Cyber Essentials Cloud Service Inventory: How to Find Everything in Scope

Cloud services cannot be excluded from your Cyber Essentials scope, and that's not a suggestion but a rule under Danzell v3.3, stated in the main scope overview: "Cloud services cannot be excluded from scope." If a service meets the cloud definition and holds your data, it's in.
The problem isn't the rule itself; the problem is that most businesses don't know how many cloud services they're using. The number is always higher than anyone expects.
What counts as a cloud service under Danzell?
Danzell gives cloud services a formal definition for the first time. Under Willow v3.2, the term was used everywhere but never defined. Danzell defines a cloud service as: on-demand, scalable, hosted on shared infrastructure, internet-accessible, and accessed via an account holding your data.
If a service meets those five criteria, it's a cloud service for Cyber Essentials purposes. That covers the obvious ones (Microsoft 365, Google Workspace, Xero, Salesforce). But it also covers services most businesses don't think of as "cloud": website analytics dashboards, social media business accounts, online banking portals, government services like HMRC and Companies House.
The definition is deliberately broad by design. If you log in through a browser to a service that stores or processes your business data, it probably qualifies.
Why does this matter for your assessment?
Every cloud service in scope must meet the Cyber Essentials controls. That means:
Multi-factor authentication (MFA) must be enabled on every cloud service account where the service supports it. That applies to all accounts, not just admin accounts. If a service offers MFA and you haven't turned it on, that's a fail.
Admin accounts on cloud services must be separate from day-to-day user accounts. If your office manager uses the same login for sending emails and managing your Microsoft 365 tenant, those privileges need splitting.
The assessor picks a sample from your cloud service list during a CE Plus assessment. If the sample includes a service you forgot to list, or one where MFA isn't enabled, you've got a problem (a pattern based on findings from the internal assurance audit).
The services people forget
The obvious cloud services are the ones you're already paying for, such as Microsoft 365, Google Workspace, and Xero, which make it onto every list. The ones that cause problems are the services nobody thinks of as "cloud" until I point them out.
Social media accounts. Under Danzell, company social media accounts are in scope. Your LinkedIn company page, your Facebook business page, your X account. They meet all five criteria: on-demand, scalable, shared infrastructure, internet-accessible, and holding your data. They all need MFA enabled. I've seen businesses list 30 cloud services and leave off every social media account. That's three or four missing services before we've even started looking properly.
Project management tools such as Asana, Monday.com, Trello, and Jira. If your team tracks tasks, deadlines, or client deliverables in one of these, it's a cloud service holding business data. The free-tier ones catch people out because there's no invoice to trigger the memory.
File sharing (especially personal accounts). If a staff member uses their personal Dropbox or Google Drive to share work files, that service is handling business data. The fact that it's a personal account doesn't change the scope. It makes it harder to manage, but it doesn't remove the requirement. I see this constantly. Someone needed to send a large file once, signed up for a free Dropbox account, and it's been the team's unofficial file share ever since.
Accounting platforms including Xero, QuickBooks, and FreeAgent. Your accountant probably accesses these too, which means you've got third-party access to a cloud service holding your financial data, and that puts them firmly in scope.
HR and recruitment systems. BrightHR, BreatheHR, Indeed employer accounts, any platform where you manage employee records or job applications. These hold personal data, meet the definition, and are firmly in scope.
Government portals. HM Revenue and Customs (HMRC) for Pay As You Earn (PAYE), Value Added Tax (VAT), and Corporation Tax. Companies House for filings. These are cloud services by the Danzell definition. They hold your data, they're internet-accessible, and you log in with an account.
Bundled platform components are another area people miss, because Microsoft 365 isn't one service. It's Exchange Online, SharePoint, OneDrive, Teams, and the admin centre. If those components have different security settings or login portals, your assessor may want to see them individually. The same applies to Google Workspace, which bundles Gmail, Drive, Calendar, and Admin Console.
Free tools that hold business data. Trello boards, Slack workspaces on free plans, Canva accounts used for marketing materials. Free doesn't mean out of scope. If business data is in there, it counts.
How to build the inventory
Asking someone to "list all your cloud services" doesn't work because people forget things and don't think of half their tools as cloud services. You need a process that catches the ones memory misses.
Check your Single Sign-On (SSO) logs. If you're using Azure AD or Google Workspace as an identity provider, pull the list of connected applications. Every app your staff have authenticated through SSO is a cloud service. This is the fastest way to find services you didn't know about.
Check browser saved passwords. Open Chrome, Edge, or Firefox on a few machines and export the saved passwords list. Every entry with a web address is a potential cloud service. This catches the personal sign-ups that never went through IT.
Check expense claims and bank statements. Pull 12 months of credit card transactions and filter for recurring software charges. Annual subscriptions are easy to forget because they only appear once a year. Check with your accountant too, they see every payment.
Search email inboxes. Search for "welcome to", "your account has been created", "verify your email", and similar phrases. Every cloud service sends a confirmation email when you sign up. Those emails are a paper trail that doesn't lie.
Ask each department head directly by having a conversation rather than sending a form. Ask them: "What do you use every day that requires a login?" Marketing teams run analytics, email platforms, and social scheduling tools. Sales teams have their own CRM systems. Finance has accounting software. HR has recruitment and payroll platforms. The people using the tools know what they are; they just don't volunteer the information unless you ask specifically.
Check your DNS and domain records. If you've set up SPF, DKIM, or DMARC records, look at what services are authorised to send email on your behalf. Each one is a cloud service.
Once you've collected everything from those six sources, you'll have a list that's longer than anyone expected, which is perfectly normal. The average small business uses somewhere between 15 and 40 cloud services, but most people guess about five.
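The discovery steps above can be partly automated. This added example (not from the original article) sweeps three of the six sources, a browser password export, a year of card transactions and the domain's SPF record, into one candidate list and flags personal logins. All inputs are constructed sample data and the company mail domain `example.co.uk` is an assumption.

```python
import csv
import io
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.co.uk"  # assumed company mail domain

# Constructed sample inputs (not real data): a Chrome/Edge/Firefox password
# export, a year of card transactions and the company domain's SPF record.
BROWSER_CSV = """name,url,username,password
Xero,https://login.xero.com/identity/user/login,finance@example.co.uk,x
Trello,https://trello.com/login,alice@example.co.uk,x
Dropbox,https://www.dropbox.com/login,alice@gmail.com,x
"""
BANK_CSV = """date,merchant,amount
2024-01-03,MONDAY.COM,89.00
2024-02-03,MONDAY.COM,89.00
2024-06-12,CANVA PTY LTD,99.99
2024-06-14,PRET A MANGER,6.50
"""
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com "
              "include:_spf.google.com include:servers.mcsv.net -all")

def browser_logins(text):
    """(hostname, username) pairs from a browser saved-password export."""
    rows = csv.DictReader(io.StringIO(text))
    return [(urlparse(r["url"]).hostname.lower(), r["username"]) for r in rows]

def recurring_merchants(text, min_charges=2):
    """Merchants charged more than once: candidate subscriptions. Annual
    charges appear only once, so single charges still need a manual pass."""
    counts = {}
    for r in csv.DictReader(io.StringIO(text)):
        counts[r["merchant"]] = counts.get(r["merchant"], 0) + 1
    return sorted(m for m, n in counts.items() if n >= min_charges)

def spf_includes(record):
    """Third parties authorised to send mail for the domain via SPF include:."""
    return re.findall(r"include:(\S+)", record)

def build_inventory(browser_csv, bank_csv, spf):
    """Merge the sources into {candidate: {"sources": set, "personal": bool}}."""
    inv = {}
    for host, user in browser_logins(browser_csv):
        e = inv.setdefault(host, {"sources": set(), "personal": False})
        e["sources"].add("browser")
        # A personal login that handles business data is still in scope.
        if not user.lower().endswith("@" + COMPANY_DOMAIN):
            e["personal"] = True
    for key, src in [(m, "bank") for m in recurring_merchants(bank_csv)] + \
                    [(d, "spf") for d in spf_includes(spf)]:
        inv.setdefault(key, {"sources": set(), "personal": False})["sources"].add(src)
    return inv
```

Each candidate still needs a human to name the service and confirm it meets the five-criteria definition; the sweep only makes sure nothing is left to memory.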
What the assessor asks
I run CE and CE Plus assessments, so I can tell you exactly what I'm looking for when it comes to cloud services.
First, I want to see the list. A complete inventory of every cloud service in scope. I'm checking it against the five-criteria definition: is the service on-demand, scalable, hosted on shared infrastructure, internet-accessible, and accessed via an account that holds your data? If it meets those five points, it should be on the list.
Then I'm checking MFA across the board. For every service on the list that supports multi-factor authentication, I want to see that it's actually turned on and that users are enrolled. Not just configured in the admin console but actually working in practice. During a CE Plus assessment, I'll pick a sample of services from your list and ask to see a live login that triggers MFA.
I'm also looking at admin accounts across every service. Who has admin access to each cloud service? Are those admin accounts separate from their day-to-day user accounts? If your office manager sends emails and manages the Microsoft 365 tenant from the same login, that needs splitting.
The thing most people don't expect: I'm also looking for services that should be on the list but aren't. If I spot something during the assessment that looks like a cloud service you haven't declared, that's a conversation we need to have. It's better to over-declare than to miss something.
What information does your assessor need?
For each cloud service, you need to know:
The service name and provider. "Microsoft 365" is fine as a top-level entry, but be ready to show individual components if the assessor asks.
Whether MFA is enabled and working, not just configured in the admin console but actually working with users enrolled. The assessor may ask to see a login attempt that triggers MFA.
Who has admin access to each service. Admin accounts should be separate from standard user accounts. If someone has admin access they don't need, remove it before the assessment.
What data each service holds, which helps the assessor understand the risk and decide which services to sample.
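A pre-assessment self-check over that record set, written as an added example (not the assessor's or the article's own tooling): it flags the four things described above, MFA available but off, MFA on but users not enrolled, an admin identity also used day-to-day, and a discovered service missing from the declared list. The inventory and the discovered set are constructed sample data.

```python
# Constructed sample inventory (not real data). Each record holds what the
# assessor asks for: MFA state and enrolment, admin identities, daily users
# and the kind of data the service holds.
DECLARED = [
    {"service": "Microsoft 365", "mfa_supported": True, "mfa_enabled": True,
     "mfa_enrolled": {"alice@example.co.uk"},
     "admins": {"it-admin@example.co.uk"},
     "users": {"alice@example.co.uk", "bob@example.co.uk"}, "data": "email, files"},
    {"service": "Xero", "mfa_supported": True, "mfa_enabled": False,
     "mfa_enrolled": set(), "admins": {"bob@example.co.uk"},
     "users": {"bob@example.co.uk"}, "data": "financial"},
    {"service": "Companies House", "mfa_supported": False, "mfa_enabled": False,
     "mfa_enrolled": set(), "admins": set(),
     "users": {"bob@example.co.uk"}, "data": "statutory filings"},
]
# Services turned up by the discovery sweep (browser exports, bank, SPF, ...).
DISCOVERED = {"Microsoft 365", "Xero", "Companies House", "Trello"}

def review(declared, discovered):
    """Return (service, finding) pairs an assessor would raise."""
    findings = []
    for r in declared:
        if r["mfa_supported"] and not r["mfa_enabled"]:
            findings.append((r["service"], "MFA available but not enabled"))
        # Enabled in the admin console is not enough: every user must be enrolled.
        missing = r["users"] - r["mfa_enrolled"] if r["mfa_enabled"] else set()
        if missing:
            findings.append((r["service"],
                             "MFA enabled but users not enrolled: " + ", ".join(sorted(missing))))
        shared = r["admins"] & r["users"]
        if shared:
            findings.append((r["service"],
                             "admin identity also used day-to-day: " + ", ".join(sorted(shared))))
    declared_names = {r["service"] for r in declared}
    for s in sorted(discovered - declared_names):
        findings.append((s, "discovered but not declared"))
    return findings
```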
How do you keep the list current?
Your cloud service inventory isn't a one-time exercise. Staff sign up for new services, old services get forgotten but never cancelled, and people leave while their accounts stay active.
Review the inventory quarterly and check it against bank statements and subscription records. When someone leaves, review their accounts across all cloud services and disable or transfer them. When someone requests a new tool, add it to the list before the subscription starts.
If your organisation has a data protection officer or a Data Protection Impact Assessment (DPIA) process, your cloud service inventory should overlap heavily with those records. Use one to verify the other and catch gaps.
For more on the MFA requirements for cloud services, see the MFA and cloud services guide. For the full scope changes under Danzell, see the scope changes guide.
You can check your readiness with the CE readiness quiz or see CE assessment pricing and CE Plus pricing on the website.
Need help with your Cyber Essentials assessment? Get in touch, email [email protected], or call +44 20 3026 2904.