Network Segmentation for Cyber Essentials: What You Actually Need

I have seen IT providers sell VLAN implementations to clients specifically for CE compliance. I want to be clear: the certification does not ask for it. Segmentation is not in the requirements. What it does is change what falls into scope, and that distinction matters more than most people realise.
The conversation usually starts in exactly the same way. An organisation has legacy equipment, or IoT devices they cannot patch, or a CCTV system running firmware from 2019. They know those devices will fail the assessment. Their IT provider says "we'll segment them onto a separate VLAN" and presents it as a CE requirement. It is not a requirement, but rather a strategy for managing scope.
Scope determines everything
The CE assessment covers everything that connects to the internet and handles organisational data. Laptops, servers, phones used for work email, cloud services. The boundary wraps around your IT environment, and everything inside it needs to meet the five technical controls.
Segmentation creates a boundary within that environment. Put your CCTV cameras on a network segment that is firewalled off from everything else, and those cameras stop being your problem during the assessment. The assessor does not need to check whether they are patched within 14 days, because they are not in scope.
Here's the catch: the assessor decides whether the segmentation is genuine. You do not get to declare something out of scope unilaterally. I have rejected segmentation claims during assessments because the "isolated" devices could still reach the corporate network. A VLAN tag without firewall rules between segments is labelling, not genuine isolation (following the interim exposure assessment protocol).
What genuine isolation actually looks like
I check three things when someone tells me a network segment is isolated.
First, I look at the firewall rules. Traffic between the isolated segment and the corporate network must be denied by default. If there are allow rules, each one needs a documented business justification. "We might need it later" is not a justification.
Second, I check the actual device behaviour. If a camera on the "isolated" CCTV network also connects to the file server to store recordings, it is not isolated. It is on the corporate network with a different VLAN tag. I see this regularly with network-attached storage. The NAS sits on the "isolated" segment but has SMB shares mounted from the corporate side.
Third, I review the documentation: which devices sit on which segment, what the firewall rules are, and why the segment is considered out of scope. This is not busywork. Without documentation, the assessor has no way to verify the claims short of a full network audit, and that is not what a CE assessment is designed to be.
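The three checks above, as an added example that is not part of the original article: a small Python audit that takes a claimed segment through the same questions an assessor asks. It checks that the firewall rules between the isolated segment and the corporate network deny by default and that every allow rule carries a justification, then compares observed connections (the kind of records you would pull from a firewall's connection table or a NetFlow export) against those rules, and finally checks that the device inventory matches where the addresses actually live. The segment names, address ranges, ports, device names and ticket reference are all constructed for illustration.

```python
"""Audit a claimed 'isolated' segment the way an assessor would: firewall
rules, observed traffic, and documentation. All sample data in this file is
constructed for the example and does not describe any real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule between two named segments ('*' = any port)."""
    src: str
    dst: str
    action: str                # "allow" or "deny"
    dport: str = "*"           # destination port, or '*' for any
    justification: str = ""    # documented business reason (allow rules only)


@dataclass(frozen=True)
class Flow:
    """One observed connection, e.g. from a conntrack or NetFlow export."""
    src_ip: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class Device:
    """One line of the inventory the assessor is handed."""
    name: str
    ip: str
    segment: str


SEGMENTS = {  # constructed example addressing
    "cctv": ip_network("10.50.0.0/24"),
    "corporate": ip_network("10.10.0.0/16"),
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def check_rules(rules, isolated, corporate):
    """Check 1: deny-by-default in both directions, every allow rule justified."""
    findings = []
    for a, b in ((isolated, corporate), (corporate, isolated)):
        if not any(r.src == a and r.dst == b and r.action == "deny" and r.dport == "*"
                   for r in rules):
            findings.append(f"rules: no catch-all deny from {a} to {b}")
    for r in rules:
        if (r.action == "allow" and {r.src, r.dst} == {isolated, corporate}
                and not r.justification.strip()):
            findings.append(f"rules: allow {r.src}->{r.dst} port {r.dport} "
                            "has no documented justification")
    return findings


def check_flows(flows, rules, isolated, corporate):
    """Check 2: cross-segment traffic that no allow rule covers means the
    segment is reachable regardless of what the ruleset claims."""
    findings = []
    for f in flows:
        s, d = segment_of(f.src_ip), segment_of(f.dst_ip)
        if {s, d} != {isolated, corporate}:
            continue  # intra-segment or unrelated traffic
        permitted = any(r.action == "allow" and r.src == s and r.dst == d
                        and r.dport in ("*", str(f.dport)) for r in rules)
        if not permitted:
            findings.append(f"flows: {f.src_ip} -> {f.dst_ip}:{f.dport} "
                            f"crosses {s}->{d} with no allow rule")
    return findings


def check_inventory(devices, flows, isolated):
    """Check 3: documentation matches reality. Each device must sit in its
    declared segment, and every address seen on the isolated segment must be
    documented."""
    findings = []
    documented = set()
    for dev in devices:
        documented.add(dev.ip)
        actual = segment_of(dev.ip)
        if actual != dev.segment:
            findings.append(f"inventory: {dev.name} documented in '{dev.segment}' "
                            f"but {dev.ip} is in '{actual}'")
    for f in flows:
        for ip in (f.src_ip, f.dst_ip):
            if segment_of(ip) == isolated and ip not in documented:
                findings.append(f"inventory: undocumented device {ip} observed on '{isolated}'")
    return sorted(set(findings))


def audit(rules, flows, devices, isolated="cctv", corporate="corporate"):
    """Run all three checks; an empty list means the claim holds up."""
    return (check_rules(rules, isolated, corporate)
            + check_flows(flows, rules, isolated, corporate)
            + check_inventory(devices, flows, isolated))


# Constructed sample: a CCTV segment the organisation claims is out of scope.
SAMPLE_RULES = [
    Rule("cctv", "corporate", "allow", "123", "NTP to the internal time server, ticket CHG-0001"),
    Rule("cctv", "corporate", "allow", "445"),   # SMB to the file server, no justification
    Rule("cctv", "corporate", "deny"),
    # no catch-all deny in the corporate -> cctv direction
]
SAMPLE_FLOWS = [
    Flow("10.50.0.20", "10.10.1.5", 123),   # camera -> time server, permitted and justified
    Flow("10.50.0.20", "10.10.1.9", 445),   # camera -> file server, allowed but unjustified
    Flow("10.50.0.99", "10.10.1.9", 445),   # address on the CCTV segment nobody documented
    Flow("10.10.2.7", "10.50.0.30", 80),    # corporate desktop reaching the NVR: no rule at all
]
SAMPLE_DEVICES = [
    Device("camera-01", "10.50.0.20", "cctv"),
    Device("nvr-01", "10.50.0.30", "cctv"),
    Device("nas-01", "10.10.1.9", "cctv"),   # documented as isolated, actually on corporate
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_FLOWS, SAMPLE_DEVICES):
        print(line)
```

Run against the constructed sample, the audit reports five findings: the missing catch-all deny from corporate to CCTV, the unjustified SMB allow, the corporate desktop reaching the NVR with no rule covering it, the NAS documented on the CCTV segment but addressed on the corporate one, and an undocumented address on the CCTV segment. Any one of those is enough for the segment to be treated as in scope.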
The scenarios where segmentation makes sense
Guest Wi-Fi is the obvious one, and it should already be isolated regardless of CE. If your guest wireless network shares a VLAN with your corporate systems, every device connecting to guest Wi-Fi is effectively on your corporate network. I find this misconfiguration more often than I would like. The SSID says "Guest" but the traffic hits the same subnet as the domain controller.
IoT devices are the more interesting case: smart TVs in meeting rooms, thermostats, and connected printers that phone home to the manufacturer. These devices typically run outdated firmware, have no meaningful security controls, and cannot be patched on a 14-day cycle. Segmenting them removes them from scope without replacing perfectly functional hardware.
Legacy equipment is where the real value sits. I have assessed organisations with manufacturing machinery running Windows XP embedded. Medical practices with diagnostic equipment that the manufacturer stopped updating three years ago. Laboratory kit running software that requires Java 6. These systems cannot meet CE requirements, and replacing them would cost tens of thousands of pounds. Isolating them is the practical answer, and assessors generally accept it as long as the isolation is real.
Development environments are a quieter but valuable win. Dev servers tend to be intentionally less locked down, with relaxed firewall rules and test accounts that use weak passwords. If they are on the same network as production, they are in scope. Moving them to a separate segment with no access to production data or corporate services takes them out.
Where it does not help
Cloud services stay in scope regardless of what you do with your local network. Your CRM, your email platform, your project management tool. These are accessed over the internet, not through local infrastructure, so VLANs have zero effect on whether they appear in the assessment.
Devices that need corporate access stay in scope. An employee's laptop used for email, documents, and customer data is in scope no matter which VLAN it sits on. The scope is determined by what the device accesses, not where it plugs in.
And poorly done segmentation is worse than none. If you tell me your CCTV network is isolated and I find that a simple route exists between it and your corporate subnet, that is a bigger problem than just including the cameras in scope. You have made a false claim on the self-assessment questionnaire, and that undermines confidence in everything else you have stated.
The practical side
Most small businesses can achieve this with a managed switch that supports VLANs and a firewall that filters between them. The hardware cost is minimal in most cases, and configuration takes a few hours if you know what you are doing, longer if you are learning as you go.
If all your devices can meet CE requirements, do not bother with segmentation for the certification. It is good security practice for limiting blast radius, but it adds complexity you do not need for the assessment.
If you have devices that genuinely cannot comply, segment them, document it properly, and be prepared to explain your reasoning to the assessor. Most assessors will accept a well-documented segmentation strategy. What they will not accept is a hand-wave and a VLAN tag.