Has MFA been applied to all administrators of your cloud services, excluding any listed in A7.15 that do not provide it?
What this question is really asking
This is an auto-fail question. MFA must be enabled for all administrator accounts on all cloud services — no exceptions unless the service is listed in A7.15. Cloud admin accounts without MFA are among the most common paths for cloud-based ransomware and data breach incidents. Enable MFA on every cloud admin account before your assessment.
What satisfies this requirement
Yes or NoAll cloud service admin accounts must use MFA with a password of at least 8 characters. AUTOMATIC FAIL if answer is No.
What to prepare before your assessor visit
This is an auto-fail. Before your assessment, log into every cloud admin console and confirm MFA is enrolled and active for every account with administrator access. 'Break-glass' emergency admin accounts are still admin accounts and require MFA — there are no exceptions. Assessors have seen organisations with MFA enabled for regular admins but emergency accounts left without it. Every single admin account must be enrolled.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.