Short answer
Under v3.3, yes - for remote workers. The admin password must be changed from default, firmware must be current. The common solution is a corporate VPN: the firm's VPN gateway becomes the boundary, and the home router is effectively just a transit device.
Why this matters
Scoping is where many Cyber Essentials submissions fail. The assessor needs to understand which users, devices, networks, and cloud services can access organisational data. A policy statement alone is not enough if the technical environment still allows access.
The safest approach is to define the corporate estate, document any excluded subset, and show the technical control that enforces the boundary. Common examples include conditional access, MDM compliance, virtual desktop, VPN boundary controls, and documented cloud service configuration.
What to check next
- List all devices and cloud services that access organisational data.
- Document any exclusions and the technical enforcement behind them.
- Check BYOD, home working, and production cloud environments before submitting.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.