Where one or more sub-sets have been created, please describe how this has been achieved.
What this question is really asking
Describe the technical mechanism used to segregate your in-scope systems from the rest. Acceptable mechanisms include separate VLANs, physical network separation, or cloud tenant isolation. Simply listing systems without explaining how the boundary is enforced will not satisfy assessors.
What satisfies this requirement
A written response is requiredSub-sets must be created using a firewall or VLAN. Security groups, microsegmentation, or software-based methods are not compliant.
What to prepare before your assessor visit
This is where many scope claims fall apart. 'We use separate VLANs' is often asserted but rarely demonstrated — your assessor may ask to see the VLAN configuration or routing rules. Physical separation is the easiest to evidence. If you're relying on software-defined or logical boundaries, be ready to walk through the configuration in detail.
How this question sits across CE versions
Question A2.2.2 is unique to Cyber Essentials Danzell — it does not appear in other versions of the standard. New in Danzell. Boundary enforcement must be technical, not merely administrative.
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.