Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?
What this question is really asking
Confirm that a formal process governs who receives administrator-level access. This must be documented — a named approver, a defined business justification, and a record of the granting. Admin access granted informally — for example, IT support granting it as a favour — is a significant control failure.
What satisfies this requirement
Yes or No — if Yes, a written description is also required. Process must include approval by owner/director/trustee/partner.
What to prepare before your assessor visit
The approval process for administrator access needs an approver who is not the same person as the one receiving the access. In small IT teams, the same individual sometimes both requests and approves their own elevated rights — this is a control failure. The approver should be a manager, a senior stakeholder, or someone outside the IT function where possible.