via VLAN).

  • The devices on the de-scoped network have all inbound and outbound internet connections blocked at the boundary of the sub-set.

  • The production network and the development network devices can communicate with each other.

  • Scope Description = Whole Organisation.

[Diagram: Scenario2.png]
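As an added example that is not part of the original page, the following nftables ruleset (constructed; the ranges 10.10.0.0/24 for production, 10.20.0.0/24 for the development sub-set and the interface name wan0 are hypothetical) shows how the boundary firewall in Scenario 2 can be expressed: the sub-set can still communicate with production, but all of its inbound and outbound internet traffic is dropped at the boundary. The commented alternative gives the Scenario 1 variant, where the sub-set keeps internet access and the scope description must therefore exclude it.

```nft
# Constructed example: boundary firewall between the in-scope production
# network (10.10.0.0/24) and the de-scoped development sub-set (10.20.0.0/24).
# wan0 is the internet-facing interface. Hypothetical names and ranges.
table inet ce_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were permitted below
        ct state established,related accept

        # Production and development may communicate with each other
        # (allowed in both Scenario 1 and Scenario 2)
        ip saddr 10.10.0.0/24 ip daddr 10.20.0.0/24 accept
        ip saddr 10.20.0.0/24 ip daddr 10.10.0.0/24 accept

        # Production is in scope and keeps its normal internet access
        ip saddr 10.10.0.0/24 oifname "wan0" accept

        # Scenario 2: the de-scoped sub-set has all outbound internet
        # blocked at the boundary, so "Whole Organisation" can be claimed.
        # Scenario 1 variant: change "drop" to "accept" here and declare
        # "Whole Organisation Excluding Dev Network" in A2.2 instead.
        ip saddr 10.20.0.0/24 oifname "wan0" counter drop

        # Inbound internet traffic routed towards the sub-set is dropped.
        # The chain policy already drops it; the explicit rule gives the
        # assessor a counter to inspect.
        iifname "wan0" ip daddr 10.20.0.0/24 counter drop
    }
}
```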

Scenario 3 - Cloud Services Introduction

A common question from assessors and applicants is: if we de-scope devices by moving them to a sub-set, does interacting with a cloud service bring them back into scope again?

The Requirements state:

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services (as defined above) are in scope.

This is true, but it does not bring de-scoped devices back into scope (in the same way that, in Scenario 1, a laptop on the dev network accessing the production server does not bring the laptop back into scope).

De-scoping of infrastructure is carried out through the use of sub-sets; interacting with a cloud service does not change this, as the cloud service sits on the other side of the firewall and is not within the boundary of the sub-set. As mentioned above, everything is in scope unless it is specifically excluded using a sub-set.

Cloud services cannot be de-scoped from Cyber Essentials, but as always there are a couple of exceptions or edge cases that may apply.

  1. When the cloud service is Infrastructure as a Service (IaaS), the service itself cannot be de-scoped; however, because firewall rules are applied to virtual networks created in an IaaS environment, these networks can be excluded. Firewall rules in cloud services are commonly referred to as Network Security Groups.

  2. If an organisation is scoping part of its infrastructure and no one on that infrastructure uses a particular cloud service, that service does not need to be included within the scope of the assessment. For example, a global organisation whose cloud services are only used in the US would not need to include them if the scope was UK only.

[Diagram: ScopeDiagram.png]

Scenario 4 - Student BYOD Exception

Student BYOD is the one exception currently in place for Cyber Essentials. It allows a pragmatic approach to the scheme and was introduced to help universities and higher education establishments achieve Cyber Essentials, given the high volume of student BYOD in use and outside of their control. It was decided that students would be treated like customers.

  • Student BYOD is out of scope for Cyber Essentials but must be moved to a designated student network that is segregated from the university / school networks by using a sub-set.

  • School-owned devices used by students are in scope of Cyber Essentials.

  • Devices that are loaned out for remote learning are out of scope for Cyber Essentials as long as they are on the student network. When returned to the school, they are back in scope.

  • Student BYOD must not connect to the in-scope school networks, or it will be brought into scope.

  • Student BYOD is not brought into scope by interacting with cloud services.

  • All student accounts owned by the university or school are always in scope and the controls should be applied.

  • Staff BYOD cannot be moved out of scope.

The bullet points above are essentially the same rules that apply to Scenario 1. The exception given for student BYOD is that, when student devices are de-scoped, 'Whole Organisation' can still be achieved.

© The IASME Consortium Ltd 2025 All rights reserved.
