Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices
Under v3.3, the BYOD question is harder than it looks. A clear walkthrough of which personal devices are in scope, the sub-set exclusion rules, and how to document both approaches.
Cyber Essentials v3.3 tightened BYOD rules from 28 April 2026 in a way that catches most organisations off-guard. The simple summary is: if a personal device touches organisational data, it is almost always in scope. The practical question is how to scope BYOD cleanly without certifying every personal phone in the company.
This guide walks through the rules as assessors apply them in 2026.
The underlying rule
A device is in scope for Cyber Essentials if it is used to access organisational data. "Organisational data" includes email, files, messaging, SaaS applications, and remote access. It does not matter whether the device is company-owned or personally owned - what matters is what it accesses.
In practice this means:
- A personal iPhone used to check work email: in scope.
- A personal laptop used to access SharePoint: in scope.
- A personal iPad used only for personal photos and no work apps: out of scope.
- A home router that your work laptop connects to: in scope under v3.3.
The "sub-set exclusion" option
The NCSC scheme allows you to exclude devices from scope by implementing a sub-set policy. A sub-set excludes specific devices if you can demonstrate that they genuinely have no access to organisational data. In practice this means:
- The device cannot open work email, calendar, or files.
- The device cannot access company SaaS (Slack, M365, Google Workspace, CRM, ticketing).
- The device cannot VPN into the corporate network.
- The device cannot store or sync any work document.
If any of these are possible, the device is in scope. "We told staff not to use personal phones for work" is not a sub-set - a sub-set requires technical controls, not just policy.
The three common patterns
Pattern 1 - No BYOD
All work is done on company-issued devices. Personal devices are excluded by policy AND by technical controls - no personal devices enrolled in the corporate MDM, no personal devices allowed on the corporate network, no personal email accounts configured with work apps.
This is the cleanest pattern. BYOD is simply out of scope.
Pattern 2 - BYOD with MDM
Personal devices are allowed but must be enrolled in a mobile device management (MDM) solution (Intune, Jamf, Workspace ONE, Kandji) before they can access any work resource.
The personal device is in CE scope but is managed - the MDM enforces passcode, encryption, screen lock, OS version, and security updates. Assessors accept this easily because it is functionally similar to a corporate device.
Pattern 3 - BYOD with conditional access (no MDM)
Personal devices access work resources (typically email, Teams, a narrow set of SaaS apps) only when they meet conditional-access rules: up-to-date OS, device encryption, passcode, not jailbroken. These rules are enforced at the identity-provider layer (Entra ID, Okta, Google Workspace) rather than by an agent on the device.
Assessors accept this, but it is fiddly to document. You need to show the policy, demonstrate that controls are evaluated on every sign-in, and explain how non-compliant devices are blocked.
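As an added illustration (not code from this guide or from Fig Group), here is a minimal evaluator for the Pattern 3 rules: it takes constructed device-posture claims, applies the OS-version, encryption, passcode and jailbreak checks on every sign-in, restricts personal devices to email and Teams, and emits one decision line per sign-in of the kind an assessor asks for when you need to show that controls are evaluated on every sign-in and that non-compliant devices are blocked. The platform table, the "latest OS minus one" threshold and all posture values are assumptions made for the example.

```python
"""Added example: a toy conditional-access evaluator for Pattern 3.
Posture claims and the current-version table are constructed; a real
deployment reads them from the identity provider (Entra ID, Okta)."""
from dataclasses import dataclass, field

# Constructed table of current major OS versions per permitted platform.
# "Latest minus one" is the oldest version still allowed to sign in.
LATEST_MAJOR = {"ios": 19, "android": 16}
PERMITTED_RESOURCES = ("m365-email", "teams")  # narrow set for personal devices

@dataclass
class DevicePosture:
    platform: str      # "ios" or "android"; anything else (e.g. a laptop) is refused
    os_major: int
    encrypted: bool
    passcode_set: bool
    jailbroken: bool

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed

def evaluate_signin(device: DevicePosture, resource: str) -> Decision:
    """Evaluate a single sign-in; called for every request, never cached."""
    reasons = []
    if resource not in PERMITTED_RESOURCES:
        reasons.append(f"resource {resource} not permitted on personal devices")
    latest = LATEST_MAJOR.get(device.platform)
    if latest is None:
        reasons.append(f"platform {device.platform} not permitted")
    elif device.os_major < latest - 1:
        reasons.append(f"OS {device.os_major} older than latest minus one ({latest - 1})")
    if not device.encrypted:
        reasons.append("device not encrypted")
    if not device.passcode_set:
        reasons.append("no passcode")
    if device.jailbroken:
        reasons.append("jailbroken/rooted")
    return Decision(allowed=not reasons, reasons=reasons)

def decision_log(signins):
    """One audit line per (user, device, resource): the evidence trail
    that shows evaluation happened on each sign-in and why blocks occurred."""
    lines = []
    for user, device, resource in signins:
        d = evaluate_signin(device, resource)
        verdict = "ALLOW" if d.allowed else "BLOCK"
        lines.append(f"{user} {device.platform} {resource}: {verdict} " + "; ".join(d.reasons))
    return lines
```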
The home router question (v3.3)
Under v3.3, the home router used by a remote worker is a boundary device and is in scope. The required controls are:
- The default admin password has been changed.
- The router firmware is supported and up-to-date.
- No unnecessary services are enabled on the WAN interface.
Assessors will typically accept a signed attestation from each remote worker confirming that the admin password is changed and firmware is current. Some employers push firmware updates via a corporate VPN router that the employee connects to; that is also acceptable.
What does not work: saying "staff work from home, their router is their problem". Under v3.3 it is your problem. The remote worker's router is in your scope until you exclude it with a technical control - typically a corporate VPN gateway that handles the boundary.
Documenting BYOD for the assessor
The CE questionnaire asks: "Does the organisation permit BYOD?" If yes, it asks you to describe the policy and controls.
A clear answer looks like:
> "BYOD permitted for personal iOS and Android phones only, limited to access of M365 email and Teams. Personal devices are enrolled in Intune before access is granted; Intune enforces passcode, disk encryption, latest OS minus one, and biometric unlock. Personal laptops are not permitted to access work resources under any circumstances."
An unclear answer looks like:
> "We allow staff to use personal devices if they sign our acceptable-use policy."
The second answer almost always triggers a question-back from the assessor. The first almost never does.
Special cases
Contractors and consultants
Their personal devices are in scope if they access your organisational data. The sub-set rule applies - you can exclude their devices if they access your data only via a virtualised environment (Citrix, AWS WorkSpaces) that prevents local storage.
Directors and non-execs
Board papers on a personal iPad are organisational data. The iPad is in scope unless accessed via a managed board-paper app (Diligent, BoardPad) that prevents local storage.
Family members of staff
If a staff member's family member has a login on a laptop that is used to access work, the laptop is in scope. The rule is about the device, not the user.
Bottom line
Under v3.3, scope BYOD deliberately. Either exclude all personal devices with technical controls, or allow them under MDM / conditional access and put them in scope. The in-between - "personal devices allowed, policy-based" - does not pass assessment.
The good news: once scoped correctly, BYOD is straightforward to certify. The bad news: most organisations discover they are in-between on first review and need a small amount of remediation before their first CE submission passes.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.