Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?
What this question is really asking
Confirm that all cloud services used by your organisation offer MFA as a feature. Services that do not support MFA at all are problematic — you may need alternatives or compensating controls. Most major cloud platforms support MFA; if one does not, flag this to your assessor proactively.
What satisfies this requirement
Yes or NoCloud service definition: on-demand, scalable, hosted on shared infrastructure, accessible via internet, accessed via account, stores or processes data for the organisation. Where MFA is available, it must be enabled for all users and admins.
What to prepare before your assessor visit
If any cloud service in your A2.9 list does not support MFA at all, that is a significant problem — one that cannot simply be resolved by excluding the service from scope, since the service is already listed as in use. Identify any services that don't offer MFA before the assessment and either find alternatives or document them for A7.15. Discovering this gap during assessment is a poor situation.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.