Cyber Essentials BYOD Policy: Which Personal Devices Are in Scope Under Danzell

Your Cyber Essentials BYOD (bring your own device) policy determines which personal devices fall inside your certification scope. Any personal device that accesses your organisation's data or services is in scope. The only exclusion covers devices used purely for native voice calls, texts, and MFA (multi-factor authentication) apps. The moment that phone opens a work email or logs into a cloud service, the exclusion disappears and the device must meet all five controls.
Why BYOD creates a scoping problem
Most organisations don't set out to build a BYOD programme; it happens by default. Someone checks their work email on a personal phone during a commute. A director approves invoices from a tablet at home. A marketing manager logs into the company LinkedIn account from their own laptop.
Every one of those devices is now in scope for Cyber Essentials.
Cyber Essentials tests five controls (firewalls, secure configuration, security update management, user access control, and malware protection), and they apply to every in-scope device. Lancaster University tested 200 common vulnerabilities against those five controls and found the vast majority fully or partially mitigated. But applying them to devices you don't own is harder than applying them to corporate hardware you control.
Here's where most organisations get stuck: that gap between the requirement and the reality.
Are personal devices in scope for Cyber Essentials?
The rule is straightforward: personal devices that access organisational data or organisational services are in scope. This has not changed between v3.2 (Willow) and v3.3 (Danzell). The wording is the same in both versions.
"Organisational data" means any electronic data belonging to your organisation. Think emails, documents, database records, and financial data. "Organisational service" means any software or cloud service your organisation owns or subscribes to. That includes Microsoft 365, Google Workspace, CRM (customer relationship management) platforms, and HR (human resources) systems. It also covers project management tools and mobile device management solutions.
If a personal phone accesses any of those, it's in scope regardless of device type: Android, iOS, Windows laptop, Chromebook, or tablet. If it touches organisational data or services, you need to declare it.
Which personal devices are excluded from scope?
The Danzell requirements define three specific uses that keep a personal device out of scope. A device used only for:
- native voice applications (phone calls)
- native text applications (SMS, or short message service)
- multi-factor authentication applications
is excluded from scope.
The test is strict: the device may be used for any combination of those three purposes, but for nothing else work-related. The word "only" is doing the heavy lifting here.
| Device use | In scope? | Why |
|---|---|---|
| Personal phone used only for phone calls and texts | No | Meets the voice/text exclusion |
| Personal phone used only as an MFA authenticator | No | Meets the MFA-only exclusion |
| Personal phone that receives work email | Yes | Accesses organisational data |
| Personal tablet used to approve invoices in Xero | Yes | Accesses an organisational service |
| Personal laptop used to access SharePoint | Yes | Accesses an organisational service (cloud) |
| Personal phone used for MFA and work email | Yes | MFA-only exclusion does not apply because the device also accesses email |
| Personal phone used for business social media | Likely yes | See cloud service definition below |
That last row needs an explanation, because the answer depends on context.
Does accessing social media from a personal device bring it into scope?
Danzell introduces a formal definition of "cloud service" for the first time. A cloud service is an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. For Cyber Essentials, a cloud service is one accessed via an account and that stores or processes data for your organisation. That account might use credentials your organisation issued, or an email address used for business purposes.
A company LinkedIn page, a business Twitter/X account, or a Facebook page managed by your marketing team all fit this pattern. They are accessed via business accounts and they store content your organisation publishes. Under that definition, they likely qualify as cloud services. And cloud services cannot be excluded from scope under Danzell.
So if a personal device manages your company's social media accounts, that device is probably in scope. Because MFA on cloud services is mandatory under Danzell, the MFA requirement would also apply to those accounts: the cloud service definition is broad enough to cover business social media.
Your assessor will make a judgement based on your specific setup, but the safe assumption is that business social media accounts are cloud services and devices accessing them are in scope.
What changed from Willow to Danzell for BYOD?
The BYOD section itself is unchanged, with the same scope criteria and the same exclusions applying. If you had your BYOD classification right under Willow v3.2, you don't need to reclassify devices for Danzell v3.3.
But two broader scope changes in Danzell affect how BYOD devices interact with your scope boundary.
The "untrusted" qualifier is gone. Under Willow, scope covered devices that could accept connections from "untrusted internet-connected hosts." Danzell drops the word "untrusted." The scope now covers devices that can accept connections from any "internet-connected devices." In practice, there is less room to argue a connection is "trusted" and therefore out of scope.
Cloud services cannot be excluded from scope. Danzell makes this explicit: "Cloud services cannot be excluded from scope." Willow implied it, but Danzell states it outright. If your staff use personal devices to access cloud services, those devices are in scope. Most organisations' staff do exactly that. Your scope boundary cannot override this rule.
The BYOD wording didn't change, but the scope around it got tighter.
How to classify BYOD devices for your assessment
You need a list of every personal device used for work, with each device classified as either "in scope" or "excluded (voice/text/MFA only)."
Start by asking a simple question of every employee: do you use any personal device for work purposes? Then get specific about what "work purposes" means.
Step 1: Identify every personal device that touches work data. This includes phones, tablets, laptops, and any other device. If someone checks work email on their personal phone once a week, that phone is in scope.
Step 2: Apply the exclusion test. For each device, ask: is this device used only for voice calls, text messages, or MFA? If yes, and no other work use exists, the device is excluded. If the device is also used for email, cloud apps, file access, or anything else work-related, it is in scope.
Step 3: Document the classification. Your assessor will ask about BYOD. You need to explain which devices are in scope, which are excluded, and why. Under Danzell, a partial scope means you must also justify any exclusions.
Step 4: Apply the controls to in-scope devices. This is the hard part. Every in-scope BYOD device must meet the same five controls as a corporate device. That means:
- A firewall must be active (software firewall on the device)
- The device must be securely configured (no default passwords, screen lock enabled)
- The OS (operating system) and apps must be kept up to date (critical patches within 14 days)
- User access must be controlled (unique credentials, MFA on cloud services)
- Malware protection must be in place (anti-malware on Windows and macOS, or application allow-listing)
On a corporate laptop, you handle all of this through group policy or MDM (mobile device management). On a personal phone, you rely on the device owner to keep their software updated and screen lock on. That gap is the core tension with BYOD in Cyber Essentials.
The enforcement gap nobody talks about
In-scope BYOD devices must meet the same controls as corporate devices. But you cannot force an employee to install management software on a personal phone. You cannot push group policy to a device you do not own. And you cannot remotely wipe a personal tablet without consent and a clear legal basis.
Some organisations handle this through a formal BYOD policy. Employees sign it as a condition of using personal devices for work. The policy requires them to keep the device updated, use a screen lock, and allow certain management controls. If they refuse, they lose access to organisational services from that device.
Other organisations take a different approach entirely, providing corporate devices to anyone who needs work access and banning personal devices from the network. That is cleaner from a CE (Cyber Essentials) perspective: every in-scope device is one you own and control. But it costs more, and not every organisation has the budget.
The NCSC (National Cyber Security Centre) oversees Cyber Essentials through its delivery partner IASME (Information Assurance for Small and Medium Enterprises). IASME publishes BYOD guidance that covers both approaches. Danzell references this guidance and recommends reading it if your organisation allows personal devices.
There is no single right answer here. What matters for your assessment is that you can show the assessor how you're meeting the five controls on every in-scope device, regardless of who owns it. The approach you choose depends on your organisation's size, budget, and appetite for managing devices you don't own.
The "MFA-only phone" edge case
This is the most common point of confusion. Someone in your organisation uses their personal phone for MFA only. They receive push notifications from an authenticator app when logging into work systems from their corporate laptop. That phone is excluded from scope because it is doing exactly what the exclusion allows.
But the same person also has their work email configured on that phone. Just the email app and nothing else.
That phone is now in scope and the MFA-only exclusion no longer applies. The device is accessing organisational data through the email app. It does not matter that email was the only extra thing added. One work-related use beyond voice, texts, and MFA is enough to bring the device into scope.
This catches organisations out because the shift from "out of scope" to "in scope" is a single app install. Employees make that decision themselves, often without telling IT (information technology).
Your BYOD policy needs to address this directly. Either employees understand that adding work email to a personal phone brings it under CE controls, or you prevent work email access on personal devices altogether.
What your assessor will ask
Assessment questions about BYOD typically cover three areas.
Scope declaration. You will be asked which devices are in scope and why. Under Danzell, assessors look more closely at scope descriptions. If you have excluded personal devices, you need to explain why the exclusion criteria apply.
Control evidence. For in-scope BYOD devices, you need to show how each control is met. How do you know personal phones run the latest OS? How do you verify screen locks are on, and what malware protection is in place on each device?
Policy documentation and formal BYOD agreements. Do you have a BYOD policy? Does it explain which devices are in scope? Does it explain what employees must do to keep their devices compliant?
You don't need a 50-page document, just a clear record of which devices are in scope, which controls apply, and how you enforce them.
In-scope vs out-of-scope BYOD devices: quick reference
| Question | If yes | If no |
|---|---|---|
| Does the device access work email? | In scope | Continue to next question |
| Does the device access any cloud service (Microsoft 365, Google Workspace, CRM, etc.)? | In scope | Continue to next question |
| Does the device access any files, documents, or data belonging to your organisation? | In scope | Continue to next question |
| Does the device access business social media accounts? | Likely in scope (cloud service definition) | Continue to next question |
| Is the device used only for phone calls, texts, and/or MFA authentication? | Excluded from scope | In scope (some other work use exists) |
If you answered "yes" to any of the first four questions, the device is in scope. It must meet all five Cyber Essentials controls. The MFA-only exclusion only applies if the device is used for nothing else work-related.
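The triage above, as an added example that is not from the article or from IASME: a small Python classifier that applies the exclusion test to a constructed device inventory and produces the per-device record an assessor would ask to see. The use tags, staff names and devices are assumptions; business social media is treated as "likely in scope" and any other work use as "in scope", following the table.

```python
from dataclasses import dataclass

# Work uses that keep a personal device out of scope when they are its ONLY work uses.
EXCLUSION_ONLY_USES = frozenset({"voice", "sms", "mfa"})
# Business social media meets Danzell's cloud service definition: "likely in scope".
LIKELY_IN_SCOPE_USES = frozenset({"social_media"})

@dataclass(frozen=True)
class Device:
    owner: str
    kind: str
    work_uses: frozenset  # assumed tags describing what the owner does with it for work

def classify(device: Device) -> tuple:
    """Return (classification, reason) for one personal device."""
    uses = device.work_uses
    if not uses:
        return ("not a BYOD device", "no work use declared")
    # Email, cloud apps, file access or any other work use overrides the exclusion;
    # a single extra app (e.g. work email next to an MFA app) is enough.
    other = uses - EXCLUSION_ONLY_USES - LIKELY_IN_SCOPE_USES
    if other:
        return ("in scope", "accesses organisational data/services: " + ", ".join(sorted(other)))
    if uses & LIKELY_IN_SCOPE_USES:
        return ("likely in scope", "business social media falls under the cloud service definition")
    return ("excluded", "used only for voice/text/MFA: " + ", ".join(sorted(uses)))

def build_register(devices) -> list:
    """Per-device classification record (owner, device, classification, reason)."""
    return [(d.owner, d.kind, *classify(d)) for d in devices]

# Constructed sample inventory: hypothetical staff and devices, not from the article.
INVENTORY = [
    Device("A. Patel", "iPhone", frozenset({"voice", "sms", "mfa"})),      # excluded
    Device("B. Jones", "iPhone", frozenset({"mfa", "email"})),             # in scope
    Device("C. Smith", "Android tablet", frozenset({"cloud_service"})),    # in scope
    Device("D. Brown", "Windows laptop", frozenset({"social_media"})),     # likely in scope
    Device("E. Green", "Android phone", frozenset()),                      # no work use
    Device("F. White", "Chromebook", frozenset({"mfa", "expenses_app"})),  # in scope
]

def count_in_scope(devices) -> int:
    """Devices that must meet all five controls (counts 'likely in scope' too)."""
    return sum(1 for d in devices if classify(d)[0] in {"in scope", "likely in scope"})

if __name__ == "__main__":
    for row in build_register(INVENTORY):
        print(" | ".join(row))
    print(f"{count_in_scope(INVENTORY)} of {len(INVENTORY)} devices must meet the five controls")
```

Feeding the script a real survey export instead of the constructed inventory gives you the Step 3 documentation and a count of devices that need the Step 4 controls.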
Getting BYOD right before your assessment
The practical steps are less about technology and more about knowing what's happening on your network.
Talk to your staff and find out who uses personal devices for work and what they use them for. Build the list, apply the exclusion test, and document the results. Then work out how you will meet the five controls on every in-scope device. Options include MDM, a signed BYOD policy, or removing personal device access altogether.
I've certified over 800 organisations through Cyber Essentials and CE Plus, from single-person businesses up to FTSE 350 companies. BYOD classification comes up in almost every assessment. You can see our CE assessment pricing on the website. Or read more about the broader Danzell scope changes that affect your next certification.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote to start the conversation.