How to Manage Cyber Essentials for Employees Using Personal Devices?

Asked By TechWhizKid23 On

I'm in a bit of a situation trying to get Cyber Essentials sorted for two companies that have allowed employees to use their personal phones to access Outlook, Teams, and another third-party app that holds vital company data, even before I came on board. Cyber Essentials guidelines state that we need to include these devices in our scope and list their models and operating systems. However, I can't ask around 400 employees to submit this information. Unfortunately, there's no chance of a policy change since one company develops an app used by the other. While I know I can set up technical controls to address further questions in the Cyber Essentials form, the access to Outlook, Teams, and OneDrive means I must include these devices in the scope. I'm collaborating with an external security firm to ensure we get this right the first time, but I'm struggling to see the best way forward.

5 Answers

Answered By GadgetGuru2021 On

You've got a couple of options here. First, you can ignore Cyber Essentials compliance altogether, which isn't ideal. The second option is to enforce a mobile device management (MDM) solution on personal phones, but that often meets resistance since many employees are unwilling to have MDM software on their personal devices. This can be a real headache for the company, especially if they want to keep productivity up. They need to decide if they’re okay with issuing company devices or losing productivity because of all this.

Answered By InfoSecNinja88 On

It sounds like you're working with Microsoft 365, right? Ideally, you should be using Intune or another MDM/MAM tool to manage these BYOD devices. If you have devices registered through Intune and use conditional access, that's a good step forward. But if there are unregistered devices just getting into your systems without any oversight, you're going to have to deal with some serious issues. Remember, personal devices absolutely fall within the scope for Cyber Essentials and Cyber Essentials Plus.

DataSleuth42 -

Even without using Intune, you can still get basic info from any device that logs in to Microsoft 365 with company credentials.

CloudMaster99 -

You're right about the potential chaos without any device management. It’s crucial to have visibility over what's connecting to your network.
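DataSleuth42's point above, that every sign-in with company credentials already leaves a device record, can be turned into a first-pass inventory for the Cyber Essentials scope. The script below is an added example and is not code from any of the posters; it assumes a JSON export of Entra ID sign-in logs in the shape of the Microsoft Graph `signIn` resource (each record carries a `deviceDetail` object with `deviceId`, `operatingSystem`, `browser`, `isManaged` and `isCompliant`). The sample records are constructed, and the minimum-OS-version table is an illustrative placeholder to be replaced with the vendor support dates current at assessment time.

```python
"""Build a per-user device inventory from exported Entra ID sign-in logs and
flag devices that are unmanaged or on an OS version below a chosen floor.
Added example; field names follow the Microsoft Graph signIn resource, all
users, timestamps and device values below are invented."""
import json
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample export (shape of /auditLogs/signIns, values invented).
SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
  "createdDateTime": "2024-05-01T08:12:00Z",
  "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Ios 17.4",
                   "browser": "Mobile Safari 17.4", "isManaged": false, "isCompliant": false}},
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook Mobile",
  "createdDateTime": "2024-05-02T07:40:00Z",
  "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Ios 17.4",
                   "browser": "Mobile Safari 17.4", "isManaged": false, "isCompliant": false}},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
  "createdDateTime": "2024-05-01T09:05:00Z",
  "deviceDetail": {"deviceId": "d1f3c2a0-1111-4000-8000-000000000001", "displayName": "Bob_AndroidForWork",
                   "operatingSystem": "Android 14", "browser": "Chrome Mobile 124", "isManaged": true, "isCompliant": true}},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "OneDrive SyncEngine",
  "createdDateTime": "2024-05-03T12:00:00Z",
  "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Android 9",
                   "browser": "Chrome Mobile 70", "isManaged": false, "isCompliant": false}},
 {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
  "createdDateTime": "2024-05-03T16:30:00Z",
  "deviceDetail": {"deviceId": "8e7a5c10-2222-4000-8000-000000000002", "displayName": "DAVE-LAPTOP",
                   "operatingSystem": "Windows 10", "browser": "Edge 124", "isManaged": true, "isCompliant": true}}
]"""

# Illustrative floor per OS family (assumption for this example): Cyber Essentials
# wants vendor-supported versions, so replace these with the vendor's current data.
ILLUSTRATIVE_MIN_VERSION = {"Ios": (16,), "Android": (11,), "Windows": (10,), "MacOs": (13,)}


@dataclass
class DeviceRecord:
    user: str
    device_key: str          # Entra deviceId, or OS|browser when the device is unregistered
    os: str
    browser: str
    managed: bool
    compliant: bool
    apps: set = field(default_factory=set)
    sign_ins: int = 0


def load_signins(text):
    return json.loads(text)


def parse_os(os_string):
    """'Ios 17.4' -> ('Ios', (17, 4)); a family with no version -> (family, ())."""
    m = re.match(r"([A-Za-z]+)\s*([\d.]*)", os_string.strip())
    if not m:
        return os_string, ()
    version = tuple(int(p) for p in m.group(2).split(".") if p.isdigit())
    return m.group(1), version


def build_inventory(signins):
    """One DeviceRecord per (user, device). Unregistered devices carry no deviceId,
    so they are keyed on OS and browser, which can merge two identical personal
    phones owned by the same user: a known limitation of log-derived inventories."""
    inventory = {}
    for s in signins:
        d = s.get("deviceDetail") or {}
        user = s["userPrincipalName"]
        key = d.get("deviceId") or f"{d.get('operatingSystem', '?')}|{d.get('browser', '?')}"
        rec = inventory.get((user, key))
        if rec is None:
            rec = DeviceRecord(user, key, d.get("operatingSystem", ""), d.get("browser", ""),
                               bool(d.get("isManaged")), bool(d.get("isCompliant")))
            inventory[(user, key)] = rec
        rec.apps.add(s.get("appDisplayName", ""))
        rec.sign_ins += 1
    return inventory


def scope_report(inventory, min_versions=ILLUSTRATIVE_MIN_VERSION):
    """Summarise what goes on the CE device list and what needs follow-up."""
    report = {"total_devices": len(inventory), "unmanaged": [],
              "unsupported_os": [], "os_families": Counter()}
    for rec in inventory.values():
        family, version = parse_os(rec.os)
        report["os_families"][family] += 1
        if not rec.managed:                      # no MDM/MAM record: make/model unknown
            report["unmanaged"].append((rec.user, rec.os))
        floor = min_versions.get(family)
        if floor is not None and version and version < floor:
            report["unsupported_os"].append((rec.user, rec.os))
    return report


def report_from_json(text):
    return scope_report(build_inventory(load_signins(text)))


if __name__ == "__main__":
    for k, v in report_from_json(SAMPLE_SIGNINS_JSON).items():
        print(f"{k}: {v}")
```

Two caveats when using this against a real export: sign-in logs give the operating system from the user agent but not the manufacturer or model, so the unmanaged entries it lists still need MDM/MAM enrolment or a self-registration form before the make/model columns of the assessment can be filled in; and Entra ID keeps sign-in logs only for a limited window unless they are exported elsewhere, so the export should cover the whole period the assessment is meant to reflect.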

Answered By CyberSavvyPro On

Cyber Essentials is definitely suitable for organizations of any size. When guiding compliance, you'll need to decide what stays in or out of scope. However, everything must adhere to the standards set for both Cyber Essentials and Cyber Essentials Plus, which are more stringent. MDM is critical, whether it's Intune or another platform, since it enables you to track hardware and manage mobile policies for Outlook and Teams. Users can easily install their apps and log in, but controlling access through Company Portal is key for using OneDrive and SharePoint effectively.

TechWhizKid23 -

That's right! We're indeed aiming for CE+ and ISO 27001 next year since it's needed for our clients. The goal is to get everything secured, especially those relaxed BYOD policies.

DevOpsDude -

Just a heads up, the whole CE and CE+ scope isn't as different as some might think. They must align well or you'll have to redo assessments.

Answered By PolicyMaven On

I’ve conducted Cyber Essentials assessments before, and I always had to provide details about mobile devices. Utilizing App Protection Policies in Intune can help secure your BYOD while requiring compliance with those policies. Each device that's used to connect to company services must fall under the assessment, including their make and operating system versions. Keep in mind, devices not included in the scope are unacceptable.

Answered By IntuneExpert22 On

Absolutely, using Intune is a solid solution here. I’ve been asking folks to fill out a form to 'register' their BYOD devices, while we wait on approvals for the overall BYOD policy. App Protection Policies in Intune can help secure your apps on BYOD and require compliance based on OS version and device security measures.
