Are all your user and administrative accounts accessed by entering unique credentials?
What this question is really asking
Confirm that every account — user and administrator — is accessed using unique credentials rather than shared logins. Shared accounts make audit trails meaningless and create password management risks. If you have any shared accounts for any reason, this is likely to be a fail.
What satisfies this requirement
Yes or No
No devices, applications, or cloud services may be accessed without unique access credentials. Accounts must not be shared.
What to prepare before your assessor visit
Service accounts and automation tasks are where shared credentials most commonly persist — a service account with a shared password known to three IT staff members is a very common finding. Audit your directory for accounts that multiple people have access to, and for automation passwords embedded in scripts, scheduled tasks, or job schedulers. These are often the most overlooked accounts.
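The following added example (not part of the original guidance) flags passwords written directly into automation scripts and scheduled tasks that run with a stored password. It assumes task definitions exported as Windows Task Scheduler XML; the rule list, function names, and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic rules (illustrative, not exhaustive) for credentials embedded in scripts.
RULES = [
    ("quoted literal assigned to a password variable",
     re.compile(r"(?i)(password|passwd|pwd)\w*\s*[:=]\s*[\"'][^\"'$]+[\"']")),
    ("ConvertTo-SecureString from plaintext",
     re.compile(r"(?i)ConvertTo-SecureString\s+[\"'][^\"']+[\"']\s+-AsPlainText")),
]

def scan_script(text):
    """Return (line_number, rule_name) per hit; the secret itself is never echoed."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((num, name))
                break  # one finding per line is enough for review
    return hits

def tasks_with_stored_password(task_xml):
    """Return accounts whose scheduled task runs with a stored password."""
    accounts = []
    for principal in ET.fromstring(task_xml).findall("t:Principals/t:Principal", TASK_NS):
        if principal.findtext("t:LogonType", default="", namespaces=TASK_NS) == "Password":
            accounts.append(principal.findtext("t:UserId", default="?", namespaces=TASK_NS))
    return accounts

# Constructed sample inputs: a backup script and an exported task definition.
SAMPLE_SCRIPT = r"""$user = "EXAMPLE\svc-backup"
$password = "ConstructedPass1"
$secure = ConvertTo-SecureString "ConstructedPass1" -AsPlainText -Force
$prompted = Read-Host -AsSecureString
"""
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE\svc-backup</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
</Task>"""

if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
    print(tasks_with_stored_password(SAMPLE_TASK))
```

Each account it reports is a candidate for review: confirm who knows the password and whether the account can be replaced with one that needs no shared secret.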