Questionnaire Part 7 Access Control
Access Control (User Access Control)
A7.1 User Account Creation
Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

You must ensure that user accounts (such as logins to laptops and accounts on servers) are only provided after they have been approved by a person with a leadership role in the business.

Provide a concise description of your process to create user accounts.
Ensure you include who approves the account creation.
A7.2 Unique Accounts
Are all user and administrative accounts accessed by entering a unique username and password?

You must ensure that no device can be accessed without entering a username and password, and that each account is used by one identifiable person. Accounts must not be shared.

This question requires a yes or no answer.
Credentials must be unique to the individual, so that every action on a device or service can be attributed to one person. Accounts should not be left permanently logged in.
A7.3 Leavers Accounts
How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

When an individual leaves your organisation you need to stop them accessing any of your systems.

Provide a concise description of your process for deleting or disabling accounts for staff members who have left your organisation.
A7.4 User Privileges
Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

When a staff member changes job role, you may also need to change their permissions to only access the files, folders, and applications that they need to do their day to day work.

Provide a concise description of your processes for ensuring staff have the correct privileges for their role.
This question is not specifically asking about how you assign administrator roles, but rather about how you review and manage the access of all users (ensuring they do not have access to more than required for their role).
Access Control (Administrative Accounts)
A7.5 Administrator Approval
Do you have a formal process for giving someone access to systems at an “administrator” level and can you confirm how this is recorded?

You must have a formal, written-down process that you follow when deciding to give someone access to systems at administrator level. This process might include approval by a person who is an owner/director/trustee/partner of the organisation.

Provide a concise description of your process.
Note that your process should be both authorised by an appropriate person/group of people and written-down.
Please also confirm where the process is recorded.
A7.6 Use of Administrator Accounts
As an organisation, how do you make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

You must use a separate administrator account from the standard user account when carrying out administrative tasks such as installing software. Using administrator accounts all day long exposes the device to compromise by malware. Cloud service administration must be carried out through separate accounts.

Provide a concise description of your method.
Your method can involve policy, process, and training. Technical measures are not a requirement.
To be compliant, any individual who requires administrative privileges must have both an administrative account and a separate standard user account. Standard user accounts must not have administrative privileges. Privilege escalation (i.e., prompting for admin credentials when logged into a standard user account) is not compliant.
You must also confirm that cloud service administration is conducted through separate accounts.
A7.7 Managing Administrator Account Usage
How does the organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?

You must ensure that administrator accounts are not used to access websites or download email. Using such accounts in this way exposes the device to compromise by malware. Software and update downloads should be performed as a standard user and then installed as an administrator. You may not need a technical solution to achieve this—it could be based on good policy and procedure as well as regular training for staff.

Provide a concise description of your method.
This question is specifically asking how you ensure any individuals with administrator accounts use their standard user accounts (and not their administrator accounts) for day-to-day tasks including web browsing or email access.
Your method can involve policy, process, and training. Technical measures are not a requirement.
A7.8 Administrator Account Tracking
Do you formally track which users have administrator accounts in your organisation?

You must track, by means of list or formal record, all people that have been granted administrator accounts.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Your documentation might be written down, stored in a spreadsheet, or tracked via, e.g., a service management tool. We do not need you to provide details of how you track this information, merely confirm that you do.
A7.9 Administrator Access Review
Do you review who should have administrative access on a regular basis?

You must review the list of people with administrator access regularly. Depending on your business, this might be monthly, quarterly, or annually. Any users who no longer need administrative access to carry out their role should have it removed.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Access Control (Password-Based Authentication)
A7.10 Brute Force Attack Protection
Describe how you protect accounts from brute-force password guessing in your organisation.

A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct one is found. In practice attackers also work through lists of common and previously breached passwords, so the point of the controls below is to limit how many guesses can be made against an account at all.

Provide a concise description of your method.
Acceptable methods are multi-factor authentication, 'throttling' (allowing no more than 10 guesses in 5 minutes), and/or locking accounts after no more than 10 failed attempts. You must use at least one of these methods to achieve compliance.
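The following is an added example, not code from the questionnaire or from IASME, showing how the two non-MFA methods named above are usually enforced in an application: a sliding-window throttle (at most 10 failed guesses in any 300-second window) and a hard lockout after 10 consecutive failures. Timestamps are plain seconds and the login attempts are constructed so the example runs offline; the class and function names are this example's own.

```python
from collections import defaultdict, deque


class BruteForceGuard:
    """Per-account brute-force protection using the thresholds quoted above:
    a sliding-window throttle (at most ``max_failures`` failed guesses per
    ``window_seconds``) and an optional hard lockout after ``lockout_after``
    consecutive failures. Timestamps are plain seconds so the class can be
    driven deterministically in a test or a log replay."""

    def __init__(self, max_failures=10, window_seconds=300, lockout_after=10):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_after = lockout_after          # None disables the lockout
        self._failures = defaultdict(deque)         # user -> timestamps of recent failures
        self._consecutive = defaultdict(int)        # user -> consecutive failures
        self._locked = set()

    def _prune(self, user, now):
        # Drop failures that have aged out of the window.
        q = self._failures[user]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def is_locked(self, user):
        return user in self._locked

    def is_throttled(self, user, now):
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def check(self, user, password_ok, now):
        """Evaluate one login attempt. Returns 'ok', 'denied', 'throttled' or 'locked'.

        The throttle and lockout checks run before the password is considered,
        so a correct guess arriving inside a throttle window or against a locked
        account is still rejected. If only failures were gated, an attacker's
        eleventh guess could still succeed and the cap would be meaningless.
        """
        if self.is_locked(user):
            return "locked"
        if self.is_throttled(user, now):
            return "throttled"
        if password_ok:
            self._consecutive[user] = 0
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        self._consecutive[user] += 1
        if self.lockout_after is not None and self._consecutive[user] >= self.lockout_after:
            self._locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user):
        """Administrative reset, used after the account owner has been verified."""
        self._locked.discard(user)
        self._consecutive[user] = 0
        self._failures[user].clear()


def replay(guard, attempts):
    """Feed constructed (user, password_ok, timestamp) tuples through the guard
    and return the decision made for each one."""
    return [guard.check(user, ok, t) for user, ok, t in attempts]


def demo_throttle():
    # Throttle only: ten wrong guesses in ten seconds, then the real password
    # inside the window (rejected) and again once the window has moved on.
    guard = BruteForceGuard(lockout_after=None)
    attempts = [("alice", False, t) for t in range(10)]          # t = 0..9 s
    attempts += [("alice", True, 10), ("alice", True, 300)]
    return replay(guard, attempts)


def demo_lockout():
    # Lockout: the tenth consecutive failure locks the account until an admin resets it.
    guard = BruteForceGuard()
    results = replay(guard, [("bob", False, t) for t in range(10)])
    results.append(guard.check("bob", True, 1000))   # right password, still locked
    guard.unlock("bob")
    results.append(guard.check("bob", True, 1001))
    return results


if __name__ == "__main__":
    print(demo_throttle())
    print(demo_lockout())
```

The throttle gives an attacker at most ten guesses per five minutes per account and recovers on its own; the lockout stops guessing completely but needs an unlock path, and that path is where helpdesk social engineering tends to land, so the reset should verify the account owner rather than just clear the counter. Either way, log the 'throttled' and 'locked' decisions: a burst of them across many accounts is the detection signal for a password-spraying campaign.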
A7.11 Password Quality
Which technical controls are used to manage the quality of your passwords within your organisation?

Provide a concise description of your technical controls.
Acceptable controls are any one of the following: multi-factor authentication; a minimum password length of at least 12 characters with no maximum length restriction; or a minimum password length of at least 8 characters with no maximum length restriction, combined with automatic blocking of common passwords using a deny list. You must use at least one of these controls to achieve compliance.
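As an added example (not the questionnaire's or IASME's own code), the two length-based controls above as a password-acceptance check. The deny list here is a constructed handful of entries standing in for a real list of common and breached passwords, and the normalisation that strips trailing digits and symbols before matching is this example's assumption, not a stated requirement: without it a deny list that contains "password" still lets "Password1!" through.

```python
import re
import unicodedata

# Constructed sample deny list. A real deployment loads a large list of common
# and previously breached passwords; this is only enough to exercise the code.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
    "football", "monkey", "dragon", "sunshine", "123456", "12345678",
}

# The two length-based controls: minimum length only, or a shorter minimum
# length backed by the deny list. Neither has a maximum length.
POLICIES = {"length12": 12, "length8_denylist": 8}

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password):
    """Canonical form used for deny-list matching: Unicode-normalised,
    lower-cased, with trailing digits and symbols stripped, so that
    'Password1!' and 'QWERTY123' match 'password' and 'qwerty'.
    (This stripping is an assumption of the example, not a rule from the page.)
    If stripping would leave nothing, e.g. '12345678', match the full string."""
    s = unicodedata.normalize("NFKC", password).lower()
    return _TRAILING_JUNK.sub("", s) or s


def is_common(password):
    return normalize(password) in COMMON_PASSWORDS


def check_password(password, policy):
    """Return (accepted, reason) for one of the two length-based controls.
    There is deliberately no upper bound on length: long passphrases are
    always allowed, and a system that caps length would not satisfy either
    control as worded above."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    minimum = POLICIES[policy]
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters"
    if policy == "length8_denylist" and is_common(password):
        return False, "matches a common password on the deny list"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "Tr0ub4dor&3"]:
        for policy in POLICIES:
            print(f"{policy:17} {candidate!r:35} -> {check_password(candidate, policy)}")
```

Note the gap the wording leaves: the 12-character control on its own accepts "Password12345!", because the deny list is only required alongside the 8-character minimum. Applying the deny list regardless of which minimum you choose costs nothing and closes the obvious hole, and the normalisation should be extended to the leetspeak and keyboard-walk variants your own breached-password data shows.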
A7.12 Password Creation Advice
Please explain how you encourage people to use unique and strong passwords.

You need to support those that have access to your organisational data and services by informing them of how they should pick a strong and unique password.

Provide a concise description of how you encourage the use of unique and strong passwords.
The Requirements for IT Infrastructure document provides several ways that you can support staff with this, but you are not required to demonstrate use of all of these.
A7.13 Password Policy
Do you have a documented password policy that includes a process for when you believe that passwords or accounts have been compromised?

You must have an established process that details how to change passwords promptly if you believe or suspect a password or account has been compromised.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A7.14 MFA Enabled
Have you enabled multi-factor authentication (MFA) on all of your cloud services?

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
If you answer no, A7.15 will be triggered and you will have the opportunity to list cloud services that do not have this capability.
A7.15 MFA Availability
If no, is this because MFA is not available for some of your cloud services? List the cloud services that do not allow multi-factor authentication.

You must list every cloud service in use that does not offer multi-factor authentication.

This question is triggered if you answered no to A7.14.
List your cloud services that do not provide multi-factor authentication.
Note that, from January 2023, it will be expected that MFA is applied wherever available, even if there are additional associated license costs.
A7.16 Administrator MFA
Has MFA been applied to all administrators of your cloud services?

All administrator accounts on your cloud services must use multi-factor authentication in conjunction with a password of at least 8 characters.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A7.17 User MFA
Has MFA been applied to all users of your cloud services?

This question is currently for information only. From January 2023 it will be marked for compliance and will require that all user accounts on cloud services are protected by MFA.

All users of your cloud services must use MFA in conjunction with a password of at least 8 characters.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.