This guide explains which devices are covered by Cyber Essentials and Cyber Essentials Plus, and which ones can be excluded from scope under specific conditions.

Does Cyber Essentials cover all devices?

Almost all devices that access organisational data or services are in scope. In practical terms, any device that can connect to the internet, initiate outbound connections, accept inbound connections, or control the flow of data to/from the internet will be considered in scope. Organisation-owned devices are always in scope.

Examples of devices that ARE in scope

• Laptops and desktops (Windows, macOS, Linux)
• Tablets and smartphones (company-owned and BYOD when used for work email/apps)
• Company-managed remote-working devices and anything connecting via corporate VPN
• IP desk phones that connect to cloud services (e.g., Microsoft Teams phones)
• Devices used to access cloud services such as Microsoft 365, Azure, Google Workspace

What devices are NOT in scope?

Some devices can be out of scope, but only under strict conditions:

• Personal devices used only for calls or SMS (no work data access)
• Smart cars or similar devices that only mirror a paired phone and do not independently connect to the internet
• Home broadband routers supplied by an ISP (note: devices behind them remain in scope)
• Specialist legacy equipment (e.g., manufacturing machinery, lab/research kit) that cannot be updated may be excluded only if strictly isolated via VLANs or firewalls
• Devices used only by third‑party engineers, students or customers (not organisational devices)

Can we de-scope unsupported or risky devices?

Yes. Devices that cannot meet Cyber Essentials requirements can be excluded if they are segregated from production systems using robust technical controls (e.g., VLANs, firewalls) and clearly documented in the assessment scope. Priority IT will help identify such devices and implement safe isolation where appropriate.

Summary table

| Device type | In scope? | Notes |
| --- | --- | --- |
| Company laptops/desktops | Yes | Always in scope |
| Smartphones/tablets accessing email/365 | Yes | BYOD in scope if used for work |
| Home ISP routers | No | Devices behind them are in scope |
| Smart cars | No | If only mirroring a phone and not independently internet-connected |
| Specialist legacy machinery | Possibly No | Only if strictly isolated via VLANs/firewalls |
| IP desk phones with cloud services | Yes | Declare OS/version if required |
| BYOD used only for calls or texts | No | No organisational data access |
| Devices used by third‑party engineers | No | Not staff devices |

How Priority IT help

We will review all of your devices, confirm scope, identify any out-of-date or unsupported devices, and recommend remediation or safe isolation before you commit to Cyber Essentials or Cyber Essentials Plus.

For more details, view the Cyber Essentials page of our website, or call us on 01225 636000 or email [email protected]