Lesson 3.1 — Whole organisation or partial scope: deciding what is actually being certified

This lesson helps the learner decide whether their Cyber Essentials assessment covers the whole organisation or only part of it.

CE questionnaire questions: A2.1 A2.2 A2.2.1 A2.2.2

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • decide whether the assessment is for the whole organisation or a partial organisation
  • draft a clear public scope description where needed
  • identify excluded networks
  • understand when sub-set scoping must be supported by firewall or VLAN separation.

Why This Matters

This lesson explains how to describe a partial scope, how to record excluded networks, and why sub-sets must be technically separated using a firewall or VLAN rather than described vaguely.

The most common problems are:

  • selecting whole organisation when only part of the organisation has been checked;
  • selecting partial organisation just to avoid fixing difficult systems;
  • writing a vague partial-scope description;
  • using internal jargon that a customer or assessor will not understand.

The Core Rule

A2.1 asks whether the assessment is for the whole organisation or only part of it.

Whole organisation means the certification is intended to cover the whole legal entity’s in-scope IT environment.

Common Mistakes

  • selecting whole organisation when only part of the organisation has been checked;
  • selecting partial organisation just to avoid fixing difficult systems;
  • writing a vague partial-scope description;
  • using internal jargon that a customer or assessor will not understand;
  • excluding networks without describing them;
  • saying a network is separate without evidence of firewall or VLAN separation.

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] Why is scope so important in Cyber Essentials?
  • [ ] What are the two choices in A2.1?
  • [ ] Does whole organisation mean only the systems that are easy to check?
  • [ ] When is partial organisation scope acceptable?
  • [ ] Why does the wording of A2.2 matter?

Your Action

Do this now — it takes 10–20 minutes.

Decide: whole organisation or partial scope? Write a one-paragraph scope description that you will use in the questionnaire. Add it to Section A2.

Key Takeaway

Get the scope right before moving into devices, networks, cloud services and technical controls.

Your Workbook Activity

Complete: Scope decision record

This covers questionnaire questions: A2.1 A2.2 A2.2.1 A2.2.2

Next Lesson

In the next lesson: Sites, networks and internet connections