Lesson 3.9 — Who manages the IT: internal responsibility, outsourced providers and evidence ownership
This lesson helps the learner identify who is responsible for managing the IT systems included in the Cyber Essentials assessment scope.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- record who manages the in-scope IT systems
- distinguish between technical management and final assessment responsibility
- identify outsourced provider responsibilities
- prepare a clear evidence request so the organisation can support its final answers.
Why This Matters
This lesson explains how to handle internal IT, outsourced IT providers, shared responsibilities, supplier-managed systems and evidence ownership.
The most common problems are:
- writing “IT provider” without explaining what they manage;
- assuming outsourced IT covers every cloud service;
- forgetting finance, HR, payroll, website, social media and developer platforms;
- letting the IT provider submit answers without business review.
The Core Rule
This lesson asks: who manages the IT systems in scope?
The answer may involve internal IT, outsourced providers, parent-company IT, finance, HR, marketing, web agencies, developers, software suppliers and business owners.
Common Mistakes
- writing “IT provider” without explaining what they manage;
- assuming outsourced IT covers every cloud service;
- forgetting finance, HR, payroll, website, social media and developer platforms;
- letting the IT provider submit answers without business review;
- assuming the business owns a control when the supplier actually manages it;
- assuming the supplier owns a control when the business actually manages it.
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can answer each of these:
- [ ] Why is IT responsibility important in Cyber Essentials?
- [ ] Is “the IT provider handles it” enough on its own?
- [ ] Who owns the final Cyber Essentials submission?
- [ ] Can non-IT teams manage systems that affect Cyber Essentials?
- [ ] What is an evidence owner?
Your Action
Do this now — it takes 10–20 minutes.
Write down who is responsible for IT — internal, outsourced, or mixed. If outsourced, record the provider name and what they manage. Add to Section A2.
Key Takeaway
This closes the scope module and prepares the learner to move into the technical control modules.
Your Workbook Activity
Complete: IT responsibility and evidence ownership record
Next Lesson
In the next lesson: What firewalls are protecting: boundary firewalls, routers and software firewalls