How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?
What this question is really asking
Confirm that administrator accounts are not used for ordinary activities like email, browsing, or document editing. Running day-to-day work with admin privileges means that any malware running in the session has full system access. This is a fundamental security hygiene requirement with no acceptable exceptions.
What satisfies this requirement
A written response is required. Admin accounts must not be used for web browsing or email. Policy, procedure, and training are acceptable as evidence.
What to prepare before your assessor visit
Assessors may ask for evidence that admin accounts are not used for ordinary activities — login history or session logs can demonstrate this. The technical risk being addressed here is that malware running in an administrative session has full system access. Even if your administrators are completely trusted, the technical control exists to limit the blast radius when an account is compromised.
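As an added illustration (not part of this guidance or any assessor tooling), the following Python check scans constructed process-launch log lines and reports any administrative account that started a browser or mail client; the log format, account names and process list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format, not from any specific product):
#   <timestamp> user=<DOMAIN\account> proc=<executable>
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=CORP\\alice proc=outlook.exe
2024-03-04T09:03:45Z user=CORP\\adm-alice proc=chrome.exe
2024-03-04T09:05:02Z user=CORP\\adm-alice proc=mmc.exe
2024-03-04T09:10:30Z user=CORP\\bob proc=firefox.exe
2024-03-04T09:12:00Z user=CORP\\adm-bob proc=outlook.exe
2024-03-04T09:15:21Z user=CORP\\adm-bob proc=powershell.exe
"""

# Constructed: accounts that hold administrative rights (compared case-insensitively,
# as Windows account names are).
ADMIN_ACCOUNTS = {"CORP\\adm-alice", "CORP\\adm-bob"}

# Executables that indicate everyday use: browsing, email, document editing.
EVERYDAY_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe",
                      "outlook.exe", "winword.exe", "excel.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+proc=(?P<proc>\S+)$")


def parse_log(text):
    """Yield (timestamp, user, process) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("proc").lower()


def find_admin_everyday_use(text, admin_accounts=ADMIN_ACCOUNTS,
                            everyday=EVERYDAY_PROCESSES):
    """Return {admin_account: [(timestamp, process), ...]} for every everyday
    process launched from an administrative account. An empty dict means the
    log shows no policy breach."""
    admins = {a.lower() for a in admin_accounts}
    findings = defaultdict(list)
    for ts, user, proc in parse_log(text):
        if user.lower() in admins and proc in everyday:
            findings[user].append((ts, proc))
    return dict(findings)


if __name__ == "__main__":
    for account, events in find_admin_everyday_use(SAMPLE_LOG).items():
        for ts, proc in events:
            print(f"{ts} admin account {account} launched {proc}")
```

Administrative tools such as mmc.exe and powershell.exe are deliberately not flagged, since those are the tasks admin accounts exist for.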
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.