Cyber Essentials Plus User Access Control Requirement

Let's take a look at the user access technical control required to pass Cyber Essentials Plus

Written by: David Henderson on Jan 03, 2023

Cyber Essentials Plus is a UK Government backed scheme helping organisations level up their cyber security and protect themselves from the most common types of cyber attack.

As part of the certification process, organisations are required to implement robust user access control measures to help safeguard sensitive information from those who are seeking to exploit it.

In this article, we look at the importance of user access control and what is required to pass Cyber Essentials Plus.

What Is User Access Control?

User access control is the process of managing and controlling user privileges and permissions within an organisation's systems, networks, and devices. The objective of doing this effectively is to ensure that only authorised individuals have access to specific apps or data based on their role within their organisation.

For example, in the unfortunate event that a device or user account becomes compromised, user access control helps limit what information the bad actor has access to. If that user or device had privileges that unnecessarily provided admin access to all files and systems, the level of compromise would be significantly greater. This control drastically reduces that risk by ensuring that only those who need access to certain systems or files have it, meaning that if an account is compromised, the breach can be somewhat contained.

Cyber Essentials Plus Requirement for User Access Control

As a key control under the Cyber Essentials Plus assessment, you must have adequate user access controls in place across your user accounts and devices. The scope of this requirement spans email, web and application servers, desktop computers, laptop computers, tablets, and mobile phones.

Every active user account in your company makes it easier to access hardware, software, and confidential company data. You can lower the risk of information being stolen or damaged by making sure that only approved people have user accounts and that they are given only the amount of access necessary to carry out their roles.

To meet the user access control requirement for Cyber Essentials Plus, you must:

  • Have a user account creation and approval process
  • Authenticate users before granting access to applications or devices, using unique credentials (see the Password-based authentication section of Cyber Essentials: Requirements for IT infrastructure)
  • Remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
  • Implement two-factor authentication, where available
  • Use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
  • Remove or disable special access privileges when no longer required (when a member of staff changes role, for example)
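The six points above are what an assessor checks against, so it helps to be able to run the same checks yourself before the audit. The script below is an added example, not part of this article or of the Cyber Essentials scheme: it audits a small, constructed account inventory for each point (no approval record, leavers, inactivity, missing two-factor authentication, admin accounts with a mailbox, and privileges that do not match the user's current role). The 90-day inactivity threshold and the role-to-privilege map are assumptions for illustration; the scheme only says "a defined period" and leaves the role mapping to you.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values. Cyber Essentials only requires "a defined period" of
# inactivity, so 90 days is an illustrative threshold, not a scheme figure.
INACTIVITY_DAYS = 90
AS_OF = date(2023, 1, 3)  # constructed audit date for the sample inventory

# Constructed role-to-privilege map: the special privileges each role may hold.
ROLE_PRIVILEGES = {
    "finance": {"finance-app"},
    "sales": {"crm"},
    "it-admin": {"domain-admin", "finance-app", "crm"},
}


@dataclass
class Account:
    username: str
    role: str
    approved: bool             # account has a recorded creation/approval
    employed: bool             # user is still with the organisation
    mfa_enabled: bool
    mailbox_enabled: bool      # account can send and receive email
    last_logon: Optional[date]  # None means the account has never logged on
    privileges: set = field(default_factory=set)

    @property
    def is_admin(self) -> bool:
        return "domain-admin" in self.privileges


def audit_accounts(accounts, today, inactivity_days=INACTIVITY_DAYS):
    """Return (username, finding) pairs for every account that breaches one of
    the user access control points. An account may produce several findings."""
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for a in accounts:
        # 1. Account creation and approval process
        if not a.approved:
            findings.append((a.username, "no creation/approval record"))
        # 3. Remove or disable accounts when no longer required
        if not a.employed:
            findings.append((a.username, "user has left: disable account"))
        elif a.last_logon is None or a.last_logon < cutoff:
            findings.append((a.username,
                             f"inactive for over {inactivity_days} days: disable account"))
        # 4. Two-factor authentication where available
        if not a.mfa_enabled:
            findings.append((a.username, "two-factor authentication not enabled"))
        # 5. Admin accounts for administrative activity only
        if a.is_admin and a.mailbox_enabled:
            findings.append((a.username,
                             "admin account has a mailbox: use a separate standard account for email and web"))
        # 6. Remove special privileges the current role does not need
        excess = a.privileges - ROLE_PRIVILEGES.get(a.role, set())
        if excess:
            findings.append((a.username,
                             f"privileges not needed for role '{a.role}': {sorted(excess)}"))
    return findings


def sample_inventory():
    """Constructed accounts, one clean and five each breaching a point."""
    d = lambda days: AS_OF - timedelta(days=days)
    return [
        Account("alice", "finance", True, True, True, True, d(5), {"finance-app"}),
        # domain admin who also reads email on the admin account
        Account("bob", "it-admin", True, True, True, True, d(1), {"domain-admin"}),
        # leaver whose account was never disabled
        Account("carol", "sales", True, False, True, True, d(200), {"crm"}),
        # dormant account with no second factor
        Account("dave", "sales", True, True, False, True, d(120), {"crm"}),
        # created outside the approval process and never used
        Account("erin", "finance", False, True, True, True, None, {"finance-app"}),
        # moved from it-admin to finance but kept domain-admin
        Account("frank", "finance", True, True, True, False, d(2),
                {"finance-app", "domain-admin"}),
    ]


if __name__ == "__main__":
    for user, finding in audit_accounts(sample_inventory(), AS_OF):
        print(f"{user:8} {finding}")
```

In practice the inventory would be exported from the directory or identity provider rather than constructed, and the findings list becomes the evidence that accounts were reviewed and disabled before the assessment.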
