Do you formally track which users have administrator accounts in your organisation?
Section A7: User Access Control · Cyber Essentials Montpellier
What this question is really asking
Confirm that you maintain a formal register of which users hold administrator accounts. This should be actively maintained — not just a snapshot of what is currently in Active Directory. Admin rights are commonly forgotten when someone changes role. A quarterly review against actual group membership is good practice.
What satisfies this requirement
Yes or No. Must track all people granted administrator accounts.
What to prepare before your assessor visit
The register needs to accurately reflect current reality — not what you believe is in Active Directory, but what actually is. Run a report from your directory or identity platform and cross-check it against the register before the assessment. Ghost admin accounts — accounts with elevated rights not reflected on any register — are a very common finding and can fail this question on their own.
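The cross-check described above can be scripted. The following is an added example, not part of the original guidance: it compares a register export with a privileged-group export and reports ghost admin accounts, register entries with no matching rights, and entries overdue for the quarterly review. The CSV column names, account names and the 92-day interval are assumptions chosen for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: column names and accounts are assumptions for illustration.
REGISTER_CSV = """account,owner,approved_by,last_reviewed
adm-jsmith,J Smith,IT Manager,2025-01-10
adm-apatel,A Patel,IT Manager,2024-06-02
adm-lchen,L Chen,IT Manager,2025-01-10
"""

DIRECTORY_CSV = """account,group
ADM-JSmith,Domain Admins
adm-apatel,Domain Admins
adm-apatel,Enterprise Admins
svc-backup,Domain Admins
"""

REVIEW_INTERVAL = timedelta(days=92)  # roughly one quarter (assumed threshold)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_csv, directory_csv, today):
    """Compare the admin register with a privileged-group export."""
    register = {r["account"].strip().lower(): r for r in _rows(register_csv)}
    actual = {}
    for row in _rows(directory_csv):
        # Account names are compared case-insensitively.
        actual.setdefault(row["account"].strip().lower(), set()).add(row["group"].strip())

    return {
        # Elevated rights in the directory with no register entry.
        "ghost": {a: sorted(g) for a, g in actual.items() if a not in register},
        # Register entries with no matching privileged membership.
        "stale": sorted(a for a in register if a not in actual),
        # Register entries not reviewed within the interval.
        "overdue": sorted(
            a for a, r in register.items()
            if today - date.fromisoformat(r["last_reviewed"]) > REVIEW_INTERVAL
        ),
    }


if __name__ == "__main__":
    for finding, items in reconcile(REGISTER_CSV, DIRECTORY_CSV, date(2025, 3, 1)).items():
        print(finding, items)
```

Replace the two constructed strings with the real register export and the group-membership report from your directory or identity platform; any non-empty "ghost" or "stale" result should be resolved before the assessment.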