Cyber Essentials Cloud Services Scope 2026

The official definition

Danzell v3.3 defines a cloud service for the purposes of Cyber Essentials as follows:

This is deliberately broad. If your organisation accesses a service through a browser or app, and that service handles any business data, it is almost certainly in scope.

What is in scope

Cloud services that fall within scope include but are not limited to the following categories:

• Productivity — Microsoft 365, Google Workspace, Notion, and similar platforms
• File storage — OneDrive, Google Drive, Dropbox, SharePoint
• Communication — Microsoft Teams, Slack, Zoom, Google Meet
• Finance — Xero, QuickBooks, FreeAgent, and other accounting platforms
• CRM — Salesforce, HubSpot, Pipedrive, and similar tools
• Development — GitHub, GitLab, Bitbucket, Jira, and CI/CD platforms
• HR and payroll — BambooHR, Gusto, Sage People, and similar services
• Email — any cloud-hosted email service, including Exchange Online and Gmail
• Social media — LinkedIn, Facebook, X (formerly Twitter), and Instagram when used for business purposes

IASME has specifically clarified that social media accounts used for business purposes fall within the definition of a cloud service under Danzell v3.3. This includes company pages and accounts managed by employees on behalf of the organisation.

What can be excluded

A cloud service may only be excluded from scope if it is genuinely segregated from the rest of your IT infrastructure and does not store, process, or communicate organisational data that interacts with in-scope systems. Exclusions must be documented and justified — assessors are trained to challenge exclusions that appear to be an attempt to reduce scope rather than a legitimate reflection of how the service is used.

In practice, very few cloud services used by an organisation can be legitimately excluded. If your team uses a service as part of daily operations, it is almost certainly in scope.

Services with no MFA available

If a cloud service in scope does not offer MFA at all — meaning the vendor provides no mechanism for multi-factor authentication — this must be declared at question A7.15 in the Danzell v3.3 assessment. The assessor will review the declaration and may request evidence that MFA is genuinely unavailable.

Cost is not an accepted reason for not enabling MFA. If a service offers MFA only as part of a paid tier, IASME considers it available. Your organisation is expected to enable it regardless of whether it requires an upgrade. Choosing not to pay for a tier that includes MFA will result in an automatic failure at A7.16 or A7.17.

How to document your cloud services

Question A2.9 in the Danzell v3.3 assessment requires you to provide a register of all cloud services used by your organisation. This register should list every cloud service in scope, state whether MFA is enabled, and note any services that have been excluded with a documented justification.

Start by auditing every service your team accesses through a browser or app. Check with each department — finance, HR, marketing, and development teams often use services that IT is not aware of. Shadow IT is one of the most common reasons organisations fail cloud service scoping questions.

CrownSync CE Readiness prompts you to build this register as part of the guided assessment, ensuring nothing is missed before submission.

Related guides