Cyber Essentials and Docker: what is the impact?

Written by Vincent Priestley

A question that comes up a lot
If you are using containers, chances are you have asked (or been asked):
"Do we need to list our Docker containers as server devices (A2.5) for Cyber Essentials?"
The short answer is no.
Cyber Essentials is concerned with devices and operating systems, not individual applications or workloads.

So what should be in scope?
Physical servers
Virtual machines (including cloud VMs)
Any system that has its own operating system and provides services

And what does not need to be listed?
Docker containers
Kubernetes pods
Individual containerised applications

Why does this matter?
Containers do not have their own operating system. They run on top of a host server or VM. Because of that, Cyber Essentials treats containers as applications, not devices.
What really matters is the host system running those containers. Make sure that:

It is included in scope
It meets the Cyber Essentials controls (patching, firewalling, access control, etc.)

If the host server or VM is compliant, the containerised services are covered as part of that system.
A simple rule of thumb I often share:
If it does not have its own operating system, it is not a "device" for Cyber Essentials.
This is also consistent with how Cyber Essentials defines scope and how Cyber Essentials Plus testing is carried out, where the focus is on devices and operating systems rather than applications.


If you are working through Cyber Essentials and using containers, getting this clear early on can save a lot of confusion.