The Scope page defines the boundary of your Cyber Essentials assessment. Getting this right is critical — everything within scope must meet the CE requirements.
Key fields
| Field | Description |
|---|---|
| Scope Description | A narrative description of what's in scope — offices, departments, systems. |
| Organisation Size | SME, Large Enterprise, or Public Sector — affects some CE requirements. |
| Certification Level | Basic or Plus — determines assessment approach. |
| In-Scope Systems | All devices, servers, and infrastructure that handle business data. |
| Cloud Services | SaaS/IaaS/PaaS services used by the organisation (e.g., Microsoft 365, AWS). |
| Remote Workers | Whether remote/home workers are in scope — if yes, their devices must comply. |
| Board Sponsor | Senior leader accountable for the CE programme. |
| Target Cert Date | When you plan to achieve certification. |
If you choose CE Plus, you'll also need to plan for external vulnerability scanning and internal testing. Use the CE Plus page to track scan results.