Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?
Section A7: User Access Control · Cyber Essentials Montpellier
What this question is really asking
Confirm that all cloud services used by your organisation offer MFA as a feature. Services that do not support MFA at all are problematic — you may need alternatives or compensating controls. Most major cloud platforms support MFA; if one does not, flag this to your assessor proactively.
What satisfies this requirement
Yes or No. Where MFA is available (text, OTP, auth app), it must be enabled for all users and admins. Cloud-to-cloud MFA via Azure/M365/Google Workspace is acceptable.
What to prepare before your assessor visit
If any cloud service in your A2.9 list does not support MFA at all, that is a significant problem, and one that cannot simply be resolved by excluding the service from scope, since the service is already listed as in use. Identify any services that don't offer MFA before the assessment and either find alternatives or document them for A7.15. Discovering this gap during the assessment itself leaves you in a poor position.