Are the networks included in the scope of this assessment being used at the company locations you provided earlier?
What this question is really asking
Confirm that all networks at your listed company locations are either included in scope or explicitly excluded. Assessors are checking that you are not accidentally omitting a network that is connected to your in-scope systems — any connected network must be addressed.
What satisfies this requirement
Yes or No — if Yes, a written description is also requiredConfirm whether all in-scope networks are used at the locations listed in A1.5.1. If in-scope networks are at other locations, provide the number of additional sites.
What to prepare before your assessor visit
Don't forget satellite offices, warehouses, manufacturing sites, or any location where staff work that isn't your primary office. A location that is 'only used occasionally' but has devices connected to your network is in scope. Assessors have seen organisations overlook a small remote site that then becomes a gap in their firewall coverage — a gap that fails the certification.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.