How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?
Section A7: User Access Control · Cyber Essentials Montpellier
What this question is really asking
Describe how you ensure accounts are removed or disabled when staff leave. The process should have a defined timeline — immediate on the day of departure is the standard. Relying on IT being notified informally is insufficient — integrate this with HR offboarding, a joiner-mover-leaver process, or equivalent.
What satisfies this requirement
A written response is required.
Must have a process to revoke access when staff leave.
What to prepare before your assessor visit
Same-day account suspension on departure is the standard that assessors prefer, particularly for privileged users. A process that works reliably 95% of the time will still leave active accounts for 5% of leavers — assessors know this and will probe the reliability of the process. Integrating account suspension with HR offboarding workflows is the expected approach for anything above a small team.
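One way to evidence the reliability of a leaver process is to reconcile the HR leaver list against an account export on a schedule. The sketch below is an added example, not part of the original guidance; the CSV column names, the sample records and the `reconcile` function are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver export and a directory account export.
HR_LEAVERS_CSV = """employee_id,leave_date
E100,2024-05-01
E101,2024-05-10
E102,2024-05-14
E103,2024-05-20
"""
ACCOUNTS_CSV = """username,employee_id,enabled,privileged,disabled_on
asmith,E100,false,false,2024-05-01
asmith-adm,E100,true,true,
bjones,E101,false,false,2024-05-13
cwhite,E102,true,false,
dgreen,E103,true,false,
"""
SAMPLE_TODAY = date(2024, 5, 15)  # constructed "run date" for the sample data

def reconcile(hr_csv, accounts_csv, today):
    """Return (still_enabled, late_disabled, same_day_rate) for staff who have left by `today`."""
    leavers = {r["employee_id"]: date.fromisoformat(r["leave_date"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    still_enabled, late, on_time, total = [], [], 0, 0
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        left = leavers.get(acct["employee_id"])
        if left is None or left > today:
            continue  # not a leaver, or the leave date is still in the future
        total += 1
        if acct["enabled"].lower() == "true":
            # Active account for someone who has left: the finding assessors look for.
            still_enabled.append((acct["username"],
                                  acct["privileged"].lower() == "true",
                                  (today - left).days))
        elif not acct["disabled_on"]:
            late.append((acct["username"], None))  # disabled, but no date to evidence when
        elif date.fromisoformat(acct["disabled_on"]) > left:
            late.append((acct["username"],
                         (date.fromisoformat(acct["disabled_on"]) - left).days))
        else:
            on_time += 1
    # Privileged accounts first, then the longest-outstanding ones.
    still_enabled.sort(key=lambda a: (not a[1], -a[2]))
    return still_enabled, late, (on_time / total if total else 1.0)

if __name__ == "__main__":
    enabled, late, rate = reconcile(HR_LEAVERS_CSV, ACCOUNTS_CSV, SAMPLE_TODAY)
    print("Still enabled:", enabled)
    print("Disabled late:", late)
    print(f"Same-day rate: {rate:.0%}")
```

Accounts with no matching HR record, such as service or shared accounts, are skipped by this check and need a separate review.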