How to Scope Cyber Essentials
- The Assessor Team
- Jan 27
- 5 min read

What’s in Scope for Cyber Essentials
When planning for Cyber Essentials certification, one of the first and most important decisions an organisation must make is establishing the scope of the assessment. Scoping defines what part of your IT systems and services your certification will cover. It influences everything from technical control implementation to evidence collection for your certification assessment. This blog explains how to think about scoping, what must be included, and how to approach more complex environments.
We will reference the official Cyber Essentials Requirements for IT Infrastructure document throughout, which you can read here:
Requirements for IT Infrastructure (NCSC) – https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-2.pdf
Why Scoping Matters
Scoping determines the boundary of what will be assessed against the Cyber Essentials technical controls. It tells your Certification Body exactly what they are evaluating and gives your organisation clear confidence about where risk has been addressed. If scope is poorly defined, it can lead to unexpected gaps in coverage, additional work during assessment, or even a failed certification attempt.
Clear scoping also helps you:
Identify all systems and services that need controls applied.
Plan remediation or configuration work ahead of assessment.
Allocate responsibility for cloud services and external infrastructure.
Manage risk by understanding where unsupported or legacy technology lives.
What Must Be Included in Scope
The general principle is straightforward: include anything that could introduce risk into your business operations, especially via the internet or connectivity to organisational data and services.
According to the official Cyber Essentials standard:
Scope should cover the whole of the IT infrastructure that supports your business, or a clearly defined and segregated sub-set agreed with your Certification Body. (NCSC)
Devices and software in scope are those that:
can receive connections from internet-connected hosts,
can make outbound connections over the internet, or
control data flowing to/from internet-connected devices. (NCSC)
You cannot exclude endpoint devices (e.g., laptops, desktops, tablets, mobiles) from scope. (NCSC)
In practical terms, this means:
End-User Devices
All devices that your staff, volunteers, or contractors use to access organisational systems and data for business purposes are in scope. This includes:
Corporate laptops and desktops.
Mobile phones or tablets used for accessing email or cloud services.
Devices used for hybrid or home working.
Even “bring your own device” (BYOD) can be in scope if it accesses corporate data or services. (IASME)
For schools, colleges and universities there can sometimes be exceptions for student devices. Please speak with us at www.getcybercertified.co.uk to find out more.
Servers, Virtual Machines and Network Infrastructure
Physical and virtual servers that host business services — whether on-premise or in hosted environments — are in scope. Network devices such as firewalls, switches, Wi-Fi controllers, and VPN concentrators are also included where they govern traffic to your IT infrastructure.
Cloud Services and SaaS
Any cloud service that stores or processes organisational data or provides business services must be in scope. Examples include:
Microsoft 365, Google Workspace or similar SaaS offerings.
Hosted virtual desktops or cloud firewalls.
Cloud-based applications where you have administrative control.
Cloud services cannot be excluded purely because they are “outsourced”; you remain responsible for ensuring that Cyber Essentials controls are implemented or evidenced for the services in scope. (IASME)
Web Applications
Publicly accessible web applications that are part of your service delivery or customer interaction are in scope, particularly where they handle organisational data. This includes business-facing portals or bespoke applications you own and manage.
What Can Be Excluded from Scope
Exclusions are allowed, but only if they are:
Clearly defined,
Technically segregated from the in-scope estate, and
Justified in your scope statement with your Certification Body’s agreement.
Examples might include:
A guest Wi-Fi network that is isolated and does not access organisational data.
A development subnet that cannot affect or be reached from the production environment.
Legacy systems that cannot be secured but are fully isolated via VLANs or firewalls. (IASME)
If you use exclusions, you must be able to explain and demonstrate the segregation and justification — for example, how that excluded subnet is physically or logically separate from in-scope assets.
Scope and School / Education Settings
For primary and secondary schools or Academy Trusts, several scenarios can be confusing:
Student or guest networks used for pupils or visitors can typically be excluded, if they are segregated and do not touch administrative systems.
Managed classroom devices (e.g., teacher laptops, admin desktops, curricular management systems) must be in scope.
If cloud platforms such as Microsoft 365 are part of school operations, they and any related services are in scope.
Remember, the scope isn’t just about devices — it’s about the data and services your organisation relies upon and protects.
Multi-Site or Complex Environments
For organisations with multiple locations, subsidiaries, or complex network architectures, the principle remains the same: define the
Network boundaries
Physical and logical location
Business units owning the infrastructure
Each part of the estate must map back to this agreed scope. If parts of your infrastructure cannot meet Cyber Essentials controls (e.g., legacy devices without vendor support), you will need to demonstrate isolation and mitigation strategies to justify exclusion.
Common Scoping Misunderstandings
Some frequently encountered misconceptions include:
“Only devices storing organisational data are in scope.” This is not correct. Devices that access organisational data or services are also in scope. (IASME)
“Cloud services can be excluded because they are managed by a third party.” Not possible. Cloud services must be included in scope, with responsibility for controls clearly attributed. (IASME)
“Personal devices used occasionally aren’t in scope.”If they access organisational services or data without proper separation, they are in scope.
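As an added example that is not part of this article, the following Python script applies the inclusion rules from “What Must Be Included in Scope”, the exclusion conditions from “What Can Be Excluded from Scope” and the misconceptions listed above to a constructed asset inventory, and produces the groupings you would carry into a scope statement. The field names and the sample school inventory are assumptions made for illustration, not anything defined by the standard.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Asset:
    name: str
    kind: str                        # endpoint | server | network | cloud | webapp
    accesses_org_data: bool = True   # touches organisational data or services
    vendor_supported: bool = True    # still receives vendor security updates
    proposed_exclusion: bool = False
    segregated: bool = False         # technically segregated from the in-scope estate
    justification: str = ""          # wording that will go into the scope statement

def evaluate(a: Asset) -> Tuple[str, List[str]]:
    """Return ('in-scope' | 'excluded' | 'invalid-exclusion', reasons an assessor will ask about)."""
    if not a.proposed_exclusion:
        notes = [] if a.vendor_supported else ["unsupported: isolate and exclude, or replace, before assessment"]
        return "in-scope", notes
    problems = []
    if a.kind == "endpoint":
        problems.append("end-user devices cannot be excluded")
    if a.kind == "cloud" and a.accesses_org_data:
        problems.append("cloud service holding organisational data cannot be excluded as 'outsourced'")
    elif a.accesses_org_data:
        problems.append("reaches organisational data or services, so it is not segregated in practice")
    if not a.segregated:
        problems.append("no technical segregation (VLAN/firewall) from the in-scope estate")
    if not a.justification.strip():
        problems.append("no justification recorded for the scope statement")
    return ("invalid-exclusion", problems) if problems else ("excluded", [a.justification])

def scope_statement(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group assets for the scope statement; 'fix-first' items block a clean assessment."""
    out: Dict[str, List[str]] = {"in-scope": [], "excluded": [], "fix-first": []}
    for a in assets:
        verdict, reasons = evaluate(a)
        if verdict == "invalid-exclusion" or (verdict == "in-scope" and reasons):
            out["fix-first"].append(f"{a.name}: " + "; ".join(reasons))
        else:
            out[verdict].append(a.name)
    return out

# Constructed sample inventory for a small school; not taken from the article.
INVENTORY = [
    Asset("teacher-laptops", "endpoint"),
    Asset("guest-wifi", "network", accesses_org_data=False, proposed_exclusion=True,
          segregated=True, justification="isolated SSID on its own VLAN, internet access only"),
    Asset("m365-tenant", "cloud", proposed_exclusion=True, segregated=True, justification="managed by the provider"),
    Asset("legacy-print-server", "server", vendor_supported=False),
]
```

Running `scope_statement(INVENTORY)` puts the guest Wi-Fi in the excluded list, keeps the teacher laptops in scope, and flags both the attempted Microsoft 365 exclusion and the unsupported print server as items to resolve with your Certification Body before assessment.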
Best Practices for Defining Scope
To ensure scoping goes smoothly:
Start early before assembling evidence or filling in assessment questions.
Document your scope boundary clearly — what’s included, what’s excluded, and why.
Discuss scope with your Certification Body at the outset.
Use the official Requirements for IT Infrastructure document (linked above) as your reference and checklist.
Maintain an inventory of all devices, services, and applications that will fall in scope.
Final Thoughts
Well-defined scope is the foundation of a successful Cyber Essentials assessment. It ensures that you are protecting what matters most in your organisation and helps avoid costly rework or assessment delays. By thinking through your assets, cloud services, networks, and endpoints, and by aligning with the official standard, you can plan for certification with confidence.
My name is Mark Kindred and I'm the senior assessor at Get Cyber Certified, an authorised and accredited IASME Certification Body. If you need support defining scope or preparing for assessment, www.getcybercertified.co.uk can provide guidance tailored to your organisation’s size and complexity. We also include scoping with our supported services. Feel free to contact me with any questions.