Cyber Essentials
DashboardSign Out

Lesson 3.7 — Tablets and mobile devices: company-owned, BYOD and cloud access

This lesson helps the learner identify all tablets and mobile devices that are in scope for Cyber Essentials, including company-owned devices, personally owned devices used for business access, and devices that connect to organisational cloud services.

CE questionnaire questions: A2.8

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • create a checked inventory of in-scope tablets and mobile devices
  • record quantities
  • make and operating system versions
  • identify BYOD and mobile access risks
  • carry unresolved issues into the later secure configuration
  • update

Why This Matters

It explains why mobile devices must not be ignored just because they are not traditional computers.

The most common problems are:

  • assuming phones do not count;
  • counting only company-owned phones and ignoring personal phones used for work;
  • ignoring mobile access to cloud services;
  • saying “no mobile devices” while staff have work email on phones;

The Core Rule

A2.8 asks for the quantities of tablets and mobile devices in scope.

You must include make and operating system versions.

Common Mistakes

  • assuming phones do not count;
  • counting only company-owned phones and ignoring personal phones used for work;
  • ignoring mobile access to cloud services;
  • saying “no mobile devices” while staff have work email on phones;
  • ignoring directors’ phones;
  • ignoring contractor or volunteer phones;

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] What does A2.8 ask for?
  • [ ] Do devices that connect to cloud services need to be included?
  • [ ] Is a Cyber Essentials scope that excludes end-user devices acceptable?
  • [ ] Should personal phones used for work email be ignored because the organisation does not own them?
  • [ ] Is “iOS” or “Android” specific enough for A2.8?

Your Action

Do this now — it takes 10–20 minutes.

List all tablets and mobile devices in scope. Note which are company-owned and which are BYOD. Add to Section A2.

Key Takeaway

The mobile inventory created here feeds directly into secure configuration, security updates, user access control, MFA, malware protection and Cyber Essentials Plus preparation.

Your Workbook Activity

Complete: Tablet and mobile device inventory

This covers questionnaire questions: A2.8

Next Lesson

In the next lesson: Cloud services: SaaS, PaaS, IaaS and social media accounts

Up next

Cloud services

Classify cloud services consistently across SaaS, PaaS, and IaaS so scope statements stay accurate.