Short answer
No. Normal home routers used by remote workers are explicitly excluded from scope under the v3.3 Danzell guide. The certification boundary follows the device that touches organisational data, not the home network or its router. The in-scope device's software firewall takes responsibility for boundary enforcement against the home network, which is treated as untrusted.
Why this matters
Scoping is where many Cyber Essentials submissions fail. The assessor needs to understand which users, devices, networks, and cloud services can access organisational data. A policy statement alone is not enough if the technical environment still allows access.
The safest approach is to define the corporate estate, document any excluded subset, and show the technical control that enforces the boundary. Common examples include conditional access, MDM compliance, virtual desktop, VPN boundary controls, and documented cloud service configuration.
What to check next
- List all devices and cloud services that access organisational data.
- Document any exclusions and the technical enforcement behind them.
- Check BYOD, home working, and production cloud environments before submitting.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.