Willow A7.4

Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?

Section A7: User Access Control  ·  Cyber Essentials Willow

Danzell extended this to explicitly include cloud service permissions — AWS IAM roles, Google Workspace admin rights, and equivalent cloud access rights must be governed by the same least-privilege principle.

What this question is really asking

Confirm that users only have the access rights needed to do their current role — the principle of least privilege. Assessors look for a defined process for granting, reviewing, and revoking access. Common failures include users retaining access from previous roles, over-privileged default setups, and no regular access review.

What satisfies this requirement

Yes or No — if Yes, a written description is also required

The least privilege principle must be applied, and privileges must be updated whenever staff change roles.

What to prepare before your assessor visit

Access reviews are often the least developed process in smaller organisations. Having a process for granting access is common; having a process for reviewing and revoking access when it is no longer needed is far less common. Assessors will ask specifically about your access review cycle — what triggers a review, who conducts it, what the output looks like, and what happens with the results.

How this question sits across CE versions

Willow (this version): Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?
Montpellier (evolved wording): Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?
Danzell: Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?
