An accurate asset register is the foundation of Cyber Essentials evidence. Most other controls reference it.
This guide describes what to include and how to stop the register drifting after first certification.
List in-scope hardware
Capture every device that processes in-scope data or accesses in-scope services.
- Laptops and desktops with owner and OS
- Servers (on-prem and cloud)
- Firewalls and routers
- Mobiles in scope
List cloud services and SaaS
Cloud services are part of scope. Capture each platform, its admins and whether MFA is enforced.
Capture admin accounts separately
Admin accounts deserve their own list — they are over-represented in assessor questions.
Record scope decisions
Anything you exclude must have a documented reason. Future-you and your assessor both need it.
Maintain quarterly
Asset registers built once and forgotten are the single biggest evidence gap at renewal. Sweep at least quarterly.
Practical examples
Laptop row
Hostname, owner, OS, version, encryption status, joined date.
Cloud service row
Service name, owner, admins, MFA enforced (yes/no).
Admin account row
User, platform, account type, MFA method, last reviewed.
Common mistakes
Treating it as a one-off
Registers built at first certification and never updated are usually wrong by renewal.
Skipping SaaS
Forgetting accounting, CRM or design SaaS leaves obvious gaps.
Mixing admins with users
Track admins separately — they need MFA evidence and are reviewed more often.
Build this properly in Evaud
Start a free workspace and organise your Cyber Essentials evidence in one place.
Frequently asked questions
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.