Montpellier A7.10

Describe how you protect accounts from brute-force password guessing in your organisation.

Section A7: User Access Control  ·  Cyber Essentials Montpellier

Danzell raised the minimum password length for technically-enforced systems to 12 characters, up from 8 in Montpellier and Willow.

What this question is really asking

Describe your password policy — minimum length, complexity requirements, and how the policy is technically enforced. Assessors will ask how the policy is implemented in systems such as Active Directory password policy, Azure AD, or MDM profiles — a written policy document alone is not sufficient evidence.

What satisfies this requirement

A written response is required

Account lockout, throttling, or MFA acceptable. See Password-based authentication section of Requirements document.

Check how you answer this in the CE Explorer
Free tool — all 288 questions mapped across every CE version.
Open CE Explorer

What to prepare before your assessor visit

The minimum password length increased in Danzell — if you set your Active Directory password policy to the Willow minimum and haven't reviewed it since, check it now. More importantly, be prepared to show the actual configured policy in your directory, not just describe it. Screenshots of your AD or Azure AD password policy settings are the expected form of evidence.

How this question sits across CE versions

Montpellier You are here
Describe how you protect accounts from brute-force password guessing in your organisation.
Willow evolved View →
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?
Danzell View →
Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

Related policy templates

Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.

Access Control Policy
Governs how user and administrator accounts are created, maintained, reviewed, and remove…
Password Policy
Specifies password length, complexity, and management requirements for all accounts.
← Previous
A7.9
Do you review who should have administrative access on a regular basi…
Next →
A7.11
Which technical controls are used to manage the quality of your passw…

Does your organisation meet this requirement?

Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.

Check my readiness → Explore all questions first