Cyber Essentials and Personal Devices: A Common Misunderstanding Explained
- The Assessor Team
- Jan 13
- 3 min read

One of the most frequent points of confusion we see from Cyber Essentials applicants relates to personally owned devices or Bring Your Own Device (BYOD). Many organisations assume that if a device is owned by a member of staff rather than the business, it is automatically out of scope for Cyber Essentials. This assumption is incorrect and regularly leads to failed assessments.
This article explains the correct position under the Cyber Essentials scheme and provides practical guidance to help you answer the assessment questions accurately.
The Core Rule: Ownership Does Not Matter
Under Cyber Essentials, any device that is used to access organisational data must have Cyber Essentials controls applied to it, regardless of who owns the device.
This includes:
Laptops, desktops, or tablets used to:
Access company email
Log into cloud services (e.g. Microsoft 365, Google Workspace, CRM platforms)
Access internal systems or file storage
Smartphones used for:
Work email
Accessing organisational data
If a device can access your organisation’s data, it is in scope.
Ownership is irrelevant. Access is what matters.
Why Personal Devices Are Still in Scope
From a security perspective, a cyber attacker does not care who owns the device. If a personal laptop or phone can access your systems, it represents a potential attack vector into your organisation.
For that reason, Cyber Essentials is explicit:
Devices used to access organisational data must be secured to the Cyber Essentials baseline.
This applies equally to:
Company-issued devices
Personally owned (BYOD) devices
Home-working devices
Hybrid-working arrangements
Common Scenarios That Are Still In Scope
Here are examples that frequently cause confusion:
“Staff use their own laptops for email only”
Still in scope. Email access is access to organisational data.
“Staff only log into Microsoft 365 via a browser”
Still in scope. Browser-based access does not remove the requirement for device security.
“It’s a personal phone with Outlook installed”
Still in scope. Mobile devices accessing work data must meet Cyber Essentials requirements.
“The device is owned by the employee, not the business”
Still in scope. Ownership is not a factor in Cyber Essentials scoping.
What Controls Must Be Applied?
For a personal device to be compliant, it must meet the same Cyber Essentials technical controls as a company-owned device, including:
Supported operating system versions
Security updates applied within required timeframes
Malware protection (where applicable)
Device security controls such as:
Strong authentication
Device locking
Separation of work and personal data (where relevant)
If you cannot apply these controls to a personal device, the device must not be allowed to access organisational data.
A Practical Approach for Organisations
Most organisations adopt one of the following compliant approaches:
Fully manage personal devices - Using Mobile Device Management (MDM) or endpoint management tools to enforce security controls.
Restrict access - Prevent personal devices from accessing organisational systems and issue managed devices instead.
Limit access to compliant platforms only - For example, allowing access only through managed virtual desktops or secure application containers.
What is not acceptable is allowing unmanaged personal devices unrestricted access while declaring them out of scope.
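To make the scoping rule and the control checklist above concrete, here is a small added example (not part of this article, and not a tool from the Cyber Essentials scheme) that evaluates a device inventory the way the assessment questions do: first "does it access organisational data?" (ownership is carried in the record but deliberately never consulted), then the technical controls, then one of the three practical approaches for anything that fails. The inventory records, the field names, the list of supported OS versions and the assessment date are all constructed for illustration; the 14-day window is the Cyber Essentials requirement for applying security updates.

```python
"""Cyber Essentials scoping check for a device inventory (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Cyber Essentials requires security updates to be applied within 14 days.
PATCH_WINDOW_DAYS = 14

# Assumption: which OS versions count as vendor-supported on the assessment date.
# Replace with the vendor lifecycle data current at the time of your assessment.
SUPPORTED_OS = {
    "windows": {"11"},
    "macos": {"14", "15"},
    "ios": {"17", "18"},
    "android": {"14", "15"},
}


@dataclass(frozen=True)
class Device:
    name: str
    owner: str                  # "company" or "personal"; recorded, never used for scoping
    accesses_org_data: bool     # email, M365/Workspace, CRM, file storage, ...
    os_name: str
    os_version: str
    last_security_update: date
    device_lock: bool
    strong_auth: bool           # MFA / strong credentials on the accounts used
    malware_protection: bool    # AV, or app-store-only install policy on mobiles
    managed: bool               # enrolled in MDM / endpoint management


def in_scope(device: Device) -> bool:
    """The only scoping question: can the device reach organisational data?"""
    return device.accesses_org_data


def failed_controls(device: Device, today: date) -> list:
    """Return the baseline controls the device does not meet (empty = meets baseline)."""
    failures = []
    if device.os_version not in SUPPORTED_OS.get(device.os_name, set()):
        failures.append(f"unsupported OS {device.os_name} {device.os_version}")
    age = (today - device.last_security_update).days
    if age > PATCH_WINDOW_DAYS:
        failures.append(f"security updates {age} days old (limit {PATCH_WINDOW_DAYS})")
    if not device.device_lock:
        failures.append("no device lock")
    if not device.strong_auth:
        failures.append("no strong authentication")
    if not device.malware_protection:
        failures.append("no malware protection")
    return failures


def decide(device: Device, today: date) -> tuple:
    """Return (status, failures, action) for one device."""
    if not in_scope(device):
        return ("out-of-scope", [], "none")
    failures = failed_controls(device, today)
    if not failures:
        return ("compliant", [], "allow")
    # Non-compliant: remediate through management if we can, otherwise do not
    # let the device reach organisational data (managed device or virtual desktop).
    action = "remediate via MDM" if device.managed else "block; issue managed device or virtual desktop"
    return ("non-compliant", failures, action)


def scope_inventory(devices: list, today: date) -> dict:
    return {d.name: decide(d, today) for d in devices}


# Constructed inventory and assessment date for the example.
TODAY = date(2025, 1, 13)
INVENTORY = [
    Device("corp-laptop-01", "company", True, "windows", "11", TODAY - timedelta(days=3),
           True, True, True, True),
    Device("alice-personal-macbook", "personal", True, "macos", "14", TODAY - timedelta(days=40),
           True, True, True, False),      # browser-only M365 access, 40 days unpatched
    Device("bob-personal-iphone", "personal", True, "ios", "17", TODAY - timedelta(days=2),
           True, True, True, True),       # Outlook installed, MDM-enrolled
    Device("carol-home-pc", "personal", False, "windows", "10", TODAY - timedelta(days=400),
           False, False, False, False),   # never touches organisational data
    Device("dave-old-laptop", "personal", True, "windows", "10", TODAY - timedelta(days=5),
           True, True, True, False),      # OS not in the supported list
]

if __name__ == "__main__":
    for name, (status, failures, action) in scope_inventory(INVENTORY, TODAY).items():
        print(f"{name:24} {status:14} {action:45} {'; '.join(failures)}")
```

Note that `carol-home-pc` is the only device that drops out of scope, and it does so because it cannot reach organisational data, not because it is personally owned; the two personal devices that fail do so on the same technical controls a company laptop would be judged against.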
Important Exception: Students in Education
There are limited exceptions within the Cyber Essentials scheme for students in schools, colleges, and universities. These exceptions are specific, conditional, and often misunderstood.
Because of their complexity and the risk of misinterpretation, they should not be assumed or applied without proper guidance.
If this applies to your organisation, you are strongly encouraged to seek clarification before submitting your assessment.
Final Advice Before You Submit
Before completing your Cyber Essentials assessment, ask yourself one simple question:
Can this device access our organisation’s data or services?
If the answer is yes, then Cyber Essentials controls apply — regardless of who owns the device.
Incorrect scoping of personal devices is one of the most common reasons for assessment failure, but it is also one of the easiest issues to fix once understood.
Need Clarification?
If you are unsure how this applies to your organisation, or if you are in the education sector and believe a student exception may apply, you are welcome to get in touch with us for clarification before submitting your supported assessment.
Getting the scope right at the outset will save time, avoid rework, and significantly improve your chances of a smooth Cyber Essentials certification. Our supported service includes unlimited help and advice, including scoping, which is one of the reasons our supported Cyber Essentials service has a 100% pass rate.



