Cyber Essentials for remote and hybrid workforces: scope, home routers, and what v3.3 actually requires
Cyber Essentials v3.3 made the scoping of home-office routers explicit for staff who work from home: routers not supplied by the organisation are out of scope, and the in-scope device's own software firewall is the boundary. This guide covers exactly what "in scope" means for remote and hybrid teams - devices, routers, cloud services, VPN, and the evidence assessors now expect.
Section 01
Cyber Essentials for remote and hybrid workforces: scope and what v3.3 actually requires
Most UK organisations still have at least some staff working from home at least some of the week. Under Cyber Essentials v3.3, the Danzell v9.0 marking guide confirms how the scheme handles that reality: the home network is treated as untrusted, the in-scope device's software firewall is the boundary, and normal home routers are explicitly excluded from scope (Danzell A2.5).
This is the guide to what "in scope" actually means for a remote or hybrid workforce in 2026, what the assessor will expect to see at submission, and how to keep the control story tight without turning every home office into an IT project.
Section 02
What v3.3 means for remote work
Three points in v3.3 specifically affect organisations with remote or hybrid staff:
1. Home routers not supplied by the organisation are out of scope (Danzell A2.5 / A4.2.1). The certification boundary follows the device that touches organisational data, not the home network.
2. The in-scope device's software firewall enforces the boundary against the untrusted home network. Where the organisation supplies and manages a router as corporate kit, that router IS in scope and must meet the boundary-firewall control.
3. MFA is mandatory on every user account accessing organisational data (cloud or remote systems), and must be enforced (not merely available).
The intent is straightforward: the home network and its router are treated the same way coworking and serviced-office Wi-Fi are - as untrusted infrastructure - and the corporate device's own controls do the boundary work.
Section 03
Who counts as "remote" for scope purposes
Under v3.3, a remote worker is any staff member who:
- Works from a non-office location (home, co-working space, client site) using a corporate device; or
- Uses a personal device (BYOD) to access corporate data or services; or
- Works off-network and connects to corporate systems via the internet.
This covers a wider population than "work from home every day" - it includes occasional WFH, hybrid, and road-warrior patterns. For a hybrid organisation with staff who work from home 2-3 days a week, every one of those staff is in scope for the remote-worker provisions.
Section 04
What is in scope at a remote worker's home
Five categories of asset are in scope at a remote worker's home office:
1. The corporate device (laptop, phone, tablet) used for work, including its software firewall configuration.
2. Any personal device used to access corporate data under a BYOD policy (see Cyber Essentials BYOD rules in 2026).
3. VPN clients and endpoint agents used to reach corporate systems.
4. Cloud services (Microsoft 365, Google Workspace, SaaS tools) the user signs in to.
5. The user themselves - their access credentials, MFA registration, and account status.
Section 05
What is NOT in scope
Equally important is what falls outside scope. Under v3.3 (Danzell A2.5):
- The home router the worker connects through is out of scope, provided it has not been supplied by the organisation. Details of home routers and firewalls "must not be included" in the scope description.
- The broadband service itself (the ISP's infrastructure) is not in scope.
- Family members' personal devices that do not access corporate data are out of scope.
- Printers, smart home devices, and IoT on the home network that are not used for work are not in scope.
- Friends' and family's guest-network traffic is out of scope (but the corporate device should not be on the guest network either).
The exception: where an organisation supplies and manages a router as part of corporate kit (e.g., issued to a home worker by the IT team), that router is treated as corporate equipment and IS in scope.
Section 06
The boundary in practice: software firewall on the device
Because the home router is excluded, the boundary firewall control for remote workers is enforced by the software firewall on the in-scope device (Danzell A2.5 supporting note: "If you have home and/or remote workers, they will be relying on software firewalls").
For every in-scope remote-worker device under v3.3:
1. The software firewall is enabled and configured to block unsolicited inbound traffic.
This is the default on Windows Defender Firewall, the macOS Application Firewall, and most Linux desktop distributions. The evidence expectation is a screenshot or MDM policy showing the firewall is enabled across the device fleet.
2. Only necessary inbound services are permitted.
File-sharing, remote-desktop services, and listening ports for development tools should not be exposed unless required and protected.
3. The device meets the standard endpoint controls.
Supported OS, current security updates, MFA on the user account, full-disk encryption, screen lock, and (for BYOD) MDM-enforced compliance. These are the controls that take responsibility for the device on an untrusted home network.
4. Wi-Fi: WPA2 or WPA3.
Where the worker chooses the home Wi-Fi configuration, WPA3 is preferred; WPA2 with a strong pre-shared key is acceptable. Open Wi-Fi and WEP are not acceptable for any network carrying corporate data, but the assessment focuses on the device, not on auditing the home router itself.
Section 07
How to operationalise remote-worker compliance
Organisations take one of three approaches, all of which pass if done properly:
Option A - Endpoint hardening + attestation
The lightest-touch approach. The organisation enforces software-firewall-on, OS update, MFA, and disk-encryption policy via MDM (Intune, Jamf, Kandji, Google Endpoint Management) and has each remote worker sign an annual home-working attestation. The organisation keeps a register of signed attestations and an MDM compliance report.
Pros: low cost, fast to deploy, focuses effort on the in-scope device where the assessor wants evidence.
Cons: relies on the MDM stack being deployed to every device.
Option B - Corporate-supplied router for home workers
The organisation provides a managed router to home workers as corporate kit. The router is in scope and must meet the boundary-firewall control: non-default admin password, current firmware, no unnecessary inbound services. Several UK ISPs offer business-grade home-worker packages with managed routers.
Pros: strong control story, uniform across the workforce, useful where workers handle highly sensitive data.
Cons: capex or subscription cost per worker; brings the router into scope (which Option A avoids).
Option C - Always-on VPN with split-tunnel controls
The organisation requires the corporate device to connect through its own VPN, so corporate traffic is encrypted and routed through known egress points. Under v3.3 (Danzell A2.5) the home router is out of scope regardless of VPN posture - the VPN is useful for confidentiality and traffic monitoring, not for keeping the router out of scope.
Pros: strong technical control for confidentiality, effective at scale, simplifies traffic egress monitoring.
Cons: adds latency for cloud services, adds operational burden of running a VPN gateway. Not required to keep the home router out of scope - that exclusion is automatic under v3.3.
Most UK organisations end up on Option A as the baseline, with Option C layered on for sensitive data paths.
Section 08
BYOD under v3.3 for remote workers
A personal device used to access corporate data - phone, tablet, laptop - is in scope and must meet all five controls, including supported OS, MFA, full-disk encryption, screen lock, and device-wipe capability. The clean way to handle this is through MDM (Microsoft Intune, Google Endpoint Management, Jamf, Kandji) with a conditional-access policy that blocks non-compliant personal devices from corporate services.
See the dedicated guide: Cyber Essentials BYOD rules in 2026: phones, laptops, personal devices.
Section 09
VPN, remote access, and secure configuration
For remote workers connecting to internal systems (not just cloud SaaS), v3.3 expectations:
- VPN must require MFA. SMS is acceptable for standard users; admin VPN access requires a stronger factor.
- Split-tunnel configuration must not expose internal systems to the internet via the user's home network.
- Always-on VPN is preferred for corporate laptops where practical.
- Remote-desktop solutions (RDP, Citrix, AVD) must be published behind an MFA-enforced gateway; direct RDP over the internet is not acceptable.
Section 10
Evidence checklist for remote-worker compliance
Minimum artefacts to have ready before submission:
- [ ] List of remote workers (or percentage of workforce remote/hybrid).
- [ ] Home-worker cyber policy published and dated.
- [ ] Home-router attestation register (signed attestations per remote worker).
- [ ] MDM configuration showing remote/BYOD devices are managed.
- [ ] VPN configuration showing MFA enforcement.
- [ ] Remote-access policy including acceptable use for home networks.
- [ ] Evidence that corporate-device screen locks, encryption, and MFA policies apply regardless of physical location.
Section 11
Common reasons remote-worker submissions fail
1. No home-router attestation for remote staff. Under v3.3 this is an explicit gap.
2. BYOD not enrolled in MDM. Personal devices accessing corporate email without a management layer.
3. VPN without MFA on admin accounts.
4. Home-worker policy missing or undated. Policy that says "TBD" or was last reviewed in 2022.
5. Default Wi-Fi password still in place on a user's home router, uncovered in a spot check.
6. Corporate device used on guest Wi-Fi in cafes and airports without VPN.
Section 12
How to keep remote-worker compliance through the year
Three habits that matter:
1. Annual home-worker attestation refresh. Every remote worker re-signs the attestation each year. Tie it to the CE renewal cycle.
2. MDM compliance monitoring. Alert on devices that drop below policy, are rooted/jailbroken, fall out of patch compliance, or stop checking in.
3. Policy review. Update the home-worker policy if v3.4 or future scheme versions change the remote-worker requirements. Review every 12 months regardless.
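The device checks from Section 06 and the MDM monitoring habit above reduce to a fixed rule set that can be run over a compliance export. The script below is an added example, not Fig Group's tooling or any MDM vendor's API; the export format, field names, device names and the 14-day and 30-day thresholds are all assumptions, and the sample records are constructed.

```python
from datetime import date

# Constructed sample MDM export. The field names are assumptions for this
# example, not the schema of Intune, Jamf, Kandji or any other product.
SAMPLE_EXPORT = [
    {"device": "LAPTOP-01", "user": "alice", "os_supported": True, "patch_age_days": 5,
     "firewall_on": True, "disk_encrypted": True, "screen_lock": True,
     "mfa_registered": True, "jailbroken": False, "last_checkin": "2026-02-27"},
    {"device": "LAPTOP-02", "user": "bob", "os_supported": True, "patch_age_days": 21,
     "firewall_on": False, "disk_encrypted": True, "screen_lock": True,
     "mfa_registered": True, "jailbroken": False, "last_checkin": "2026-02-25"},
    {"device": "PHONE-07", "user": "carol", "os_supported": False, "patch_age_days": 3,
     "firewall_on": True, "disk_encrypted": True, "screen_lock": False,
     "mfa_registered": False, "jailbroken": True, "last_checkin": "2026-01-10"},
]

# Thresholds are assumptions: 14 days mirrors the scheme's update window,
# 30 days is a working cut-off for a device that has stopped checking in.
MAX_PATCH_AGE_DAYS = 14
MAX_CHECKIN_AGE_DAYS = 30
AS_OF_DATE = date(2026, 3, 1)  # constructed report date for the sample


def device_findings(rec, today):
    """Return the list of v3.3 remote-worker checks this device fails."""
    reasons = []
    if not rec["os_supported"]:
        reasons.append("unsupported OS")
    if rec["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        reasons.append("security updates overdue")
    if not rec["firewall_on"]:  # the boundary control on an untrusted home network
        reasons.append("software firewall disabled")
    if not rec["disk_encrypted"]:
        reasons.append("full-disk encryption off")
    if not rec["screen_lock"]:
        reasons.append("screen lock not enforced")
    if not rec["mfa_registered"]:
        reasons.append("MFA not registered")
    if rec["jailbroken"]:
        reasons.append("rooted/jailbroken")
    checkin_age = (today - date.fromisoformat(rec["last_checkin"])).days
    if checkin_age > MAX_CHECKIN_AGE_DAYS:
        reasons.append("stopped checking in")
    return reasons


def non_compliant(export, today):
    """Map device name -> failed checks, for every device failing at least one."""
    return {r["device"]: device_findings(r, today)
            for r in export if device_findings(r, today)}


if __name__ == "__main__":
    for dev, why in non_compliant(SAMPLE_EXPORT, AS_OF_DATE).items():
        print(dev, "->", ", ".join(why))
```

Devices that appear in the output are the ones to chase before submission; a device with no findings is the evidence the assessor expects the MDM report to show.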
Fig Group's compliance platform is designed to keep this evidence current between certifications - MDM posture, VPN compliance, attestation status, and policy freshness tracked continuously, so the renewal submission is a copy-paste of evidence already proven.
Section 13
The fastest path for a remote-first organisation
For a remote-first or hybrid UK organisation preparing for Cyber Essentials:
1. Publish a home-worker cyber policy (template available from most certification bodies).
2. Circulate the home-router attestation to every remote worker; collect signed copies.
3. Enrol every corporate device in MDM with policies enforcing encryption, screen lock, MFA, and patch compliance.
4. Require MFA on VPN and all cloud access.
5. Buy the assessment from an IASME-licensed body with published price and turnaround - Fig Group issues certificates within 6 working hours from £299.99 + VAT.
For a ten-person remote-first business with tight configuration hygiene, total time from "we need Cyber Essentials" to holding a certificate can realistically be under a week, including drafting the policy and collecting attestations.
Section 14
Bottom line
v3.3 made home-office scoping explicit, but the underlying control burden for a well-run remote-first organisation is modest: a policy, an attestation register, MDM on the devices, MFA everywhere, and a competent VPN. Get those in place and the pillar is routine. Fig Group issues the certificate against a clean submission in under 6 working hours, at the lowest published price for any IASME-licensed body in the UK.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.