Is this assessment for your whole organisation or only a part of it?
What this question is really asking
This is the foundational scope question. A whole-organisation scope is often simpler to certify but requires all devices and services to meet the standard. A partial scope is acceptable but requires you to clearly define and technically enforce a boundary — assessors scrutinise partial scopes rigorously.
What satisfies this requirement
Select the applicable option. Whole organisation includes all networks, user accounts and devices accessing organisational data. Partial organisation means some networks are excluded using a firewall or VLAN.
What to prepare before your assessor visit
This is the single most consequential decision in the application. Whole-organisation scope is straightforward to describe but can be harder to pass if any corner of your organisation isn't compliant. Partial scope can protect you from failing on one awkward part of the business, but the boundary must be technically watertight — assessors will probe it carefully. Think before choosing partial scope; the documentation and technical enforcement burden can be considerable.