BYOD and Cyber Essentials: What's in Scope and What to Do About It

Bring your own device is standard practice for most small and medium businesses. Staff use personal phones for work email, directors use personal laptops at home, and contractors bring their own equipment. The question for Cyber Essentials isn't whether BYOD exists in your organisation. It's which of those devices are in scope and what you need to do about them.
The BYOD scope rule
The rule itself is straightforward and has not changed recently. Under Danzell v3.3 (and v3.2 before it), user-owned devices that access organisational data or services are in scope.
There are three exceptions to this rule. Devices used only for:
- Native voice applications (phone calls)
- Native text applications (SMS)
- Multi-factor authentication applications
If a personal phone is used only for receiving MFA prompts and making phone calls, it's out of scope. The moment someone opens their work email on that phone, it's in scope.
This means the scope question isn't about the device itself but about what the device does with organisational data. The same personal phone can be in scope or out of scope depending on whether it accesses work data.
What "in scope" means for a personal device
Every in-scope BYOD device must meet all five CE controls:
Patching. The operating system and all installed applications must be kept up to date. Critical patches within 14 days. The device must be running a supported operating system (not past end of life).
Firewall. A software firewall must be active on the device. For phones and tablets, the operating system's built-in protections generally cover this.
Secure configuration. Screen lock must be set and default settings reviewed. Unnecessary applications aren't a CE issue on personal devices unless they create a security risk.
MFA. The user must authenticate with MFA when accessing cloud services from the device.
Malware protection. The device needs anti-malware protection: Android has Google Play Protect, iOS uses app sandboxing, and laptops need antivirus.
The practical challenge: you don't manage these devices because your staff own them. You can't force updates or install software remotely unless the device is enrolled in your management platform.
Approaches to BYOD compliance
There is no single right answer for every organisation. The best approach depends on your organisation's size, your staff's willingness, and how many personal devices access your data.
Option 1: MDM enrolment
Enrol personal devices in your Mobile Device Management (MDM) platform (Microsoft Intune, Jamf, Google device management). This gives you visibility into patch status, the ability to enforce security policies, and remote wipe capability if the device is lost.
Advantage: You can verify compliance centrally. The assessor can see the MDM dashboard as evidence.
Disadvantage: Staff may resist enrolling personal devices because it gives the organisation control over their phone. Some MDM solutions partition work data from personal data, which reduces the intrusiveness, but resistance is still common.
Option 2: Provide company devices
Give staff company-owned devices for work, so personal devices stay personal and remain out of scope entirely.
Advantage: Complete control with no BYOD scope issues and clean evidence for the assessment.
Disadvantage: Cost. Buying phones for everyone who accesses work email adds up. And you need to manage those devices.
Option 3: Virtual desktop or web-only access
Give staff access to work systems only through a virtual desktop (Windows 365, Citrix) or web browser. No data is stored on the personal device, and all work happens in the virtual environment.
Advantage: Reduces the data exposure on the personal device.
Disadvantage: The personal device is still in scope because it accesses organisational services. The connecting device must still meet the CE controls. This approach doesn't remove BYOD from scope. It reduces the risk profile.
Option 4: BYOD policy and self-certification
Create a BYOD policy that requires staff to keep their personal devices updated, use a screen lock, enable MFA, and run malware protection. Staff then sign the policy confirming they are compliant with each requirement.
Advantage: Low cost, easy to implement.
Disadvantage: You're relying on staff to actually do it. The assessor may ask how you verify compliance, and "they signed a policy" is the weakest evidence. For basic CE (self-assessment), this may be accepted. For CE Plus (technical audit), the assessor might want to see the devices.
Option 5: Remove BYOD from scope
If compliance is too difficult, the simplest option is to stop staff accessing work data on personal devices. Remove their email accounts from personal phones. Block personal devices from cloud services through conditional access policies.
Advantage: BYOD disappears from your scope entirely.
Disadvantage: Staff lose convenience, and some will push back. And you need to actually enforce the restriction, not just have a policy that nobody follows.
The practical reality
For most small businesses, Option 4 (BYOD policy) combined with some elements of Option 1 (MDM for key devices) is the pragmatic approach. You can't realistically buy company phones for everyone, but you can require staff to keep their devices updated and verify the critical ones.
The assessor is looking for evidence that you've thought about BYOD, you know which personal devices access your data, and you've got controls in place. A documented BYOD policy, an understanding of which devices are in scope, and evidence that MFA is active on cloud services (which applies regardless of the device) covers most of the requirement.
For CE Plus, the assessor may ask to see a personal device. If the device is in scope and it's selected for sampling, you need to be able to demonstrate that it's patched, has malware protection, and meets the configuration requirements (following the interim remediation assessment protocol).
Social media accounts under Danzell
Under Danzell, social media accounts managed with business credentials are in scope. This creates a BYOD issue for many organisations: the marketing team manages the company LinkedIn page from their personal phones.
If those accounts use a business email address and the social media platform is treated as a cloud service (which it is under the Danzell definition), MFA must be enabled on those accounts. The personal phone used to manage them is in scope.
The practical fix: enable MFA on all business social media accounts. If the marketing team manages them from personal phones, those phones need to meet the CE controls.
What about contractors?
Contractor devices follow the same BYOD rules. If a contractor's personal device accesses your organisational data, it's in scope. See our guide on Windows 365 and contractor scope for detailed approaches.
The key actions: create individual accounts for each contractor, enable MFA, and either manage their device or require them to demonstrate compliance. Disable their accounts when the engagement ends.
Contractors present a specific headache because they're temporary. They arrive, get access, do the work, and leave. If their accounts aren't disabled promptly when the engagement finishes, you've got active accounts attached to people who no longer work with you. Under the user access control requirement, that's a failure. Set a process for contractor offboarding that matches the engagement end date, and do not leave it to memory.
What I see in BYOD assessments
After 800+ certifications, the BYOD conversation follows the same pattern in nearly every small business. The director says "we don't really do BYOD." Then I ask whether anyone checks work email on their phone, and the answer is always yes.
Honestly, that gap between perception and reality is the core BYOD problem. Nobody thinks they have a BYOD environment because nobody made a conscious decision to allow it; it just happened organically over time. Someone downloaded Outlook on their personal phone. Someone else logged into the company SharePoint from their home laptop. Now you've got six personal devices accessing your data and none of them are documented.
The devices people forget
The personal iPad that gets used for client presentations. The home desktop that accesses the CRM. The director's personal laptop that has the company accounting software installed. The receptionist's phone with the office WhatsApp account. These all come up during assessments, and they're almost always a surprise to the person responsible for the scope description.
The best way to find them: send a one-line email to every staff member. "Do you access any work systems from a personal device? If yes, which device and which systems?" You'll get back a list that's twice as long as you expected.
The MDM resistance problem
I recommend MDM enrolment (Option 1) to most businesses with more than 10 staff. The response is usually: "My staff won't accept that on their personal phones." That reaction is understandable but often based on outdated assumptions.
Modern MDM platforms (Intune, for example) can create a separate work container on the device. Your organisation can manage the work container without seeing personal photos, messages, or browsing history. The employee keeps full control of their personal data. The organisation gets visibility of patch status and can wipe work data if the device is lost.
Explaining this distinction upfront makes the conversation easier. Most staff are fine with it once they understand the organisation can't read their messages or see their personal apps. The ones who still refuse are the ones who need a company device instead.
The "just remove it" option
The cleanest BYOD fix is also the least popular: stop allowing personal devices entirely and block them with conditional access policies. Only company-managed devices can access cloud services.
I've seen a handful of businesses do this well. They issued cheap Android phones for work email and blocked everything else. Total cost was about GBP 80 per device. The assessment was straightforward because every device was managed centrally. But most businesses won't do it because the director wants to keep using their iPhone for work email, and they're not willing to carry two phones.
If that's your situation, that is perfectly fine. Just make sure the director's iPhone is in your scope and meets the controls.
Evidence that works for BYOD
For basic CE, the assessor reviews your self-assessment answers about BYOD. Having a written policy and being able to list which personal devices are in scope is usually sufficient.
For CE Plus, the assessor may select a personal device in the sample. If they do, you need the device owner present and willing to show the device. The assessor checks patch status, malware protection, screen lock, and MFA. This can feel awkward, but it's no different from checking a company laptop.
The best evidence I've seen: a simple spreadsheet listing every BYOD device, its owner, its OS version, and the date it was last checked for compliance, updated quarterly at minimum. That spreadsheet takes 15 minutes to maintain and gives the assessor everything they need in one document.
If you don't have that spreadsheet, start one now. Even if your assessment is months away. It's much easier to maintain an existing list than to build one from scratch the week before your assessment. And it forces the conversation about which devices actually access your data, which is the conversation most businesses have been avoiding.
How Danzell tightens BYOD scope
The BYOD rules themselves haven't changed in v3.3. User-owned devices accessing organisational data are in scope. The three exceptions (voice, text, MFA) remain.
But two other Danzell changes make BYOD scope wider in practice.
Cloud services can't be excluded. Under Danzell, every cloud service is in scope. If your staff access any of those services from personal devices, those devices are in scope. Previously, some organisations excluded certain cloud tools from scope. That's not available under Danzell.
Social media counts as a cloud service. If your marketing team manages the company LinkedIn page from their personal phones, those phones are now in scope. The social media accounts managed with business credentials need MFA, and the devices used to access them need to meet all five controls.
The "untrusted" device concept is gone. Danzell removed the words "untrusted" and "user-initiated" from the device scope criteria. Previously, some assessors accepted that personal devices initiated by the user (rather than the organisation) could be treated differently. That interpretation is no longer available.
The practical impact: more personal devices are definitively in scope under Danzell than under v3.2. If you haven't reviewed your BYOD situation since your last assessment, do it before your next one.
Before your assessment
Run through these checks before your assessment:
- List every personal device that accesses your work data (email, files, cloud services)
- Confirm each one is running a supported operating system
- Verify MFA is active on cloud services accessed from those devices
- Check that malware protection is present and active
- Document your BYOD policy (even a simple one is better than none)
- Include BYOD devices in your scope description
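The scope rule from the top of this article (personal devices used only for voice, SMS or MFA are out; one work app brings the device in) and the BYOD spreadsheet described under "Evidence that works for BYOD" can be turned into a repeatable check. The script below is an added example, not code from the article or from Net Sec Group: it parses a constructed BYOD register in the columns the article suggests (owner, device, OS, OS version, uses, screen lock, malware protection, MFA, date last checked), applies the scope rule, and lists what each in-scope device still fails. The column names, the supported-OS floors and the sample rows are assumptions for the example; replace the floors with the vendors' current support dates before relying on it.

```python
"""Added example: a BYOD register check for a Cyber Essentials readiness review.

Applies the scope rule (user-owned devices accessing organisational data or
services are in scope; devices used only for voice, SMS or MFA are out) and
then checks each in-scope device against the controls a register can evidence.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Uses that keep a personal device out of scope when they are the ONLY uses.
OUT_OF_SCOPE_USES = {"voice", "sms", "mfa"}

# Minimum OS major version still in vendor support. Constructed placeholder
# values for this example; replace with the vendors' current support dates.
MIN_SUPPORTED_OS = {"ios": 17, "ipados": 17, "android": 13, "windows": 10, "macos": 13}

MAX_CHECK_AGE_DAYS = 90  # the register should be updated quarterly at minimum
REVIEW_DATE = date(2025, 4, 1)  # constructed "today" for the sample run


@dataclass
class Device:
    label: str
    os_name: str
    os_version: int
    uses: set
    screen_lock: bool
    malware_protection: bool
    mfa: bool
    last_checked: date | None


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_register(csv_text: str) -> list:
    """Read the register spreadsheet (exported as CSV) into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        checked = row["last_checked"].strip()
        devices.append(Device(
            label=f"{row['owner']} ({row['device']})",
            os_name=row["os"].strip().lower(),
            os_version=int(row["os_version"]),
            uses={u.strip().lower() for u in row["uses"].split(";") if u.strip()},
            screen_lock=_yes(row["screen_lock"]),
            malware_protection=_yes(row["malware_protection"]),
            mfa=_yes(row["mfa"]),
            last_checked=date.fromisoformat(checked) if checked else None,
        ))
    return devices


def in_scope(device: Device) -> bool:
    """Out of scope only if every recorded use is voice, SMS or MFA.
    A device with no recorded uses is treated as in scope until confirmed."""
    if not device.uses:
        return True
    return not device.uses <= OUT_OF_SCOPE_USES


def control_findings(device: Device, today: date) -> list:
    """Controls the register can evidence: supported OS, screen lock,
    malware protection, MFA on cloud services, and a recent check date."""
    problems = []
    floor = MIN_SUPPORTED_OS.get(device.os_name)
    if floor is None:
        problems.append("OS not in supported list: confirm vendor support")
    elif device.os_version < floor:
        problems.append("unsupported OS version")
    if not device.screen_lock:
        problems.append("no screen lock")
    if not device.malware_protection:
        problems.append("no malware protection")
    if not device.mfa:
        problems.append("MFA not active on cloud services")
    if device.last_checked is None or (today - device.last_checked).days > MAX_CHECK_AGE_DAYS:
        problems.append("compliance check overdue")
    return problems


def review_register(csv_text: str, today: date) -> dict:
    """Return out-of-scope devices and, per in-scope device, its open findings."""
    report = {"out_of_scope": [], "findings": {}}
    for device in parse_register(csv_text):
        if in_scope(device):
            report["findings"][device.label] = control_findings(device, today)
        else:
            report["out_of_scope"].append(device.label)
    return report


# Constructed sample register; the reception phone is voice/SMS/MFA only.
SAMPLE_REGISTER = """
owner,device,os,os_version,uses,screen_lock,malware_protection,mfa,last_checked
A. Director,personal iPhone,ios,17,email;teams,yes,yes,yes,2025-03-01
B. Marketing,personal Android,android,12,email;linkedin,yes,yes,no,2024-11-15
C. Reception,personal Android,android,14,voice;sms;mfa,no,no,no,
D. Contractor,home laptop,windows,10,sharepoint;crm,yes,no,yes,2025-01-20
E. Finance,personal iPad,ipados,17,accounting,yes,yes,yes,2025-03-10
"""

if __name__ == "__main__":
    result = review_register(SAMPLE_REGISTER, REVIEW_DATE)
    print("Out of scope:", ", ".join(result["out_of_scope"]) or "none")
    for label, problems in result["findings"].items():
        print(f"{label}: {', '.join(problems) if problems else 'no findings'}")
```

Run it against your own exported register and the output is the list you would hand the assessor: which personal devices you have excluded and why, and which in-scope ones still need work. Note that the reception phone is out of scope despite having no screen lock or malware protection, exactly as the scope rule says; the moment "email" is added to its uses column it would be in scope and fail on all of them.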
If you can demonstrate awareness of which personal devices are in scope and evidence that they meet the controls, you're in a strong position for the assessment.