Cyber Essentials v3.3 sub-set scoping: when and how to exclude

Sub-set exclusion lets you take devices or systems out of CE scope by demonstrating they do not access organisational data. v3.3 tightened the rules. This article explains what now qualifies.

Author

Jay Hopkins

Editor

Edited by Jack Wickham


Sub-set exclusion is the mechanism for taking a device, user group, or system out of Cyber Essentials scope by demonstrating it cannot access organisational data. Under v3.3 the rules tightened: sub-set must be technical, not policy-based.

This article walks through what now qualifies.

The rule

A device or system is in scope for CE if it accesses organisational data. To exclude it via sub-set:

  • You must implement a technical control that prevents access.
  • The technical control must be enforced by the system, not by user policy.
  • You must document the technical control in the scope description.

A policy that says "users should not use personal phones for work" is not a sub-set. A technical control that prevents personal phones from connecting to corporate email is a sub-set.

Common sub-set patterns that pass

1. Virtual desktop for personal devices.

Personal laptops access organisational data via Citrix, AWS WorkSpaces, Parallels RAS, or similar. No local storage, no corporate apps installed. The personal laptop is out of scope; the virtual desktop is in scope.

2. MDM enforcement on corporate mobile.

All corporate mobile devices are enrolled in Intune / Jamf / Workspace ONE. Personal mobile devices are blocked from accessing organisational data at the identity provider level (conditional access "require compliant device"). Personal devices are out of scope.

3. Guest network isolation.

The corporate network is entirely separate from the guest / home network. Guest devices cannot reach any corporate system. Guest devices are out of scope.

4. Containerised BYOD.

Android Work Profile or iOS MDM-managed container separates work data from personal data on the same device. The container is in scope; the personal side is out of scope.

5. Production / corporate separation.

For SaaS companies: production AWS account is explicitly excluded from CE scope. Only the corporate estate (laptops, M365, corporate SaaS) is in scope. See CE for SaaS companies.

Common sub-set patterns that no longer pass under v3.3

1. "Policy says don't use personal devices".

Technical enforcement required. Policy alone is not sufficient.

2. "We have a BYOD policy that says no".

Same as above. Policy must be enforced technically.

3. "Staff have personal laptops but we told them to use corporate".

Personal laptops must be blocked from corporate resources at the identity provider, or they are in scope.

4. "Guest Wi-Fi is intended for guests".

Unless guest Wi-Fi is genuinely separate from the corporate network (its own VLAN and its own internet egress), assessors may treat it as in scope, because an unsegregated guest network gives rogue devices a path to corporate systems.

How to declare sub-set in the self-assessment

The scope description should:

  • State what is excluded.
  • State why (the data / access premise).
  • State the technical control that enforces the exclusion.

A clean example:

> "Excluded from scope: personal devices (iOS, Android, personal laptops). Technical enforcement: Entra ID Conditional Access policy requires compliant Intune-enrolled device for all corporate resources. Personal devices fail the compliance check and are blocked from accessing Microsoft 365, SharePoint, and all corporate SaaS. Contractors use a Citrix virtual desktop for all corporate work; their personal devices act as thin clients with no local storage."

This passes cleanly.

What the assessor verifies

  • The technical control is configured.
  • The technical control is enforced (sign-in logs show the block).
  • The exclusion in the scope description matches what the control does.
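The second bullet is the one most organisations struggle to evidence on the day. As an added worked example (this is not Fig's tooling or anything from the original article), the script below runs over exported sign-in records and reports whether a "require compliant device" Conditional Access policy is actually blocking personal devices. The records are constructed, modelled loosely on the Microsoft Graph sign-in log shape (`conditionalAccessStatus`, `deviceDetail.isCompliant`, `appliedConditionalAccessPolicies`); those field names and the policy name `CA-Require-Compliant-Device` are assumptions to confirm against your own tenant's export. It flags any non-compliant device that reached a corporate resource, which is exactly the finding that would invalidate the scope statement.

```python
"""Check exported sign-in records for evidence that a 'require compliant
device' Conditional Access policy is enforced, and for any gaps in it.

Added example, not part of the article. Field names follow the Microsoft
Graph signIn resource as an assumption: verify against a real export.
"""
import json
from collections import Counter

# Placeholder policy name: replace with the display name of the policy
# you cite in the scope description.
POLICY_NAME = "CA-Require-Compliant-Device"

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = json.loads("""[
  {"id": "s1", "userPrincipalName": "alice@example.com",
   "appDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "success",
   "deviceDetail": {"isCompliant": true, "isManaged": true, "operatingSystem": "Windows 11"},
   "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-Compliant-Device", "result": "success"}]},
  {"id": "s2", "userPrincipalName": "bob@example.com",
   "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "failure",
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": "iOS"},
   "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-Compliant-Device", "result": "failure"}]},
  {"id": "s3", "userPrincipalName": "carol@example.com",
   "appDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "failure",
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": "Android"},
   "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-Compliant-Device", "result": "failure"}]},
  {"id": "s4", "userPrincipalName": "dave@example.com",
   "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "notApplied",
   "deviceDetail": {"isCompliant": false, "isManaged": false, "operatingSystem": "MacOs"},
   "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-Compliant-Device", "result": "notApplied"}]},
  {"id": "s5", "userPrincipalName": "erin@example.com",
   "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "failure",
   "deviceDetail": {},
   "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-Compliant-Device", "result": "failure"}]}
]""")


def policy_result(signin, policy_name):
    """Return the recorded result of the named policy for one sign-in, or None."""
    for policy in signin.get("appliedConditionalAccessPolicies", []):
        if policy.get("displayName") == policy_name:
            return policy.get("result")
    return None


def classify(signin, policy_name):
    """Classify one sign-in against the 'only compliant devices get in' premise.

    A record with isCompliant missing is treated as non-compliant: the
    exclusion rests on showing that anything not known-compliant is blocked.
    """
    device = signin.get("deviceDetail") or {}
    compliant = device.get("isCompliant") is True
    blocked = signin.get("conditionalAccessStatus") == "failure"
    result = policy_result(signin, policy_name)
    if compliant:
        return "compliant-allowed" if not blocked else "compliant-blocked"
    if not blocked:
        return "gap-unblocked"          # a personal device reached the resource
    if result == "failure":
        return "evidence-of-block"      # the cited policy did the blocking
    return "blocked-by-other-policy"    # blocked, but not by the policy we cite


def audit(signins, policy_name=POLICY_NAME):
    """Summarise what an assessor would want to see from the sign-in logs."""
    counts = Counter()
    gaps = []
    for signin in signins:
        category = classify(signin, policy_name)
        counts[category] += 1
        if category == "gap-unblocked":
            gaps.append({
                "id": signin.get("id"),
                "user": signin.get("userPrincipalName"),
                "app": signin.get("appDisplayName"),
                "os": (signin.get("deviceDetail") or {}).get("operatingSystem"),
                "policy_result": policy_result(signin, policy_name),
            })
    return {
        "counts": dict(counts),
        "gaps": gaps,
        "blocks_observed": counts["evidence-of-block"],
        # The scope statement holds only if no personal device got through
        # AND the logs show the cited policy blocking at least once.
        "sub_set_holds": not gaps and counts["evidence-of-block"] > 0,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SIGNINS), indent=2))
```

On the sample, `s4` is the interesting record: a personal macOS device reached Exchange Online with the policy recorded as `notApplied`, which typically means a user, group or app exclusion in the policy. That is the kind of finding to resolve before submission, since the scope description claims personal devices are blocked from all corporate resources. Run it over a real export (for example the sign-in logs pulled via Microsoft Graph) and keep the output with the policy screenshot as evidence.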

Edge cases

Home routers for remote workers. Under v3.3, home routers are in scope for remote workers unless you have a corporate VPN that effectively makes the home router a transit device. The VPN gateway then becomes the boundary. Declare this clearly.

Senior executives' personal iPads for reading board papers. If they access board papers directly on the iPad, the iPad is in scope. Sub-set requires either an MDM-managed board-paper app (Diligent, BoardPad) or a virtual desktop.

Cleaning staff and facilities. These roles typically do not access organisational data and are out of scope without needing a formal sub-set.

Bottom line

Sub-set exclusion under v3.3 is a technical exercise, not a policy one. If you can show the assessor a technical control that prevents access, the device or system is out of scope. If you can only show a policy, it is in scope.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
