Cyber Essentials Scoping: The Decision That Determines Whether You Pass or Fail


Key Takeaways

  • Scoping defines the boundary of your assessment; get it wrong and you are either under-protected or setting yourself up to fail.
  • All devices that access organisational data or connect to the internet are in scope. Exclusions must be formally documented.
  • Remote workers, BYOD and cloud services cannot be excluded. They are in scope by default.
  • Cyber Essentials Plus audits scan every externally facing IP address and test a representative sample of devices. The scope you declared in writing is verified in practice.
  • Network segmentation is a legitimate tool for managing scope, but it must be genuine, documented and verifiable.

Introduction

Most organisations focus on the five technical controls when preparing for Cyber Essentials. Fewer give the same attention to scoping, and that is where assessments are quietly lost before a single question has been answered. The scope defines exactly which systems, devices and services are being assessed. Too broad, without the right controls in place, and you create avoidable failure points. Too narrow, in an attempt to exclude complexity, and you produce a certificate that does not reflect your real environment, something a Cyber Essentials Plus technical audit will reveal very quickly.

This blog sets out what belongs in scope, what can legitimately be excluded and where organisations most commonly go wrong.

What Scoping Actually Means in Cyber Essentials

The NCSC’s Requirements for IT Infrastructure are clear on the starting point. Your assessment should cover the whole of the IT infrastructure used to carry out your organisation’s business or, if necessary, a well-defined and separately managed sub-set. Either way, you must define the scope boundary clearly and agree this with your Certification Body before the assessment begins.

The requirements apply to any device or service that can accept incoming connections from the internet, can establish outbound connections to the internet or control data flow between devices and the internet. A scope that excludes end user devices entirely is not acceptable. Under the updated Danzell question set, which went live from 27 April 2026, scope descriptions must be formally recorded in full and any areas excluded must be explicitly described. Our post on what is changing in Cyber Essentials in April 2026 covers those documentation changes in detail.

The important point is that organisations who certify their whole IT infrastructure achieve the best protection and give clients and partners the strongest assurance. Attempting to carve out sections to simplify the assessment is a short-term approach that creates long-term risk.

What is ‘In Scope’ and What Cannot Be Excluded?

These are the areas that consistently catch organisations off guard.

  1. Remote and home workers – Any device a home or remote worker uses to access organisational data or services is in scope. The ISP-provided broadband router at their home is out of scope but the End User Device (EUD) itself is not. If that device connects to organisational systems without a corporate VPN, a software firewall must be configured on it. If your organisation supplies the home worker’s router, that router is also in scope.
  2. BYOD (Bring Your Own Device) – If a personally owned device accesses organisational email, cloud services, or any other organisational data, it falls within scope. Many organisations discover mid-assessment that their informal BYOD approach has created a far wider scope than they anticipated.
  3. Cloud services – If your organisation’s data or services are hosted on cloud platforms, those platforms must be in scope. This covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), including Microsoft 365, Google Workspace, Dropbox and similar tools. The Danzell update makes clear that cloud services cannot be excluded under any circumstances. Critically, multi-factor authentication (MFA) is now mandatory on every cloud service where it is available, whether it is included in the licence or requires a paid upgrade. Leaving MFA disabled is an automatic fail.

Network Segmentation: The One Legitimate Scoping Tool

If a part of your infrastructure is genuinely and verifiably separated from the rest of the network, it may be possible to exclude it from scope as a defined sub-set. Genuine segmentation means there are no shared credentials, no data flows crossing the boundary and no connected pathways between the in-scope and out-of-scope environments, with that separation enforced by a firewall or VLAN rather than just described in a network diagram. This approach is used most commonly by organisations with operational technology (OT) or industrial control system (ICS) environments that are physically and logically separated from the corporate IT network. For those organisations, segmentation can be a proportionate and legitimate way to manage scope.

Saying you have kept two parts of your network separate is not enough; you need to be able to demonstrate it. During a Cyber Essentials Plus assessment, the assessor will check that the separation actually holds up in practice before any testing begins. If it turns out the two sides of the network can still communicate, or share the same login credentials, the exclusion does not stand. At that point, what you thought was out of scope is back in and the assessment has to account for it, which brings us directly to the CE+ picture.
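To make that verification concrete, here is an added example (not Pera Prometheus’ or the NCSC’s tooling) that checks a claimed exclusion against the two things described above: a first-match firewall policy with an implicit final deny, and the account lists on each side of the boundary. All addresses, rules and account names are constructed, and the corporate IT network is taken as in scope with the OT segment claimed out of scope.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source CIDR the rule matches
    dst: str     # destination CIDR the rule matches

def first_match(rules, src_ip, dst_ip):
    """Evaluate a first-match firewall policy with an implicit final deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"

def crossing_paths(rules, in_scope_hosts, excluded_hosts):
    """Host pairs, in either direction, that the policy lets talk across the boundary."""
    paths = []
    for a in in_scope_hosts:
        for b in excluded_hosts:
            for src, dst in ((a, b), (b, a)):
                if first_match(rules, src, dst) == "allow":
                    paths.append((src, dst))
    return paths

def shared_accounts(in_scope_accounts, excluded_accounts):
    """Credentials present on both sides defeat the exclusion even without a network path."""
    return sorted(set(in_scope_accounts) & set(excluded_accounts))

def exclusion_holds(rules, it_hosts, ot_hosts, it_accounts, ot_accounts):
    """True only when neither a permitted flow nor a shared account crosses the boundary."""
    return not crossing_paths(rules, it_hosts, ot_hosts) and not shared_accounts(it_accounts, ot_accounts)

# Constructed sample inventory: corporate IT is in scope, the OT segment is claimed out of scope.
IT_HOSTS = ["10.10.1.20", "10.10.2.7"]
OT_HOSTS = ["192.168.50.10", "192.168.50.11"]
# Policy that backs the exclusion: explicit denies between the zones, then internet egress for IT.
SEGMENTED = [Rule("deny", "10.10.0.0/16", "192.168.50.0/24"),
             Rule("deny", "192.168.50.0/24", "10.10.0.0/16"),
             Rule("allow", "10.10.0.0/16", "0.0.0.0/0")]
# Same egress rule with the denies forgotten: "any" now includes the OT segment.
LEAKY = [Rule("allow", "10.10.0.0/16", "0.0.0.0/0")]
IT_ACCOUNTS = ["alice", "bob", "svc-backup"]
OT_ACCOUNTS = ["operator", "svc-backup"]  # svc-backup is reused on both sides
```

Run against your real rule export and account lists, the same check flags exactly what the assessor would find: a broad egress rule that reaches the excluded segment, or a service account that exists on both sides.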

How Cyber Essentials Plus Changes the Scoping Calculation

Cyber Essentials is a verified self-assessment. You describe your scope in writing, a director signs the declaration and an assessor reviews the answers. Cyber Essentials Plus puts that scope to the test in a way the self-assessment cannot. As an approved certifying body for both Cyber Essentials and Cyber Essentials Plus, Pera Prometheus guides organisations through this transition and the difference in what each level demands.

The CE+ assessor must verify that the declared scope matches the actual networks and systems before any testing begins. They then scan every externally facing IP address for known vulnerabilities. They test a representative sample of end user devices for patching, malware protection and account separation, and verify that MFA is active on every cloud service in scope. Under the Danzell changes, the self-assessment must be finalised and ‘locked’ before testing starts. There is no opportunity to adjust the scope once the auditor is in.

Scope decisions that look reasonable on paper can unravel quickly once a scanner is running. Our post on Cyber Essentials vs Cyber Essentials Plus explains the full difference between the two levels and when each is required.

Common Scoping Mistakes That Cause Failures

These are the errors that come up most often in practice.

  1. Declaring a narrower organisational boundary than actually exists – Subsidiaries, joint ventures and companies sharing infrastructure with the applicant may need to be included. Under Danzell, all legal entities within the scope must be named with their registered company number and address. They cannot be added after certification is complete. Under CSM v4, Prime Contracting Authorities also carry flow-down liability, so a subsidiary’s lapsed or incorrectly scoped certificate is a commercial problem for the whole chain.
  2. Treating cloud services as someone else’s responsibility – A Managed Service Provider (MSP) or cloud provider may implement certain controls on your behalf, but your organisation remains responsible for confirming those controls are in place and evidencing it in the assessment. “Our IT provider handles that” is not a scope exclusion.
  3. Assuming the ISP router covers remote workers – The ISP router is out of scope but the EUD behind it is not, and it should have a correctly configured software firewall.
  4. Not declaring all legal entities – Where multiple companies operate under the same certificate, each must be formally named before certification is complete. This is not an administrative afterthought. It is a requirement that cannot be corrected retrospectively.

Why Pera Prometheus?

Getting the scope right before the assessment begins saves time, cost and the frustration of having to restart. At Pera Prometheus, we have the knowledge and experience of working with defence contractors and commercial organisations on clarifying boundaries, identifying risk before the assessor does and certifying both Cyber Essentials and Cyber Essentials Plus as an approved certifying body. Our Cyber Essentials expert, Amy Osborne, helps organisations by explaining the certification process and guiding them through it. Our dedicated Cyber Essentials Certification page provides all the required information. It is vital to engage early and scope this out properly from the start.

Frequently Asked Questions

Q: Can I exclude our cloud systems from the Cyber Essentials scope?

A: No. If your organisation’s data or services are hosted on cloud platforms, those platforms must be included in the scope and MFA must be enabled on every cloud service where it is available.

Q: We use BYOD; does that mean all our employees’ personal phones are in scope?

A: Only if those devices access organisational data or services. Devices used purely for voice calls, texts or MFA applications are exempt. Any personal device accessing organisational email, files or cloud services is in scope.

Q: We have two subsidiary companies on the same network; do we need separate certificates?

A: Not necessarily, but both entities must be named in the scope declaration with their registered company number and address. Individual certificates can be requested for each legal entity at an additional cost. This must be agreed and declared before certification is complete.

Stay Safe, Stay Secure