Montpellier A7.6

How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

Section A7: User Access Control  ·  Cyber Essentials Montpellier

What this question is really asking

Describe how your organisation ensures administrators use a separate account for administrative tasks versus their everyday work. Standard practice is for each admin to have a regular user account for email and browsing, and a separate privileged account for admin tasks. Using a single account for both purposes is a common finding in smaller organisations.

What satisfies this requirement

A written response is required

Administrative tasks must be carried out with an account that is separate from the standard user account. Administration of cloud services must also use separate accounts.


What to prepare before your assessor visit

The separation between admin and standard user accounts needs to be consistent in practice, not just on paper. A very common pitfall is an IT manager who technically has a separate admin account but uses their regular account for admin tasks 90% of the time because it's more convenient. If the separation exists nominally but not in practice, it will not withstand scrutiny.

How this question sits across CE versions

Montpellier (this version)
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

Willow
How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

Danzell minor
How does your organisation make sure that separate accounts are used to carry out administrative tasks?
