
Scoping and devices

Is BYOD in scope under v3.3?

Short answer

A BYOD device with direct access to organisational data is in scope. A BYOD device whose only access is mediated through a virtual desktop or VM in the cloud (Citrix, AWS WorkSpaces, Azure Virtual Desktop) can be excluded via sub-set declaration; the VM/VDI is then the in-scope device and the BYOD acts as a thin client. Sub-set boundaries must be enforced by technical control - MDM Conditional Access, VDI thin-client mode, or network segregation. Per Danzell A2.5.1, operating-system software firewalls alone cannot define a sub-set boundary. Policy-only restrictions do not satisfy v3.3.

Why this matters

Scoping is where many Cyber Essentials submissions fail. The assessor needs to understand which users, devices, networks, and cloud services can access organisational data. A policy statement alone is not enough if the technical environment still allows access.

The safest approach is to define the corporate estate, document any excluded sub-set, and show the technical control that enforces the boundary. Common examples include conditional access, MDM compliance, virtual desktop, VPN boundary controls, and documented cloud service configuration.

What to check next

  • List all devices and cloud services that access organisational data.
  • Document any exclusions and the technical enforcement behind them.
  • Check BYOD, home working, and production cloud environments before submitting.
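The scoping rules above (direct access puts a BYOD device in scope; VDI-only access lets it be excluded as a thin client only when a technical control enforces the boundary; policy-only restrictions and OS software firewalls alone do not define a sub-set boundary) can be turned into a pre-submission check over a device inventory. The script below is an added example, not Fig Group code or scheme tooling; the device records and the control names (`mdm_conditional_access`, `vdi_thin_client_mode`, `network_segregation`, `policy_only`, `os_software_firewall`) are constructed labels for illustration.

```python
"""Pre-submission scope check for BYOD devices under Cyber Essentials v3.3.

Added example (not Fig Group or IASME code). Encodes the page's rules:
  - direct access to organisational data  -> device in scope
  - access only via a cloud VDI/VM         -> BYOD can be excluded as a thin client and
                                              the VDI host is in scope instead, but only
                                              when a technical control enforces the boundary
  - policy-only restrictions and an OS software firewall alone do not define a sub-set boundary
Device records and control names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Controls the page accepts as technically enforcing a sub-set boundary (constructed labels).
ACCEPTED_BOUNDARY_CONTROLS = {"mdm_conditional_access", "vdi_thin_client_mode", "network_segregation"}
# Measures the page says cannot define a boundary on their own (constructed labels).
INSUFFICIENT_ALONE = {"policy_only", "os_software_firewall"}


@dataclass(frozen=True)
class Device:
    name: str
    owner: str                 # "byod" or "corporate"
    access: str                # "direct" or "vdi"
    vdi_host: Optional[str]    # name of the VDI/VM when access == "vdi"
    controls: frozenset        # enforcement controls declared for the exclusion


@dataclass(frozen=True)
class ScopeDecision:
    device: str
    in_scope: bool
    reason: str
    also_in_scope: Optional[str] = None   # VDI host that must be declared in scope


def assess(device: Device) -> ScopeDecision:
    """Apply the scoping rules to one device and explain the outcome."""
    if device.access == "direct":
        return ScopeDecision(device.name, True, "direct access to organisational data")
    if device.access != "vdi" or not device.vdi_host:
        # An undocumented access path cannot support an exclusion claim.
        return ScopeDecision(device.name, True, "access path not documented; treat as in scope")
    effective = device.controls & ACCEPTED_BOUNDARY_CONTROLS
    if not effective:
        weak = sorted(device.controls & INSUFFICIENT_ALONE) or ["none"]
        return ScopeDecision(
            device.name, True,
            f"VDI-only access but boundary enforced only by {', '.join(weak)}; "
            "sub-set declaration not valid",
            also_in_scope=device.vdi_host)
    return ScopeDecision(
        device.name, False,
        f"thin client to {device.vdi_host}; boundary enforced by {', '.join(sorted(effective))}",
        also_in_scope=device.vdi_host)


def assess_estate(devices: List[Device]) -> Tuple[List[ScopeDecision], Set[str]]:
    """Return per-device decisions and the full set of devices/hosts to declare in scope."""
    decisions = [assess(d) for d in devices]
    in_scope: Set[str] = set()
    for d in decisions:
        if d.in_scope:
            in_scope.add(d.device)
        if d.also_in_scope:
            in_scope.add(d.also_in_scope)
    return decisions, in_scope


# Constructed sample inventory covering each rule on the page.
SAMPLE_ESTATE = [
    Device("alice-laptop", "byod", "direct", None, frozenset()),
    Device("bob-macbook", "byod", "vdi", "avd-pool-01", frozenset({"mdm_conditional_access"})),
    Device("carol-pc", "byod", "vdi", "avd-pool-01", frozenset({"policy_only"})),
    Device("dave-tablet", "byod", "vdi", "citrix-farm", frozenset({"os_software_firewall"})),
]

if __name__ == "__main__":
    decisions, in_scope = assess_estate(SAMPLE_ESTATE)
    for d in decisions:
        print(f"{d.device:14} {'IN SCOPE' if d.in_scope else 'excluded'}  {d.reason}")
    print("Declare in scope:", sorted(in_scope))
```

Running it over a real inventory gives the assessor-facing list directly: every device flagged in scope, plus every VDI host that stands in for an excluded thin client. The deliberate bias is towards inclusion: anything with an undocumented access path or with only policy or firewall enforcement stays in scope, which matches the page's point that a sub-set boundary must be shown by technical control rather than by policy statement.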

Official sources and related Fig guidance

For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.