Danzell A7.9

Do you review who should have administrative access on a regular basis?

Section A7: User Access Control  ·  Cyber Essentials Danzell

What this question is really asking

Confirm that admin access is reviewed on a regular basis. The standard does not specify a frequency, but quarterly is considered good practice and annual is the minimum assessors will accept. The review should produce documented actions, not merely a confirmation that everything looks correct.

What satisfies this requirement

Yes or No

Regular review required. Users no longer needing admin access must have it removed.


What to prepare before your assessor visit

Quarterly reviews are best practice; annual is the minimum assessors will accept. Whatever frequency you choose, the review must produce a documented output. A dated record listing accounts reviewed, any changes made, and the name of the reviewer is what assessors prefer to see. 'We reviewed and everything looked fine' is better than nothing, but a documented output is what creates confidence.

How this question sits across CE versions

Danzell (this page): Do you review who should have administrative access on a regular basis?
Montpellier: Do you review who should have administrative access on a regular basis?
Willow: Do you review who should have administrative access on a regular basis?
