Does Cyber Essentials cover cloud services?
Yes - Cyber Essentials explicitly covers cloud services under v3.3. Microsoft 365, Google Workspace, AWS, Azure, GCP, Salesforce, and any SaaS application holding organisational data are all in scope, with specific configuration expectations around MFA, tenant settings, and managed updates.
What v3.3 treats as in-scope cloud
- Identity providers (Microsoft Entra ID, Google Workspace, Okta)
- Productivity suites (Microsoft 365, Google Workspace)
- Cloud infrastructure you operate (AWS, Azure, GCP accounts / subscriptions)
- SaaS platforms that store or process organisational data (Salesforce, HubSpot, Xero, QuickBooks, Slack, Notion, Jira, and similar)
- File-sharing services used for corporate data (SharePoint, OneDrive, Google Drive, Dropbox Business, Box)
See the detailed guide: Cyber Essentials v3.3: cloud services scope changes explained.
What assessors check on cloud services
Identity and access
- MFA enforced for every user on every cloud app in scope, without exceptions.
- Legacy authentication disabled (for Microsoft 365: basic-auth / POP / IMAP / SMTP-AUTH blocked).
- Conditional Access / equivalent policy exports available.
- Phishing-resistant MFA for admin roles.
Configuration
- Default tenant settings reviewed and hardened.
- Secure baseline templates applied where the cloud provider offers them (Microsoft Secure Score, Google security checklist).
- External sharing rules documented and appropriate.
Updates and maintenance
- SaaS providers patch automatically; assessors verify that tenant-level settings (release channel, feature timing) are not pinned to out-of-support versions.
- For IaaS / PaaS (cloud VMs, container images, function code), patching within the 14-day rule is the organisation's responsibility.
User access
- Joiner / mover / leaver process covers all cloud services, not just the identity provider.
- Guest and contractor access is named, time-bound, and reviewed.
What is the organisation's responsibility vs the cloud provider's?
The cloud provider patches the underlying service. You are responsible for:
- Anything you deploy on top (VMs, containers, application code, infrastructure as code)
- Tenant configuration
- User access
- Data classification and sharing settings
- Logging and monitoring setup
This is the shared-responsibility model - and the CE assessment focuses on your side of it.
Common cloud-scoping failures
- Forgotten SaaS applications. Marketing tools, HR systems, procurement platforms that process organisational data but aren't on the IT inventory.
- MFA gaps on a secondary SaaS. The identity provider has MFA, but a standalone tool (a travel-booking platform, a legacy billing system) doesn't.
- Legacy authentication re-enabled. Microsoft 365 basic-auth accidentally left on for a specific mailbox.
- Free-tier cloud accounts used for work, outside IT governance.
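A pre-assessment gap check for the failures listed above, plus the named, time-bound guest access check from the user-access section, as an added example that is not Fig's or IASME's tooling. The register fields, the `scoping_findings` helper, the service name "TravelBooker" and all sample records are constructed assumptions, not an export format from any provider.

```python
from datetime import date

# Constructed sample data: the IT-maintained register of in-scope cloud services.
REGISTER = {
    "Microsoft 365": {"mfa_enforced": True, "legacy_auth_enabled": True, "managed_by_it": True},
    "Xero": {"mfa_enforced": True, "legacy_auth_enabled": False, "managed_by_it": True},
    "TravelBooker": {"mfa_enforced": False, "legacy_auth_enabled": False, "managed_by_it": True},
    "Dropbox (free tier)": {"mfa_enforced": True, "legacy_auth_enabled": False, "managed_by_it": False},
}
# Constructed: services seen in use (for example from expense or SSO records).
OBSERVED_IN_USE = ["Microsoft 365", "Xero", "TravelBooker", "Dropbox (free tier)", "HubSpot"]
# Constructed: guest / contractor accounts as (service, account, expiry or None).
GUESTS = [
    ("Microsoft 365", "contractor.a@example.com", date(2025, 9, 30)),
    ("Microsoft 365", "agency@example.com", None),
    ("Xero", "auditor@example.com", date(2025, 1, 31)),
]

def scoping_findings(register, observed, guests, today):
    """Return sorted (service, finding) pairs for the failures listed above."""
    findings = set()
    for name in observed:
        if name not in register:  # forgotten SaaS application
            findings.add((name, "not on IT inventory"))
    for name, cfg in register.items():
        if not cfg["mfa_enforced"]:  # MFA gap on a secondary SaaS
            findings.add((name, "MFA not enforced"))
        if cfg["legacy_auth_enabled"]:  # legacy authentication re-enabled
            findings.add((name, "legacy authentication enabled"))
        if not cfg["managed_by_it"]:  # free-tier account outside governance
            findings.add((name, "outside IT governance"))
    for service, account, expiry in guests:
        if expiry is None:  # guest access must be time-bound
            findings.add((service, f"guest {account} has no end date"))
        elif expiry < today:  # end date passed but account still listed
            findings.add((service, f"guest {account} expired {expiry.isoformat()}"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in scoping_findings(REGISTER, OBSERVED_IN_USE, GUESTS, date(2025, 6, 1)):
        print(f"{service}: {finding}")
```

Feeding it a register reconciled against finance and SSO records, rather than the IT inventory alone, is what surfaces the forgotten applications.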
Does Cyber Essentials cover AWS / Azure / GCP infrastructure?
Yes. Any cloud infrastructure your organisation operates is in scope. Assessors want to see that:
- MFA is enforced on the cloud-provider console
- Root / break-glass accounts are sealed and monitored
- Resource-level security groups / firewall rules are configured to least privilege
- Patching applies to any compute you operate (VMs, containers, self-managed databases)
- Cloud Security Posture Management (CSPM) findings, where used, are being remediated
Bottom line
Cyber Essentials fully covers cloud services under v3.3. If your organisation runs on Microsoft 365, Google Workspace, AWS, Azure, or any significant SaaS footprint, the assessment will touch every one of those services. The scheme is cloud-first by design.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.