Cyber Essentials scope definition

Cyber Essentials scope definition under Evendine

By Tom Boughton Cyber Security Apprentice. The new Cyber Essentials Evendine standard was introduced in January, bringing with it some significant changes to the scheme requirements particularly around Cyber Essentials scope definition.

Key changes include:


The Cyber Essentials scope definition also changed under Evendine:

In order to have a “whole company” in scope, while still having a sub-set network (that contains legacy software, for example), the sub-set must be separated by a VLAN or firewall, and have Internet access removed. The sub-set network must not be able to initiate an inbound request to an in-scope network, but may respond to requests made from devices on the in-scope network.

To achieve “partial company” in scope, the segregated network must be given a name (such as “workshop network”). This must then be declared in Question 2.2 for example “Indelible Data Ltd network excluding workshop network”. The workshop sub-set may have connection to the internet but must not able to make inbound requests to an organisation’s in-scope network.

Alternatively, an organisation can scope a “sub-set” of their organisation and exclude the corporate network. This can be done by naming the sub-set, for example “development network”. This must then be declared in Question 2.2 in a statement such as “Indelible Data development network excluding corporate and training network”.

A detailed explanation of Cyber Essentials scope definition, can be found in our Lead Assessor Tony Wilson’s blog 

Other changes include:

Cloud Services

The security configuration for cloud services now comes under a shared responsibility model, where depending on the service, a Cyber Essentials applicant could be responsible for part of the cloud security configuration, with the provider being responsible for the rest. This varies between IaaS, PaaS, and SaaS. It is the responsibility of the applicant to ensure that a cloud service is correctly configured.

Home Working

The number of home workers in an organisation must now be declared in Question 1.7. Home workers who use ISP routers need not have their ISP home router in scope. Instead, software/host-based firewalls, or hardware firewalls can be used to separate devices from other home equipment.

Passwords and multi-factor authentication

Due to the wide availability of multi factor authentication (MFA), it is now included in Cyber Essentials. The NCSC has released a guide allowing an organisation to choose a suitable MFA method that is manageable for its staff. The guide has also been updated in Evendine to follow NCSC guidance, which can be found here. Note, however, that using a second piece of information you know (such as the name of your school) as the only other factor (other than your password) is not permitted in Cyber Essentials.


Backups are not required in Cyber Essential however, the NCSC still strongly recommends that applicants should have suitable backup and recovery procedures.


Due to the changes and increased work required by Certification Bodies to assess a Cyber Essentials report, costs have increased according to company size. More information on this can be found on our website here.


This Blog is based on a post by the NCSC, which can be read in full here.