Cyber Essentials for remote and hybrid workforces: scope, home routers, and what v3.3 actually requires
Cyber Essentials v3.3 made home-office routers explicitly in-scope for any staff who work from home. This guide covers exactly what "in scope" means for remote and hybrid teams - devices, routers, cloud services, VPN, and the evidence assessors now expect.
Most UK organisations still have at least some staff working from home at least some of the week. Under Cyber Essentials v3.3, the scheme formally caught up with that reality: home-office routers are now explicitly in scope for any staff who work from home, and the ambiguity that had persisted under earlier versions is gone.
This is the guide to what "in scope" actually means for a remote or hybrid workforce in 2026, what the assessor will expect to see at submission, and how to keep the control story tight without turning every home office into an IT project.
What v3.3 changed for remote work
Three changes in v3.3 specifically affect organisations with remote or hybrid staff:
1. Home-office routers are explicitly in scope for any user who works from home on corporate devices or accesses corporate data over a home network.
2. The admin password on the home router must be changed from the factory default, and the firmware must be current.
3. The boundary firewall control now applies at the home-network perimeter as well as the corporate perimeter for in-scope remote workers.
The intent is simple: if a device that holds organisational data sits behind a home router with admin/admin as the login, the boundary has a gaping hole. v3.3 closes it in the scheme wording.
For most organisations, the practical scope of the change is smaller than the wording suggests - but there is a documentation and attestation requirement that needs to be met for every remote worker.
Who counts as "remote" for scope purposes
Under v3.3, a remote worker is any staff member who:
- Works from a non-office location (home, co-working space, client site) using a corporate device; or
- Uses a personal device (BYOD) to access corporate data or services; or
- Works off-network and connects to corporate systems via the internet.
This covers a wider population than "work from home every day" - it includes occasional WFH, hybrid, and road-warrior patterns. For a hybrid organisation with staff who work from home 2–3 days a week, every one of those staff is in scope for the remote-worker provisions.
What is in scope at a remote worker's home
Six categories of asset are in scope at a remote worker's home office:
1. The corporate device (laptop, phone, tablet) used for work.
2. Any personal device used to access corporate data under a BYOD policy (see Cyber Essentials BYOD rules in 2026).
3. The home router and Wi-Fi the user connects through, if corporate devices connect to the home network.
4. VPN clients and endpoint agents used to reach corporate systems.
5. Cloud services (Microsoft 365, Google Workspace, SaaS tools) the user signs in to.
6. The user themselves - their access credentials, MFA registration, and account status.
What is NOT in scope
Equally important. Under v3.3:
- Family members' personal devices that do not access corporate data are out of scope.
- The broadband service itself (the ISP's infrastructure) is not in scope - only the customer-premises router the user controls.
- Printers, smart home devices, and IoT on the home network that are not used for work are not in scope.
- Friends' and family's guest-network traffic is out of scope (but the corporate device should not be on the guest network either).
The distinction matters because it keeps scope manageable. Organisations that over-scope end up with assessors asking about the family dog's pet tracker, which the scheme does not require.
The home-router requirements in detail
For every in-scope remote worker under v3.3:
1. The router admin password must not be the factory default.
This is the most common failure. Consumer routers ship with defaults like "admin / admin", "admin / password", or a password printed on a label on the underside of the device. Under v3.3 these must be changed to a strong, unique password. The change can be made by the user, by the MSP, or by the ISP on customer request.
2. The router firmware must be current.
Most modern consumer routers from major UK ISPs (BT, Sky, Virgin, Vodafone) receive automatic firmware updates. Some do not. Routers more than about five years old may be out of vendor support entirely, with no further firmware releases, and such a router cannot meet the requirement. In practice, the evidence expectation is:
- Router model identified.
- Firmware version checked at submission time or in the 30 days before.
- Where firmware is vendor-managed (ISP-supplied), attestation is usually sufficient.
- Where firmware is user-managed, a screenshot of the current firmware version is acceptable.
3. Only necessary ports and services are exposed.
Port-forwarding, DMZ mode, and WAN-side remote-management interfaces should be disabled on the home router for in-scope workers. Most default configurations already meet this - the usual failure mode is a user who deliberately enabled remote management for some reason and never disabled it.
4. WPA2 or WPA3 on Wi-Fi.
WEP and open Wi-Fi are not acceptable for any network carrying corporate data. WPA3 is preferred; WPA2 with a strong pre-shared key is acceptable.
How to operationalise home-router compliance
Organisations take one of three approaches, all of which pass if done properly:
Option A - Attestation
The lightest-touch approach. The organisation publishes a home-worker cyber policy requiring routers to have default passwords changed, firmware current, and WPA2 or WPA3 on Wi-Fi. Each remote worker signs an annual attestation confirming compliance. The organisation keeps a register of signed attestations.
Pros: low cost, fast to deploy.
Cons: relies on user honesty; assessor may ask for spot-check evidence.
Option B - Managed service
The organisation provides or subsidises an ISP package or router for remote workers, with the ISP handling firmware and default credentials. Several UK ISPs offer business-grade home-worker packages with managed routers.
Pros: strong control story, uniform across the workforce.
Cons: capex or subscription cost per worker.
Option C - VPN always-on with split-tunnel controls
The organisation requires the corporate device to always connect through its own VPN, so the home router's posture is less critical because all corporate traffic is encrypted and routed through the corporate boundary. Under v3.3 the home router is still in scope, but the practical risk is much lower.
Pros: strong technical control, effective at scale.
Cons: does not remove the home-router scope; still need attestation or management.
Most UK organisations end up on Option A for the home-router control and Option C for the data path, which is acceptable under v3.3.
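The four router requirements above and the attestation register in Option A are the same checklist seen from two sides, so a single script can audit the register before submission and surface the rows an assessor's spot check would catch. The example below is added here and is not code from the page or from Fig Group; the column names, the 30-day firmware-check window, the submission date and the five sample rows are constructed for illustration.

```python
"""Added example (not from the page or Fig Group): audit a home-router
attestation register against the four router requirements described above.
Column names, the 30-day firmware-check window, the submission date and the
sample rows are constructed for illustration."""
import csv
import io
from datetime import date

ALLOWED_WIFI = {"WPA2", "WPA3", "WPA2/WPA3"}
FIRMWARE_CHECK_WINDOW_DAYS = 30   # firmware checked at submission or in the 30 days before
SUBMISSION_DATE = "2026-03-10"     # assumed submission date for the worked run

# Constructed register. In practice this is the export of the signed attestations;
# firmware_evidence is the screenshot filename required when firmware is user-managed.
REGISTER_CSV = """\
user,router_model,firmware_managed_by,firmware_checked,firmware_evidence,default_admin_password_changed,remote_management_enabled,port_forwarding_enabled,wifi_security,attestation_signed
alice,BT Smart Hub 2,ISP,2026-03-02,,yes,no,no,WPA2,2026-03-02
bob,ASUS RT-AX58U,user,2025-11-20,bob_fw.png,yes,yes,no,WPA3,2026-02-14
carol,Sky Broadband Hub,ISP,2026-02-28,,no,no,no,WPA2,2026-02-28
dave,TP-Link Archer C6,user,2026-03-01,,yes,no,yes,WEP,2026-03-01
erin,Virgin Hub 5,ISP,,,yes,no,no,WPA2,
"""


def _yes(value):
    return value.strip().lower() == "yes"


def check_row(row, submission_date):
    """Return the list of requirement failures for one attestation row."""
    failures = []
    as_of = date.fromisoformat(submission_date)

    # 1. Admin password must not be the factory default.
    if not _yes(row["default_admin_password_changed"]):
        failures.append("router admin password still factory default")

    # 2. Firmware checked within the window; user-managed firmware needs a screenshot.
    checked = row["firmware_checked"].strip()
    if not checked:
        failures.append("firmware version not checked")
    else:
        age = (as_of - date.fromisoformat(checked)).days
        if age < 0 or age > FIRMWARE_CHECK_WINDOW_DAYS:
            failures.append(f"firmware check is {age} days old (limit {FIRMWARE_CHECK_WINDOW_DAYS})")
    if row["firmware_managed_by"].strip().lower() == "user" and not row["firmware_evidence"].strip():
        failures.append("user-managed firmware without screenshot evidence")

    # 3. Only necessary ports and services exposed.
    if _yes(row["remote_management_enabled"]):
        failures.append("remote management interface enabled")
    if _yes(row["port_forwarding_enabled"]):
        failures.append("port-forwarding/DMZ enabled")

    # 4. WPA2 or WPA3 on Wi-Fi (WEP and open networks fail).
    if row["wifi_security"].strip().upper() not in ALLOWED_WIFI:
        failures.append(f"Wi-Fi security {row['wifi_security']!r} is not WPA2/WPA3")

    # An unsigned row is not an attestation at all.
    if not row["attestation_signed"].strip():
        failures.append("attestation not signed")
    return failures


def audit_register(csv_text=REGISTER_CSV, submission_date=SUBMISSION_DATE):
    """Map each remote worker to their list of failures (empty list = compliant)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user"]: check_row(row, submission_date) for row in reader}


def noncompliant_users(results):
    return sorted(user for user, failures in results.items() if failures)


if __name__ == "__main__":
    for user, failures in audit_register().items():
        print(user, "OK" if not failures else "; ".join(failures))
```

Run against the constructed register, only alice passes: bob's firmware check is 110 days old and remote management is on, carol never changed the admin password, dave has port-forwarding on WEP with no firmware screenshot, and erin's row is unsigned with no firmware check. Those are exactly the rows to chase before submission rather than after an assessor asks.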
BYOD under v3.3 for remote workers
A personal device used to access corporate data - phone, tablet, laptop - is in scope and must meet the same five technical controls as a corporate device (firewalls, secure configuration, security update management, user access control, malware protection): in practice a supported and patched OS, MFA on the services it reaches, and a screen lock, plus, because the organisation does not physically control the device, full-disk encryption and remote-wipe capability. The clean way to handle this is through MDM (Microsoft Intune, Google Endpoint Management, Jamf, Kandji) with a conditional-access policy that blocks non-compliant personal devices from corporate services.
See the dedicated guide: Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices.
VPN, remote access, and secure configuration
For remote workers connecting to internal systems (not just cloud SaaS), v3.3 expectations:
- VPN must require MFA. SMS is acceptable for standard users; admin VPN access requires a stronger factor such as an authenticator app or hardware token.
- Split-tunnel configuration must not expose internal systems to the internet via the user's home network.
- Always-on VPN is preferred for corporate laptops where practical.
- Remote-desktop solutions (RDP, Citrix, AVD) must be published behind an MFA-enforced gateway; direct RDP over the internet is not acceptable.
Evidence checklist for remote-worker compliance
Minimum artefacts to have ready before submission:
- [ ] List of remote workers (or percentage of workforce remote/hybrid).
- [ ] Home-worker cyber policy published and dated.
- [ ] Home-router attestation register (signed attestations per remote worker).
- [ ] MDM configuration showing remote/BYOD devices are managed.
- [ ] VPN configuration showing MFA enforcement.
- [ ] Remote-access policy including acceptable use for home networks.
- [ ] Evidence that corporate-device screen locks, encryption, and MFA policies apply regardless of physical location.
Common reasons remote-worker submissions fail
1. No home-router attestation for remote staff. Under v3.3 this is an explicit gap.
2. BYOD not enrolled in MDM. Personal devices accessing corporate email without a management layer.
3. VPN without MFA on admin accounts.
4. Home-worker policy missing or undated. Policy that says "TBD" or was last reviewed in 2022.
5. Default Wi-Fi password still in place on a user's home router, uncovered in a spot check.
6. Corporate device used on guest Wi-Fi in cafes and airports without VPN.
How to keep remote-worker compliance through the year
Three habits that matter:
1. Annual home-worker attestation refresh. Every remote worker re-signs the attestation each year. Tie it to the CE renewal cycle.
2. MDM compliance monitoring. Alert on devices that drop below policy, are rooted/jailbroken, fall out of patch compliance, or stop checking in.
3. Policy review. Update the home-worker policy if v3.4 or future scheme versions change the remote-worker requirements. Review every 12 months regardless.
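Habit 2 above, and the conditional-access policy that blocks non-compliant BYOD devices in the BYOD section, both come down to evaluating an MDM inventory against a fixed rule set and turning the result into an allow/block decision. The script below is an added example, not code from the page or from any MDM vendor: the field names, the 7-day stale-check-in threshold, the minimum OS versions and the device records are constructed, and only the 14-day window for high/critical updates is the scheme's own figure.

```python
"""Added example (not from the page or any MDM vendor): evaluate an exported
device inventory against the rules a remote-worker policy needs an MDM to
enforce, and derive the conditional-access decision. Field names, the
check-in threshold, minimum OS versions and device records are constructed."""
import json
from datetime import date

AS_OF = "2026-03-10"              # assumed date of the compliance run
MAX_CHECKIN_AGE_DAYS = 7          # assumed: devices silent longer than this are stale
MAX_CRITICAL_PATCH_AGE_DAYS = 14  # the scheme's window for high/critical updates
MIN_OS_VERSION = {                # assumed organisational minimums, not scheme values
    "Windows": "10.0.19045",
    "macOS": "14.0",
    "iOS": "17.0",
    "Android": "13",
}

# Constructed inventory export; a real MDM uses its own field names.
INVENTORY_JSON = """[
 {"device_id": "LT-001", "user": "alice", "platform": "Windows", "os_version": "10.0.19045",
  "last_checkin": "2026-03-09", "rooted": false, "encrypted": true, "critical_patch_age_days": 3},
 {"device_id": "PH-002", "user": "bob", "platform": "iOS", "os_version": "16.7.8",
  "last_checkin": "2026-03-08", "rooted": false, "encrypted": true, "critical_patch_age_days": 0},
 {"device_id": "PH-003", "user": "carol", "platform": "Android", "os_version": "14",
  "last_checkin": "2026-02-10", "rooted": true, "encrypted": true, "critical_patch_age_days": 0},
 {"device_id": "LT-004", "user": "dave", "platform": "macOS", "os_version": "14.3.1",
  "last_checkin": "2026-03-10", "rooted": false, "encrypted": false, "critical_patch_age_days": 20},
 {"device_id": "LT-005", "user": "erin", "platform": "Windows", "os_version": "10.0.22631",
  "last_checkin": "2026-03-10", "rooted": false, "encrypted": true, "critical_patch_age_days": 0}
]"""


def version_tuple(version):
    """Numeric version comparison: 10.0.19045 > 10.0.9999, and 16.7.8 < 17.0."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device, as_of=AS_OF):
    """Return the open compliance alerts for one device record."""
    alerts = []
    days_silent = (date.fromisoformat(as_of) - date.fromisoformat(device["last_checkin"])).days
    if days_silent > MAX_CHECKIN_AGE_DAYS:
        alerts.append(f"no check-in for {days_silent} days")
    if device["rooted"]:
        alerts.append("rooted/jailbroken")
    minimum = MIN_OS_VERSION.get(device["platform"])
    if minimum is None:
        alerts.append(f"unknown platform {device['platform']!r}")
    elif version_tuple(device["os_version"]) < version_tuple(minimum):
        alerts.append(f"OS {device['os_version']} below minimum {minimum}")
    if not device["encrypted"]:
        alerts.append("disk not encrypted")
    if device["critical_patch_age_days"] > MAX_CRITICAL_PATCH_AGE_DAYS:
        alerts.append(f"critical patch outstanding {device['critical_patch_age_days']} days")
    return alerts


def access_decision(alerts):
    """Conditional-access outcome: any open alert blocks corporate services."""
    return "block" if alerts else "allow"


def run_compliance(inventory_json=INVENTORY_JSON, as_of=AS_OF):
    """Evaluate every device and attach the access decision to its alerts."""
    results = {}
    for device in json.loads(inventory_json):
        alerts = evaluate_device(device, as_of)
        results[device["device_id"]] = {
            "user": device["user"],
            "alerts": alerts,
            "decision": access_decision(alerts),
        }
    return results


if __name__ == "__main__":
    for device_id, result in run_compliance().items():
        print(device_id, result["user"], result["decision"], "; ".join(result["alerts"]))
```

On the constructed inventory, alice and erin are allowed; bob is blocked for an iOS release below the minimum, carol for a rooted phone that has not checked in for 28 days, and dave for an unencrypted laptop with a critical patch 20 days overdue. The version comparison is done numerically rather than as strings, which is the usual bug in home-grown checks of this kind.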
Fig Group's compliance platform is designed to keep this evidence current between certifications - MDM posture, VPN compliance, attestation status, and policy freshness tracked continuously, so the renewal submission is a copy-paste of evidence already proven.
The fastest path for a remote-first organisation
For a remote-first or hybrid UK organisation preparing for Cyber Essentials:
1. Publish a home-worker cyber policy (template available from most certification bodies).
2. Circulate the home-router attestation to every remote worker; collect signed copies.
3. Enrol every corporate device in MDM with policies enforcing encryption, screen lock, MFA, and patch compliance.
4. Require MFA on VPN and all cloud access.
5. Buy the assessment from an IASME-licensed body with published price and turnaround - Fig Group issues certificates within 6 working hours from £299.99 + VAT.
For a ten-person remote-first business with tight configuration hygiene, total time from "we need Cyber Essentials" to holding a certificate can realistically be under a week, including drafting the policy and collecting attestations.
Bottom line
v3.3 made home-office scoping explicit, but the underlying control burden for a well-run remote-first organisation is modest: a policy, an attestation register, MDM on the devices, MFA everywhere, and a competent VPN. Get those in place and the pillar is routine. Fig Group issues the certificate against a clean submission in under 6 working hours, at the lowest published price for any IASME-licensed body in the UK.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.