Short answer
Every device and service used to access organisational data: laptops, desktops, phones, tablets, cloud services, home routers for remote workers (under v3.3), and corporate network equipment. Anything that does not access organisational data is not in scope.
Why this matters
Scoping is where many Cyber Essentials submissions fail. The assessor needs to understand which users, devices, networks, and cloud services can access organisational data. A policy statement alone is not enough if the technical environment still allows access.
The safest approach is to define the corporate estate, document any excluded subset, and show the technical control that enforces the boundary. Common examples include conditional access, MDM compliance, virtual desktop, VPN boundary controls, and documented cloud service configuration.
What to check next
- List all devices and cloud services that access organisational data.
- Document any exclusions and the technical enforcement behind them.
- Check BYOD, home working, and production cloud environments before submitting.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.