Cloud Migration and Cyber Essentials: How Moving to the Cloud Changes Your Scope

Moving from on-premise servers to cloud services doesn't remove your Cyber Essentials obligations. It changes where those obligations apply and how you evidence them. The five technical controls are the same as they have always been. The way you demonstrate them is different.
Under Danzell v3.3 (effective 27 April 2026), cloud services cannot be excluded from scope. That's a direct statement in the requirements document. Every cloud service your organisation uses that holds your data or processes it is in scope, and each one must meet the same controls that your on-premise systems did.
This article covers what changes when you move to cloud, what stays the same, and where organisations get caught out during assessment.
What actually changes when you move to cloud?
When your file server was in the office, you controlled the firewall, the patching, the antivirus, and who had access. You owned every layer, but cloud changes that. Depending on whether you're using IaaS, PaaS, or SaaS, the cloud provider takes responsibility for some of those layers. The problem is that most organisations assume the provider handles more than they actually do.
The shared responsibility model is the main area where organisations get confused during assessment. Here's how it breaks down in practice.
SaaS (e.g. Microsoft 365, Google Workspace, Xero): The provider handles the infrastructure, the operating system, and the application patching. You handle user access control, MFA configuration, and secure settings within the service. If Microsoft 365 has an admin setting that's insecure by default, that's on you.
PaaS (e.g. Azure App Service, AWS Elastic Beanstalk): The provider handles the underlying infrastructure and OS patching. You handle application-level security, access control, and the configuration of the platform. Misconfigured storage containers or overly permissive access policies are your problem.
IaaS (e.g. Azure VMs, AWS EC2, Google Compute Engine): The provider handles the physical infrastructure and the hypervisor. You handle almost everything else: the operating system, patches, firewall rules, malware protection, and user access. An EC2 instance with an unpatched OS is no different from an unpatched server under your desk, as far as Cyber Essentials is concerned.
The pattern is straightforward once you see it. The more control you have, the more responsibility you carry. IaaS gives you the most control and the most CE obligations. SaaS gives you the least of both.
Do the five controls still apply?
Yes. All five Cyber Essentials controls apply whether your systems are on-premise, in the cloud, or a mix of both. What changes is how you implement and evidence them.
Firewalls
On-premise, you had a physical firewall appliance or a software firewall on each device. In the cloud, the equivalent is security groups, network ACLs, and cloud-native firewall services.
The requirement is the same: restrict inbound traffic to only the ports and protocols your services need, and block everything else by default. If you've spun up an Azure VM and left RDP open to the internet on port 3389, that's a fail. It doesn't matter that there's no physical box in your server room.
For SaaS services, the firewall control is largely handled by the provider. You can't configure the network layer on Microsoft 365. But you can and must configure access restrictions like conditional access policies and IP allowlisting where available.
Secure configuration
Default configurations on cloud platforms are not always secure. Cloud providers optimise for ease of setup, not for passing Cyber Essentials.
Common issues we see:
- Storage buckets or blob containers set to public access
- Admin accounts without MFA
- Legacy authentication protocols still enabled (basic auth on Exchange Online, for example)
- Default sharing settings in collaboration tools that allow external access
Every cloud service you use needs its settings reviewed against the CE requirements. "We just set it up and left it" is one of the most common reasons for assessment failures.
User access control
This is where cloud migration creates the biggest change for most organisations. On-premise, you might have managed users through a local Active Directory. In the cloud, that shifts to an identity provider.
If you're on Microsoft's platform, your directory is now Microsoft Entra ID (formerly Azure AD). Google uses the Google Workspace admin console for identity. Each cloud service might also have its own user management.
The CE requirements for user access control don't change:
- Every user has their own account. No shared logins.
- Admin accounts are only used for admin tasks.
- Accounts are removed or disabled when someone leaves.
- Passwords: minimum 8 characters with MFA, minimum 12 characters without.
What does change is that you now need to manage accounts across multiple cloud services instead of one central directory. A single sign-on (SSO) setup helps, but not every service supports it, and you still need to track which accounts exist where.
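The account checks listed above, applied to a cross-service inventory as an added example (not code from the article or from Net Sec Group). The account record fields and the sample accounts are constructed assumptions; the rules are the ones stated in the list: one account per person, leavers disabled, MFA on where the service offers it, 8-character minimum with MFA and 12 without, and a documented purpose for every admin account.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    service: str
    is_admin: bool
    shared: bool
    mfa_available: bool   # does this cloud service offer MFA at all?
    mfa_enabled: bool
    password_length: int
    owner_employed: bool
    enabled: bool
    purpose: str = ""     # documented reason an admin account exists


# Constructed sample inventory spanning several cloud services (not real accounts).
ACCOUNTS = [
    Account("alice@example.test", "Microsoft 365", False, False, True, True, 10, True, True),
    Account("it-contractor@example.test", "Microsoft 365", True, False, True, False, 16, False, True),
    Account("finance-shared", "Xero", False, True, True, False, 9, True, True),
    Account("bob@example.test", "Legacy CRM", False, False, False, False, 12, True, True),
]


def review_account(a: Account) -> list:
    """Return the CE user-access issues found on one account (empty list if none)."""
    issues = []
    if a.shared:
        issues.append("shared login; every user needs their own account")
    if a.enabled and not a.owner_employed:
        issues.append("owner has left but the account is still enabled")
    if a.mfa_available and not a.mfa_enabled:
        issues.append(f"MFA is available on {a.service} but not enabled")
    minimum = 8 if a.mfa_enabled else 12
    if a.password_length < minimum:
        issues.append(f"password is {a.password_length} characters; minimum is {minimum} "
                      + ("with MFA" if a.mfa_enabled else "without MFA"))
    if a.is_admin and not a.purpose:
        issues.append("admin account with no documented purpose")
    return issues


def review_accounts(accounts) -> dict:
    """Map account name to its issues, keeping only accounts that have any."""
    report = {}
    for a in accounts:
        issues = review_account(a)
        if issues:
            report[a.name] = issues
    return report
```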
Malware protection
On-premise, you installed antivirus on every device. That requirement hasn't gone away for your endpoints. Laptops, desktops, and phones still need malware protection.
For cloud servers (IaaS), you need malware protection on each virtual machine, just as you would on a physical server. The cloud provider does not install this for you.
For SaaS and PaaS, the provider generally handles malware protection at the infrastructure level. You don't need to install antivirus on your Microsoft 365 tenant. But you should confirm that built-in protections (like Microsoft Defender for Office 365 or Google's scanning) are enabled and not turned off.
Patch management
The 14-day patching requirement for vulnerabilities scored CVSS 7.0 or above applies to everything in scope, and that includes all cloud services your organisation uses.
For IaaS, you patch the operating system and applications yourself. The process is exactly the same as on-premise. If a critical patch drops on a Tuesday, you have 14 days.
For PaaS, the provider patches the platform, but you're responsible for your application dependencies. If your web app runs on a framework with a known vulnerability, that's your patch to apply.
For SaaS, the provider handles the infrastructure patching. But you are responsible for keeping any browser extensions, plugins, or client applications up to date. The Outlook desktop app is your responsibility. The Exchange Online infrastructure is Microsoft's responsibility to patch.
The key point: migrating to SaaS reduces your patching burden significantly. Migrating to IaaS barely changes it at all.
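The 14-day clock combined with the per-model split of patching responsibility, as an added example (not code from the article or from Net Sec Group). The layer names, the record format and the sample vulnerability records are constructed assumptions; the rule is the one stated above: CVSS 7.0 or higher, 14 days from release, and only for the layers you own under IaaS, PaaS or SaaS.

```python
from datetime import date, timedelta

CVSS_THRESHOLD = 7.0            # the 14-day requirement applies at this score and above
PATCH_WINDOW = timedelta(days=14)

# Layers you patch yourself under each service model, as described above.
# (assumed layer names: "os", "application", "client", "infrastructure")
LAYERS_YOU_PATCH = {
    "IaaS": {"os", "application", "client"},
    "PaaS": {"application", "client"},   # OS and platform are patched by the provider
    "SaaS": {"client"},                  # browser extensions, plugins, desktop apps
}


def patch_owner(model: str, layer: str) -> str:
    return "you" if layer in LAYERS_YOU_PATCH[model] else "provider"


def patch_status(item: dict, today: date) -> tuple:
    """Return (status, deadline) for one vulnerability record."""
    if item["cvss"] < CVSS_THRESHOLD:
        return ("below-threshold", None)   # outside the 14-day rule (still worth patching)
    if patch_owner(item["model"], item["layer"]) == "provider":
        return ("provider", None)
    deadline = item["released"] + PATCH_WINDOW
    if item["patched"]:
        return ("done", deadline)
    return ("overdue" if today > deadline else "due", deadline)


def patch_report(items, today: date) -> dict:
    return {i["id"]: patch_status(i, today)[0] for i in items}


# Constructed records (not real CVEs or systems); dates are relative to a fixed "today".
TODAY = date(2026, 5, 1)
VULNS = [
    {"id": "ec2-os-1", "model": "IaaS", "layer": "os", "cvss": 8.1,
     "released": TODAY - timedelta(days=20), "patched": False},
    {"id": "appservice-dep-1", "model": "PaaS", "layer": "application", "cvss": 7.5,
     "released": TODAY - timedelta(days=5), "patched": False},
    {"id": "exo-infra-1", "model": "SaaS", "layer": "infrastructure", "cvss": 9.0,
     "released": TODAY - timedelta(days=3), "patched": False},
    {"id": "outlook-client-1", "model": "SaaS", "layer": "client", "cvss": 7.2,
     "released": TODAY - timedelta(days=30), "patched": True},
    {"id": "vm-app-low", "model": "IaaS", "layer": "application", "cvss": 5.0,
     "released": TODAY - timedelta(days=60), "patched": False},
]

if __name__ == "__main__":
    for vid, status in patch_report(VULNS, TODAY).items():
        print(f"{vid:18} {status}")
```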
Where organisations get caught during assessment
I've certified over 800 organisations through Cyber Essentials. The ones migrating to cloud tend to hit the same problems.
Assuming the cloud provider handles security. The most common mistake. "We're on Azure, so Microsoft handles it" is not how it works. Microsoft handles the infrastructure. You handle the configuration, access control, and MFA.
Forgetting about the old on-premise systems. A partial migration is worse than no migration for scope purposes. You now have cloud services in scope AND whatever on-premise systems are still running. Both need to meet all five controls. If you've moved email to Microsoft 365 but still have a file server in the office, both are in scope.
Not enabling MFA on every cloud service. Under Danzell, MFA is mandatory on all cloud services where available. This applies to every cloud service, not just your main platform. Your project management tool, your accounting software, your CRM. If it supports MFA and it's in scope, it must be turned on.
Losing track of admin accounts. Cloud platforms make it easy to create admin accounts during setup. Six months later, nobody remembers that the IT contractor who set up the tenant still has global admin access. The assessor will ask for a list of admin accounts and what each one is used for (in line with the January 2023 threshold advisory).
Not updating the scope description. Your Cyber Essentials scope description needs to reflect your actual infrastructure. If you certified with an on-premise setup last year and you've since moved to cloud, your scope description for the next assessment must describe the cloud environment. Don't copy last year's answers.
How to prepare for assessment after a cloud migration
Start preparing before the migration, not after. If your CE renewal is in three months and you're planning a cloud migration in two, do the migration first and then prepare for assessment with the new environment.
A practical checklist:
- Build a complete inventory of every cloud service in use (see our cloud service inventory guide)
- Map each service to the shared responsibility model: what does the provider handle, what do you handle?
- Enable MFA on every cloud service that supports it
- Review default configurations on each service and tighten them
- Confirm that all admin accounts are documented and justified
- Verify that your patching process covers cloud-hosted systems, not just on-premise devices
- Update your scope description to reflect the current infrastructure
- Remove or disable accounts for anyone who no longer needs access
Your CE certification is valid for 12 months. If you migrate mid-cycle, you don't lose your current certification. But the next assessment will cover the cloud environment, so sort it out before renewal, not during.
Cloud migration makes Cyber Essentials easier in some ways
It is not all extra work or added complexity. SaaS services reduce your patching and malware protection burden. Cloud identity providers like Microsoft Entra ID give you better MFA options than most on-premise setups. Conditional access policies can enforce security rules automatically instead of relying on manual checks.
The organisations that struggle are the ones that migrate without thinking about CE implications, then discover three weeks before assessment that half their cloud services don't have MFA enabled and nobody documented the admin accounts.
Plan for it by mapping your responsibilities and enabling MFA early. The assessment itself won't be harder than it was before. The preparation just looks different from what you are used to.
Related articles
- MFA on Cloud Services for Cyber Essentials
- Cloud Service Inventory for Cyber Essentials
- Cyber Essentials v3.3: What the Danzell Update Changes
- What to Expect on Cyber Essentials Assessment Day