Do you have more than one legal entity, including subsidiaries, within the scope of this assessment?
What this question is really asking
If your certification covers subsidiaries or affiliated legal entities, indicate yes here. Danzell now requires you to explicitly declare all in-scope entities — a parent company's certificate cannot implicitly cover a subsidiary unless it is listed.
What satisfies this requirement
Yes or NoAll additional legal entities must share the same IT infrastructure and network. Board member must have authority over all entities. Entities not listed in A1.6.1 cannot be added after certification is complete. Separate assessments required if: different legally responsible persons; different network infrastructure; or separate legal entities with no shared governance.
What to prepare before your assessor visit
This is where scope inflation often starts — well-meaning applicants include subsidiaries without fully understanding the implications. Every listed subsidiary must meet all CE requirements and will be assessed accordingly. If a subsidiary can't yet meet the standard, either exclude it with a technically enforced boundary, or be prepared to remediate before assessment.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.