Setting the scope for Cyber Essentials Certification
This blog post outlines the scope and requirements for achieving Cyber Essentials certification, a UK government-backed scheme designed to help organisations protect themselves from common cyber threats.
The certification process must cover the entire IT infrastructure an organisation uses to conduct its business. Alternatively, a well-defined and separately managed subset of the infrastructure can be certified, provided it is clearly defined in terms of business unit, network boundary, and physical location. The scope must be agreed upon with the certification body before the assessment begins.
Organisations that include their entire IT infrastructure within the scope achieve the highest level of protection and inspire the most confidence among their customers. The requirements apply to all devices and software within the defined scope that meet any of the following criteria:
Can accept incoming network connections from untrusted internet-connected hosts.
Can establish user-initiated outbound connections to devices via the internet.
Control the flow of data between any such devices and the internet.
A scope that excludes end-user devices is not acceptable for certification.
While asset management is not a specific control under Cyber Essentials, it plays a crucial role in meeting all five controls of the certification. Effective asset management helps organisations track and control the devices introduced into the business, thereby enhancing security. Integrating asset management across functions such as IT operations, financial accounting, and procurement can reduce conflicts and improve decision-making.
The goal of asset management is to maintain accurate, authoritative information about assets that supports both day-to-day operations and long-term security.
Bring Your Own Device (BYOD):
User-owned devices that access organizational data or services are in scope.
Devices used only for native voice or text applications, or multi-factor authentication (MFA), are out of scope.
BYOD complicates consistent implementation of security controls, so strong access policies are recommended.
Home Working:
All corporate or BYOD devices used for home working are in scope.
If the organisation provides a router to the home worker, it is also in scope; otherwise, routers provided by ISPs are out of scope.
Devices using a corporate VPN have their internet boundary at the company firewall or virtual/cloud firewall.
Wireless Devices:
Wireless devices that can communicate via the internet are in scope.
Devices that cannot be attacked directly over the internet or are part of an ISP router at a home location are out of scope.
Cloud Services:
If organisational data or services are hosted on cloud services, those services must be in scope.
Responsibilities for implementing controls vary depending on the type of cloud service (IaaS, PaaS, SaaS). Organisations must ensure that their cloud providers implement necessary controls, as defined in the shared responsibility model.
Third-Party Accounts and Managed Infrastructure:
All accounts owned by the organisation, even if used by third parties like suppliers or Managed Service Providers (MSPs), are in scope.
Organisations must ensure that external services meet Cyber Essentials controls and can demonstrate compliance during assessments.
Devices Used by Third Parties:
End-user devices owned by the organisation and loaned to third parties must be included in the assessment scope.
Devices not owned by the organisation are generally out of scope, but the organisation remains responsible for ensuring that they interact correctly with organisational services and data.
Web Applications:
Publicly available commercial web applications are in scope.
Custom components of web applications are out of scope, but organisations should follow best practices such as the OWASP Application Security Verification Standard to mitigate vulnerabilities.
Clearly defining the scope of Cyber Essentials certification is essential to ensuring comprehensive protection. We’ve highlighted the necessity of including all relevant devices, software, and services, particularly in contexts such as BYOD, home working, and cloud services. Proper asset management and careful coordination with third-party service providers are also crucial for maintaining security and achieving certification.
The certification process requires a thorough understanding of the IT infrastructure, the risks it faces, and the steps necessary to mitigate those risks. By adhering to these guidelines, organisations can achieve robust cyber security and build greater trust with their customers.
If you’d like to hear more about Intrepid Technology Auditing and Intrepid Advisory Services then please reach out to sales@beintrepid.co.uk to set up a free consultation and Q&A session about what types of technology evaluations you’d like to conduct.