Cyber Essentials v3.3: cloud services scope changes explained
v3.3 made cloud-service scoping explicit. IaaS, PaaS, and SaaS all need specific treatment in the self-assessment. This guide walks through how to describe each type and what the assessor expects.
v3.3 made cloud-service obligations explicit. Previous versions of the scheme implicitly included cloud services but did not call out the distinction between IaaS, PaaS, and SaaS. v3.3 now requires organisations to describe each cloud service they use, categorise it, and document how its security is configured.
This article walks through the three cloud categories and what the assessor wants to see for each.
Why v3.3 changed this
Too many organisations were declaring "we use AWS" or "we use Office 365" without explaining what that means for CE scope. v3.3 forces a clearer answer: which services, with which configuration, holding what data.
The three cloud categories
SaaS - Software as a Service
Examples: Microsoft 365, Google Workspace, Salesforce, HubSpot, Xero, Slack, Notion, Jira.
In scope: always, if it holds organisational data.
What the assessor wants:
- Every SaaS listed in the scope description
- MFA enforced on every user account (usually via SSO)
- Role-based access - not everyone is an admin
- Leaver process - SaaS access revoked within 24 hours
- Named SaaS administrators with stronger MFA factors
Common failure: "We have SSO for most SaaS but three tools are standalone with email/password login." Either integrate those tools with SSO or enforce MFA per-tool.
IaaS - Infrastructure as a Service
Examples: AWS EC2, Azure VMs, Google Compute Engine, DigitalOcean Droplets, Linode, Hetzner.
In scope: if you run servers that hold organisational data for the certified organisation. For SaaS companies where the IaaS is the product platform: typically out of scope (see CE for SaaS companies).
What the assessor wants (when in scope):
- Asset register of all VMs
- Each VM has CE-compliant firewall, secure config, patches, malware protection, user access control
- Cloud-native firewall rules (Security Groups, NSGs) deny inbound except on specifically required ports
- Management-plane access (AWS console, Azure portal) via MFA with separation from normal user accounts
Common failure: "We have 3 EC2 instances but forgot to include them in scope." Anything running organisational data is in scope.
PaaS - Platform as a Service
Examples: AWS Lambda, Azure App Service, Heroku, Vercel, Netlify, Google Cloud Run.
In scope: when the platform runs code on your behalf that processes organisational data.
What the assessor wants:
- List of PaaS services and what they do
- Management access (deploy keys, CI/CD accounts) uses MFA
- Environment variables and secrets stored in dedicated secret stores (AWS Secrets Manager, Azure Key Vault), not in code
- Deploy pipeline has MFA on every account
PaaS carries lower risk than IaaS because the provider handles OS patching. Assessors typically treat PaaS as a simpler scope line than a full VM.
Shared responsibility model
v3.3 assumes you understand the cloud shared responsibility model:
- Cloud provider handles: physical security, host OS, hypervisor, network fabric.
- You handle: application, data, access management, guest OS (for IaaS), identity configuration.
The CE controls apply to your side of the shared responsibility line. The assessor is not testing AWS's data-centre security; they are testing your configuration of AWS.
Documenting cloud scope
A clean v3.3 scope description includes:
- SaaS inventory: every SaaS app, with MFA status and admin count.
- IaaS inventory: every VM or cloud host in scope, with OS, patch cadence, and access control.
- PaaS inventory: every PaaS service, with deploy-access controls.
- Out of scope: explicitly name any cloud services that are excluded (e.g., "production AWS account 123456789012 - excluded from CE scope, covered by separate SOC 2 Type II").
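The inventory structure above, together with the "common failure" patterns listed under SaaS, IaaS and PaaS, can be checked mechanically before the self-assessment is submitted. The script below is an added example, not part of the original article or any Fig Group tooling; the inventory records are constructed and the field names are assumptions.

```python
"""Gap checker for a Cyber Essentials v3.3 cloud scope inventory (constructed example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SaaSApp:
    name: str
    users: int
    admins: int
    mfa_enforced: bool   # enforced via SSO or per-tool MFA


@dataclass
class CloudHost:         # IaaS VM holding data for the certified organisation
    name: str
    holds_org_data: bool
    declared_in_scope: bool
    open_to_internet: List[int] = field(default_factory=list)  # inbound ports allowed from 0.0.0.0/0
    required_ports: List[int] = field(default_factory=list)    # ports the service actually needs


@dataclass
class PaaSService:
    name: str
    deploy_accounts_mfa: bool
    secrets_in_secret_store: bool


def check_scope(saas, hosts, paas):
    """Return assessor-style findings; an empty list means no gaps were found."""
    findings = []
    for app in saas:
        if not app.mfa_enforced:
            findings.append(f"SaaS {app.name}: MFA not enforced; integrate with SSO or enforce per-tool MFA")
        if app.admins >= app.users:
            findings.append(f"SaaS {app.name}: every user is an admin; apply role-based access")
    for host in hosts:
        if host.holds_org_data and not host.declared_in_scope:
            findings.append(f"IaaS {host.name}: holds organisational data but is not declared in scope")
        extra = sorted(set(host.open_to_internet) - set(host.required_ports))
        if extra:
            findings.append(f"IaaS {host.name}: inbound from internet on non-required ports {extra}")
    for svc in paas:
        if not svc.deploy_accounts_mfa:
            findings.append(f"PaaS {svc.name}: deploy/CI accounts without MFA")
        if not svc.secrets_in_secret_store:
            findings.append(f"PaaS {svc.name}: secrets not held in a dedicated secret store")
    return findings


# Constructed sample inventory (not real data): one standalone SaaS tool, one VM left out of scope
SAAS = [SaaSApp("Microsoft 365", 30, 2, True), SaaSApp("LegacyCRM", 5, 5, False)]
HOSTS = [CloudHost("vpn-gw", True, True, [443, 22], [443]),
         CloudHost("file-srv", True, False, [445], [445])]
PAAS = [PaaSService("marketing-site", True, True)]

if __name__ == "__main__":
    for line in check_scope(SAAS, HOSTS, PAAS):
        print(line)
```

Each finding maps to one of the failure patterns the assessor looks for, so an empty result is the state to aim for before writing the scope description.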
Backup and disaster recovery
v3.3 is explicit that backup and DR controls are part of the cloud-services discussion. Show:
- Where backups live (different cloud provider, different region, or offline).
- Backup frequency.
- Restoration test cadence.
- Who has access to the backup system.
What this means for a typical 30-person organisation
A 30-person UK SMB probably uses:
- M365 or Google Workspace (SaaS).
- Xero, HubSpot, Slack, and 5–10 line-of-business SaaS apps.
- Possibly one or two IaaS VMs (a VPN gateway, a file server).
- Maybe a Vercel/Netlify landing page (PaaS).
Scope description:
> "In scope: Microsoft 365 corporate tenant, 8 line-of-business SaaS apps (HubSpot, Xero, Slack, Notion, Jira, ClickUp, Zoom, LastPass), all via Entra ID SSO with MFA enforced. Two Azure VMs hosting a VPN gateway and a file server (Windows Server 2022, patched monthly, 14-day critical patch SLA). One Vercel site hosting the marketing website. Excluded: nothing."
This passes cleanly under v3.3.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.