Browse our certifications
Find training
Open page navigation
Cyber Security

As part of your Cyber Essentials application you will have to complete a scoping statement. Here is what is is, and how to complete it for your organisation with an example.

Cyber Essentials Scoping Statement

The scoping statement is often understood and overthought. The scope for different certifications can be different depending on the accreditation standard. When you are applying for Cyber Essentials through APMG, you are required to submit a scoping statement to show the assessor which areas of your business you are applying for certification on behalf of. 

NOTE: The scoping statement appears on your organisations' public facing certificate. You can you opt out of publishing your certificate when you register.

So, what is a scope statement?

A scoping statement is a technical sentence that briefly describes what areas of your business are being certified under the scheme. This sentence needs to contain three key pieces of information for your assessor.

  1. The commercial name of your organisations – Simply the trading/public name of the organisation that you are applying under.
     
  2. The boundary of the internal network – Internally what IT infrastructure is this certification covering? Do you have exceptions or special circumstances? These all need to be written here or in the further details.
     
  3. The physical location of the office – If your organisation spreads across three offices, all of the offices need to be listed. The full address is not necessary, and a road name with a town will suffice. If it is not listed here, it will not be covered under your certification. You should only list an additional office if the procedures and policies are the exact same in each office, and are part of the same legal entity.

A classic example

This example shows how the three points above are manifested into the scope.

The scope of this certification covers the IT infrastructure currently used within (1) _____ including, but not limited to; (2)  servers, workstations, firewall hardware, anti-virus and software applications. All equipment within the scope of this assessment is at the (3)_____ office in London Road, Kent’.

What NOT to include within your scope

Do not include:

  • Any information relating to your marketing or business reasons for seeking certification.
  • Any commercially sensitive or delicate information.
  • Any public IP addresses for your organisation.

Further details about your scope

This section is for any information that you may wish to provide to the assessor in support of your scope.For example, if your company has a complicated infastructure, which may need further explaining to your assessor. If this is not needed, simply write ‘Not Applicable’.

Cyber Essentials vs Cyber Essentials PLUS scope differences.

If you're applying for both Cyber Essentials and Cyber Essentials plus for the same organisation, the scopes for both of the levels of certification must be the same. This assures the assessors that both certifications are covering the same areas of your business.

Still unsure?

Get in touch, were always here to help.

RELATED PRODUCTS

Cyber Essentials

Cyber Essentials is a government backed scheme designed to help organisations protect themselves against cyber attacks.

View more
IT-Security Foundation

IT-Security Foundation

A complete overview of the fundamentals of IT Security

View more

NIST Cybersecurity Professional

Teaching organizations of any size, scale, or complexity an Affordable, Pragmatic, and Scalable approach to facilitating secure, resilient, and auditable digital outcomes.

View more
Close

Certifications & Solutions

Accredited Training Organizations

Leadership

Accredited training providers

Certifications & Solutions

Select any filter and click on Apply to see results