As a Cyber Essentials scheme applicant, you will need to ensure that your organisation meets all the requirements of the scheme.
Your Cyber Essentials assessment and certification can cover the whole IT infrastructure, or a sub-set. However you define your boundary, the Cyber Essentials requirements will apply to any devices within the scope that meet one of the following conditions:
- Can accept incoming network connections from untrusted Internet-connected hosts; or
- Can establish user-initiated outbound connections to devices via the Internet; or
- Control the flow of data between any of the above devices and the Internet.
You must include some end-user device (EUDs) in your scope.
In addition to mobile or remote devices owned by your organisation, user-owned devices that access organisational data (including emails) or services are in scope.
Cloud Services are within the scope of the certification. For Cloud services, the applicant is always responsible for ensuring all the controls are implemented, but some of the controls can be implemented by the Cloud service provider. Commercial web applications created by development companies (rather than in-house developers) and publicly accessible from the Internet are in scope by default.