Lesson 7.4 — BYOD: bring your own device policies and controls
This lesson addresses the specific challenges that bring your own device (BYOD) arrangements create for Cyber Essentials — how to scope personal devices correctly, what controls must be in place for in-scope BYOD devices, and what options the organisation has when it cannot fully control a personal device.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- explain how Cyber Essentials treats BYOD devices
- make a defensible scoping decision for personal devices
- identify the controls and policies that need to be in place for BYOD devices that are in scope.
Why This Matters
The Core Rule
BYOD creates a genuine scoping challenge for Cyber Essentials. Personal devices that access business services are generally in scope, and the five controls must apply to them.
The organisation has three broad options: enrol the device in MDM and apply the controls, use a virtual desktop approach to keep business data off the personal device, or use conditional access controls to restrict what personal devices can access.
Who is in scope: the official BYOD table
The Cyber Essentials 2026 requirements include a definitive table showing which personal (BYOD) devices are in scope and which are not, based on the role of the user:
Key points from this table:
- Employees, volunteers, trustees and research assistants using personal devices are in scope — the organisation cannot simply exclude them.
- Students using personal devices are out of scope — an exception that applies to educational settings.
- Contractors and MSP administrators using their own devices are out of scope — though devices the organisation owns and loans to them remain in scope.
The BYOD problem in Cyber Essentials
Cyber Essentials requires that in-scope devices meet the five control requirements. For personal devices, the organisation does not own the hardware, may not manage the operating system, and may have limited ability to enforce controls.
The tension is this:
The three BYOD scoping approaches
Approach 1 — Include the BYOD device in scope and apply controls
If a personal device accesses business services and cannot be excluded without changing how the organisation operates, it should be included in scope and the controls applied.
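A small scoping check that applies this lesson's BYOD role table and the three approaches to a device inventory, added here as an illustration and not part of the course materials; the role names, device fields and sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Roles whose own devices are in scope per the BYOD table summarised in this lesson.
IN_SCOPE_BYOD_ROLES = {"employee", "volunteer", "trustee", "research_assistant"}
# Roles whose own devices are out of scope (students, contractors, MSP administrators).
OUT_OF_SCOPE_BYOD_ROLES = {"student", "contractor", "msp_admin"}


@dataclass
class Device:
    name: str
    user_role: str
    org_owned: bool                   # organisation-owned loan devices stay in scope for any role
    accesses_business_services: bool
    mdm_enrolled: bool = False        # Approach 1: enrol in MDM and apply the five controls
    vdi_only: bool = False            # Approach 2: business data stays inside a virtual desktop
    conditional_access: bool = False  # Approach 3: restrict what the personal device can reach


def scope_decision(d: Device) -> str:
    """Return 'in_scope', 'out_of_scope' or 'unknown_role' for one device."""
    if not d.accesses_business_services:
        return "out_of_scope"
    if d.org_owned:
        return "in_scope"              # ownership overrides the BYOD role table
    if d.user_role in IN_SCOPE_BYOD_ROLES:
        return "in_scope"
    if d.user_role in OUT_OF_SCOPE_BYOD_ROLES:
        return "out_of_scope"
    return "unknown_role"              # force a recorded decision rather than a silent exclusion


def control_gaps(devices):
    """Names of in-scope devices with none of the three approaches applied."""
    return [d.name for d in devices
            if scope_decision(d) == "in_scope"
            and not (d.mdm_enrolled or d.vdi_only or d.conditional_access)]


# Constructed sample inventory (hypothetical devices and users).
INVENTORY = [
    Device("alice-laptop", "employee", False, True, mdm_enrolled=True),
    Device("bob-phone", "volunteer", False, True),                        # in scope, uncontrolled
    Device("carol-tablet", "student", False, True),                       # out of scope
    Device("dan-loaner", "contractor", True, True),                       # loaned device: in scope
    Device("erin-own-laptop", "contractor", False, True, vdi_only=True),  # own device: out of scope
    Device("frank-phone", "trustee", False, False),                       # no business access
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name}: {scope_decision(d)}")
    print("Control gaps:", control_gaps(INVENTORY))
```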
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can answer each of these:
- [ ] Under Cyber Essentials, when is a personal device in scope?
- [ ] What is the virtual desktop approach to BYOD scoping?
- [ ] What is conditional access in the context of BYOD management?
- [ ] Why does a BYOD policy matter for Cyber Essentials even though it is not a formal scheme requirement?
- [ ] Why does BYOD create additional complexity for Cyber Essentials Plus?
Your Action
Do this now — it takes 10–20 minutes.
Record your BYOD position: do you allow personal devices for work? If so, what controls apply? Add to Section UAC and Section MP.
Key Takeaway
A clear BYOD policy is the foundation for making that evidence defensible.
Your Workbook Activity
Complete: BYOD scope decision record and controls log
Next Lesson
In the next lesson: Device lifecycle: decommissioning, disposal and account removal