Understanding the Scope of Cyber Essentials Certification

Setting the scope for Cyber Essentials certification, a UK government-backed scheme.

Cyber Essentials is a UK government-backed certification designed to help organisations protect themselves from common cyber threats. But achieving certification isn’t just about ticking boxes; it requires a clear understanding of your IT infrastructure and how it supports your business.


What’s in Scope?

To be certified, organisations must define the IT infrastructure covered by the assessment. Ideally, this includes all systems and devices used to run the business. In some cases, a clearly separated and self-contained subset may be certified, but it must be agreed with the certification body ahead of time. Scoping out end-user devices is not permitted, as these are critical to cybersecurity.

Any device or software that connects to the internet, accepts inbound connections, initiates outbound connections, or controls internet-bound data flow falls within the scope. The broader the scope, the more effective the protection—and the greater the confidence clients and partners can place in your security posture.

The Role of Asset Management

Although not a named control in the Cyber Essentials framework, asset management is foundational to achieving compliance. Maintaining an accurate record of all hardware and software ensures organisations can apply security measures consistently. Integrating asset data across IT, finance, and procurement functions improves visibility and strengthens decision-making, ultimately reducing risks across the board.

Special Considerations

Bring Your Own Device (BYOD):
Personal devices accessing company data or systems are included in scope. Exceptions exist for devices used only for calls, texts, or authentication purposes. Due to the variability of user-owned devices, strong access policies are essential.

Home Working:
Any device used for remote work, whether company-issued or BYOD, must be included in the certification scope. If the company provides a router, it too is included. Routers supplied by internet providers are excluded, but devices using a company VPN are protected by corporate firewalls and still fall within scope.

Wireless Devices:
Wireless devices capable of internet communication must be covered. However, devices isolated from the internet or embedded in ISP-supplied home routers are not assessed.

Cloud Services:
When business data or services are hosted in the cloud, the cloud environment must be included. Responsibilities differ depending on whether the service is Infrastructure, Platform, or Software as a Service (IaaS, PaaS, SaaS). Organisations must ensure their providers meet Cyber Essentials requirements as part of the shared responsibility model.

Third Parties and Outsourced Services:
If third parties use accounts or infrastructure owned by the organisation, these are in scope. Even if devices are not owned by the business, it is still accountable for ensuring secure interaction with company data and systems.

Web Applications:
Commercial, publicly available web applications must be assessed. While custom code components are technically out of scope, adhering to secure development best practices, such as those from the OWASP ASVS, remains critical.

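The scoping rules above (internet-connected or inbound/outbound devices are in, ISP-supplied home routers and call/text/authentication-only personal devices are out, isolated devices are not assessed) and the asset-management advice to cross-reference IT, finance and procurement records can be turned into a repeatable pre-assessment check. The script below is an added example, not part of the original article and not a tool from Intrepid or from the Cyber Essentials scheme; the CSV exports, column names (`kind`, `owner`, `usage`, `internet`, `inbound`, `outbound`, `vpn`) and the ordering of the rules are the example's own assumptions and should be mapped onto your real asset registers and checked against the current scheme requirements.

```python
"""Asset register reconciliation and Cyber Essentials scope pre-check.

Added example: the sample exports, field names and rule encoding are
constructed for illustration and are not the scheme's official definition.
"""
import csv
import io

# Constructed sample exports from three functions. In practice these would
# come from the IT asset tool, the fixed-asset ledger and the purchasing system.
IT_INVENTORY_CSV = """\
asset_id,kind,owner,internet,inbound,outbound,usage,location,vpn
LAP-001,laptop,company,yes,no,yes,work,home,yes
LAP-002,laptop,company,yes,no,yes,work,office,no
PHN-010,phone,byod,yes,no,yes,auth_only,home,no
PHN-011,phone,byod,yes,no,yes,work,home,no
RTR-001,router,isp,yes,yes,yes,work,home,no
RTR-002,router,company,yes,yes,yes,work,home,no
PLC-001,controller,company,no,no,no,work,office,no
"""

FINANCE_CSV = """\
asset_id,purchase_cost
LAP-001,1200
LAP-002,1200
LAP-003,1350
RTR-002,90
"""

PROCUREMENT_CSV = """\
asset_id,supplier
LAP-001,ACME
LAP-002,ACME
LAP-003,ACME
RTR-002,NetCo
SRV-001,HostCo
"""


def load_rows(csv_text):
    """Parse one CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def scope_decision(asset):
    """Classify one asset under the article's scoping rules.

    Returns (in_scope, reason). Exclusions are tested first so that an
    ISP router or an auth-only personal phone is not pulled in merely
    because it is internet-connected. Rule order is this example's choice.
    """
    connected = any(asset[f] == "yes" for f in ("internet", "inbound", "outbound"))
    if asset["kind"] == "router" and asset["owner"] == "isp":
        return False, "ISP-supplied home router is excluded"
    if asset["owner"] == "byod" and asset["usage"] in ("calls_texts", "auth_only"):
        return False, "personal device used only for calls, texts or authentication"
    if not connected:
        return False, "no internet, inbound or outbound connectivity; not assessed"
    note = " (remote worker on company VPN)" if asset["vpn"] == "yes" else ""
    return True, "connects to the internet or handles inbound/outbound traffic" + note


def classify_inventory(it_rows):
    """Map every asset_id in the IT register to its (in_scope, reason) pair."""
    return {row["asset_id"]: scope_decision(row) for row in it_rows}


def reconcile(it_rows, finance_rows, procurement_rows):
    """Cross-check the three registers.

    missing_from_it: ids finance or procurement know about but IT does not,
                     i.e. equipment that may be running outside the scope.
    unfunded_in_it:  company-owned kit IT tracks but finance has no record of,
                     a sign the registers have drifted apart.
    """
    it_ids = {r["asset_id"] for r in it_rows}
    company_ids = {r["asset_id"] for r in it_rows if r["owner"] == "company"}
    fin_ids = {r["asset_id"] for r in finance_rows}
    proc_ids = {r["asset_id"] for r in procurement_rows}
    return {
        "missing_from_it": sorted((fin_ids | proc_ids) - it_ids),
        "unfunded_in_it": sorted(company_ids - fin_ids),
    }


if __name__ == "__main__":
    it = load_rows(IT_INVENTORY_CSV)
    for asset_id, (in_scope, reason) in classify_inventory(it).items():
        print(f"{asset_id}: {'IN ' if in_scope else 'OUT'} - {reason}")
    gaps = reconcile(it, load_rows(FINANCE_CSV), load_rows(PROCUREMENT_CSV))
    print("Known elsewhere but absent from IT register:", gaps["missing_from_it"])
    print("Company assets with no finance record:", gaps["unfunded_in_it"])
```

Run against the constructed data, the check flags LAP-003 and SRV-001 as equipment that procurement or finance paid for but IT has never registered, which is exactly the kind of unlisted device that ends up outside the declared scope; the classification output is a starting list for the certification body conversation, not a substitute for it.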

Conclusion

Defining a clear and comprehensive scope is one of the most important steps toward achieving Cyber Essentials certification. It ensures no critical system or connection is overlooked and that security controls are applied where they’re needed most.

From managing assets and cloud environments to overseeing third-party access and remote working practices, success lies in understanding your full digital footprint. By following these guidelines, organisations not only meet the certification criteria but also strengthen trust with stakeholders and take a meaningful step toward long-term cybersecurity resilience.


If you’d like to hear more about Intrepid Technology Auditing and Intrepid Advisory Services, please reach out to sales@beintrepid.co.uk to set up a free consultation and Q&A session about the types of technology evaluations you’d like to conduct.