
Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices

Under v3.3, the BYOD question is harder than it looks. A clear walkthrough of which personal devices are in scope, the sub-set exclusion rules, and how to document both approaches.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 10 min read

Section 01

Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices

Cyber Essentials v3.3 tightened BYOD rules from 28 April 2026 in a way that catches most organisations off-guard. The simple summary is: if a personal device touches organisational data, it is almost always in scope. The practical question is how to scope BYOD cleanly without certifying every personal phone in the company.

This guide walks through the rules as assessors apply them in 2026.

Section 02

The underlying rule

A device is in scope for Cyber Essentials if it is used to access organisational data. "Organisational data" includes email, files, messaging, SaaS applications, and remote access. It does not matter whether the device is company-owned or personally owned - what matters is what it accesses.

In practice this means:

  • A personal iPhone used to check work email: in scope.
  • A personal laptop used to access SharePoint: in scope.
  • A personal iPad used only for personal photos and no work apps: out of scope.
  • A home router that your work laptop connects to: out of scope under v3.3 (Danzell). The boundary follows the laptop, not the network. The laptop's software firewall handles the home-network boundary.

Section 03

The "sub-set exclusion" option

The NCSC scheme allows you to exclude devices from scope by implementing a sub-set policy. A sub-set excludes specific devices if you can demonstrate that they genuinely have no access to organisational data. In practice this means:

  • The device cannot open work email, calendar, or files.
  • The device cannot access company SaaS (Slack, M365, Google Workspace, CRM, ticketing).
  • The device cannot VPN into the corporate network.
  • The device cannot store or sync any work document.

If any of these are possible, the device is in scope. "We told staff not to use personal phones for work" is not a sub-set - a sub-set requires technical controls, not just policy.

Section 04

The three common patterns

Pattern 1 - No BYOD

All work is done on company-issued devices. Personal devices are excluded by policy AND by technical controls - no personal devices enrolled in the corporate MDM, no personal devices allowed on the corporate network, no personal email accounts configured with work apps.

This is the cleanest pattern. BYOD is simply out of scope.

Pattern 2 - BYOD with MDM

Personal devices are allowed but must be enrolled in a mobile device management (MDM) solution (Intune, Jamf, Workspace ONE, Kandji) before they can access any work resource.

The personal device is in CE scope but is managed - the MDM enforces passcode, encryption, screen lock, OS version, and security updates. Assessors accept this easily because it is functionally similar to a corporate device.

Pattern 3 - BYOD with conditional access (no MDM)

Personal devices access work resources (typically email, Teams, a narrow set of SaaS apps) only when they meet conditional-access rules: up-to-date OS, device encryption, passcode, not jailbroken. These rules are enforced at the identity provider layer (Entra ID, Okta, Google Workspace).

Assessors accept this, but it is fiddly to document. You need to show the policy, demonstrate that controls are evaluated on every sign-in, and explain how non-compliant devices are blocked.
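To make the Pattern 3 decision concrete, here is an added PowerShell model of the posture evaluation an identity provider performs at sign-in. It is illustrative code written for this guide, not Fig Group's tooling and not how Entra ID, Okta or Google Workspace are configured internally; the minimum OS versions, the claim names (Platform, OsVersion, Encrypted, PasscodeSet, Jailbroken) and the three sample devices are all constructed assumptions.

```powershell
# Added illustration of conditional-access posture evaluation (not Fig Group's code,
# not an IdP API). A device is allowed only when every check passes; each failure
# is recorded so the block decision can be explained to the user and the assessor.

# Assumed OS floors ("latest minus one"); adjust to the organisation's policy.
$MinimumOsVersion = @{
    'iOS'     = [version]'17.0'
    'Android' = [version]'14.0'
}

function Test-ByodPosture {
    param(
        # Posture claims as the IdP would receive them on every sign-in (constructed shape)
        [Parameter(Mandatory)] [hashtable] $Device
    )
    $failures = @()

    if (-not $MinimumOsVersion.ContainsKey($Device.Platform)) {
        $failures += "platform '$($Device.Platform)' is not permitted for BYOD"
    }
    elseif ([version]$Device.OsVersion -lt $MinimumOsVersion[$Device.Platform]) {
        $failures += "OS $($Device.OsVersion) is below the minimum $($MinimumOsVersion[$Device.Platform])"
    }
    if (-not $Device.Encrypted)   { $failures += 'device storage is not encrypted' }
    if (-not $Device.PasscodeSet) { $failures += 'no passcode configured' }
    if ($Device.Jailbroken)       { $failures += 'device is jailbroken or rooted' }

    $decision = if ($failures.Count -eq 0) { 'Allow' } else { 'Block' }

    [pscustomobject]@{
        DeviceId = $Device.DeviceId
        Decision = $decision
        Reasons  = $failures
    }
}

# Constructed sample claims for three personal phones (not real devices)
$sampleDevices = @(
    @{ DeviceId = 'phone-01'; Platform = 'iOS';     OsVersion = '17.2.1'; Encrypted = $true; PasscodeSet = $true;  Jailbroken = $false },
    @{ DeviceId = 'phone-02'; Platform = 'Android'; OsVersion = '12.0';   Encrypted = $true; PasscodeSet = $false; Jailbroken = $false },
    @{ DeviceId = 'phone-03'; Platform = 'iOS';     OsVersion = '17.4';   Encrypted = $true; PasscodeSet = $true;  Jailbroken = $true  }
)

$sampleDevices | ForEach-Object { Test-ByodPosture -Device $_ } |
    Format-Table DeviceId, Decision, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
```

Only phone-01 is allowed; phone-02 is blocked for the missing passcode and the old OS, phone-03 for the jailbreak. The point for the assessor is the per-sign-in evaluation with a recorded reason: the evidence you present is the identity provider's policy definition plus its sign-in log showing blocked attempts, not a script like this one.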

Section 05

The home router question (v3.3)

Under v3.3 (Danzell A2.5), normal home routers used by remote workers are explicitly out of scope. The Danzell assessor guide is unambiguous: "Details of routers and firewalls in the home environment must not be included." The boundary instead follows the device that touches organisational data; the device's software firewall handles enforcement against the home network.

What is in scope for a remote-working solicitor is therefore:

  • The work laptop, with its software firewall enabled, default-deny on inbound, and configured so a standard user cannot disable it.
  • The MDM or device-management posture if applied (Intune, Jamf, Conditional Access).
  • The cloud services accessed (M365, Google Workspace, practice management).
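The first item in that list is the one a remote worker's laptop most often fails quietly. The PowerShell check below is an added example for this guide, not a Fig Group or Microsoft script, and it reports the three properties the list names on a Windows work laptop: firewall enabled, inbound default-deny, and enforced by policy so a standard user cannot switch it off. It uses the real Get-NetFirewallProfile cmdlet and the standard Group Policy / MDM firewall policy registry location; treating a populated EnableFirewall policy value as "locked by management" is this example's assumption.

```powershell
# Added evidence check for the software-firewall boundary (not Fig Group's script).
# Runs as a standard user: Get-NetFirewallProfile reads the effective configuration
# and the policy registry keys are world-readable.

# Group Policy / MDM policy location for the Windows Firewall profiles
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Test-HostFirewallBoundary {
    foreach ($fwProfile in Get-NetFirewallProfile) {
        # Policy subkeys are DomainProfile, PrivateProfile, PublicProfile
        $policyKey   = Join-Path $PolicyRoot "$($fwProfile.Name)Profile"
        $policyValue = Get-ItemProperty -Path $policyKey -Name EnableFirewall -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Profile        = $fwProfile.Name
            Enabled        = [bool]$fwProfile.Enabled
            InboundAction  = [string]$fwProfile.DefaultInboundAction
            # Explicit Block is the evidence an assessor wants. NotConfigured falls back to
            # the Windows default (Block) but is not a documented, enforced setting.
            InboundDenied  = ($fwProfile.DefaultInboundAction -eq 'Block')
            # Assumption: a policy-set EnableFirewall=1 means the setting is management-owned,
            # so the local (standard) user cannot disable it from Windows Security.
            PolicyEnforced = ($null -ne $policyValue -and $policyValue.EnableFirewall -eq 1)
        }
    }
}

$report = Test-HostFirewallBoundary
$report | Format-Table -AutoSize

$gaps = $report | Where-Object { -not ($_.Enabled -and $_.InboundDenied -and $_.PolicyEnforced) }
if ($gaps) {
    Write-Warning "Firewall boundary evidence incomplete for profile(s): $($gaps.Profile -join ', ')"
}
else {
    Write-Output 'All profiles: firewall on, inbound default-deny, policy-enforced.'
}
```

Where a profile shows InboundAction as NotConfigured, set it explicitly through the MDM or Group Policy rather than locally, so the setting survives a user reset and the export you attach to A2.5 shows Block for every profile. Keep the output alongside the questionnaire wording from the next paragraph.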

Reliance on the software firewall for home and remote workers must be noted in A2.5 of the questionnaire. The Danzell guide expects something like: "Home and remote workers rely on the device's software firewall as the boundary; no home routers in scope."

Where the home router IS in scope: if the firm supplies a corporate router to the home worker (i.e., issues the router as managed kit, not the worker's own ISP-provided router), that router is corporate equipment and is in scope. Assess it as you would any office-edge device.

What does not work: saying "staff work from home, their router is their problem" without the software-firewall notes. The Danzell rule is clear that home routers are excluded, but the device-level firewall picture must be described.

Section 06

Documenting BYOD for the assessor

The CE questionnaire asks: "Does the organisation permit BYOD?" If yes, it asks you to describe the policy and controls.

A clear answer looks like:

> "BYOD permitted for personal iOS and Android phones only, limited to access of M365 email and Teams. Personal devices are enrolled in Intune before access is granted; Intune enforces passcode, disk encryption, latest OS minus one, and biometric unlock. Personal laptops are not permitted to access work resources under any circumstances."

An unclear answer looks like:

> "We allow staff to use personal devices if they sign our acceptable-use policy."

The second answer almost always triggers a question-back from the assessor. The first almost never does.

Section 07

Special cases

Contractors and consultants

Their personal devices are in scope if they access your organisational data. The sub-set rule applies - you can exclude their devices if they access your data only via a virtualised environment (Citrix, AWS WorkSpaces) that prevents local storage.

Directors and non-execs

Board papers on a personal iPad are organisational data. The iPad is in scope unless accessed via a managed board-paper app (Diligent, BoardPad) that prevents local storage.

Family members of staff

If a staff member's family member has a login on a laptop that is used to access work, the laptop is in scope. The rule is about the device, not the user.

Section 08

Bottom line

Under v3.3, scope BYOD deliberately. Either exclude all personal devices with technical controls, or allow them under MDM / conditional access and put them in scope. The in-between - "personal devices allowed, policy-based" - does not pass assessment.

The good news: once scoped correctly, BYOD is straightforward to certify. The bad news: most organisations discover they are in-between on first review and need a small amount of remediation before their first CE submission passes.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
