Cyber Essentials Plus 2025: Scope Confirmation Explained
Cyber Essentials Plus (CE+) is changing in 2025 with a new scope confirmation process. Learn how Bulletproof is getting ready for Willow’s launch!

Discovering Cyber Essentials Plus – confirming your scope
In 2024 IASME announced a new question set for the Cyber Essentials scheme, called Willow, which will come into effect on 28 April 2025. You can read more on some of those changes in my previous blog here. Further to Willow, IASME and the NCSC have introduced changes to Cyber Essentials Plus (CE+): a discovery exercise is now required before the CE+ test can take place.
So, what does this mean and what will happen when Willow launches?
At present, after a basic Cyber Essentials assessment is passed and the applicant moves on to CE+, there are no additional steps to clarify the devices in scope beyond getting a fresh list of devices from the applicant and ensuring no major difference between the provided list and the original list of devices declared in the Basic assessment.
However, come the end of April, CE+ assessors will be required to add a step in which they confirm the scope of the Cyber Essentials Plus test via technical means before the test itself begins.
Why? The idea is to ensure that all in-scope devices are declared, and that any segregation is in place, providing further validation and confidence in the certification. The means to perform these checks is still being fully decided, and each Certifying Body will be making decisions on how to satisfy this new requirement.
At Bulletproof, we have devised a few methods we will use, allowing us to perform these checks for applicants with an office network, as well as those that have remote workers, or no office network at all.
For CE+ applicants with remote workers:
MDM (Mobile Device Management)
If you use an MDM to maintain your corporate environment, we can use its interface to review your connected devices and check for inconsistencies.
Antivirus Configuration
If you use a managed Antivirus, all the enrolled devices are usually listed within the Antivirus configuration or dashboard. We can use this to check that the number of devices enrolled matches your declared devices.
CE+ for Office-Based Companies
Firewall Configuration
As with Antivirus, you may use a managed firewall, in which case all the devices connected to the firewall should be visible within the firewall’s menus. Using this method will once again allow us to check the number of devices connected to the firewall and ensure this matches your declared devices.
Network Scan
Where an office network is involved, and if the previous methods are not viable, we can fall back to a form of network scanning such as an Nmap scan. For this, a network scanner will need to be installed on a host device within the company network, or on a virtual machine within the network. The Plus assessor can then perform a scan of the network, which will return information about the number of devices connected.
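An added example (not Bulletproof's tooling or part of the original article) of reconciling a declared device list against network scan results, going beyond a count comparison to a per-address one. It assumes the scan was saved in Nmap's grepable output format (`-oG`) from a host-discovery scan; the sample scan lines, addresses and declared list are constructed.

```python
import ipaddress
import re

# Constructed sample of Nmap grepable (-oG) host-discovery output.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.10.1 (gw.example.internal)\tStatus: Up
Host: 192.168.10.21 (laptop-01.example.internal)\tStatus: Up
Host: 192.168.10.22 ()\tStatus: Up
Host: 192.168.10.40 (printer.example.internal)\tStatus: Up
Host: 192.168.10.99 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# Constructed declared-device list: IP address -> asset description.
DECLARED = {
    "192.168.10.1": "Boundary firewall/router",
    "192.168.10.21": "Laptop 01",
    "192.168.10.30": "Laptop 02",
    "192.168.10.31": "Laptop 03",
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def parse_up_hosts(grepable_text):
    """Return {ip: hostname} for every host the scan reported as Up."""
    hosts = {}
    for line in grepable_text.splitlines():
        match = HOST_LINE.match(line)
        if match and match.group(3).lower() == "up":
            hosts[match.group(1)] = match.group(2)
    return hosts

def reconcile(declared, discovered):
    """Compare declared and discovered addresses, not just their counts."""
    declared_ips, seen_ips = set(declared), set(discovered)
    by_ip = ipaddress.ip_address  # numeric sort, so .9 sorts before .10
    return {
        "counts_match": len(declared_ips) == len(seen_ips),
        "undeclared": sorted(seen_ips - declared_ips, key=by_ip),
        "not_seen": sorted(declared_ips - seen_ips, key=by_ip),
        "matched": sorted(declared_ips & seen_ips, key=by_ip),
    }

if __name__ == "__main__":
    report = reconcile(DECLARED, parse_up_hosts(SAMPLE_SCAN))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In this sample the counts match (four declared, four responding) even though two responding hosts are undeclared and two declared devices were not seen. Devices that are powered off or do not answer discovery probes will appear under `not_seen`, so that list needs a follow-up rather than being read as a failure.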
Last Resort: Managed Email Service
If none of the methods above are possible, we will look to a last resort which is to use your managed email service to confirm the number of registered users against the number of devices declared. This, however, we view as the least reliable and we will only look to use this method if none of the other methods can be used.
We will be implementing these new exercises when Willow launches so if you’re heading in for CE+, make sure you and your business are ready and prepared.
