Questionnaire Part 2 Scope of Assessment

Notes
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. 

Scope of Assessment

Info
This section is used to define the scope of the assessment.
You must answer all of the questions in this section. Any unanswered questions will delay the assessment.
Please read all the help text, as it is important that you answer all the questions correctly. 

A2.1 Assessment Scope

Does the scope of this assessment cover your whole organisation?

Alert
Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company. If you answer 'No' to this question you will not be invited to opt in to the included insurance.
Your whole organisation includes all divisions, people and devices which access your organisation's data and services.

Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Where possible, we recommend that your assessment should cover the whole organisation.
If you answer 'Yes' to this question, you will move directly to A2.3. If you answer 'No', you will move to A2.2 and be asked for more information.

A2.2 Scope Description

If you are not certifying your whole organisation, then what scope description would you like to appear on your certificate and website?
Alert
You will need to have a clear excluding statement within your scope description, e.g., "whole organisation excluding development network".
Your scope description should provide details of any areas of your business that have internet access and have been excluded from the assessment.
Info
There is a limit of 300 characters for the scope description on the certificate.

Info
Please give a short description of which company networks are in scope, ensuring you detail what has been excluded e.g., "XYZ Company London office network only, excluding Bristol and Edinburgh office networks".  

A2.3 Geographical Location

Please describe the geographical locations of your business which are in the scope of this assessment.
Alert
You should provide either a broad description (e.g., All UK offices) or simply list the locations in scope (e.g., Manchester and Glasgow retail stores).

A2.4 End User Devices

Please list the quantities and operating systems for your laptops, desktops, and virtual desktops within the scope of this assessment.
Alert
You must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for you to list the model of the device.
Devices that are connecting to cloud services must be included.
A scope that does not include end user devices is not acceptable.
You need to provide a summary of all laptops, computers, virtual desktops and their operating systems that are used for accessing organisational data or services and have access to the internet.
For example, "We have 25 DELL laptops running Windows 10 Professional version 22H2 and 10 MacBook laptops running MacOS Ventura".
Please note, the edition and feature version of your Windows operating systems are required.
This applies to both your corporate and user owned devices (BYOD).
You do not need to provide serial numbers, MAC addresses or further technical information.

Extended Security Update schemes
For any end-of-life operating system that has an extended security update program, you must maintain the required subscription.
If you are using Windows 10 beyond 14th October 2025 you must be signed up to the Microsoft Extended Security Update program in order to remain compliant.

Further guidance:

You must list the quantities, operating system version, and make of the laptops, desktops, and virtual desktops that are within scope for this assessment.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
12 x DELL running Windows 11 Pro 24H2
6 x Lenovo running Windows 11 Pro 24H2
6 x Apple running Sequoia

You can upload a CSV for this question, but please check the file thoroughly before upload. Any unsupported operating systems will cause delays to the assessment and may render the result as a fail.
If you upload a CSV, we recommend your applicant notes simply say 'See attached' or similar to avoid the need for crosschecking the file against your written answer, which tends to cause delays (especially if the organisation is large or complex).
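As an added example (not part of the IASME guidance or any assessor tooling), the script below turns a constructed device inventory CSV into the "N x Make running OS" summary lines this question, and A2.5 and A2.6, ask for, and flags Windows 10 devices that would be non-compliant after 14th October 2025 without an Extended Security Update subscription. The column names and sample rows are assumptions; adapt them to your own asset register.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample inventory (not from the guidance): one row per device.
# Column names are an assumption; adapt them to your own asset register.
INVENTORY_CSV = """hostname,make,os,edition,version,esu
LT-001,DELL,Windows,11 Pro,24H2,no
LT-002,DELL,Windows,11 Pro,24H2,no
LT-003,Lenovo,Windows,10 Pro,22H2,yes
LT-004,Lenovo,Windows,10 Pro,22H2,no
MB-001,Apple,macOS,,Sequoia,no
"""

# Windows 10 end of support, as stated in the guidance.
WINDOWS_10_EOL = date(2025, 10, 14)


def load_inventory(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def os_label(row):
    """Build the OS string the assessor expects, e.g. 'Windows 11 Pro 24H2'."""
    return " ".join(p for p in (row["os"], row["edition"], row["version"]) if p)


def summarise(rows):
    """Aggregate devices into 'N x Make running OS' lines, one per make/OS pair."""
    counts = Counter((r["make"], os_label(r)) for r in rows)
    return [f"{n} x {make} running {label}" for (make, label), n in sorted(counts.items())]


def flag_windows10_without_esu(rows, today_iso):
    """Return hostnames still on Windows 10 after end of support with no ESU
    subscription; the assessor will query these and they can fail the assessment."""
    if date.fromisoformat(today_iso) <= WINDOWS_10_EOL:
        return []
    return [
        r["hostname"]
        for r in rows
        if r["os"] == "Windows" and r["edition"].startswith("10") and r["esu"].lower() != "yes"
    ]


if __name__ == "__main__":
    devices = load_inventory(INVENTORY_CSV)
    print("\n".join(summarise(devices)))
    print("Needs ESU or replacement:", flag_windows10_without_esu(devices, date.today().isoformat()))
```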

A2.4.1 Thin Client Devices

Please list the quantity of thin clients within scope of this assessment. Please include make and operating systems.
Alert
Please provide a summary of all the thin clients in scope that are connecting to organisational data or services (definitions of which are in the 'CE Requirements for Infrastructure document' linked here: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/).
Thin clients are commonly used to connect to a Virtual Desktop Solution.

Thin clients are very simple computers that hold only a base operating system and are often used to connect to virtual desktops. Thin clients can connect to the internet, and some can be modified to operate more like PCs, which can create security complications. Cyber Essentials requires thin clients to be supported and receiving security updates.

Info
You can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support devices or operating systems will cause delays to the assessment.

If you upload a CSV, we recommend your applicant notes simply say 'See attached' or similar to avoid the need for crosschecking the file against your written answer, which tends to cause delays (especially if the organisation is large or complex).

A2.5 Servers

Please list the quantities of servers, virtual servers, virtual server hosts (hypervisors), and Virtual Desktop Infrastructure (VDI) servers. You must include the operating system.
Alert
Please list the quantity of all servers within scope of this assessment. For example: 2 x VMware ESXi 6.7 hosting 8 virtual Windows 2016 servers; 1 x MS Server 2019; 1 x Red Hat Enterprise Linux 8.3
Info
You must list all the servers, virtual servers, virtual server hosts (hypervisors), and Virtual Desktop Infrastructure (VDI) servers that are within scope of this assessment. We also need the operating system versions.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
1 x Windows Server 2019 ESU
2 x virtual Windows Server 2022, hosted in Azure

You can upload a CSV for this question, but please check the file thoroughly before upload. Any unsupported operating systems will cause delays to the assessment and may render the result as a fail.

A2.6 Mobile Devices

Please list the quantities of tablets and mobile devices within the scope of this assessment.
Alert
Please Note: You must include make and operating system versions for all devices. All user devices within the scope of the certification only require the make and operating system to be listed.
Devices that are connecting to cloud services must be included.
A scope that does not include end user devices is not acceptable.

Info
You must list the quantity, make, and operating system version of all tablets and mobile devices that are within scope of this assessment.
Please do not provide more information than this, as this only slows down the assessment.
An example of an acceptable answer is:
8 x Apple running iOS 18
1 x Google running Android 15
2 x Samsung running Android 15

You can upload a CSV for this question, but please check the file thoroughly before upload. Any unsupported operating systems will cause delays to the assessment and may render the result as a fail. 
Alert
Mobile devices that access any organisational data, such as emails, are in scope. This includes BYOD.

Please note that, if you state you have zero mobile devices, assessors are required to query this.

A2.7 Networks

Please provide a list of the networks that will be in the scope for this assessment.

Alert
You should include details of each network used in your organisation, including its name, location and purpose (e.g., Main Network at Head Office for administrative use, Development Network at Malvern Office for testing software).
You do not need to provide IP addresses or other technical information. 
Info
You must list and briefly describe all the networks within scope of this assessment. If you have home workers, you must include them here (simply stating 'home worker networks' is sufficient; location is not required).
An example of an acceptable answer is:
Main network at Head Office for general everyday use
Home worker networks


A2.7.1 Home or Remote Workers

How many staff are home or remote workers?

Alert
Any employee that has been given permission to work remotely (for any period of time at the time of the assessment) needs to be classed as a home/remote worker for Cyber Essentials.

For further guidance see the Home and remote working section in the Cyber Essentials Requirements for IT Infrastructure document.

Info
If home workers are in scope for your assessment, please ensure you also include their networks in A2.7.
Please note that, if you state you have zero home or remote workers, assessors are required to query this. 

A2.8 Network Equipment

Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).
Alert
You must include make and model of each device listed.

You should include all equipment that controls the flow of data to and from the internet. This will be your routers and firewalls.

You do not need to include switches or wireless access points that do not contain a firewall or do not route internet traffic.

If you have home and/or remote workers, they will be relying on software firewalls; please describe this in the notes field.

You are not required to list any IP addresses, MAC addresses or serial numbers.
Info
You must list and give us a short description of all the routers and firewalls within scope of this assessment.
An example of an acceptable answer is:
1 x Meraki MX76 

Home workers' network equipment is out of scope unless it is owned by the company.

A2.9 Cloud Services

Please list all cloud services that are provided by a third party and used by your organisation.

Alert
Please note that cloud services cannot be excluded from the scope of Cyber Essentials.
You need to include details of all of your cloud services. This includes all types of services - Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Definitions of the different types of cloud services are provided in the 'Cyber Essentials Requirements for IT Infrastructure' document.
Info
You must list all the cloud services your company uses.
An example of an acceptable answer is: 
Microsoft Office 365, Google Workspace, AWS, Salesforce CRM, Dropbox, Xero

You can upload a CSV for this question, but please check the file thoroughly before upload.

A2.10 Responsible Person

Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.

Alert
This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider.
Info
An example of an acceptable answer is:
John Smith, Managing Director
or
Anna Gray, IT Manager 
