Cyber Essentials Control

User Access Control

User access control is the third control. The scheme requires every user to have their own account, accounts to have only the privileges they need, administrative accounts to be separated from day-to-day accounts, and joiners-movers-leavers processes to keep access aligned with current need.

What the scheme requires

Every user must have their own individual account; shared logins are not permitted for normal operation.

Administrative accounts must be separated from day-to-day user accounts (e.g. an IT admin uses a standard account for email and a privileged account only for admin tasks).

Multi-factor authentication must be enabled on administrative accounts and on accounts with access to sensitive data.

User accounts must be reviewed regularly and removed when staff leave or change roles.

Password policies must align with NCSC password guidance (length and uniqueness over forced rotation).

What the assessor checks on assessment day

Reviews the joiners-movers-leavers process documentation and samples recent leavers to confirm accounts were disabled.

Samples administrative accounts to confirm separation from day-to-day accounts and MFA enabled.

Reviews the privileged account inventory against the IT operating model.

Checks password policy configuration in Microsoft 365 / Google Workspace / equivalent identity provider.

Common gaps we see

Across CE Plus engagements, the following gaps recur on this control. None require deep architectural change. Most are operational discipline that drifted between annual assessments.

Leaver accounts not disabled because the offboarding process is manual and someone forgot.

IT admin using a single account for both day-to-day work and privileged operations.

Service accounts with privileged access still configured with a password set when the firm was much smaller, never rotated.

Shared accounts on legacy systems where the vendor never supported individual accounts.

The other four controls

Firewalls

Boundary firewalls and personal firewalls block unauthorised inbound traffic and restrict outbound connections to known-good destinations.

Secure Configuration

Devices and software are configured to remove or disable unused services, change default passwords, and apply secure baseline settings.

Malware Protection

Every in-scope device runs malware protection (anti-virus or equivalent) configured to scan in real-time and update its signatures regularly.

Patch Management (Security Update Management)

All software is kept up-to-date and patches for high-severity and critical vulnerabilities are applied within 14 days of vendor release.

← Back to the Five Controls hub

Need help with user access control?

Net Sec Group is an IASME Certification Body. We scope the gap list across all five controls before the formal CE Plus engagement so the assessment passes first time. Tell us your device count and timeline; we come back inside 4 hours.