Please explain how you encourage people to use unique and strong passwords.
What this question is really asking
Describe how you actively promote strong password usage among staff. This should go beyond a policy document — providing a password manager, blocking common passwords using wordlists such as the NCSC's, and running awareness training are all expected. Assessors look for active encouragement, not passive policy.
What satisfies this requirement
A written response is required. Must support users in choosing strong passwords. Guidance includes: avoid common passwords; use three random words; provide password manager; do NOT enforce regular expiry; do NOT enforce complexity requirements.
What to prepare before your assessor visit
'We have a password policy document' is not what this question is asking for. Assessors want to see evidence of active encouragement: a password manager provided to staff, training records that reference password strength, and technical controls like blocking common passwords. The NCSC provides a common passwords wordlist that can be integrated with Active Directory — it takes an afternoon to implement and is a concrete demonstration of effort.
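One way to implement the common-password block described above, shown as an added example rather than code from this page or from the NCSC. The deny list is a small constructed sample standing in for a published wordlist, and `MIN_LENGTH`, the normalisation rules and the function names are assumptions.

```python
import re

# Constructed sample entries; in production load a published common-password
# wordlist (one entry per line) into this set instead.
SAMPLE_DENY_LIST = {"password", "qwerty", "letmein", "123456", "liverpool"}

MIN_LENGTH = 8  # assumption for this example, not a figure from the page

# Common character swaps undone before comparison (assumed mapping).
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalised_forms(password):
    """Return the variants of a password that are compared to the deny list."""
    base = password.casefold()
    # Drop the digits and punctuation people append: "Password2024!" -> "password"
    stem = re.sub(r"[\W\d_]+$", "", base)
    forms = {base, stem, base.translate(_SWAPS), stem.translate(_SWAPS)}
    forms.discard("")
    return forms


def check_password(password, deny_list=SAMPLE_DENY_LIST, min_length=MIN_LENGTH):
    """Return (accepted, reasons). No complexity or character-class rules apply."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalised_forms(password) & set(deny_list):
        reasons.append("based on a commonly used password")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Password2024", "qwerty", "lampotterbicycle"]:
        print(candidate, check_password(candidate))
```

A passphrase of three random words passes without any capitals, digits or symbols, while a deny-listed word dressed up to satisfy a complexity rule is still rejected.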