Cyber Essentials
DashboardSign Out

Lesson 2.3 — Multiple legal entities and when one assessment is not enough

This lesson helps the learner decide whether additional legal entities, including subsidiaries, are within the scope of the Cyber Essentials assessment.

CE questionnaire questions: A1.6 A1.6.1

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • identify whether more than one legal entity is included in the assessment
  • record the required details for additional entities
  • check whether the final approver has authority over all listed entities
  • flag situations where separate certification guidance is needed.

Why This Matters

It explains when additional entities may need to be listed, what information must be recorded, and when a separate certification may be safer or necessary.

The most common problems are:

  • assuming a group certificate covers all subsidiaries automatically;
  • listing a trading name as an additional legal entity;
  • forgetting to list a subsidiary that is in scope;
  • including an entity without checking sign-off authority;

The Core Rule

A1.6 asks whether more than one legal entity, including subsidiaries, is within the scope of the assessment.

If the answer is Yes, A1.6.1 asks for the name, company number and registered address of each additional legal entity.

Common Mistakes

  • assuming a group certificate covers all subsidiaries automatically;
  • listing a trading name as an additional legal entity;
  • forgetting to list a subsidiary that is in scope;
  • including an entity without checking sign-off authority;
  • using A1.1 to name a group brand while omitting the actual legal entities;
  • assuming shared IT means shared certification;

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] What does A1.6 ask?
  • [ ] Should a trading name be listed as an additional legal entity?
  • [ ] What details are required for additional legal entities in A1.6.1?
  • [ ] Does shared IT automatically mean that all legal entities are covered by one Cyber Essentials certificate?
  • [ ] Why is sign-off authority important?

Your Action

Do this now — it takes 10–20 minutes.

If you have subsidiaries or related entities, decide now which are in scope and get sign-off from the right person. Record the decision in Section A1.

Key Takeaway

If the structure is unclear, stop and get guidance before submission.

Your Workbook Activity

Complete: Legal entity decision record

This covers questionnaire questions: A1.6 A1.6.1

Next Lesson

In the next lesson: Renewal, reasons for applying and optional scheme questions

Up next

Renewal, reasons for applying and optional scheme questions

Complete renewal and application context questions clearly so assessors can evaluate your submission quickly.