Defining the scope for Cyber Essentials certification
The scope for certification to Cyber Essentials or Cyber Essentials Plus must be agreed by the certification body before any testing (assessment) can commence.
Certification can apply to the whole of an organization’s enterprise IT or to a sub-set of the organization. The scope must be declared at the Cyber Essentials stage for Cyber Essentials Plus. (The scope for both stages is the same.)
The scope must be clearly defined in terms of:
The organization or business unit managing it
The network (infrastructure) boundary
Whether the whole or a part of the organization is subject to certification, the name on the certificate must be consistent with the scope.
The assessments verify the level of protection against common, low-skilled, Internet-based threats as well as broader risks.
Testing covers the following three critical areas, depending on the level of certification:
Types of testing:
Cyber Essentials and Cyber Essentials Plus
External Internet-accessible systems, including dedicated hosting platforms.
Cyber Essentials Plus
Internal systems—patching, configuration and vulnerabilities.
Internal systems—susceptibility of workstations and mobile devices, tablets, and email- and web-based malware.
The Cyber Essentials scheme provides protection mainly where IT systems are based on commercial off-the-shelf (COTS) products, rather than large, heavily customized, complex solutions.
Systems that fall under the scope of Cyber Essentials include:
Internet-connected end-user devices (e.g. desktop PCs, laptops, tablets, and smartphones)
Internet-connected systems (e.g. email, web, and application servers)
In defining the scope, the organization seeking certification will need to consider the role of service providers that may be in scope. The important consideration is whether the organization or the supplier retains responsibility for the relevant set of controls (boundary firewall and Internet gateways, secure configuration, user access control, malware protection and patch management).
Organizations that use infrastructure as a service (IaaS) from a Cloud service provider and are responsible for any of the five control sets will be required to include the service as part of the scope. In the case of software as a service (SaaS), where the organization does not have responsibility for the controls, the service will be out of scope.
What is not in scope?
Cyber Essentials is not intended for use with custom IT systems, such as those found in manufacturing, industrial control systems, online retail, and other environments.
Examples of these types of systems are:
Supervisory control and data acquisition (SCADA)
Distributed control systems (DCS)
Programmable logic controllers (PLC)
Point of sales (POS)
PIN entry devices (PED)
Source: CREST and the Cyber Essentials scheme
IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.
View the three solutions for certification >>