SCOPING & PROCESS
How to scope a Cyber Essentials assessment — and why getting it wrong is costly.
Scope is where most Cyber Essentials problems start. Define it too broadly and you create unnecessary work. Define it too narrowly and your certificate may not satisfy your client. Here is how to get it right.
What scope means in Cyber Essentials
The scope of a Cyber Essentials assessment defines which systems, devices, and users are included in the certification. Everything in scope must meet the Cyber Essentials requirements. Everything out of scope is excluded from the assessment — but that exclusion has consequences.
The default scope for Cyber Essentials is your entire IT estate. You can reduce the scope to a subset of your organisation, but you must be able to demonstrate clear boundaries between in-scope and out-of-scope systems, and your certificate will reflect the limited scope.
Why scope matters to your client
If a client has asked for Cyber Essentials, they are asking for assurance that your organisation meets baseline security controls. A certificate with a narrow scope — covering only part of your organisation — may not provide the assurance they need.
Before you define your scope, understand what your client is actually asking for. If they need confidence that their data will be handled securely, the systems that handle their data must be in scope. A certificate that excludes those systems is not what they asked for, even if it is technically valid.
Common scoping mistakes
The most common mistakes fall into three groups. Scoping too broadly: including legacy systems or BYOD devices that cannot meet the requirements, which creates unnecessary remediation work. Scoping too narrowly: excluding systems that handle client data, which makes the certificate meaningless to the buyer who asked for it. Unclear boundaries: defining a scope that cannot be clearly distinguished from out-of-scope systems, which creates confusion during assessment.
How to define scope correctly
Start with your client requirement. What systems handle their data or connect to their environment? Those must be in scope.
Then identify clear boundaries. If you are excluding part of your organisation, there must be a genuine technical or organisational separation. "We decided not to include those systems" is not a valid boundary.
Finally, verify that everything in scope can meet the requirements. If you have systems in scope that run unsupported software or cannot be patched, you have a problem that needs to be resolved before assessment — not during it.
SCOPE DEFINES WHAT YOUR CERTIFICATE MEANS
A Cyber Essentials certificate is only as meaningful as its scope. Before you finalise your scope, ask yourself: if my client saw this scope statement, would they be satisfied that it covers what they asked for?
NOT SURE WHAT TO INCLUDE?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.