Cyber Essentials: Requirements for IT infrastructure v3.1
All material is UK Crown Copyright ©
Workspace, mobile device management containers, Citrix Desktop, Virtual Desktop solutions
or IP telephony.
• A sub-set is part of the organisation whose network is segregated from the rest of the
organisation by a firewall or VLAN.
• Servers are devices that provide organisational data or services to other devices as part of
your organisation’s business.
• Licensed and supported software is software that you have a legal right to use and that a
vendor has committed to support by providing regular updates or patches. The vendor must
provide the future date when they will stop providing updates. (Note that the vendor
doesn’t need to have created the software originally, but they must be able to now modify
the original software to create updates).
C. Scope
Scope overview
Your assessment and certification should cover the whole of the IT infrastructure used to carry out
your organisation’s business, or if necessary, a well-defined and separately managed sub-set. Either
way, you must clearly define the scope boundary, namely: the business unit managing it, the
network boundary and physical location. You must agree the scope with the certification body
before assessment begins.
A sub-set can be used to define what is in scope or what is out of scope for your Cyber Essentials
certification.
Please note: Organisations that choose a scope which includes their whole IT infrastructure achieve
the best protection and maximise their customers' confidence.
The requirements apply to all devices and software in scope and which meet any of these
conditions:
• can accept incoming network connections from untrusted internet-connected hosts
• can establish user-initiated outbound connections to devices via the internet
• control the flow of data between any of the above devices and the internet.
A scope that doesn’t include end-user devices isn’t acceptable.
Asset management and Cyber Essentials
Asset management isn’t a specific Cyber Essentials control, but effective asset management can help
meet all five controls, so it should be considered as a core security function.
Most business operations depend on some aspect of asset management, and cyber security
shouldn’t be considered in isolation, or as the primary consumer of asset information. These
functions include IT operations, financial accounting, managing software licences, procurement and
logistics. They may not all need the same information, but there will be overlaps and dependencies
between the respective requirements. Integrating and coordinating asset management across your
organisation will help reduce or manage any conflicts between these functions.
Effective asset management doesn’t mean making lists or databases that are never used. It means
creating, establishing and maintaining authoritative and accurate information about your assets that
enables both day-to-day operations and efficient decision making when you need it. In particular, it
will help you track and control devices as they're introduced into your business.