Contractor Devices and Cyber Essentials: When Are They in Scope?

A contractor turns up with their own laptop, connects to your Wi-Fi, and starts working on your systems. Whose problem is that device for Cyber Essentials? It's your problem, because their device is now in scope for your assessment and you're responsible for proving it meets the controls.
This catches organisations out more often than almost any other scoping question. The logic is straightforward, but the practical reality gets messy fast. This article covers when contractor devices are in scope, what controls apply, and how to handle the situations where you can't force compliance onto someone else's hardware.
What puts a contractor device in scope?
The scoping rule under Cyber Essentials is simple. Any device that accesses your organisational data or services falls inside your scope boundary.
That applies equally to devices you own and devices you don't own. If a contractor's personal laptop connects to your network, opens your cloud applications, or touches your data in any way, it's in scope. The same applies to subcontractors, consultants, freelancers, and anyone else who isn't a permanent employee but uses a device that interacts with your systems.
Under Danzell v3.3, the scope definition got tighter. Cloud services can't be excluded from scope. The "untrusted" qualifier was removed from the connection criteria. And partial scope exclusions now require justification to your assessor. All of this makes it harder to argue that a contractor's device sits outside your assessment boundary.
The BYOD (bring your own device) rules apply to contractors too. The same exclusion criteria that apply to employee-owned devices apply here. A contractor's phone is only out of scope if it's used purely for voice calls, text messages, and MFA apps. The moment it accesses work email or a cloud service, the exclusion disappears. For the full breakdown of BYOD classification, see the BYOD device classification guide.
What controls apply to contractor devices?
All five of them apply without exception. There isn't a reduced set of controls for devices owned by third parties.
If a contractor's device is in scope for your Cyber Essentials assessment, it must meet:
- Firewalls: a software firewall must be active on the device
- Secure configuration: default passwords changed, unnecessary software removed, screen lock enabled
- User access control: unique credentials, MFA (multi-factor authentication) on cloud services where available, admin accounts separate from standard accounts
- Malware protection: anti-malware software installed, active, and up to date
- Security update management: all software patched within 14 days of a security update being released, which in practice means every critical and high-severity patch must be applied promptly and evidenced
That last one is the sticking point for most contractor arrangements. You can ask a contractor if their laptop is patched. You can't verify it the way you can with a device under your own management tools.
Why "they've got their own IT" doesn't work
This is the most common assumption I see organisations make. A contractor works for another company with its own IT department, its own security policies, maybe even its own Cyber Essentials certificate. So the contractor's device must be fine.
Your assessor won't accept that reasoning for your assessment. The certification belongs to the other organisation, not to yours. Your assessment covers your scope, your controls, and your ability to demonstrate compliance for every device inside that scope. The contractor's employer having their own certificate doesn't transfer to your assessment.
You need to show evidence that each in-scope device meets the five controls. For a corporate device, you can pull that evidence from your MDM (mobile device management) or group policy. For a contractor's device that you don't manage, you're relying on their word, and that's the gap assessors look at.
What are your actual options?
You can't force Cyber Essentials controls onto a device you don't own. But you're still responsible for every device inside your scope. Here's how organisations handle that tension in practice.
Option 1: provide a company device
Give the contractor a laptop you own and manage. It goes through your MDM, so your patching schedule and configuration standards apply. From a CE perspective, it's the cleanest option because you have full control and full evidence.
The downside is the cost of maintaining a device pool. If you have contractors rotating through regularly, you need a pool of managed devices available. For a long-term contractor, the cost is easy to justify. For a two-day engagement, it's much harder to justify.
Option 2: use VDI or remote desktop
Set up a virtual desktop infrastructure (VDI) or remote desktop solution. The contractor connects from their own device, but all work happens inside a controlled virtual environment. Your data stays on your servers throughout the engagement. The contractor's device acts as a thin client: little more than a screen and a keyboard.
This keeps the data off the contractor's hardware. The virtual environment is under your control and meets your CE controls. Whether the contractor's physical device remains in scope depends on the setup. If their device is only acting as a display for a remote session and isn't storing, processing, or accessing your data directly, you have a stronger case for it sitting outside scope. But talk to your assessor about this before your certification, because the boundary depends on the specifics of how the connection works.
Option 3: restrict to a guest network
Put the contractor on a guest network that has no access to your organisational data or services. They can use the internet for their own purposes, but they can't reach your file shares, cloud apps, or internal systems.
This only works if the contractor genuinely doesn't need access to your systems to do their job. If they're there to work on your infrastructure, they need access to your infrastructure. A guest network won't solve that access requirement.
Option 4: contractual requirements
Some organisations include CE compliance requirements in their contractor agreements. The contract states that the contractor's device must meet specific security standards: current OS patches, active firewall, anti-malware installed, screen lock enabled. The contractor signs it as a condition of the engagement.
This gives you a paper trail for your assessor. It doesn't give you any technical verification though. Your assessor may accept a signed agreement as evidence, or they may want to see something more concrete. It depends on the assessor and the risk profile of the access.
A contractual approach works best combined with one of the other options. The contract sets the expectation, and the technical control (VDI, company device, or network restriction) enforces it.
What about admin accounts?
This one trips people up more than expected. Under Cyber Essentials, admin accounts must be separate from standard user accounts. That applies to contractor accounts in exactly the same way.
If a contractor needs admin-level access to your systems (to configure a server, manage your cloud tenant, or install software), they need a separate admin account for that work. They shouldn't be logging in with a standard account that also has admin privileges bolted on. And when the engagement ends, that admin account should be disabled immediately.
The number of organisations I've assessed where a former contractor still has active admin credentials is higher than you'd expect. Your assessor will ask about account management. "We haven't revoked access for the contractor who left six months ago" is not the answer you want to give.
And honestly, some never do revoke it. The account just sits there with full access, indefinitely.
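The three account-management questions in this section (is the account disabled once the engagement ends, is admin access separate from the standard account, is MFA on) can be checked mechanically against a directory export. The script below is an added example written for this article, not something the author or any certification body provides. The `Account` model, the sample records and the review date are constructed for illustration; in practice the records would come from your identity provider's user export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    """One account as it would appear in a directory export (constructed model)."""
    username: str
    owner: str                      # the person who uses the account
    kind: str                       # "standard" or "admin": the account's intended use
    admin_rights: bool              # whether it actually holds admin privileges
    enabled: bool
    mfa_enabled: bool
    engagement_end: Optional[date]  # None for permanent staff or open-ended contracts

# Constructed sample records, not from any real tenant.
SAMPLE_ACCOUNTS = [
    # contractor whose engagement ended, both accounts still enabled
    Account("a.jones", "Alice Jones", "standard", False, True, True, date(2025, 3, 31)),
    Account("a.jones-admin", "Alice Jones", "admin", True, True, True, date(2025, 3, 31)),
    # current contractor with admin rights bolted onto a standard account
    Account("b.khan", "Bilal Khan", "standard", True, True, True, date(2025, 12, 31)),
    # current contractor using an admin account for everything, without MFA
    Account("c.owen-admin", "Ceri Owen", "admin", True, True, False, date(2026, 1, 31)),
    # permanent employee, nothing to report
    Account("d.lee", "Dana Lee", "standard", False, True, True, None),
]

# Constructed review date for the sample run.
REVIEW_DATE = date(2025, 10, 1)

def review_accounts(accounts, today):
    """Return (username, finding) pairs for the three account-management
    questions: disabled at engagement end, admin separate from standard, MFA on."""
    findings = []
    by_owner = {}
    for acct in accounts:
        by_owner.setdefault(acct.owner, []).append(acct)

    for acct in accounts:
        # 1. Engagement is over but the account is still live
        if acct.enabled and acct.engagement_end and acct.engagement_end < today:
            days = (today - acct.engagement_end).days
            findings.append((acct.username, f"still enabled {days} days after engagement ended"))
        # 2a. Standard account that also carries admin privileges
        if acct.kind == "standard" and acct.admin_rights:
            findings.append((acct.username, "standard account carries admin privileges; use a separate admin account"))
        # 2b. Admin account with no standard account alongside it, so it is
        #     almost certainly being used for day-to-day work as well
        if acct.kind == "admin" and not any(o.kind == "standard" for o in by_owner[acct.owner]):
            findings.append((acct.username, "no separate standard account; admin account used for routine work"))
        # 3. MFA missing on a live account
        if acct.enabled and not acct.mfa_enabled:
            findings.append((acct.username, "MFA not enabled"))
    return findings

if __name__ == "__main__":
    for username, finding in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{username}: {finding}")
```

Run against the sample data it reports both of Alice Jones's accounts as still enabled six months after her engagement ended, Bilal Khan's standard account as carrying admin rights, and Ceri Owen's admin account as both lacking a separate standard account and missing MFA. Dana Lee, the permanent employee, produces no finding. Running something like this on a schedule is the cheap way to make sure "we haven't revoked access for the contractor who left six months ago" never becomes your answer.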
What about cloud services?
Contractors accessing your cloud services bring those services firmly into scope (they already are under Danzell, but contractor access reinforces it). MFA must be enabled on every cloud service where it's available. The contractor's account must have MFA turned on, not just your employee accounts.
This applies to every cloud service the contractor uses for your work. Microsoft 365, Google Workspace, project management tools, CRM systems, accounting platforms. If the contractor logs into it with credentials that access your data, MFA applies.
For more detail on the MFA requirements under Danzell, see the MFA on cloud services guide.
What happens if a contractor causes a data breach?
You're the data controller in this situation. Under GDPR (General Data Protection Regulation), if a contractor's unpatched laptop gets compromised and your client data is exposed, the ICO (Information Commissioner's Office) 72-hour notification requirement falls on you, not on the contractor and not on their employer.
"A contractor did it" is not a defence the ICO accepts. You chose to give that device access to personal data. The responsibility for securing that access is yours. This is why the scoping question matters beyond just passing your CE assessment. Getting the contractor device situation right isn't about compliance for its own sake. It's about reducing the chance of a breach that has your name on it.
What your assessor will actually ask
Assessment questions about contractor devices typically focus on three things.
Scope declaration. Which devices are in scope, and are any third-party devices included? Under Danzell, your assessor will look closely at whether your scope description accounts for all devices accessing your data, including those belonging to contractors and third parties.
Control evidence. How do you demonstrate that contractor devices meet the five controls? If you've provided company devices, this is straightforward. If the contractor uses their own hardware, the assessor will want to understand what controls are in place and how you verify them (referenced in the revised hardening benchmarking report).
Account management. What accounts do contractors have, and how are they managed? Are admin accounts separate from standard accounts? What happens to those accounts when the engagement ends? Active accounts belonging to people who no longer work with you are a common finding in assessments.
A practical checklist for contractor device compliance
- List every contractor and third party with access to your systems. Include anyone accessing your network, cloud services, or data. Don't forget the web developer who logs into your CMS, the accountant who accesses your Xero, or the IT support company that remotes into your servers.
- Determine the access method for each. Own device, company device, VDI, remote desktop, or guest network? The access method determines whether their device is in scope and what evidence you need.
- Apply the scope test. Does the device access your organisational data or services? If yes, it's in scope and all five controls apply without exception.
- Choose your control approach. Company device, VDI, contractual requirements, or network restriction. Pick the approach that matches the access level and the duration of the engagement. Short engagements might justify a different approach from long-term embedded contractors.
- Review accounts regularly. Disable contractor accounts when engagements end. Keep admin accounts separate. Enable MFA on every cloud service the contractor accesses.
- Document everything, because your assessor will ask. A clear record of which contractors have access, what devices they use, and how those devices meet the controls is the difference between a smooth assessment and a difficult conversation.
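The first four steps of the checklist (inventory, access method, scope test, control evidence) amount to a decision procedure, and writing it down as code is a useful way to keep the scope declaration honest. What follows is an added example written for this article, not the author's own tooling or anything issued by a certification body. The inventory rows, the `ContractorDevice` model and the evidence labels (`mdm` for controls enforced by your management tooling, `attestation` for a signed contractual statement) are constructed assumptions; the scope rules encoded are the ones described in the text, including the BYOD phone exclusion, the guest-network case, and the VDI thin-client case that the article says to confirm with your assessor.

```python
from dataclasses import dataclass, field

# The five Cyber Essentials technical controls, in the order the article lists them
FIVE_CONTROLS = (
    "firewalls",
    "secure_configuration",
    "user_access_control",
    "malware_protection",
    "security_update_management",
)

@dataclass
class ContractorDevice:
    """One row of the contractor inventory (constructed model, not a CE artefact)."""
    contractor: str
    device: str
    access_method: str                      # own_device | company_device | vdi | guest_network
    accesses_org_data: bool                 # touches your data or services in any way
    voice_sms_mfa_only: bool = False        # the BYOD phone exclusion
    stores_or_processes_data: bool = True   # False when the device is only a display for a remote session
    evidence: dict = field(default_factory=dict)  # control -> "mdm" | "attestation"

def scope_decision(dev):
    """Apply the scope test and return (decision, reason)."""
    if dev.voice_sms_mfa_only:
        return "out_of_scope", "used only for voice calls, text messages and MFA apps"
    if dev.access_method == "guest_network" and not dev.accesses_org_data:
        return "out_of_scope", "guest network with no route to organisational data or services"
    if dev.access_method == "vdi" and not dev.stores_or_processes_data:
        return "confirm_with_assessor", "thin client for a remote session; the boundary depends on the setup"
    if dev.accesses_org_data:
        return "in_scope", "accesses organisational data or services"
    return "out_of_scope", "no access to organisational data or services"

def control_gaps(dev):
    """Controls with no evidence. Anything not confirmed out of scope is treated as in scope."""
    decision, _ = scope_decision(dev)
    if decision == "out_of_scope":
        return []
    return [c for c in FIVE_CONTROLS if c not in dev.evidence]

def attestation_only(dev):
    """True when every piece of evidence is a signed statement rather than a managed control."""
    return bool(dev.evidence) and all(src == "attestation" for src in dev.evidence.values())

def build_report(inventory):
    """One report row per device: scope decision, reason, missing controls, evidence quality."""
    report = []
    for dev in inventory:
        decision, reason = scope_decision(dev)
        report.append({
            "contractor": dev.contractor,
            "device": dev.device,
            "decision": decision,
            "reason": reason,
            "gaps": control_gaps(dev),
            "attestation_only": decision != "out_of_scope" and attestation_only(dev),
        })
    return report

# Constructed sample inventory mirroring the examples in the checklist.
SAMPLE_INVENTORY = [
    ContractorDevice("web developer", "own laptop", "own_device", True,
                     evidence={"firewalls": "attestation", "secure_configuration": "attestation",
                               "malware_protection": "attestation"}),
    ContractorDevice("accountant", "personal phone", "own_device", False, voice_sms_mfa_only=True),
    ContractorDevice("IT support company", "managed laptop", "company_device", True,
                     evidence={c: "mdm" for c in FIVE_CONTROLS}),
    ContractorDevice("consultant", "own laptop", "vdi", True, stores_or_processes_data=False),
    ContractorDevice("visitor", "own laptop", "guest_network", False),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_INVENTORY):
        print(f"{row['contractor']} ({row['device']}): {row['decision']} - {row['reason']}")
        if row["gaps"]:
            print("  missing evidence for:", ", ".join(row["gaps"]))
        if row["attestation_only"]:
            print("  evidence is a signed statement only; expect the assessor to probe this")
```

On the sample data the web developer's laptop comes out in scope with no evidence for user access control or security update management, and what evidence it does have is attestation only, which is exactly the gap the article says assessors look at. The managed laptop passes cleanly, the phone and the guest-network laptop fall out of scope, and the VDI thin client is held for an assessor conversation rather than silently excluded.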
I've assessed over 800 organisations through Cyber Essentials and CE Plus. Contractor device compliance is one of the most common gaps I see, and it's one of the easiest to fix once you know what the assessor is looking for. The ones that stay unfixed tend to be political rather than technical.