Are your users only provided with user accounts after a process has been followed to approve their creation?
What this question is really asking
Confirm that all user accounts are created through an approval process — not ad-hoc. This should include a named approver, a defined scope of access, and a documented record. Assessors look for evidence of a process, not just confirmation it exists — an audit trail of approvals is the expected standard.
What satisfies this requirement
Yes or No — if Yes, a written description is also requiredUser accounts must only be created after approval by a leadership role.
What to prepare before your assessor visit
Assessors want evidence that the approval process actually runs — not just that it exists on paper. An audit trail of provisioning requests, access request tickets, or approval records is the expected evidence. If your directory shows accounts created directly without any corresponding approval record, that is a gap that will be flagged. The process must leave a traceable trail.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.