Expert support and guidance is available if you need some help determining the scope. Simply purchase an hour of Live Online consultancy and get the answers you need.
Here is some further information to help you define the scope:
The scope should be clearly defined in terms of the organization or business unit managing it, the network boundary, and the physical location(s).
Regardless of whether the whole or a part of the organization is subject to certification, the name on the certificate must be consistent with the scope. The scope must be agreed before any testing starts.
The scope statement will appear on your Cyber Essentials certificate; the description will be used to verify that the scope, questionnaire responses, and subjects of the scan are consistent.
Determining the scope that Cyber Essentials applies to can be a complex task, especially if your organization is large or has an intricately structured network or network segmentation.
A simple way to determine this:
- SaaS (Software as a Service) is out of scope.
- PaaS (Platform as a Service) will, in all likelihood, also be out of scope, depending on the application that must be configured.
- IaaS (Infrastructure as a Service) will be in scope, as you will be responsible for configuring the platform.
- If you have VPNs connecting sites, then, depending on the technology, the public IP address of the VPN connection is in scope even if you are using internal private addressing and route all Internet traffic through the VPNs to a central egress point.
If you use a private MPLS VPN, then there may not be public IP addresses.
Example scope description:
The Internet-facing infrastructure consists of the email server, SharePoint, and three firewalls. Company cell phones are out of scope as they only connect to a guest wireless network that connects straight out to the Internet and have no connection to the corporate network. Externally hosted systems include a custom ERP platform, which also connects to our infrastructure over the Internet and is in scope. Our externally hosted web servers are out of scope as they are wholly managed by third parties. We also use Google Docs and ShareFile cloud-based services, which are also out of scope.
See this page for further information about defining the scope