Defining the scope for Cyber Essentials certification
The scope for certification to Cyber Essentials or Cyber Essentials Plus must be agreed by the certification body before any testing (assessment) can commence.
Certification can apply to the whole of an organisation’s enterprise IT or to a sub-set of the organisation. The scope must be declared at the Cyber Essentials stage for Cyber Essentials Plus. (The scope for both stages is the same).
The scope must be clearly defined in terms of:
the organisation or business unit managing it;
the network (infrastructure) boundary.
Whether the whole or a part of the organisation is subject to certification, the name on the certificate must be consistent with the scope.
The assessments are based on verifying the levels of protection against common, low-skilled, Internet-based threats as well as the broader risks they might face.
Testing covers the following three critical areas, depending on the level of certification that is being pursued (Cyber Essentials or Cyber Essentials Plus):
Types of testing:
Cyber Essentials and Cyber Essentials Plus
External Internet-accessible systems, including dedicated hosting platforms.
Cyber Essentials Plus
Internal systems – patching, configuration and vulnerabilities.
Internal systems – susceptibility of workstations and mobile devices, including tablets, to email- and web-based malware.
The Cyber Essentials scheme provides protection mainly where IT systems are based on commercial off-the-shelf (COTS) products, rather than large, heavily customised, complex solutions.
The systems that fall under the scope of Cyber Essentials include:
Internet-connected end-user devices (desktop PCs, laptops, tablets and smartphones)
Internet-connected systems (e.g. email, web and application servers).
In defining the scope, the organisation seeking certification will need to consider the role of service providers who, depending on the delivery of services, may be in scope. The important consideration is whether the organisation or the supplier retains responsibility for the relevant set of controls (boundary firewall and internet gateways, secure configuration, user access control, malware protection and patch management).
Organisations that use infrastructure as a service (IaaS) from a Cloud service provider, and have responsibility for any of the five control sets, will be required to include the service as part of the scope. In the case of software as a service (SaaS), where the organisation does not have responsibility for the controls, the service will be out of scope.
What is not in scope?
Cyber Essentials is not intended for use with bespoke IT systems, such as those found in manufacturing, industrial control systems, online retail and other environments.
Examples of these types of systems are:
Supervisory control and data acquisition (SCADA)
Distributed control systems (DCS)
Programmable logic controllers (PLC)
Point of sales (POS)
PIN entry devices (PED)
Source: CREST and the Cyber Essentials scheme
IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.
View the three solutions for certification >>