Questionnaire Part 2 Scope of Assessment

Scope of Assessment

Info
This section is used to define the scope of the assessment.
You must answer all of the questions in this section. Any unanswered questions will delay the assessment.
Please read all the help text, as it is important that you answer all the questions correctly.

A2.1 Assessment Scope

Does the scope of this assessment cover your whole organisation?

Alert
Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company. If you answer 'No' to this question you will not be invited to apply for insurance.
Your whole organisation would include all divisions and all people and devices that use business data.

Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Where possible, we recommend that your assessment should cover the whole organisation.
If you answer yes to this question, you will move directly to A2.3. If you answer no, you will move to A2.2 and be asked for more information.

A2.2 Scope Description

If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?
Alert
Your scope description should provide details of any areas of your business that have internet access and have been excluded from the assessment (for example, "whole organisation excluding development network").

Info
Please give a short description of what part of the company is in scope, e.g., XYZ Company Ltd UK offices only.

A2.3 Geographical Location

Please describe the geographical locations of your business which are in the scope of this assessment.
Alert
You should provide either a broad description (e.g., All UK offices) or simply list the locations in scope (e.g., Manchester and Glasgow retail stores).
Info
For home workers, a description such as "Home workers throughout UK" is sufficient—you do not need to give precise locations.

A2.4 End User Devices

Please list the quantities of laptops, desktops, and virtual desktops within the scope of this assessment. You must include the model and operating system version for all devices. For Windows 10 devices the Edition and Feature version are also required. All devices that connect to cloud services must be included.
Alert
Please provide a summary of all laptops, computers, and virtual desktops that are used for accessing organisational data or services and have access to the internet
(for example, "We have 25 DELL Vostro 5510 laptops running Windows 10 Professional version 20H2 and 10 MacBook Air laptops running macOS Big Sur").
You do not need to provide serial numbers, MAC addresses or further technical information.
Warning
A scope that does not include end user devices is not acceptable.
Info
You must list all the laptops, desktops, and virtual desktops that are within scope for this assessment. We also need the operating system version and model of each device.
We use this question to check that all the devices and operating systems are supported by the manufacturer.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
12 x Dell Latitude 3420 running Windows 10 Pro 21H2
6 x Dell Latitude 3420 running Windows 11 Pro 21H2
6 x Apple MacBook Pro (M2, 2022) laptops running macOS Ventura 13

You can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support devices or operating systems will cause delays to the assessment and may render the result as a fail.

A2.4.1 Thin Client Devices

Please list the quantity of thin clients within scope of this assessment. Please include make, model, and operating systems.
Alert
This question is currently for information only. From January 2023 this question will require that your thin clients are supported and receiving security updates and will be marked for compliance. Thin clients are currently in scope for all other controls.

Please provide a summary of all the thin clients in scope that are connecting to organisational data or services (definitions of which are in the 'CE Requirements for Infrastructure' document, linked here: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/).
Info
You can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support devices or operating systems will cause delays to the assessment.

A2.5 Servers

Please list the quantities of servers, virtual servers and virtual server hosts (hypervisors). You must include the operating system.
Alert
Please list the quantity of all servers within scope of this assessment. For example: 2 x VMware ESXi 6.7 hosting 8 virtual Windows 2016 servers; 1 x MS Server 2019; 1 x Red Hat Enterprise Linux 8.3
Info
You must list all the servers, virtual servers, and virtual server hosts (hypervisors) that are within scope of this assessment. We also need the operating system version and model of each device.
We use this question to check that all the devices and operating systems are supported by the manufacturer.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
1 x Dell PowerEdge R520 running Windows Server 2012 Std 6.2.9
1 x Dell PowerEdge C4140 VM running Windows Server 2022 Std Edition VM/Hyper-V

You can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support devices or operating systems will cause delays to the assessment and may render the result as a fail.

A2.6 Mobile Devices

Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include the model and operating system version for all devices. All devices that connect to cloud services must be included.
Alert
All tablets and mobile devices that are used for accessing business data and have access to the internet must be included in the scope of the assessment. This applies to both corporate and personally owned devices (BYOD). You do not need to provide serial numbers, MAC addresses or other technical information.
Warning
A scope that does not include end user devices is not acceptable.
Info
You must list all the tablets and mobile devices that are within scope of this assessment. We also need the operating system version and model of each device.
We use this question to check that all the devices and operating systems are supported by the manufacturer.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
8 x iPhone 12 Pro running iOS 15
1 x Google Pixel 3A running Android 12
2 x Samsung SM-G986B running Android 12

You can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support devices or operating systems will cause delays to the assessment and may render the result as a fail.
Alert
Please note that "business data" includes emails—any device that accesses emails is in scope.

A2.7 Networks

Please provide a list of the networks that will be in the scope for this assessment.

Alert
You should include details of each network used in your organisation, including its name, location and purpose (for example, Main Network at Head Office for administrative use; Development Network at Malvern Office for testing software; home workers' network, based in the UK). You do not need to provide IP addresses or other technical information.
You should also summarise any home workers and include their internet boundary, which will be taken into consideration for the assessment.
Info
For further guidance see the Home Working section in the 'CE Requirements for Infrastructure' document: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/
Info
You must list and briefly describe all the networks within scope of this assessment.
An example of an acceptable answer is:
Main network at Head Office for general everyday use.
Each user works from home but, other than mobiles, no BYOD devices are in use.
All devices used at home are XYZ Ltd managed devices.

A2.8 Network Equipment

Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.
Alert
You should include all equipment that controls the flow of data such as routers and firewalls. You do not need to include switches or wireless access points that do not contain a firewall or do not route internet traffic.
Info
You do not need to provide IP addresses, MAC addresses, or serial numbers.
Info
You must list and give us a short description of all the routers and firewalls within scope of this assessment.
An example of an acceptable answer is:
1 x Meraki MX76 firewall at our Glasgow Head Office

There is no need to list home workers' network equipment that is not owned by the company.

A2.9 Cloud Services

Please list all cloud services that are provided by a third party and used by your organisation.

Alert
You need to include details of all of your cloud services. This includes all types of services: IaaS, PaaS and SaaS. Definitions of the different types of cloud services are provided in the 'CE Requirements for Infrastructure' document. Please note that cloud services cannot be excluded from the scope of CE.
Info
You must list all the cloud services your company uses.
An example of an acceptable answer is:
Microsoft Office 365, AWS, Salesforce CRM, Dropbox, Xero

You can upload a CSV for this question, but please check the file thoroughly before upload.
Alert
Please note that Microsoft Office 365 is a cloud service.

A2.10 Responsible Person

Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.

Alert
This should be the person who influences and makes decisions about the computers, laptops, servers, tablets, mobile phones and network equipment within your organisation. This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider.
Info
An example of an acceptable answer is:
John Smith, Managing Director
or
Anna Gray, IT Manager