Why Network Segregation Matters: Cyber Security and Scoping Cyber Essentials
- The Assessor Team
- 3 days ago
- 7 min read

By Mark Kindred, Senior Assessor, Get Cyber Certified. Estimated reading time: 5 minutes
One of the first things I do when I start working with an organisation on their Cyber Essentials certification is talk through scope. It sounds straightforward — define what's in, define what's out — but in practice it's one of the areas where I see organisations come unstuck most often. And more often than not, the root cause is a misunderstanding of network segregation, or a network that simply hasn't been segregated at all.
In my experience as a senior assessor, getting your scope right is the single most important step in the certification process. And understanding network segregation is central to doing that well. With the significant changes coming to the scheme in April 2026, this has never been more relevant.
What Is Network Segregation?
Network segregation — sometimes called network segmentation — is the practice of dividing your IT network into smaller, isolated sections, each separated by a control such as a firewall or a VLAN (Virtual Local Area Network). I often describe it to clients as being like the compartments in a submarine: if one section floods, the bulkheads prevent the whole vessel from going under.
In a business context, this might mean separating your guest Wi-Fi from your corporate systems, isolating a legacy server that can no longer be patched, or keeping a development environment completely separate from your live production network.
The main technical mechanisms for achieving this are:
Firewalls — hardware or software controls that manage and restrict traffic between different network segments
VLANs — logical separation of network traffic, even where physical infrastructure is shared
Subnetting — splitting a network into smaller sub-networks using IP address ranges
None of these are especially complex in concept. But I regularly see organisations that have assumed their network is segregated when, on closer inspection, it isn't — or where a VLAN has been configured but never properly tested. The configuration has to be real, and it has to be verifiable.
Why Segregation Matters for Cyber Security
Even with solid perimeter defences in place, a determined attacker who gains an initial foothold inside your network will immediately start looking for ways to move sideways. The security industry calls this lateral movement — and it is one of the primary ways that a relatively minor initial compromise can escalate into a significant breach.
The NCSC's guidance on preventing lateral movement is clear that network segmentation is one of the most effective countermeasures you can deploy. By separating systems that have no legitimate need to communicate with each other, you force an attacker to overcome additional barriers at every stage. That slows them down and — critically — increases your chances of detecting the intrusion before it reaches something important.
I see this connection play out in IoT environments too. As we covered in our article Securing Your IoT Devices: Why Cyber Essentials is Crucial for Protection, IoT devices frequently run outdated firmware and still use default credentials that nobody has ever changed. If those devices sit on the same network as your file servers, your cloud management consoles, or your finance systems, a compromised smart device becomes a potential gateway into your entire estate. Network segregation is what stops that from happening.
Segregation and Scoping Cyber Essentials
This is where network segregation moves from a general cyber security best practice into a direct requirement — at least in practice — for your Cyber Essentials certification.
Whole Organisation Scope: Always the Starting Point
My starting point with every client is always whole-organisation scope. As I explain in our guide How to Scope Cyber Essentials, this is the ideal — it gives your organisation the most complete protection, and for UK businesses with a turnover below £20 million, it also unlocks the cyber liability insurance that comes bundled with the certification at no extra cost.
Whole-organisation scope captures everything: every device capable of sending or receiving internet traffic, every cloud service processing organisational data, every server, virtual machine, and end-user device used for business purposes. You can't exclude endpoints or cloud services simply because they're inconvenient to certify. The scheme doesn't allow it, and frankly, it wouldn't make sense from a security perspective either.
Sub-Set Scoping: Only Valid With Genuine Segregation
There are legitimate situations where certifying a sub-set of your organisation is the right approach. The most common scenario I encounter is where an organisation has legacy systems or unsupported devices that can no longer meet Cyber Essentials requirements because the manufacturer no longer supports them. Rather than failing the assessment because of one isolated legacy system, the right approach is to exclude that system from scope — but only if it is genuinely and technically isolated from the rest of the network.
As IASME's scoping guidance makes clear, a sub-set scope is only valid where the in-scope network is separated from out-of-scope systems by a firewall or VLAN. That segregation must control access to the in-scope portion and protect it from vulnerabilities that exist on the excluded network.
What I want to emphasise here, based on what I see during assessments, is that this has to be demonstrated — not just stated. Telling me your development environment is separate isn't enough. I need to see the evidence: the VLAN configuration, the firewall rules, or whatever technical control is in place. If you can't show it, it doesn't count.
For a full walkthrough of what qualifies as an acceptable exclusion and how to document it properly, I'd encourage you to read our How to Scope Cyber Essentials article.
MSPs and Third-Party Devices
I get asked regularly about Managed Service Providers and how their devices affect scope. The rule is straightforward: MSP devices are only in scope for Cyber Essentials if they have been purchased by the organisation being certified. Devices that are owned and operated by the MSP themselves fall outside your assessment scope.
It's worth being clear on this before you start building your asset inventory — and if there's any ambiguity in your specific arrangement, raise it with your certification body before you begin your application rather than discovering the issue mid-way through.
Common Mistakes I See During Assessments
Before moving on, it's worth calling out three misconceptions I come across repeatedly:
"Only devices that store our data are in scope" — this is wrong. Any device that accesses organisational data or services is in scope, regardless of whether it stores anything locally.
"We can exclude our cloud services because a third party manages them" — it depends on the service, but broadly you remain responsible for ensuring that Cyber Essentials controls are applied to cloud services your organisation uses. Outsourcing management may not outsource responsibility.
"Personal devices that staff use occasionally don't count" — if those devices are accessing your organisational systems or data without proper technical separation, they are in scope.
I cover all of these in more detail in the How to Scope Cyber Essentials guide.
What the April 2026 Changes Mean for Segregation
The April 2026 update — bringing in Requirements for IT Infrastructure v3.3 — raises the bar on scoping and segregation considerably. I've written a full breakdown in New Cyber Essentials Changes Announced for April 2026, but the headline points as they relate to this topic are:
Out-of-scope areas must now be explained and justified — you must describe what has been excluded from scope, why it has been excluded, and how it is segregated from in-scope systems. A vague scope statement won't cut it under v3.3.
Ambiguous terminology has been removed — the old qualifiers "untrusted" and "user-initiated" are gone. Any device capable of making or receiving an internet connection is in scope unless it sits in a properly segregated network segment.
Cloud services have a formal definition and cannot be excluded — if a cloud service processes or delivers organisational services, it's in scope. Full stop.
Unlimited scope descriptions — certificates will now record both what is in scope and what is out of scope, making transparency a published part of the certification.
These changes apply to all new assessment accounts created on or after 27 April 2026, with a six-month transition period for accounts opened before that date. The full updated requirements document is available on the NCSC website.
Practical Steps Before Your Assessment
Whether you're coming to Cyber Essentials for the first time or renewing ahead of the April changes, here's the checklist I work through with clients:
Start with our scoping guide — How to Scope Cyber Essentials covers the full picture, from simple whole-organisation scopes to complex multi-site environments.
Map your network properly — document your segments, what sits in each, and what controls separate them. If you don't have a network diagram, now is the time to create one.
Identify everything in scope — work through every device capable of internet connectivity, every cloud service in use, and every end-user device used for business purposes.
Document and evidence any exclusions — if you're excluding systems, show me the VLAN config or the firewall rules. The documentation needs to exist before the assessment starts, not be assembled during it.
Read the April 2026 changes — the New Cyber Essentials Changes article explains exactly what is changing and when.
Test your segregation — don't assume it works. Verify it. I've seen firewall rules that looked correct on paper but weren't functioning as intended.
Talk to your assessor before you start — this is genuinely the most valuable step. Scoping decisions made at the beginning of an assessment are easy to manage. Scoping problems discovered halfway through are not.
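As an added example (not from this article or from Get Cyber Certified), the check below models the "map your segments, then test the segregation" steps above together with the firewall, VLAN and subnet mechanisms described earlier: constructed subnets stand in for in-scope and excluded segments, a first-match default-deny rule list stands in for the firewall, and the check reports every excluded-to-in-scope flow the rules still permit. Segment names, addresses, ports and rules are all assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed segments for a hypothetical organisation (not a real network).
SEGMENTS = {
    "corporate":  ipaddress.ip_network("10.10.0.0/24"),     # in scope
    "servers":    ipaddress.ip_network("10.20.0.0/24"),     # in scope
    "legacy":     ipaddress.ip_network("10.99.0.0/24"),     # excluded: unsupported OS
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),  # excluded: visitors only
}
IN_SCOPE = {"corporate", "servers"}

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any port

def first_match(rules, src_ip, dst_ip, dport):
    """Evaluate one flow against a first-match, default-deny policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"  # nothing matched: the policy's implicit deny

def segregation_gaps(rules, ports=(22, 445, 3389)):
    """List every (excluded_segment, in_scope_segment, port) flow the policy
    still allows. An empty list is the evidence an assessor wants to see."""
    gaps = []
    for out_name, out_net in SEGMENTS.items():
        if out_name in IN_SCOPE:
            continue
        for in_name, in_net in SEGMENTS.items():
            if in_name not in IN_SCOPE:
                continue
            src, dst = str(out_net[10]), str(in_net[10])  # representative hosts
            for port in ports:
                if first_match(rules, src, dst, port) == "allow":
                    gaps.append((out_name, in_name, port))
    return gaps

# A policy that looks right on paper: the deny rule exists, but an over-broad
# "admin SSH" allow sits above it, so the legacy VLAN can still reach the servers.
PAPER_POLICY = [
    Rule("allow", "10.0.0.0/8", "10.20.0.0/24", 22),
    Rule("deny", "10.99.0.0/24", "10.0.0.0/8", None),
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", 445),
]
# Corrected policy: segment-level denies first, then narrow allows from in-scope only.
FIXED_POLICY = [
    Rule("deny", "10.99.0.0/24", "10.0.0.0/8", None),
    Rule("deny", "192.168.50.0/24", "10.0.0.0/8", None),
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", 22),
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", 445),
]
```

Running `segregation_gaps(PAPER_POLICY)` returns the one leaking flow (legacy to servers on port 22), while the corrected policy returns an empty list; the same table of results, with the rule export it was derived from, is the kind of evidence to have ready before the assessment starts.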
Final Thoughts
In my time as a senior assessor, scoping issues are the single most common reason I see organisations run into difficulty during a Cyber Essentials assessment. And almost every scoping problem comes back to one of two things: either the organisation doesn't fully understand what needs to be in scope, or they've assumed their network is segregated when it isn't.
Network segregation, done properly and evidenced correctly, gives you real security benefits and the flexibility to define a scope that accurately reflects your organisation. Get it wrong, and it creates gaps — both in your protection and in your certification.
If you'd like support with scoping, network architecture review, or your full Cyber Essentials certification journey, please feel free to get in touch. At Get Cyber Certified, scoping support is included in our supported service, and I'm always happy to talk through a specific situation before you commit to an approach.
Mark Kindred is the Senior Assessor at Get Cyber Certified, an IASME-accredited Cyber Essentials certification body. For support with your certification, visit www.getcybercertified.co.uk or email team@getcybercertified.co.uk.