We have some legacy devices or software that are end-of-life / end-of-support, but we need to retain them. What can we do?
There are times when systems or software have to be retained and cannot be upgraded:
- CNC machine software that would cost £1M+ to replace
- Unix systems holding legacy part/test data that must be kept for a specific legal retention period (for example in aviation or medical contexts)
- Unique/custom software that is still being considered for replacement but cannot be replaced at this point in time
Therefore, if you have one of the above, or something similar, you will need to create a "sub-set" as specified in the Cyber Essentials Scoping Document, and isolate those systems and services from the rest of the network being certified.
- A sub-set can be used to define what is in scope or what is out of scope for Cyber Essentials
- A sub-set is defined as part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN
- Cloud services can NOT be excluded from the scope of an assessment, and the controls must be applied across the whole tenant.
- If you have excluded a sub-set, those devices can still connect to the same cloud service without needing to be brought into scope.
Thus, if you can complete the isolation of the end-of-life/end-of-support systems as described above, you can declare this under "Not Whole Organisation" and "Details of scope" in the Self-Assessment, which can then allow you to pass the SAQ and also a PLUS assessment.
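As an added illustration (not from the Cyber Essentials documents or the NCSC), the following nftables ruleset on a Linux gateway shows what the firewall/VLAN segregation of a sub-set looks like in practice: the legacy VLAN can reach only the shared cloud service, and no traffic crosses between the legacy VLAN and the certified network. Interface names, VLAN IDs, subnets and the cloud service address are assumptions chosen for the example.

```nft
# Added example, not part of the original page. Assumed layout:
#   eth0.10  - 10.10.0.0/24  certified corporate network (in scope)
#   eth0.99  - 10.99.0.0/24  legacy sub-set: EoL/EoS systems (out of scope)
#   203.0.113.10 - constructed address standing in for the cloud service
#                  that both the sub-set and the corporate network may use

flush ruleset

table inet scope_gateway {
    set cloud_service {
        type ipv4_addr
        elements = { 203.0.113.10 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions permitted by the rules below
        ct state established,related accept

        # Legacy sub-set may reach only the cloud service over HTTPS
        iifname "eth0.99" ip daddr @cloud_service tcp dport 443 accept

        # Corporate network never reaches the legacy sub-set,
        # but may reach the cloud service and the internet as usual
        iifname "eth0.10" oifname "eth0.99" drop
        iifname "eth0.10" accept

        # Any attempt from the legacy VLAN to cross into the certified
        # network is logged (so it is visible in monitoring) and dropped
        iifname "eth0.99" oifname "eth0.10" log prefix "legacy-subset-cross: " drop

        # Everything else from the legacy VLAN is dropped and counted
        iifname "eth0.99" counter drop
    }
}
```

The logged and counted drops give you evidence that the segregation is actually holding, which is useful to have at hand for a PLUS assessment.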