Cyber Essentials Controls
Access Control
Access control is a core part of Cyber Essentials. It helps ensure that only authorised people can access your systems, devices, data, and online services, and only to the extent needed for their role. This reduces the risk of accidental damage, unauthorised changes, stolen data, and compromised accounts. Strong access control is about more than just passwords. It is about making sure the right people have the right access for the right reasons, and no more than necessary. By using separate accounts, limiting administrator privileges, removing unused accounts, enforcing strong password practices, and enabling multi-factor authentication, organisations can significantly reduce the risk of unauthorised access and improve their overall cyber resilience.
Separate Accounts for Each User
Every user should have their own individual account. Shared accounts should be avoided because they make it difficult to confirm who accessed a system, what actions were taken, and when those actions took place. Individual accounts improve both accountability and security, and they make it far easier to manage permissions when people join, move roles, or leave the organisation.
This is especially important in environments where several people may use the same device, such as shared office workstations, tills, or reception systems. Even in these situations, each person should sign in using their own credentials so activity can still be traced to the correct individual.
Separate User and Administrator Accounts
Cyber Essentials strongly supports the principle of account separation. Users should carry out day-to-day tasks using a standard account, while administrator accounts should be reserved for higher-risk tasks such as installing software, changing system settings, managing other accounts, or configuring security controls.
Administrator accounts have much wider access across systems and data. If they are compromised, the impact can be far more serious. That is why admin privileges should only be given where there is a genuine business need, and administrative accounts should never be used for routine activities such as email, internet browsing, or document editing.
Even sole traders and single-person businesses should follow this approach by maintaining a separate standard user account and a separate administrator account. This helps reduce the risk of malware installing successfully and limits the chance of accidental system changes.
Remove Unused and Default Accounts
Unused accounts should be disabled or deleted as soon as they are no longer needed. Old staff accounts, dormant guest accounts, and unnecessary default accounts can all create avoidable security weaknesses if left in place. Cyber Essentials expects organisations to keep access under control throughout the full account lifecycle.
Where devices or services come with default usernames or passwords, these should be changed promptly. Default credentials are widely known and are often one of the first things attackers try when attempting unauthorised access.
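A simple way to apply the two points above on a regular review cycle is to run an account export through a script that flags dormant, disabled-but-present and default accounts. The example below is added here and is not part of the Cyber Essentials guidance or any vendor tooling; it assumes a CSV export with the columns username, enabled and last_logon (ISO date, empty when the account has never signed in), a 90-day inactivity threshold and a short list of default account names, all of which are assumptions you would tune to your own estate.

```python
"""Flag dormant, disabled and default accounts in an account export.

Added example, not part of the Cyber Essentials guidance. It assumes a CSV
export with the columns username, enabled, last_logon such as a directory
or a single device could produce.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). Empty last_logon means never used.
SAMPLE_EXPORT = """username,enabled,last_logon
alice,true,2024-05-30
bob,true,2024-01-02
guest,true,
Administrator,true,2023-11-14
contractor_temp,false,2023-08-01
svc_backup,true,2024-05-29
"""

# Assumed list of vendor default account names; extend for your own platforms.
DEFAULT_ACCOUNT_NAMES = {"administrator", "guest", "admin", "root", "pi", "ubnt"}

# Assumed review threshold; the guidance does not prescribe a number of days.
INACTIVE_AFTER = timedelta(days=90)


def parse_export(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip()
        rows.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": date.fromisoformat(last) if last else None,
        })
    return rows


def review_accounts(rows, today, inactive_after=INACTIVE_AFTER,
                    default_names=DEFAULT_ACCOUNT_NAMES):
    """Return a list of (username, reason) findings for the reviewer."""
    findings = []
    for acct in rows:
        name = acct["username"]
        if name.lower() in default_names:
            findings.append((name, "default account: disable or rename it and change its credentials"))
        if not acct["enabled"]:
            # Already disabled; only the deletion step of the lifecycle remains.
            findings.append((name, "disabled account still present: delete once retention needs are met"))
            continue
        if acct["last_logon"] is None:
            findings.append((name, "enabled but never used: confirm it is needed or disable it"))
        elif today - acct["last_logon"] > inactive_after:
            idle = (today - acct["last_logon"]).days
            findings.append((name, f"no sign-in for {idle} days: disable pending review"))
    return findings


def run_sample(today_iso="2024-06-01"):
    """Review the constructed export as of a fixed date so results are repeatable."""
    return review_accounts(parse_export(SAMPLE_EXPORT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for username, reason in run_sample():
        print(f"{username}: {reason}")
```

Run against the sample, alice and svc_backup pass, bob is flagged as idle, guest and Administrator each get a default-account finding plus an unused or idle finding, and contractor_temp is flagged for deletion. Swap SAMPLE_EXPORT for a real export from your directory and keep the findings with the review record so the lifecycle decisions are auditable.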
Control How Accounts are Created and Managed
Organisations should have a clear process for creating, approving, managing, and removing user accounts. This helps ensure that access is granted in a controlled way, recorded properly, and reviewed when roles change. A good account management process should cover starters, movers, and leavers, so new users receive the right level of access, existing users have permissions updated when responsibilities change, and accounts are disabled or removed promptly when no longer needed.
This process should follow the principle of least privilege, meaning users should only be given the access, permissions, and account type they need to carry out their role, and nothing more. Restricting access in this way reduces the risk of accidental changes, misuse, and unauthorised access to systems or sensitive data.
Administrator accounts should be tightly controlled and only assigned where there is a genuine business need. These accounts should be documented, approved, and used only for administrative tasks, not for routine activities such as email or web browsing. The same approach should apply to third parties and support providers who are given privileged access to your systems. In most organisations, meeting this requirement will involve a combination of clear policy, regular review, and staff training.
Strong Unique Passwords
Passwords remain one of the main ways attackers try to gain access to systems and accounts. Reused, weak, or predictable passwords make this much easier. Cyber Essentials requires organisations to use passwords that are strong enough to resist common attacks and to avoid using the same password across multiple accounts.
Passwords must meet at least one of the following standards:
- at least 8 characters long with multi-factor authentication
- at least 12 characters long where the password is used on its own
- at least 8 characters long where the system automatically blocks common passwords using a deny list
Organisations should also have a clear process for changing passwords quickly if there is any suspicion that an account or password has been compromised.
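The three options above are easy to get wrong when translated into a password policy, so the added example below expresses them as a single check. It is not part of the Cyber Essentials documentation; the deny list is a short constructed one (a real list holds thousands of breached and common passwords), and the normalisation that strips trailing digits and punctuation before comparing against the list is an assumption about how to catch trivial variants such as Summer2024!.

```python
"""Check a password against the Cyber Essentials length options and a deny list.

Added example, not part of the Cyber Essentials documentation. The three
acceptable configurations are taken from the guidance; the deny list and
the normalisation rule are assumptions for illustration.
"""
import re

# Constructed deny list; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "summer", "companyname"}


def normalise(password):
    """Lower-case and drop trailing digits/punctuation so 'Summer2024!' matches 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def on_deny_list(password, deny_list):
    lowered = password.lower()
    return lowered in deny_list or normalise(lowered) in deny_list


def check_password(password, mfa_enabled=False, deny_list=None):
    """Return (accepted, reason).

    Accepts when any one of the three configurations is met:
      - 8+ characters and MFA is enabled on the account
      - 8+ characters and the system blocks common passwords with a deny list
      - 12+ characters when the password is used on its own
    No maximum length is enforced.
    """
    length = len(password)
    if deny_list is not None and on_deny_list(password, deny_list):
        return False, "matches a blocked common password"
    if mfa_enabled and length >= 8:
        return True, "8+ characters with MFA"
    if deny_list is not None and length >= 8:
        return True, "8+ characters with a deny list in force"
    if length >= 12:
        return True, "12+ characters used on its own"
    minimum = 8 if (mfa_enabled or deny_list is not None) else 12
    return False, f"too short: at least {minimum} characters required in this configuration"


if __name__ == "__main__":
    cases = [
        ("Summer2024!", False, COMMON_PASSWORDS),   # variant of a blocked word
        ("Summer2024!", False, None),               # 11 chars, no MFA, no deny list
        ("Summer2024!", True, None),                # 11 chars with MFA
        ("correct horse battery", False, None),     # long passphrase on its own
        ("Tr0ub4dor", False, COMMON_PASSWORDS),     # 9 chars, deny list in force
        ("short", True, None),                      # too short even with MFA
    ]
    for pw, mfa, deny in cases:
        print(pw, mfa, deny is not None, check_password(pw, mfa, deny))
```

Note that the first option accepts an 8-character password on its own strength plus MFA, so the MFA flag must reflect what is actually enforced on the account, not merely what the service offers; if MFA can be skipped, treat that account as falling under the 12-character rule.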
Turn on Multi Factor Authentication
Multi-factor authentication (MFA) adds an extra layer of security by requiring more than just a password. This might involve a code from an authenticator app, a hardware token, approval from a trusted device, or a one-time code sent to a registered account or phone number.
Cyber Essentials requires MFA on all cloud services. This is one of the most effective ways to reduce the risk of account compromise, even if a password has been guessed, stolen, or reused from another breach.