
Cyber Essentials Plus: How Assessors Verify your Scope

When organisations prepare for a Cyber Essentials Plus (CE+) assessment, most attention naturally focuses on patching, endpoint protection, and firewall configurations. Yet one of the first and most decisive topics an assessor will examine is something far more foundational: scope.

Before any technical testing begins, the assessor must understand exactly what parts of the organisation are being certified. Is the assessment covering the entire business, or only a defined subset of systems? If anything is excluded, can the organisation demonstrate that those systems are technically segregated from the environment under review?

How convincingly an organisation answers these questions often determines how smoothly the rest of the assessment will run.


Understanding Scope in Cyber Essentials Plus

Cyber Essentials is designed to ensure that basic cyber hygiene is applied consistently across systems that handle organisational data and connect to the internet. In a CE+ context, scope defines which devices, networks, cloud services, and users those controls apply to.

A whole organisation scope is relatively straightforward in principle: everything that forms part of the business’s IT estate is included.

A subset scope, by contrast, deliberately excludes certain networks or business units, perhaps a departmental network, a development lab, or a subsidiary company. Subset assessments are perfectly valid, but they demand significantly more technical evidence because the assessor must be confident that an attacker could not move from an excluded environment into the one being certified.

That confidence comes from documentation, architecture, and hands-on testing.


Verifying Scope for a Whole Organisation

When the entire organisation is in scope, the focus is less on segregation and more on completeness. Assessors will look for assurance that no material devices have been left out.

This usually begins with an asset inventory. A mature asset list acts as the foundation of the assessment, showing laptops and desktops, servers, virtual machines, cloud workloads, network appliances, mobile devices under management, and core security services. Each entry should clearly identify what the asset is, where it lives, and who owns it, alongside technical details such as the operating system. This can be achieved through an export from your Mobile Device Management (MDM) system, e.g. Intune.


Why Subset Scopes Receive More Scrutiny

Subset scopes are common in larger or more complex environments, but they inevitably invite deeper questioning. If part of the estate is excluded, the assessor has to understand precisely what that excluded portion is and, crucially, how it is prevented from influencing the in-scope systems.

From the assessor’s perspective, the risk is simple: could an attacker compromise an out-of-scope network and then pivot into the in-scope environment? If the answer might be “yes”, the scope will be challenged.

This is where technical evidence becomes essential.


Using Network Diagrams to Demonstrate Segregation

For subset assessments, network diagrams move from being a helpful reference to being a critical piece of evidence. These diagrams should show the logical structure of the environment rather than every physical cable. They need to make clear where in-scope and out-of-scope networks sit, how they are segmented into VLANs, and what firewalls or security devices sit between them.

Connections to the internet, site-to-site VPNs, remote access gateways, and cloud connectivity should all be visible, along with any routing boundaries that prevent unrestricted traffic flow. Many organisations find it useful to visually differentiate the two sides, shading in-scope areas in one colour and out-of-scope areas in another, so the separation is immediately obvious to someone seeing the diagram for the first time.

Assessors will use these diagrams to trace potential attack paths. Any unclear link or unexplained connection is likely to generate further questions.


Asset Lists on Both Sides of the Boundary

In subset scopes, asset inventories are required not only for what is included but also, at least at a high level, for what is excluded. The two must align neatly with the network diagrams and IP ranges being presented.

If a diagram shows that VLANs 10 through 20 are in scope and VLAN 200 is not, the asset lists should reflect the same reality. Clear articulation of what is “in” and what is “out” prevents confusion during testing and avoids uncomfortable mid-assessment debates about whether a particular server or subnet should have been covered.
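One way to check that alignment before the assessor does, as an added example that is not part of the original article: the VLAN-to-subnet mapping, the in-scope VLAN set and the inventory export are all constructed sample values standing in for the organisation's own diagram and MDM/CMDB export. It flags assets whose declared scope disagrees with the subnet the diagram places them in, and assets that sit in no diagrammed subnet at all.

```python
import csv
import io
import ipaddress

# Constructed scope boundary: VLANs 10 and 20 stand in for the article's
# "VLANs 10 through 20" in-scope range, VLAN 200 for the excluded network.
# The subnets are hypothetical sample values.
VLAN_SUBNETS = {
    10: "10.10.0.0/24",
    20: "10.20.0.0/24",
    200: "10.200.0.0/24",
}
IN_SCOPE_VLANS = {10, 20}
SCOPE_WORD = {"in": "in scope", "out": "out of scope"}

# Constructed inventory export with the columns an MDM/CMDB extract might carry.
INVENTORY_CSV = """hostname,ip,owner,os,scope
LAPTOP-01,10.10.0.15,Finance,Windows 11,in
SRV-FILES,10.20.0.5,IT,Windows Server 2022,in
LAB-BOX-07,10.200.0.40,R&D,Ubuntu 22.04,out
SRV-LEGACY,10.200.0.9,IT,Windows Server 2012,in
PRINTER-3,192.168.5.7,Facilities,Unknown,in
"""


def subnet_scope(ip):
    """Return ('in'|'out', vlan) for the diagrammed subnet holding ip, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for vlan, cidr in VLAN_SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return ("in" if vlan in IN_SCOPE_VLANS else "out"), vlan
    return None, None


def find_scope_mismatches(inventory_csv):
    """List (hostname, reason) pairs where the inventory disagrees with the diagram."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        expected, vlan = subnet_scope(row["ip"])
        if expected is None:
            findings.append((row["hostname"], "address not in any diagrammed subnet"))
        elif expected != row["scope"]:
            findings.append((row["hostname"],
                             f"listed '{row['scope']}' but VLAN {vlan} is {SCOPE_WORD[expected]}"))
    return findings
```

Running `find_scope_mismatches(INVENTORY_CSV)` on the sample data raises SRV-LEGACY (declared in scope but sitting in the excluded VLAN) and PRINTER-3 (an address the diagram never accounts for), which are exactly the two kinds of discrepancy that trigger mid-assessment debate.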


Reviewing Firewall Rule Sets

Firewalls are often the technical linchpin that makes a subset scope defensible. During CE+ assessments, rule sets are commonly reviewed to confirm that segmentation is enforced in practice rather than merely on paper.

Assessors will typically look for default deny policies between zones, tightly scoped rules that permit only specific traffic between in-scope and out-of-scope networks, and the absence of overly broad “any-any” allowances. Management interfaces should be restricted, VPN termination points clearly defined, and logging enabled so that cross-boundary traffic can be monitored.

If there are legitimate business reasons for traffic to flow between the two environments, perhaps a reporting system pulling data from a legacy network, those flows should be narrow, well documented, and visible in the rule base rather than hidden behind catch-all entries.
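The checks above can be applied to a rule extract mechanically; this added example (not from the article or any particular firewall vendor) reviews a constructed, first-match-ordered rule base against the three properties just described: no any-any allows, cross-boundary allows that are both documented and service-specific, and an explicit default deny at the end. The address ranges, rule names and the exception list are hypothetical.

```python
import ipaddress

# Hypothetical address ranges for the two sides of the scope boundary.
IN_SCOPE = [ipaddress.ip_network("10.10.0.0/16")]
OUT_OF_SCOPE = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed rule extract in first-match order: (name, action, source, destination, service).
RULES = [
    ("mgmt-admins",    "allow", "10.10.5.0/24",  "10.10.1.1/32",   "tcp/443"),
    ("reporting-pull", "allow", "10.10.50.4/32", "10.200.3.10/32", "tcp/1433"),
    ("lab-to-corp",    "allow", "10.200.0.0/16", "10.10.0.0/16",   "tcp/445"),
    ("legacy-sync",    "allow", "10.200.3.0/24", "10.10.60.0/24",  "any"),
    ("catch-all",      "allow", "any",           "any",            "any"),
]
# Cross-boundary flows the organisation has written up as legitimate exceptions.
DOCUMENTED_EXCEPTIONS = {"reporting-pull", "legacy-sync"}


def zone_of(cidr):
    """Classify an address object as 'in', 'out', 'other' (neither side) or 'any'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr)
    if any(net.subnet_of(z) for z in IN_SCOPE):
        return "in"
    if any(net.subnet_of(z) for z in OUT_OF_SCOPE):
        return "out"
    return "other"


def review_rules(rules, exceptions):
    """Return (rule_name, finding) pairs an assessor would raise on this rule base."""
    findings = []
    for name, action, src, dst, service in rules:
        if action != "allow":
            continue
        zs, zd = zone_of(src), zone_of(dst)
        if zs == "any" and zd == "any":
            findings.append((name, "any-any allow"))
        elif "any" in (zs, zd) or {zs, zd} == {"in", "out"}:
            # This rule spans (or, with an 'any' side, could span) the in/out boundary.
            if name not in exceptions:
                findings.append((name, "undocumented cross-boundary flow"))
            elif service == "any":
                findings.append((name, "documented flow but permits any service"))
    # Segmentation is only enforced if the rule base ends in an explicit deny.
    if not rules or rules[-1][1:] != ("deny", "any", "any", "any"):
        findings.append(("<end of rule base>", "no explicit default deny between zones"))
    return findings
```

On the sample rule base this reports lab-to-corp (undocumented), legacy-sync (documented but service "any"), catch-all (any-any) and the missing default deny; replacing catch-all with a terminal deny rule clears the last two while the first two still need either narrowing or a written justification.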


Testing the Segregation in Practice

Cyber Essentials Plus is a hands-on assessment, and scope is no exception. Assessors frequently perform practical tests to validate that the theoretical segregation really exists.

This might involve attempting to reach in-scope systems from an out-of-scope network, scanning across firewall boundaries, checking how DNS behaves between zones, or confirming that VPN connections do not inadvertently bridge environments that are meant to be isolated.

Organisations that carry out similar testing themselves before the assessment and retain screenshots or logs are often able to resolve potential issues early and provide convincing evidence if questions arise.


Bringing It All Together

The most successful CE+ engagements are those where the organisation presents a cohesive scope verification at the outset. This typically includes a written scope statement, in-scope and out-of-scope lists, asset inventories, network diagrams, firewall extracts, and the results of any internal segregation testing.

Providing this material early demonstrates control and preparedness, and it allows the assessor to focus on validating controls rather than untangling uncertainties about what should be tested.


A Final Word on Scope

Ultimately, Cyber Essentials Plus treats scope as more than an administrative formality. It is a test of how well an organisation understands its own environment and how rigorously it enforces boundaries within it.

Whole organisation scopes succeed or fail on the quality of asset management. Subset scopes succeed or fail on the strength of technical segregation.

If you can clearly explain what is included, what is excluded, and exactly how those two worlds are kept apart, you are already laying the groundwork for a smooth and successful assessment.


Useful resources

CE+ Test Specification

IASME Knowledge Hub

Scoping
