Cyber Essentials
DashboardSign Out

Lesson 10.1 — Final scope review: organisation, devices, services, cloud, suppliers and evidence boundaries

This lesson begins the final readiness and submission module.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • define the organisation’s Cyber Essentials scope clearly
  • identify what is included and excluded
  • review whether devices
  • services
  • cloud platforms
  • users and suppliers have been treated correctly

Why This Matters

It helps the learner complete a final scope review before Cyber Essentials submission, bringing together organisational boundaries, device scope, cloud services, users, home and remote working, BYOD, wireless devices, third-party access, supplier-managed infrastructure, software development, exclusions, evidence boundaries and final scope risks.

The Core Rule

The final scope review defines what the Cyber Essentials submission actually covers.

It should clearly identify the organisation boundary, users, devices, locations, cloud services, supplier-managed systems, third-party access, BYOD, remote working, wireless devices, software development and exclusions.

What the CE Assessor Looks For

A strong position shows:

  • the organisation boundary is clear;
  • legal entities and trading names are understood;
  • included locations are defined;
  • users and third-party users are considered;
  • device groups are inventoried;
  • BYOD is allowed, restricted or blocked clearly;

Copy This

Keep this rule visible:

Do not submit until you can clearly say what is included, what is excluded, why it is excluded, and which evidence supports each part of the scope.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] What is the purpose of the final scope review?
  • [ ] Why is a whole-organisation scope sometimes harder than it sounds?
  • [ ] Why are cloud services not automatically out of scope?
  • [ ] Why does BYOD need to be considered?
  • [ ] What is a common problem with supplier-managed systems?

Your Action

Do this now — it takes 10–20 minutes.

Work through every section of your evidence document. Check each question is answered and has supporting evidence. Mark gaps clearly.

Key Takeaway

Do not submit until you can clearly say what is included, what is excluded, why it is excluded, and which evidence supports each part of the scope.

Your Workbook Activity

Complete: Final Cyber Essentials scope and evidence boundary review record

Next Lesson

In the next lesson: Final evidence pack: mapping evidence to the five controls, gaps, risks and submission readiness

Up next

Final evidence pack

Assemble an evidence pack that maps clearly to each control and supports assessor review.