Cyber Essentials vs Contractors

By Chris Blunt

Published: November 8, 2022

Are Contractors in scope for Cyber Essentials?

 We have an increasing number of clients with contractors using personal devices and our current partner tells us that the only solution is for the contractors to use company devices for CE compliance, they say BYOD isn’t compliant because the user has admin rights.  Taking away admin rights on a users personal machine obviously doesn’t go down to well!

I was contacted by an MSP last week who asked me the above question. They’d been told by their current Cyber Essentials Consultant their clients could not achieve Cyber Essentials unless they purchased laptops for all their contractors…. today I blow that Myth wide open…

Forcing Contractors and Freelancers to use I.T. equipment provided by you rather than their own, can not only be costly, but it may also cause you issues with IR35 (Speak to your accountant about that, I’m not Tax expert!!). Yet there seems to be a mis-conception that’s what you need to do in order to comply with Cyber Essentails…


All contractor devices which are owned by the contracting company, or BYOD of the contracting company are NOT in scope for Cyber Essentials

If the Contractor provides the Laptop/Mobile Device then it is outside the scope of the applicants Cyber Essentials Assessment and does NOT need to be listed in A2.4 or A2.6


If the Contractor has a user account on the applicants systems (i.e. Active Directory, M365 or other Cloud Services) then those accounts are IN SCOPE and must have the relevant controls applied to the accounts (i.e. MFA & Password Requirements)

The Applicant should ensure the contractor meets the requirements for Cyber Essentials, but does not need to confirm this as part of their own CE Assessment

So what should I do with Contractors?

As you can see from above, hardware that is supplied by and used by 3rd party contractors to your organisation is NOT in scope for your own Cyber Essentials Assessment.

They are, however, expected to have the Cyber Essentials Controls applied themselves, this should be dealt with through the supply chain.

What does ‘Dealt with through the supply chain’ mean

I normally advise my clients to firstly ensure the contract you have in place with your contractors includes the requirement for them to meet the requirements of Cyber Essentials. You may have a security policy which sets these requirements out (and goes beyond them) which you can provide to the contractor and require them to comply with.

We then add some basic Cyber Security questions in to their supplier onboarding forms & processes, to check some key factors we require are in place.

NOTE: Your contractors do not have to certify to Cyber Essentials themselves (although it would be a good thing for them to do!) but they should certainly read the requirements and ensure they implment the controls.

You may also choose to audit your contractors against some of the controls. Remeber, these are BASIC Cyber Security controls which every organisation really should be implementing, think about the impact on your business if one of your contractors has a cyber security breach and how that would affect your systems too.

Need help with Cyber Essentials?

If you want some straight talking help with Cyber Essentials or a wider Cyber Security matter Book a discovery call with me today. 

Related Articles

No Results Found

The page you requested could not be found. Try refining your search, or use the navigation above to locate the post.