Contractor Devices and Cyber Essentials: When Are They in Scope?

A contractor turns up with their own laptop, connects to your Wi-Fi, and starts working on your systems. Whose problem is that device for Cyber Essentials? It's your problem, because their device is now in scope for your assessment and you're responsible for proving it meets the controls.
This catches organisations out more often than almost any other scoping question. The logic is straightforward, but the practical reality gets messy fast. This article covers when contractor devices are in scope, what controls apply, and how to handle the situations where you can't force compliance onto someone else's hardware.
What puts a contractor device in scope?
The scoping rule under Cyber Essentials is simple. Any device that accesses your organisational data or services falls inside your scope boundary.
That applies equally to devices you own and devices you don't own. If a contractor's personal laptop connects to your network, opens your cloud applications, or touches your data in any way, it's in scope. The same applies to subcontractors, consultants, freelancers, and anyone else who isn't a permanent employee but uses a device that interacts with your systems.
Under Danzell v3.3, the scope definition got tighter. Cloud services can't be excluded from scope. The "untrusted" qualifier was removed from the connection criteria. And partial scope exclusions now require justification to your assessor. All of this makes it harder to argue that a contractor's device sits outside your assessment boundary.
The BYOD (bring your own device) rules apply to contractors too. The same exclusion criteria that apply to employee-owned devices apply here. A contractor's phone is only out of scope if it's used purely for voice calls, text messages, and MFA apps. The moment it accesses work email or a cloud service, the exclusion disappears. For the full breakdown of BYOD classification, see the BYOD device classification guide.
What controls apply to contractor devices?
All five of them apply without exception. There isn't a reduced set of controls for devices owned by third parties.
If a contractor's device is in scope for your Cyber Essentials assessment, it must meet:
- Firewalls: a software firewall must be active on the device
- Secure configuration: default passwords changed, unnecessary software removed, screen lock enabled
- User access control: unique credentials, MFA (multi-factor authentication) on cloud services where available, admin accounts separate from standard accounts
- Malware protection: anti-malware software installed, active, and up to date
- Security update management: all software patched within 14 days of a security update being released, which in practice means every critical and high-severity patch must be applied promptly and evidenced
That last one is the sticking point for most contractor arrangements. You can ask a contractor if their laptop is patched. You can't verify it the way you can with a device under your own management tools.
Why "they've got their own IT" doesn't work
This is the most common assumption I see organisations make. A contractor works for another company with its own IT department, its own security policies, maybe even its own Cyber Essentials certificate. So the contractor's device must be fine.
Your assessor won't accept that reasoning for your assessment. The certification belongs to the other organisation, not to yours. Your assessment covers your scope, your controls, and your ability to demonstrate compliance for every device inside that scope. The contractor's employer having their own certificate doesn't transfer to your assessment.
You need to show evidence that each in-scope device meets the five controls. For a corporate device, you can pull that evidence from your MDM (mobile device management) or group policy. For a contractor's device that you don't manage, you're relying on their word, and that's the gap assessors look at.
What are your actual options?
You can't force Cyber Essentials controls onto a device you don't own. But you're still responsible for every device inside your scope. Here's how organisations handle that tension in practice.
Option 1: provide a company device
Give the contractor a laptop you own and manage. It goes through your MDM, so your patching schedule and configuration standards apply. From a CE perspective, it's the cleanest option because you have full control and full evidence.
The downside is the cost of maintaining a device pool. If you have contractors rotating through regularly, you need a pool of managed devices available. For a long-term contractor, the cost is easy to justify. For a two-day engagement, the maths is harder.
Option 2: use VDI or remote desktop
Set up a virtual desktop infrastructure (VDI) or remote desktop solution. The contractor connects from their own device, but all work happens inside a controlled virtual environment. Your data stays on your servers throughout the engagement. The contractor's device acts as a thin client, a screen and a keyboard.
This keeps the data off the contractor's hardware. The virtual environment is under your control and meets your CE controls. Whether the contractor's physical device remains in scope depends on the setup. If their device is only acting as a display for a remote session and isn't storing, processing, or accessing your data directly, you have a stronger case for it sitting outside scope. But talk to your assessor about this before your certification, because the boundary depends on the specifics of how the connection works.
Option 3: restrict to a guest network
Put the contractor on a guest network that has no access to your organisational data or services. They can use the internet for their own purposes, but they can't reach your file shares, cloud apps, or internal systems.
This only works if the contractor genuinely doesn't need access to your systems to do their job. If they're there to work on your infrastructure, they need access to your infrastructure. A guest network won't solve that access requirement.
Option 4: contractual requirements
Some organisations include CE compliance requirements in their contractor agreements. The contract states that the contractor's device must meet specific security standards: current OS patches, active firewall, anti-malware installed, screen lock enabled. The contractor signs it as a condition of the engagement.
This gives you a paper trail for your assessor. It doesn't give you any technical verification though. Your assessor may accept a signed agreement as evidence, or they may want to see something more concrete. It depends on the assessor and the risk profile of the access.
A contractual approach works best combined with one of the other options. The contract sets the expectation, and the technical control (VDI, company device, or network restriction) enforces it.
What about admin accounts?
This one trips people up more than expected. Under Cyber Essentials, admin accounts must be separate from standard user accounts. That applies to contractor accounts in exactly the same way.
If a contractor needs admin-level access to your systems (to configure a server, manage your cloud tenant, or install software), they need a separate admin account for that work. They shouldn't be logging in with a standard account that also has admin privileges bolted on. And when the engagement ends, that admin account should be disabled immediately.
The number of organisations I've assessed where a former contractor still has active admin credentials is higher than you'd expect. Your assessor will ask about account management. "We haven't revoked access for the contractor who left six months ago" is not the answer you want to give.
And honestly, some never do revoke it. The account just sits there with full access, indefinitely.
What about cloud services?
Contractors accessing your cloud services bring those services firmly into scope (they already are under Danzell, but contractor access reinforces it). MFA must be enabled on every cloud service where it's available. The contractor's account must have MFA turned on, not just your employee accounts.
This applies to every cloud service the contractor uses for your work. Microsoft 365, Google Workspace, project management tools, CRM systems, accounting platforms. If the contractor logs into it with credentials that access your data, MFA applies.
For more detail on the MFA requirements under Danzell, see the MFA on cloud services guide.
What happens if a contractor causes a data breach?
You're the data controller in this situation. Under GDPR (General Data Protection Regulation), if a contractor's unpatched laptop gets compromised and your client data is exposed, the ICO (Information Commissioner's Office) 72-hour notification requirement falls on you, not on the contractor and not on their employer.
"A contractor did it" is not a defence the ICO accepts. You chose to give that device access to personal data. The responsibility for securing that access is yours. This is why the scoping question matters beyond just passing your CE assessment. Getting the contractor device situation right isn't about compliance for its own sake. It's about reducing the chance of a breach that has your name on it.
What your assessor will actually ask
Assessment questions about contractor devices typically focus on three things.
Scope declaration. Which devices are in scope, and are any third-party devices included? Under Danzell, your assessor will look closely at whether your scope description accounts for all devices accessing your data, including those belonging to contractors and third parties.
Control evidence. How do you demonstrate that contractor devices meet the five controls? If you've provided company devices, this is straightforward. If the contractor uses their own hardware, the assessor will want to understand what controls are in place and how you verify them.
Account management. What accounts do contractors have, and how are they managed? Are admin accounts separate from standard accounts? What happens to those accounts when the engagement ends? Active accounts belonging to people who no longer work with you are a common finding in assessments.
A practical checklist for contractor device compliance
- List every contractor and third party with access to your systems. Include anyone accessing your network, cloud services, or data. Don't forget the web developer who logs into your CMS, the accountant who accesses your Xero, or the IT support company that remotes into your servers.
- Determine the access method for each. Own device, company device, VDI, remote desktop, or guest network? The access method determines whether their device is in scope and what evidence you need.
- Apply the scope test. Does the device access your organisational data or services? If yes, it's in scope and all five controls apply without exception.
- Choose your control approach. Company device, VDI, contractual requirements, or network restriction. Pick the approach that matches the access level and the duration of the engagement. Short engagements might justify a different approach from long-term embedded contractors.
- Review accounts regularly. Disable contractor accounts when engagements end. Keep admin accounts separate. Enable MFA on every cloud service the contractor accesses.
- Document everything, because your assessor will ask. A clear record of which contractors have access, what devices they use, and how those devices meet the controls is the difference between a smooth assessment and a difficult conversation.
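The checklist above can be run as a script over your contractor inventory. The following is an added example, not code from the article or from any certification body: it applies the scope test (including the phone-only exclusion) and then checks each in-scope device against the controls the article lists, using a constructed inventory format and constructed records. A VDI thin client is treated as in scope here, since the article says that exclusion needs assessor agreement.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14                      # security updates must be applied within 14 days
PHONE_ONLY_USES = {"voice", "sms", "mfa"}   # the BYOD phone exclusion from the article
ACCESS_USES = {"email", "cloud", "network", "data", "vdi"}

def in_scope(device: dict) -> bool:
    """Scope test: any device that accesses organisational data or services is in
    scope, except a phone used purely for calls, texts and MFA apps."""
    uses = set(device["uses"])
    if device["kind"] == "phone" and uses <= PHONE_ONLY_USES:
        return False
    return bool(uses & ACCESS_USES)

def control_findings(device: dict, today: date) -> list:
    """Return the control failures for one in-scope device (empty list = compliant)."""
    findings = []
    if not device.get("firewall"):
        findings.append("firewall not active")
    if not device.get("anti_malware"):
        findings.append("anti-malware missing or inactive")
    if not device.get("screen_lock"):
        findings.append("screen lock not enabled")
    # Patches: each pending update is keyed by a constructed id with its release date.
    overdue = [pid for pid, released in device.get("pending_patches", {}).items()
               if (today - released).days > PATCH_WINDOW_DAYS]
    if overdue:
        findings.append(f"patches overdue (>{PATCH_WINDOW_DAYS} days): {', '.join(overdue)}")
    if "cloud" in device["uses"] and not device.get("mfa"):
        findings.append("MFA not enabled on cloud account")
    if device.get("admin_on_standard_account"):
        findings.append("admin rights on standard account (needs separate admin account)")
    end = device.get("engagement_end")
    if end and end < today and device.get("accounts_active"):
        findings.append("accounts still active after engagement end")
    return findings

def assess(inventory: list, today: date) -> dict:
    """Map each owner to its findings, or to ['out of scope'] if the scope test fails."""
    return {d["owner"]: (control_findings(d, today) if in_scope(d) else ["out of scope"])
            for d in inventory}

TODAY = date(2026, 6, 1)  # constructed assessment date
INVENTORY = [             # constructed records, not real contractors
    {"owner": "web dev (own laptop)", "kind": "laptop", "uses": ["cloud", "data"],
     "firewall": True, "anti_malware": True, "screen_lock": True, "mfa": False,
     "pending_patches": {"OS-2026-05": date(2026, 5, 10)},
     "admin_on_standard_account": True, "engagement_end": None, "accounts_active": True},
    {"owner": "accountant (phone)", "kind": "phone", "uses": ["voice", "sms", "mfa"]},
    {"owner": "IT support (company laptop)", "kind": "laptop", "uses": ["network"],
     "firewall": True, "anti_malware": True, "screen_lock": True, "mfa": True,
     "pending_patches": {}, "admin_on_standard_account": False,
     "engagement_end": date(2026, 3, 31), "accounts_active": True},
]

if __name__ == "__main__":
    for owner, findings in assess(INVENTORY, TODAY).items():
        print(owner, "->", findings or ["compliant"])
```

The output is a per-contractor list of gaps to close before the assessment; a device under your MDM still needs the same record, it just comes from a management report rather than the contractor's word.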
I've assessed over 800 organisations through Cyber Essentials and CE Plus. Contractor device compliance is one of the most common gaps I see, and it's one of the easiest to fix once you know what the assessor is looking for. The ones that stay unfixed tend to be political rather than technical.
Related articles
- BYOD Device Classification Under Danzell
- What to Expect on Cyber Essentials Assessment Day
- Cyber Essentials Scope Changes Under Danzell