If they're network-connected and in scope, yes. Document why something is in or out of scope.

Do BYOD phones count?

If they're used to access in-scope organisational data, yes. They need to meet the BYOD requirements.

How often should I update the register?

Continuously when assets change, and at least at every quarterly review.

Workspace area

Cyber Essentials asset register

Your asset register is the backbone of Cyber Essentials evidence. It tells the assessor exactly what's in scope — and it tells you what every other piece of evidence needs to cover.

Start free See features

Why asset registers are often a mess

Most SMEs have an unofficial asset list in a spreadsheet, plus a different list in their MDM, plus another in finance. They rarely agree, and none of them link to the actual evidence.

What belongs on the register

Laptops and desktops (with OS and owner)
Servers (on-premise or cloud)
Firewalls and routers
Mobile devices in scope
SaaS and cloud platforms (Microsoft 365, Google Workspace, finance, CRM)
Administrator accounts
In-scope status and notes

How Evaud helps

Single register

One asset register tied directly to your control evidence.

CSV import / export

Import existing lists from spreadsheets and export for assessor review.

Evidence linkage

Link patch, malware, MFA and other evidence to specific assets.

Frequently asked questions

Start building your Cyber Essentials evidence today.

Free to try. No credit card required.

Start free Contact us