
Cyber Essentials for SaaS companies: the scoping question nobody gets right

SaaS companies fail Cyber Essentials first time more often than any other sector because of one scoping mistake: not separating corporate estate from product infrastructure.

Author: Jay Hopkins

Edited by Jack Wickham

Read time: 12 min read


SaaS companies are the single biggest category of first-time Cyber Essentials failure. Not because they are less secure than, say, law firms or charities - in many cases they are considerably more so - but because they consistently get the scoping question wrong.

This guide explains the one decision that matters: separating your corporate estate from your product infrastructure.

The mistake most SaaS companies make

A SaaS company has two distinct environments:

1. Corporate estate: laptops, email, Slack, HR systems, finance systems. The stuff your team uses to run the business.

2. Product infrastructure: the AWS/GCP/Azure accounts that run your SaaS product for your customers.

The mistake is treating these as one scope. The corporate estate is straightforward to certify to Cyber Essentials. The product infrastructure is not - it is a different risk model, a different control set, and in most cases a different certification (SOC 2, ISO 27001, or ISO 27017 for cloud).

What Cyber Essentials is designed for

Cyber Essentials covers five control categories that apply to the corporate estate: firewalls, secure configuration, user access control, malware protection, and security update management. The questionnaire assumes devices running a conventional operating system (Windows, macOS, iOS, Android, Linux desktop distributions) used by employees.

The NCSC scheme requirements were not designed to assess container infrastructure, serverless functions, managed Kubernetes clusters, or production databases. When assessors are handed scope documents that include "our production AWS account", most of the questions do not apply cleanly.

The correct SaaS scope

For almost every UK SaaS company, the correct Cyber Essentials scope is:

  • All staff laptops, desktops, and phones.
  • Corporate M365/Google Workspace tenancy.
  • Corporate network (office and remote workers, including home routers under v3.3).
  • Corporate SaaS: email, Slack, HRIS, finance, CRM.
  • Anything else employees directly use.

Explicitly out of scope (handled separately):

  • Production AWS/GCP/Azure accounts used to run the product.
  • Container registries, CI/CD pipelines that deploy to production, production Kubernetes clusters.
  • Product databases, production data stores.

How to document the separation

The CE questionnaire asks for a scope description. For a SaaS company, this looks like:

> "Corporate estate only: all employee devices, corporate M365 tenancy, corporate network including remote-worker home routers, and all corporate SaaS applications. Explicitly excludes our production AWS account (account ID 123456789012), which runs the [Product Name] SaaS service and is governed under a separate information security regime."

Assessors are generally happy with this. What they reject is ambiguity - "everything except production" without naming production; or scope that is defined only by what is in, leaving production implicitly included.

What about staff access to the product?

If engineers bastion into production AWS from their corporate laptops, the corporate laptop is in CE scope (it is the engineer's primary device). The bastion session and AWS account are not - they are the boundary between two scopes.

The assessor's concern is that the corporate laptop itself meets the five controls: MFA on the corporate identity provider, up-to-date patches on the laptop OS, malware protection, secure configuration, firewall. They are not assessing whether the AWS production environment meets those controls.

What about customer data?

Customer data in your production environment is not assessed by Cyber Essentials. If the customer is asking "do you hold customer data securely", Cyber Essentials is not the right answer - SOC 2, ISO 27001, or ISO 27017 are.

Cyber Essentials tells the customer: "our employees access our corporate environment securely". It does not tell them: "our production environment is hardened". Those are different claims that different certifications substantiate.

Cyber Essentials Plus for SaaS

CE Plus adds external vulnerability scanning and device configuration verification. For SaaS companies, CE Plus is particularly useful because the external scan targets your corporate network perimeter, which is a real attack surface.

The scan does not target your production environment - which is deliberate. Production scanning for SaaS is a different exercise (typically CSA CAIQ, SOC 2 Type II, or pen-testing), and CE Plus is not designed to substitute for those.

At Fig, CE Plus for SaaS companies typically takes 2–3 working days: the external scan runs, we verify MFA implementation on your identity provider, we sample corporate devices, and we issue the certificate.

The pattern that works

1. Scope CE to corporate estate only. Document the exclusion of production.

2. Pass CE or CE Plus in the normal 6-hour turnaround (CE) or 2–3 days (CE Plus).

3. If the customer is asking about production data handling, respond with SOC 2 or ISO 27001 evidence separately.

4. If you need both tiers, start ISO 27001 with CE Plus as foundation evidence.

This sequence is cleaner, faster, and cheaper than trying to force a SaaS product environment through a CE questionnaire designed for employee devices.

Bottom line

Cyber Essentials is the right answer for a SaaS company's corporate estate. It is the wrong answer for a SaaS company's production infrastructure. Keep the scopes separate, document the separation, and use the right certification for the right environment.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
