Short answer
Yes. SaaS, IaaS, and PaaS that hold organisational data are in scope. You must document how cloud services are configured securely (MFA, access control, secure defaults). v3.3 is explicit about this.
Why this matters
Scoping is where many Cyber Essentials submissions fail. The assessor needs to understand which users, devices, networks, and cloud services can access organisational data. A policy statement alone is not enough if the technical environment still allows access.
The safest approach is to define the corporate estate, document any excluded subset, and show the technical control that enforces the boundary. Common examples include conditional access, MDM compliance, virtual desktop, VPN boundary controls, and documented cloud service configuration.
What to check next
- List all devices and cloud services that access organisational data.
- Document any exclusions and the technical enforcement behind them.
- Check BYOD, home working, and production cloud environments before submitting.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.