Danzell A7.11

Which technical controls are used to manage the quality of your passwords within your organisation?

Section A7: User Access Control  ·  Cyber Essentials Danzell

What this question is really asking

List the specific technical mechanisms that enforce your password policy — Active Directory password policy, Azure AD conditional access, MDM profile, or password manager enforcement. Policy documents are not sufficient on their own; there must be a technical control that prevents non-compliant passwords from being set.

What satisfies this requirement

A written response is required

Acceptable: MFA; min 12 chars no max; min 8 chars no max with automatic blocking of common passwords via deny list.

What to prepare before your assessor visit

Policy documents alone are explicitly insufficient — the standard requires technical enforcement. List the specific technical controls and be prepared to demonstrate them. If your written policy says '12 characters minimum' but your Active Directory password policy is actually configured to 8, the technical control is what an assessor will evaluate — and what will fail if it doesn't match.
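As a preparation aid, the sketch below is an added example (not part of the original guidance or any official tooling) that checks each system's enforced settings against the acceptable options listed above and against the minimum length stated in the written policy. The `PasswordControl` field names and the sample systems are hypothetical and constructed for illustration; populate them from what each system actually reports.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordControl:
    # Hypothetical record of what one system technically enforces.
    system: str
    min_length: int
    max_length: Optional[int]  # None means no maximum length is enforced
    deny_list: bool            # common passwords are blocked automatically
    mfa: bool


def acceptable_basis(c: PasswordControl) -> Optional[str]:
    """Return which acceptable option the control meets, or None."""
    if c.mfa:
        return "MFA"
    if c.max_length is not None:
        return None  # both length-based options require no maximum
    if c.min_length >= 12:
        return "min 12 chars, no max"
    if c.min_length >= 8 and c.deny_list:
        return "min 8 chars, no max, deny list"
    return None


def audit(controls: List[PasswordControl], documented_min: int) -> List[Tuple[str, str]]:
    """List (system, finding) pairs an assessor would be likely to raise."""
    findings = []
    for c in controls:
        if acceptable_basis(c) is None:
            findings.append((c.system, "no acceptable option met"))
        if c.min_length < documented_min:
            findings.append(
                (c.system, f"enforces {c.min_length}, policy says {documented_min}")
            )
    return findings


# Constructed sample data: four imaginary systems, written policy says 12.
SAMPLE = [
    PasswordControl("directory", 8, None, False, False),
    PasswordControl("cloud-idp", 8, None, True, False),
    PasswordControl("mdm", 12, None, False, False),
    PasswordControl("legacy-app", 12, 16, False, False),
]

if __name__ == "__main__":
    for system, finding in audit(SAMPLE, documented_min=12):
        print(f"{system}: {finding}")
```
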

How this question sits across CE versions

Danzell (you are here): Which technical controls are used to manage the quality of your passwords within your organisation?
Montpellier (minor): Which technical controls are used to manage the quality of your passwords within your organisation?
Willow: Which technical controls are used to manage the quality of your passwords within your organisation?
