Please provide a description of any networks that have been excluded from the assessment by creating a sub-set.
What this question is really asking
When creating sub-sets to exclude parts of your organisation, Danzell requires you to explicitly describe the excluded networks. This closes a loophole where organisations would cherry-pick their easiest systems without documenting what was excluded.
What satisfies this requirement
A written response is required. This information will not be made public. A sub-set is part of the organisation whose network is segregated from the rest by a firewall or VLAN.
What to prepare before your assessor visit
Describing what is excluded is just as important as what is included. A common pitfall is excluding a network segment without explaining the technical boundary — assessors want to see that excluded systems genuinely cannot communicate with in-scope ones. 'Out of scope' on paper is not sufficient; the isolation must be technically real and demonstrable.
How this question sits across CE versions
Question A2.2.1 is unique to Cyber Essentials Danzell — it does not appear in other versions of the standard. New in Danzell — a direct response to scope gaming observed in earlier versions.