Google Workspace for Cyber Essentials Plus, the Per-Control Admin Mapping
Net Sec Group is an IASME and NCSC certification body. Across our 800-plus engagement history, Google Workspace estates are the second-most-common cloud-only or cloud-anchored profile we assess after Microsoft 365. The same five Cyber Essentials Plus controls apply; the configuration surface is the Workspace admin console rather than Entra. This article maps each CE Plus control onto Workspace admin configuration the assessor accepts as evidence, the admin export format, and the three Workspace-specific rejects we see at audit.
For the broader cloud-only scope question (what Workspace covers and what the laptop fleet covers), see scanning cloud vs on-premises CE Plus on this site. For the broader CE Plus assessment-day reference, see the CE Plus Assessment Guide on netsecgroup.io.
The 5-row CE-control-to-Workspace-policy table
Each row names the CE Plus control, the Workspace admin setting that evidences it, the specific configuration the assessor expects, and the admin export format.
| Control | Workspace admin setting | Configuration the assessor expects | Admin export format |
|---|---|---|---|
| Boundary Firewalls and Internet Gateways | Workspace tenant boundary plus laptop host-based firewall (Workspace itself has no boundary firewall; the boundary is the tenant access path) | Context-Aware Access policy restricting Workspace access to compliant devices and approved IP ranges; per-laptop host firewall on (covered separately under macOS / Windows hardening) | Context-Aware Access policy export from Admin > Security > Context-Aware Access; per-laptop firewall evidence per the Windows 11 or macOS checklist |
| Secure Configuration | Admin Console security best practices, OAuth app access controls, default sharing rules | Default external sharing off (or restricted to specific domains), OAuth app trust list configured (no "All Internal Applications" default trust), Less Secure App Access disabled, Workspace audit logging on | Admin > Security > Authentication settings export; OAuth app trust list export from Admin > Security > API controls; sharing settings export from Admin > Apps > Google Workspace > Drive and Docs |
| User Access Control | 2-Step Verification (2SV) enforcement, admin role separation, Advanced Protection Program for super admins | 2SV enforcement on for admin OU (or all OUs); enforcement method restricted to security key or Authenticator app for cloud admin roles; super admin accounts enrolled in Advanced Protection Program where the firm has chosen it; admin role assignments minimised (no over-privileged super admins) | 2SV enrollment status export per admin user; admin role assignment report from Admin > Account > Admin roles; Advanced Protection Program enrollment export |
| Malware Protection | Gmail attachment scanning, Drive virus scanning, Security Center alerts | Gmail enhanced pre-delivery message scanning on; Drive content scanning on; Security Center investigation tool configured to alert on malware-related events | Admin > Security > Security Center > Alerts export; Gmail security settings export; Drive content scanning report |
| Security Update Management | Workspace platform updates (vendor-managed) plus per-laptop patching evidence (covered under host article) | Workspace itself updates automatically as a SaaS platform; the firm's evidence is the per-laptop patch state, not the Workspace platform; Workspace's published security advisories subscription confirmed | Workspace status dashboard reference (https://www.google.com/appsstatus/dashboard/); per-laptop patch evidence per the Windows 11 or macOS checklist |
Per-control engineering detail
Boundary Firewalls and Internet Gateways
Accept: Workspace itself has no boundary firewall in the on-premises sense; the assessor reads the boundary as the tenant access path. Context-Aware Access policy restricts Workspace access to devices that meet a defined compliance state and to approved IP ranges where the firm has IP allow-listing in place. The host-based firewall on each in-scope laptop covers the device side of the boundary; see Windows 11 hardening for CE Plus and macOS Cyber Essentials Plus checklist for the per-platform evidence.
Reject: a Workspace tenant with no Context-Aware Access policy and no IP restrictions, where any device on any network can sign in with valid credentials; the firm's "boundary" reduces to the password and 2SV factor, which is then assessed under User Access Control rather than Boundary Firewalls.
Secure Configuration
Accept: Workspace defaults hardened: external sharing off or restricted, OAuth app trust list configured to deny by default, Less Secure App Access disabled, audit logging on, admin notifications configured. The configuration is documented as the firm's standard Workspace baseline, exported from Admin Console for evidence.
Reject: Workspace at default state with external sharing wide open ("anyone with the link can edit"), OAuth scopes set to "All Internal Applications can be installed by users" without admin review, Less Secure App Access still enabled (deprecated by Google but some old tenants have not turned it off), audit logging never configured.
User Access Control
Accept: 2SV enforcement on for the admin OU (or all-OUs with documented exceptions), enforcement method restricted to security key (FIDO2) or Authenticator app TOTP for cloud admin role members, no SMS-based 2SV permitted for admins. Super admin accounts in Advanced Protection Program where the firm has chosen this tier (highest-friction-highest-security path). Admin role assignments minimised: super admins limited to 2 to 3 named humans, delegated admins assigned the narrowest role that does the job.
Reject: 2SV "encouraged" rather than enforced (a setting that suggests 2SV but allows users to opt out); enforcement on but with a new-enrolment grace period that the super admin has been sitting inside for 6 months; SMS-based 2SV accepted for cloud admin (the assessor queries this at minimum and often rejects it); super admin role granted to 8 to 12 users when only 2 to 3 actively perform admin work.
For the deeper MFA-evidence detail across identity providers including Workspace, see CE Plus MFA evidence, acceptable formats on this site.
Malware Protection
Accept: Gmail enhanced pre-delivery message scanning on (catches malware-bearing attachments before delivery), Drive content scanning on (scans Drive uploads for malware signatures), Security Center investigation tool configured with alert rules for malware-related events. Per-laptop antivirus evidence on each in-scope device through the platform-specific articles linked above.
Reject: Gmail at default scanning level without enhanced pre-delivery; Drive content scanning off; Security Center never configured (no alert rules, no investigation tool sessions on file). Workspace's malware protection evidence is platform-side; the device-side AV evidence still has to come from the laptop's anti-malware console.
Security Update Management
Accept: Workspace platform updates are vendor-managed (Google patches the SaaS platform on a continuous-deployment basis); the assessor accepts this as the SaaS platform's responsibility, evidenced by the firm's subscription to the Google Workspace status dashboard and to security bulletins via Workspace admin notifications. The firm's responsibility is the per-laptop patching evidence.
Reject: a SAQ that claims "Workspace handles patching" without per-laptop patch evidence (the laptops are still in scope; Workspace handles only the SaaS platform). The assessor reads the SAQ and finds the laptop patching control fails for lack of evidence.
The three Workspace-specific evidence rejects
Across our engagement history, three patterns recur as Workspace-specific failures.
Reject 1, 2SV enforcement set to "encouraged" not "enforced"
The applicant has 2SV configured in the admin console, but the enforcement state is "encouraged" or "users can choose to enrol", not "enforced". The assessor reads the setting as opt-in rather than mandatory, which fails the IASME requirement for MFA on cloud admin. Fix: change the enforcement state to "enforced" for the admin OU and validate via the per-user 2SV enrollment report.
Reject 2, OAuth app trust list configured but with broad default trust
The applicant has the OAuth app trust list configured but the default policy permits "All Internal Applications can be installed by users" or "Trusted apps can access user data". This default-allow posture lets users grant broad data access to OAuth-integrated apps without admin review. The assessor reads it as Secure Configuration failing. Fix: change the default to "Block all third-party apps that access Workspace data" and configure an admin-managed allow list of approved apps.
Reject 3, super admin role over-allocated
The applicant has 8 to 12 users in the Super Admin role when only 2 to 3 actively perform super-admin actions. The remaining 5 to 9 hold the role for "convenience" or "in case of emergency". User Access Control fails because administrative privilege is not minimised; access reviews should remove the over-allocations. Fix: audit the Super Admin role membership, reduce to 2 to 3 named humans, document the access-review cadence (typically quarterly), maintain a separate break-glass procedure for emergency access.
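The two User Access Control rejects above (Reject 1, 2SV enforced versus merely encouraged, and Reject 3, an over-allocated Super Admin role) can both be checked from a single per-user export before the assessor does. The script below is an added example, not Net Sec Group's tooling or anything from Google; it assumes the export is a list of user objects in the shape returned by the Admin SDK Directory API users.list call (fields primaryEmail, orgUnitPath, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) and the sample data is constructed. Note that this resource does not expose the 2SV method, so the security-key-or-TOTP-only requirement still has to be evidenced from the 2SV settings export.

```python
"""Review a Workspace users.list-style export for Reject 1 (2SV not
enforced for admins) and Reject 3 (Super Admin role over-allocated).

Assumptions (not from the article): field names follow the Admin SDK
Directory API User resource; the sample export below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample; a real run would load the JSON saved from users.list.
SAMPLE_EXPORT = json.dumps([
    {"primaryEmail": "alice@example.test", "orgUnitPath": "/Admins", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.test", "orgUnitPath": "/Admins", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.test", "orgUnitPath": "/Admins", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "dave@example.test", "orgUnitPath": "/Staff", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "erin@example.test", "orgUnitPath": "/Staff", "isAdmin": False,
     "isDelegatedAdmin": True, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "frank@example.test", "orgUnitPath": "/Staff", "isAdmin": False,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "old-admin@example.test", "orgUnitPath": "/Admins", "isAdmin": True,
     "isDelegatedAdmin": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
])

MAX_SUPER_ADMINS = 3  # the article's "2 to 3 named humans" ceiling


@dataclass
class Findings:
    super_admins: list[str] = field(default_factory=list)
    admins_not_enforced: list[str] = field(default_factory=list)  # Reject 1
    admins_not_enrolled: list[str] = field(default_factory=list)
    super_admin_over_allocation: int = 0                          # Reject 3

    @property
    def passes(self) -> bool:
        return not self.admins_not_enforced and self.super_admin_over_allocation == 0


def review_users(export_json: str, max_super_admins: int = MAX_SUPER_ADMINS) -> Findings:
    """Apply both checks to the export; suspended accounts are ignored."""
    f = Findings()
    for u in json.loads(export_json):
        if u.get("suspended"):
            continue  # cannot sign in, so not part of the live admin population
        if u.get("isAdmin"):
            f.super_admins.append(u["primaryEmail"])
        if not (u.get("isAdmin") or u.get("isDelegatedAdmin")):
            continue  # the requirement is MFA on cloud admin; only admins are checked here
        if not u.get("isEnrolledIn2Sv", False):
            f.admins_not_enrolled.append(u["primaryEmail"])
        if not u.get("isEnforcedIn2Sv", False):
            # enrolled-but-not-enforced is the "encouraged" posture of Reject 1
            f.admins_not_enforced.append(u["primaryEmail"])
    f.super_admin_over_allocation = max(0, len(f.super_admins) - max_super_admins)
    return f


def report(f: Findings) -> str:
    """Human-readable summary in the order the assessor would read it."""
    lines = [f"super admins ({len(f.super_admins)}): {', '.join(f.super_admins)}"]
    if f.super_admin_over_allocation:
        lines.append(f"REJECT 3: {f.super_admin_over_allocation} super admin(s) above the ceiling of {MAX_SUPER_ADMINS}")
    if f.admins_not_enforced:
        lines.append("REJECT 1: 2SV not enforced for admins: " + ", ".join(f.admins_not_enforced))
    if f.admins_not_enrolled:
        lines.append("  of which not even enrolled: " + ", ".join(f.admins_not_enrolled))
    lines.append("result: " + ("PASS" if f.passes else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review_users(SAMPLE_EXPORT)))
```

On the constructed sample the script finds four active super admins (one over the ceiling), two admins whose 2SV is not enforced, and one of those not even enrolled, so the result is FAIL; the remaining over-allocation is what the quarterly access review and the separate break-glass procedure are meant to remove.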
Practitioner observations
Three observations from the engagement history.
1. Advanced Protection Program is the highest-friction but cleanest path for super admin accounts. The Program enforces security-key-only sign-in, blocks third-party app access to user data unless explicitly approved, and adds extra verification steps. Engineers find it disruptive day-to-day; the audit pack reads cleanly because the protections are platform-enforced rather than policy-enforced. For super admin accounts specifically, the Program's friction is acceptable.
2. Context-Aware Access is the cleanest device-compliance gate when the firm uses Workspace plus Endpoint Verification. Endpoint Verification is Google's lightweight device-management agent; combined with Context-Aware Access, it produces device-compliance gating equivalent to Microsoft 365 + Conditional Access + Intune compliance. Workspace estates without Endpoint Verification have to compose device-compliance evidence from MDM (typically Jamf, Mosyle, Kandji, or Microsoft Intune for Mac) reports separately.
3. The Workspace audit log is the assessor's friend. The audit log produces per-event evidence that is hard to fabricate or backdate; the assessor reads it for evidence of policy enforcement (sign-in events showing 2SV satisfied, sharing events showing default-deny applied, admin role changes showing the access-review cadence in practice). Workspaces that have audit logging on for at least 90 days before the assessment produce stronger evidence than ones that turn it on the week before.
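Two of the things the assessor reads from the audit log, the 90-day coverage window and the admin role changes that show the access review happening, can be pulled out of an export mechanically. The script below is an added example, not Net Sec Group's tooling or Google's; it assumes the records follow the shape of the Reports API activities.list response (id.time, actor.email, events[].name, events[].parameters[]) and that role changes appear as ASSIGN_ROLE / UNASSIGN_ROLE events carrying ROLE_NAME and USER_EMAIL parameters, with _SEED_ADMIN_ROLE as the super admin role name; all sample events are constructed, and the event and parameter names should be checked against your own export.

```python
"""Check an admin audit-log export for assessment-day evidence: coverage of
at least 90 days before the assessment date, and super admin role changes.

Assumptions (not from the article): activities.list record shape,
ASSIGN_ROLE / UNASSIGN_ROLE event names with ROLE_NAME / USER_EMAIL
parameters, and _SEED_ADMIN_ROLE as the super admin role. Sample events
are constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone

REQUIRED_COVERAGE_DAYS = 90
ROLE_EVENTS = {"ASSIGN_ROLE", "UNASSIGN_ROLE"}
SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"  # assumed ROLE_NAME value for super admin


def _event(ts: str, actor: str, name: str, **params: str) -> dict:
    """Build one constructed record in the activities.list shape."""
    return {
        "id": {"time": ts},
        "actor": {"email": actor},
        "events": [{"name": name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    }


# Constructed sample: an access review removing two surplus super admins, one
# unrelated delegated-role assignment, and two setting changes that fix the
# earliest and latest timestamps of the retained log.
SAMPLE_EVENTS = [
    _event("2024-02-15T09:12:03.000Z", "alice@example.test", "CHANGE_APPLICATION_SETTING"),
    _event("2024-03-28T14:02:51.000Z", "alice@example.test", "UNASSIGN_ROLE",
           ROLE_NAME=SUPER_ADMIN_ROLE, USER_EMAIL="old-admin@example.test"),
    _event("2024-03-28T14:03:10.000Z", "alice@example.test", "UNASSIGN_ROLE",
           ROLE_NAME=SUPER_ADMIN_ROLE, USER_EMAIL="dave@example.test"),
    _event("2024-04-02T10:45:00.000Z", "alice@example.test", "ASSIGN_ROLE",
           ROLE_NAME="_GROUPS_ADMIN_ROLE", USER_EMAIL="erin@example.test"),
    _event("2024-05-20T08:00:00.000Z", "bob@example.test", "CHANGE_APPLICATION_SETTING"),
]


def _parse_time(ts: str) -> datetime:
    # Reports API timestamps are RFC 3339 with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_days(events: list[dict], assessment_date: datetime) -> int:
    """Whole days between the earliest retained event and the assessment date."""
    earliest = min(_parse_time(e["id"]["time"]) for e in events)
    return (assessment_date - earliest).days


def role_changes(events: list[dict], role: str | None = None) -> list[tuple[str, str, str, str]]:
    """(time, actor, event name, affected user) for each role change, optionally one role only."""
    out = []
    for rec in events:
        for ev in rec["events"]:
            if ev["name"] not in ROLE_EVENTS:
                continue
            p = {x["name"]: x["value"] for x in ev.get("parameters", [])}
            if role is None or p.get("ROLE_NAME") == role:
                out.append((rec["id"]["time"], rec["actor"]["email"], ev["name"], p.get("USER_EMAIL", "?")))
    return out


def audit_log_check(events: list[dict], assessment_date: datetime) -> dict:
    """Summarise what the assessor looks for: coverage and super admin role changes."""
    days = coverage_days(events, assessment_date)
    return {
        "coverage_days": days,
        "coverage_ok": days >= REQUIRED_COVERAGE_DAYS,
        "super_admin_role_changes": role_changes(events, SUPER_ADMIN_ROLE),
    }


if __name__ == "__main__":
    result = audit_log_check(SAMPLE_EVENTS, datetime(2024, 6, 1, tzinfo=timezone.utc))
    status = "ok" if result["coverage_ok"] else f"short of {REQUIRED_COVERAGE_DAYS}"
    print(f"audit coverage: {result['coverage_days']} days ({status})")
    for t, actor, name, user in result["super_admin_role_changes"]:
        print(f"{t} {actor} {name} {user}")
```

Against the constructed sample and an assessment date of 1 June 2024 the log covers 106 days and shows two super admin removals on the same afternoon, which is exactly the kind of dated, per-event trace of the access review the observation above describes; a tenant that enabled logging the week before would fail the coverage check regardless of what the settings exports say.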
Common questions
Does the Workspace Business Starter / Standard / Plus distinction affect CE Plus?
Workspace Business Starter lacks Context-Aware Access and Advanced Protection Program features, which makes the User Access Control evidence harder to assemble. Business Standard adds Context-Aware Access basics; Business Plus adds full Context-Aware Access plus advanced security; Enterprise editions add Security Center and the full Advanced Protection Program. CE Plus engagements work on every tier; the higher tiers produce cleaner evidence with less per-device manual work.
Can I use Workspace for the User Access Control evidence and Microsoft 365 for the Malware Protection evidence?
Mixed-platform estates are common and the assessor reads the evidence from each platform's admin console. The scope statement names which platform owns which control on which population of users. Each platform's admin export covers its share of the evidence pack.
Does Endpoint Verification replace MDM for laptops on Workspace?
For limited compliance gating (signed-in user, device-platform check), Endpoint Verification is sufficient. For deeper hardening (BitLocker / FileVault enforcement, AppLocker / Smart App Control deployment, Defender / XProtect state evidence), the firm needs a full MDM (Jamf, Mosyle, Kandji, Microsoft Intune for Mac, or similar). Most engagements run Endpoint Verification + a separate MDM for the deeper controls.
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the Workspace tenant topology and the device-management posture; the assessor confirms the engagement timeline.
Reference material
- Cyber Essentials Plus Assessment Guide
- Cyber Essentials Five Controls Technical Guide
- Cyber Essentials BYOD Device Classification
- Google Workspace Admin Help: security best practices
- Google Workspace Admin Help: Context-Aware Access
Where this fits on this site
This article is the Google Workspace spoke under the platform-specific pillar. The other platform-specific spokes are Windows 11 hardening for CE Plus, macOS Cyber Essentials Plus checklist, and Microsoft Intune for CE Plus configuration. For the cloud-only scope question, see scanning cloud vs on-premises CE Plus on this site. For per-control foundation references, see User Access Control and Secure Configuration.