If you are not certifying your whole organisation, what scope description would you like to appear on your certificate and website?
Section A2: Scope of Assessment · Cyber Essentials Montpellier
What this question is really asking
Write a precise, complete description of what is — and what is not — in scope. Vague descriptions such as 'our main office systems' are insufficient. Assessors will hold you to the exact boundary you describe here, so be specific about which networks, systems, users, and sites are included.
What satisfies this requirement
A written response is requiredMust include a clear excluding statement, e.g. 'whole organisation excluding development network'.
What to prepare before your assessor visit
This description effectively becomes the legal boundary of your certificate. If an assessor finds a system that could reasonably be considered part of your organisation but isn't mentioned in scope, they will ask why. Write this as if it will be challenged — precise enough to include everything you intend to certify and to clearly exclude everything you intend to leave out. Vague language will cost you time.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.