Understanding the Cyber Essentials Scope
When first looking to certify your organisation under the Cyber Essentials scheme, one of the first questions to answer is, “What is the Scope of Assessment?”
This initial question shapes the rest of the certification process, so it is important to understand the specifics it relates to.
The Scope of Assessment relates to which of your devices, services, and accounts must adhere to the Cyber Essentials certification standards and also which will not be included as part of the assessment or technical audit.
For many companies, all of their devices, services, and accounts will be included in the assessment; for others, due to size, geographic regions, or network complexity, not all systems need to be assessed.
Being able to accurately distinguish between systems inside and outside the Scope of Assessment is therefore important, both to define your scope correctly and to maintain your organisation's compliance with the certification standard.
Defining The Cyber Essentials Scope
When defining your organisation's scope for Cyber Essentials certification, there are three primary considerations for whether a device or service should be in scope for the assessment.
- Can the system accept incoming network connections which originate from untrusted internet-connected hosts?
  - This condition typically covers any internet-facing devices your organisation owns and manages, which may include physical and virtual servers.
  - Cloud services and infrastructure are also covered by this condition.
  - Web applications owned and managed by your organisation are also included within this definition.
- Can the system establish user-initiated outbound connections to other devices over the internet?
  - This definition typically covers most end-user devices, such as desktops, laptops, phones, tablets, thin clients, and virtual desktop environments, which are used to connect to email services, browse the internet and perform other typical daily tasks.
- Can the system control the flow of data between any of the previously defined device types and the internet?
  - This definition typically covers most networking equipment that acts as a boundary device between your company and the internet. This can include firewalls, routers, and sometimes wireless access points, depending on their setup and configuration.
Systems that fall outside these definitions are typically considered outside the scope of Cyber Essentials, as the assessment focuses on the most common cyber threats, such as phishing attacks and direct attacks on internet-facing systems.
Systems that do not receive connections from the internet, do not connect out to the internet, and do not route data between the internet and your other devices are generally not considered to be under threat from the most common cyber attacks.
Defining A Sub-Set Scope For Cyber Essentials
In most cases the Cyber Essentials scheme will apply to your whole organisation, including all of the devices and services you make use of.
However, the assessment does provide the option to define a sub-set of your organisation as the scope, rather than the whole organisation.
Why Define A Sub-Set Of Your Business For Certification
Although applying the Cyber Essentials controls to the organisation as a whole provides better security than applying them to only a segment, certification is still possible using a sub-set of your business.
This may be useful for companies with a particularly large or complex set of networks and systems, where certain segments cannot fully align with the requirements of Cyber Essentials.
For example, some organisations that work with critical systems and services may not always be able to adhere to the operating system update requirements, but may still want to achieve certification for the rest of their business.
Requirements For A Sub-Set Cyber Essentials Certification
It is important to note that there are still requirements to meet when defining a sub-set of your business.
To achieve certification, and to ensure segmentation between the sections of your business that are in and out of scope, the following principles need to be applied:
- Cyber Essentials cannot be achieved without including some end-user devices within the scope.
  - For example, it is not possible to achieve Cyber Essentials exclusively for a set of cloud services or managed web applications.
  - Some end-user devices, such as laptops and desktops, will always form part of the scope. For example, the devices used to log in to and manage such services would likely become part of the Cyber Essentials scope, as would the devices used by the owners of the business.
- A sub-set scope cannot be defined by arbitrarily labelling some users and devices within your business as in scope and others as out of scope.
  - A sub-set scope requires very clearly defined boundaries between the separate parts of your business.
  - This could be achieved through separate physical office locations, with a clear separation of offices, equipment, and authentication systems.
  - A business may also have clearly established network segmentation that separates sections of the business through the use of firewalls, Virtual Local Area Network (VLAN) solutions, and other independent systems.
Devices Within The Cyber Essentials Scope
The Cyber Essentials scope extends to most devices, services, and accounts that can access your organisational data and services.
However, there are some exceptions and considerations to account for which can reduce the number of network devices that your company is required to manage to the Cyber Essentials standard.
Organisation-Owned Devices
For devices bought and owned by the company, most of the company's IT infrastructure is likely to form part of the scope for Cyber Essentials, provided the devices meet one of the previously defined conditions:
- Accept incoming network connections from untrusted internet-connected hosts
- Establish user-initiated outbound connections to devices via the internet
- Control the flow of data between any of the previous two device types and the internet
With these principles in mind, most of the following types of devices would be considered as part of your company assessment scope:
- Routers
- Firewalls
- Desktops
- Laptops
- Thin Clients
- Physical Servers
- Virtual Servers
- Mobile Phones
- Tablets
However, depending on how a device is used, it may fall outside the scope of Cyber Essentials.
For example, an internal server that doesn't receive connections from the internet and doesn't have any user-initiated outbound connections to the internet may be considered outside the scope for Cyber Essentials.
Wireless Access Points
A dedicated wireless access point will typically be out of scope for most companies, where the device isn't directly accessible from the internet.
Only where the wireless access point is directly accessible via the internet should the device be considered in scope. This can apply in some cases where the company's managed router or firewall is also the wireless access point.
In most cases, wireless access points in a home office will also be outside of scope where they form part of the router provided by an Internet Service Provider (ISP).
Home Working Devices
In most circumstances, personal devices within a home office are not considered in scope for Cyber Essentials unless they are used to access organisational data and services, such as logging in to company email from a personal laptop or connecting to the company VPN.
Although uncommon, if the company has provided a router or firewall to home office workers, that device is considered part of the scope and needs to be managed according to the required specifications.
Routers provided by an Internet Service Provider (ISP) to provide home Internet access are typically not considered part of the assessment scope.
However, there is an exception to this, which can sometimes apply to small businesses, such as when a sole employee or director primarily works from home and has no other dedicated router or internet boundary device.
In this specific circumstance, the only external-facing internet device might be the ISP router, and it may then form part of the scope and require the Cyber Essentials standards to be applied to it.
Third-Party Devices
For third parties which use their own equipment to access or interact with company devices and organisational data, such as a contractor or Managed Service Provider (MSP), the devices themselves are not considered in scope. However, the accounts used by the contractor or MSP to log in to your services and devices will likely be in scope and need to be managed under the Cyber Essentials specification for user accounts and password requirements.
Bring Your Own Devices (BYOD)
The Cyber Essentials specification generally brings all devices which access organisational data into the scope, which can include personal laptops and phones used to log in to email systems or services such as Microsoft 365 and Google Workspace.
However, there are several exceptions to consider for personally owned Bring Your Own Devices (BYOD), such as laptops and desktops: who is using the device dictates whether it is in or out of scope.
In Scope Devices
- An employee using a personal device for work-related activities will be included within the scope.
- An organisation volunteer or trustee using a personal device will similarly be included within the scope of Cyber Essentials.
- Within an academic setting, a university research assistant will also have their personal devices included within the scope, when accessing organisation data and services.
Out-of-Scope Devices
- Within an educational environment, a student would not have their devices included within the scope.
- A Managed Service Provider that conducts administrative tasks for your company would not have their devices included within the scope.
- Similarly, a contractor for the company would not need to have their devices included within the scope.
- A client or customer of the business would also not have their devices included within the scope for Cyber Essentials.
For devices that are not considered in scope for Cyber Essentials but still connect to your company's systems, it is still recommended to apply a set of security standards to manage the accounts and, wherever possible, verify the security of the devices.
Mobile Devices
Where mobile devices are in use to access work emails, messaging services and other organisational data, the devices will be considered as in scope for the Cyber Essentials assessment. This can include company-issued devices or personal devices.
However, there are several situations in which mobile phones used in a limited capacity are not considered part of the scope of assessment.
If mobile devices are only used for the following tasks, they will be considered out of scope for the assessment:
- Receiving calls through the native phone application and not through third-party business-dedicated apps
- Receiving texts through the native text message application and not through third-party business-dedicated apps
- Receiving Multi-Factor Authentication codes through phone, text, or a dedicated application
User Accounts
Within the Cyber Essentials requirements, all accounts which are owned by your organisation are in scope, which can include:
- Accounts issued to your employees, with varying permissions levels, such as standard user or administrator accounts
- Accounts used by a third party to access your devices and company data
- Accounts used by a Managed Service Provider or Contractor which access your devices and organisational data
Each of the accounts used to access your organisation's devices and services must adhere to the specifications defined within the Requirements for IT Infrastructure document published by the National Cyber Security Centre (NCSC).
These requirements are also outlined within the Cyber Essentials Password Policy article.
Web Applications
The majority of businesses will have an internet-accessible web application in place, or several serving different purposes. These applications typically form part of the scope of Cyber Essentials.
There are also specific scenarios in which a web application would not be included within the Cyber Essentials scope, such as:
- Where the web application is not made publicly accessible, it would not form part of the scope.
- Where the web application consists of bespoke and custom components, rather than off-the-shelf or commercial components, it would also not be considered in scope.
Cloud Services
Cloud services are always considered in scope where an organisation's data, infrastructure or services are hosted by the cloud platform.
This can include the following types of cloud service:
- Infrastructure as a Service (IaaS), which can include virtual infrastructure solutions such as Amazon EC2 instances or Google Compute Engine.
- Platform as a Service (PaaS), which can include web services and applications hosted by Azure or Amazon.
- Software as a Service (SaaS), which can include solutions such as Google Workspace and Microsoft 365.
While the certifying company will always maintain responsibility for ensuring all of the Cyber Essentials controls are applied to each of their Cloud Services, some of the technical controls may be implemented or managed by the cloud service provider.
The specific division of controls and responsibility can depend on the service provider, and whether the service is IaaS, PaaS, or SaaS.
However, the certifying company ultimately bears the responsibility for ensuring the controls are in place, and for working with a service provider that can provide assurance that the Cyber Essentials technical controls have been applied.
Conclusion
When first progressing through the Cyber Essentials scheme, defining an accurate Scope of Assessment and collating all of the required information can be a lengthy process.
It often helps to first implement some asset management methods to ensure that your organisation maintains an accurate list of its devices, user accounts, software, and services.
This information can then be used to form a more accurate picture of your organisation and to establish more effective management in the future.
For further guidance on achieving Cyber Essentials certification or progressing into Cyber Essentials Plus, the following articles may be useful:
- Requirements for the Cyber Essentials Scheme
- Preparing A Check List for Cyber Essentials
- Requirements for Cyber Essentials Plus
Where your business may be interested in implementing some additional security measures, the following articles may also be of use:
- Conducting a Cyber Security Audit
- Conducting A Security Risk Assessment
- Implementing A Vulnerability Management System
- Setting Up A Vulnerability Scan
- Prioritizing Your Vulnerabilities
If you have any further questions regarding Cyber Essentials or other cybersecurity solutions, our consultants are available to address any concerns you may have.