Willow A2.1

Does the scope of this assessment cover your whole organisation?

Section A2: Scope of Assessment  ·  Cyber Essentials Willow

Danzell tightened the definition of a valid partial scope: sub-sets must be technically enforced, not merely documented.

What this question is really asking

This is the foundational scope question. A whole-organisation scope is often simpler to certify but requires all devices and services to meet the standard. A partial scope is acceptable but requires you to clearly define and technically enforce a boundary — assessors scrutinise partial scopes rigorously.

What satisfies this requirement

Yes or No

A whole-organisation scope includes all networks, people and devices that access organisational data and services. Answering No makes you ineligible for the free cyber insurance.


What to prepare before your assessor visit

This is the single most consequential decision in the application. Whole-organisation scope is straightforward to describe but can be harder to pass if any corner of your organisation isn't compliant. Partial scope can protect you from failing on one awkward part of the business, but the boundary must be technically watertight — assessors will probe it carefully. Think before choosing partial scope; the documentation and technical enforcement burden can be considerable.

How this question sits across CE versions

Willow (you are here): Does the scope of this assessment cover your whole organisation?
Montpellier (minor change): Does the scope of this assessment cover your whole organisation?
Danzell (evolved): Is this assessment for your whole organisation or only a part of it?
