Descoping the network segments where legacy "unsupported" applications, systems or software reside, while still allowing for a Cyber Essentials certification.
Where possible, all applicants should try to achieve the standards for Cyber Essentials and Cyber Essentials Plus on all network segments within their organisation. However, we appreciate that there are times when this is not possible, for example where a legacy system has to be retained for regulatory compliance.
Thus, in 2022 the NCSC/IASME updated the scope of the assessment to make the requirements for descoped networks clear.
- Descoped networks should be isolated from your in-scope network via a physical firewall or VLAN.
In order to descope a network, you MUST have a firewall boundary between the "In Scope" network (where your company data and systems reside) and the "Out of Scope" network segment.