Questionnaire Part 7 Access Control

This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025.
Access Control (User Access Control)
A7.1 User Account Creation
Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

You must ensure that user accounts (such as logins to laptops and accounts on servers) are only provided after they have been approved by a person with a leadership role in the business.
CE Requirement: Your organisation must have in place a process to create and approve user accounts.

Provide a concise description of your process to create user accounts.
Ensure you include who approves the account creation.
A7.2 Unique Accounts
Are all your user and administrative accounts accessed by entering unique credentials?

You must ensure that no devices can be accessed without entering unique authentication credentials.
Accounts must not be shared.
CE Requirement: Authenticate users with unique credentials before granting access to applications or devices.

This question requires a yes or no answer.
Users must not share accounts, and credentials should be unique to the user. Accounts should not be left permanently logged in.
A7.3 Leavers Accounts
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

When an individual leaves your organisation you need to stop them accessing any of your systems.
CE Requirement: Remove or disable user accounts when no longer required.

Provide a concise description of your process for deleting or disabling accounts for staff members who have left your organisation.
A7.4 User Privileges
Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

When a staff member changes job role you may also need to change their permissions so that they can only access the files, folders and applications that they need to do their day-to-day work.
For Cyber Essentials we require that the principle of least privilege be applied.
CE Requirement: Your organisation must be in control of your user accounts and the access privileges that allow access to your organisational data and services.

Provide a concise description of your processes for ensuring staff have the correct privileges for their role.
This question is not specifically asking about how you assign administrator roles, but rather about how you review and manage the access of all users (ensuring they do not have access to more than required for their role).
Access Control (Administrative Accounts)
A7.5 Administrator Approval
Do you have a formal process for giving someone access to systems at an “administrator” level and can you describe this process?

You must have a process that you follow when deciding to give someone access to systems at administrator level. This process might include approval by a person who is an owner/director/trustee/partner of the organisation.
CE Requirement: Your organisation must have in place a process to create and approve user accounts.

Provide a concise description of your process.
Note that your process should be authorised by an appropriate person/group of people.
A7.6 Use of Administrator Accounts
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

You must use a separate administrator account from the standard user account when carrying out administrative tasks such as installing software. Using administrator accounts all day long exposes the device to compromise by malware.
Cloud service administration must be carried out using separate accounts.
CE Requirement: Your organisation must use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).

Provide a concise description of your method.
Your method can involve policy, process, and training. Technical measures are not a requirement.
To be compliant, any individual who requires administrative privileges must have both an administrative account and a separate standard user account. Standard user accounts must not have administrative privileges.
You must also confirm that cloud service administration is conducted through separate accounts.
A7.7 Managing Administrator Account Usage
How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?

This question relates to the activities carried out when an administrator account is in use.
You must ensure that administrator accounts are not used to access websites or download email. Using such accounts in this way exposes the device to compromise by malware. Software and update downloads should be performed as a standard user and then installed as an administrator. You may not need a technical solution to achieve this; it could be based on good policy, procedure and regular training for staff.
CE Requirement: Your organisation must use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).

Provide a concise description of your method.
This question is specifically asking how you ensure any individuals with administrator accounts use their standard user accounts (and not their administrator accounts) for day-to-day tasks including web browsing or email access.
Your method can involve policy, process, and training. Technical measures are not a requirement.
A7.8 Administrator Account Tracking
Do you formally track which users have administrator accounts in your organisation?

You must track all people that have been granted administrator accounts.
CE Requirement: Your organisation must have in place a process to create and approve user accounts.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Your documentation might be written down, stored in a spreadsheet, or tracked via, e.g., a service management tool. We do not need you to provide details of how you track this information, merely confirm that you do.
A7.9 Administrator Access Review
Do you review who should have administrative access on a regular basis?

You must review the list of people with administrator access regularly. Depending on your business, this might be monthly, quarterly, or annually. Any users who no longer need administrative access to carry out their role should have it removed.
CE Requirement: Your organisation must remove or disable special access privileges when no longer required (when a member of staff changes role, for example).

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Access Control (Password-Based Authentication)
A7.10 Brute Force Attack Protection
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until the correct one is found.
Information on how to protect against brute-force password guessing can be found in the Password-based authentication section, under the User Access Control section in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.
CE Requirement: Passwords are protected against brute-force password guessing by implementing at least one of:
- multi-factor authentication
- ‘throttling’ the rate of attempts, so that the length of time the user must wait between attempts increases with each unsuccessful attempt – you shouldn’t allow more than 10 guesses in 5 minutes
- locking devices after no more than 10 unsuccessful attempts

Provide a concise description of your method.
Acceptable methods are using multi-factor authentication, 'throttling' (no more than 10 guesses in 5 minutes), and/or locking accounts after no more than 10 failed attempts. You must use at least one of these methods to achieve compliance.
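As an added illustration (not from the questionnaire or the NCSC documents), the following Python models the two password-based controls A7.10 accepts: throttling with an escalating wait and a cap of 10 guesses in 5 minutes, and locking the account after 10 unsuccessful attempts. The constants, method names and the `simulate` scenario are this example's own choices.

```python
from collections import deque

WINDOW_SECONDS = 300         # the 5-minute window named in the requirement
MAX_GUESSES_PER_WINDOW = 10  # throttling: no more than 10 guesses in 5 minutes
LOCKOUT_THRESHOLD = 10       # lockout: after no more than 10 unsuccessful attempts


class LoginThrottle:
    def __init__(self):
        self._failures = {}     # account -> deque of failure timestamps (seconds)
        self._consecutive = {}  # account -> failures since the last reset
        self._locked = set()    # accounts locked pending an administrator unlock

    def _recent(self, account, now):  # failures still inside the window
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account, now):  # 'locked', 'throttled' or 'ok' at time `now`
        if account in self._locked:
            return "locked"
        recent = self._recent(account, now)
        if len(recent) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"
        n = self._consecutive.get(account, 0)  # back-off doubles per failure
        if recent and now - recent[-1] < min(2 ** (n - 1), WINDOW_SECONDS):
            return "throttled"
        return "ok"

    def record_failure(self, account, now):
        self._recent(account, now).append(now)
        n = self._consecutive[account] = self._consecutive.get(account, 0) + 1
        if n >= LOCKOUT_THRESHOLD:
            self._locked.add(account)

    def reset(self, account):  # successful login or administrator unlock
        self._locked.discard(account)  # clears the lock and the back-off ...
        self._consecutive[account] = 0  # ... but not the 5-minute window


def simulate(attempts, spacing, account="alice"):
    """Constructed scenario: `attempts` wrong passwords `spacing` seconds apart."""
    t, outcomes = LoginThrottle(), []
    for i in range(attempts):
        outcome = t.check(account, i * spacing)
        if outcome == "ok":
            t.record_failure(account, i * spacing)
        outcomes.append(outcome)
    return outcomes
```

Note that an administrator unlock does not clear the 5-minute window, so an account unlocked immediately after ten failures is still throttled until the window passes.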
A7.11 Password Quality
Which technical controls are used to manage the quality of your passwords within your organisation?

Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the Cyber Essentials Requirements for IT Infrastructure document.
CE Requirement: Use technical controls to manage the quality of passwords. This will include one of the following:
- using multi-factor authentication
- a minimum password length of at least 12 characters, with no maximum length restrictions
- a minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list.

Provide a concise description of your technical controls.
Acceptable controls are using multi-factor authentication, a minimum password length of at least 12 characters (with no maximum length restrictions), and a minimum password length of at least 8 characters (with no maximum length restrictions and automatic blocking of common passwords using a deny list). You must use at least one of these controls to achieve compliance.
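An added example, not part of the questionnaire or the Requirements document, of a password check implementing the two length-based options in A7.11 (either a 12-character minimum, or an 8-character minimum with a deny list) without the maximum length or complexity rules that A7.12 says not to enforce. The deny list is a constructed sample, and the policy dictionary format and trailing-digit heuristic are this example's own.

```python
import unicodedata

# Constructed sample deny list: a real deployment loads a much larger list
# (for example a published breached-password corpus) rather than these six.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# The two length-based options from A7.11; MFA is the third and is handled elsewhere.
POLICY_MIN_12 = {"min_length": 12, "deny_list": None}
POLICY_MIN_8_DENY = {"min_length": 8, "deny_list": COMMON_PASSWORDS}


def normalise(password):
    """Case- and Unicode-insensitive form used for deny-list lookups."""
    return unicodedata.normalize("NFKC", password).casefold()


def on_deny_list(password, deny_list):
    """Exact match, plus a match after stripping trailing digits and symbols
    so that 'Welcome2024!' is still caught (this example's own heuristic)."""
    norm = normalise(password)
    return norm in deny_list or norm.rstrip("0123456789!@#$%^&*.") in deny_list


def check_password(password, policy):
    """Return the reasons `password` fails `policy`; an empty list means accepted.
    Deliberately no maximum length and no complexity rule (see A7.11 and A7.12)."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append(f"shorter than {policy['min_length']} characters")
    if policy["deny_list"] is not None and on_deny_list(password, policy["deny_list"]):
        reasons.append("on the common-password deny list")
    return reasons


def policy_is_compliant(policy):
    """Check a policy configuration itself against the A7.11 options."""
    if policy.get("max_length") is not None:
        return False  # a maximum length restriction fails both options
    if policy["min_length"] >= 12:
        return True
    return policy["min_length"] >= 8 and bool(policy["deny_list"])
```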
A7.12 Password Creation Advice
Please explain how you encourage people to use unique and strong passwords.

You need to support those that have access to your organisational data and services by informing them of how they should pick a strong and unique password.
Further information can be found in the Password-based authentication section, under the User Access Control section in the Cyber Essentials Requirements for IT Infrastructure document.
CE Requirement: Support users to choose unique passwords for their work accounts by:
- educating people about avoiding common passwords, such as a pet's name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers
- encouraging people to choose longer passwords by promoting the use of multiple words (a minimum of three) to create a password (such as the NCSC’s guidance on using three random words)
- providing usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used
- not enforcing regular password expiry
- not enforcing password complexity requirements

Provide a concise description of how you encourage the use of unique and strong passwords.
The Requirements for IT Infrastructure document provides several ways that you can support staff with this, but you are not required to demonstrate use of all of these.
A7.13 Password Compromise Policy
Do you have a process for when you believe the passwords or accounts have been compromised?

You must have an established process that details how to change passwords promptly if you believe or suspect a password or account has been compromised.
CE Requirement: You should make sure there is an established process in place to change passwords promptly if you know or suspect a password or account has been compromised.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A7.14 Cloud Service MFA
Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?

Where your systems and cloud services support multi-factor authentication (MFA), for example a text message, a one-time access code or a notification from an authentication app, you must enable it for all users and administrators. For more information see the NCSC’s guidance on MFA, ‘Multi-factor authentication for your corporate online services’.
Where a cloud service does not have its own MFA solution but can be configured to link to another cloud service to provide MFA, the link will need to be configured.
Many cloud services use another cloud service to provide MFA. Examples of cloud services that can be linked to in this way are Azure, MS365 and Google Workspace.
CE Requirement: Your organisation must implement MFA, where available – authentication to cloud services must always use MFA.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
If you answer no, A7.15 will be triggered and you will have the opportunity to list cloud services that do not have this capability.
A7.15 Non-MFA Cloud Services
If you have answered ‘No’ to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.

You must provide a list of cloud services that are in use by your organisation that do not provide any option for MFA.

This question is triggered if you answered no to A7.14.
List your cloud services that do not provide multi-factor authentication.
Please note that, to achieve compliance with Cyber Essentials, MFA must be applied wherever available, even if there are additional associated license costs.
A7.16 Administrator MFA
Has MFA been applied to all administrators of your cloud services?

All administrator accounts on cloud services must use multi-factor authentication in conjunction with a password of at least 8 characters.
CE Requirement: Your organisation must implement MFA, where available – authentication to cloud services must always use MFA.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A7.17 User MFA
Has MFA been applied to all users of your cloud services?

All users of your cloud services must use MFA in conjunction with a password of at least 8 characters.
CE Requirement: Your organisation must implement MFA, where available – authentication to cloud services must always use MFA.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.