Understanding the Scope of Cyber Essentials for Office 365

Asked By CuriousCoder42 On

Hey everyone! I'm looking for some insights on defining the scope for Cyber Essentials, especially regarding our use of Office 365 for emails, Teams, and SharePoint. We manage our devices with Intune and utilize an Azure virtual desktop setup, so those are clearly in scope. However, our Office 365 web services, which are accessible from non-managed devices, are tightly locked down — users can only access web apps and can't download anything. Does this mean that any device used to access Exchange or Teams becomes part of the Cyber Essentials scope? How are others managing the web services in Office 365? Thanks a lot!

4 Answers

Answered By SecureITPro On

Honestly, it's complex. Since any device that can see company data is technically in scope, you should keep documenting your setup, especially for those using the Office 365 web apps without downloads. But staying firm with your managed devices while limiting personal device access can really help your case here.

Answered By CyberScopeNinja On

I suggest reaching out to a Cyber Essentials Plus services provider. I attended a free seminar and found some helpful diagrams that clarify what counts as in scope. According to IASME, anyone working from home qualifies as a ‘home worker,’ and those devices will be in scope too. So, any device accessing organizational data is included.

Answered By CloudComrade On

We don’t allow BYOD to access our Office 365 data right now, but it’s becoming a hot topic for us. We're planning to address it next year as more inquiries come in. It’s definitely something to keep an eye on!

Answered By TechGuru88 On

From what I understand, if a device is accessing company services or data, it falls within the scope and must adhere to your BYOD policies. All cloud services are typically considered in scope, so any device involved is included. Check the Requirements for Infrastructure document for exceptions, especially for third-party devices. But under standard BYOD rules, it generally holds true.

DataSafetySam -

Absolutely. Every device that can access your company data is theoretically in scope, which makes compliance tricky. To tackle this, they might want to restrict access from non-managed devices completely. Just remember, if a personal device accesses any of your data or services, it needs to meet the same security standards as your company devices.
