What Cyber Essentials Requires for Identity
Cyber Essentials defines five technical controls, in the order the requirements document lists them: firewalls, secure configuration, security update management (patching), user access control, and malware protection. Identity sits primarily under the fourth, User Access Control, though authentication requirements cut across several areas.
Requirement 4: User Access Control
The requirement covers four distinct obligations that organisations must meet:
- Minimum privilege. User accounts must only have access to what they need for their role. The assessment asks whether standard user accounts are restricted from accessing data and systems beyond their job function.
- Removing unnecessary accounts. Accounts for leavers and for applications no longer in use must be removed or disabled. This includes service accounts that are no longer active.
- Limiting and controlling admin access. Administrative access must be restricted to named individuals who need it for their role. The use of shared admin accounts fails this requirement on its own.
- Separating admin accounts from standard user accounts. Where someone holds both a standard user account and an admin account, those must be separate accounts. Using a single account for both day-to-day work and administrative tasks does not meet the requirement.
Authentication Controls
The Cyber Essentials technical specification sets minimum requirements for password-based authentication. Passwords must be at least 8 characters with no maximum length; where MFA is not in use, the minimum rises to 12 characters, or stays at 8 if a deny list automatically blocks common passwords. Complexity rules are not to be enforced, because they push users toward predictable patterns, and there is no scheduled expiry: passwords change only on known or suspected compromise. Brute-force protection is also required, either by throttling guesses to no more than 10 in 5 minutes or by locking the account after no more than 10 failed attempts.
Multi-factor authentication for cloud services was introduced in the January 2022 (Evendine) update to the scheme, initially for administrator accounts, with a grace period for all other users that ended in January 2023. Since then MFA has been mandatory for every user of any cloud service that holds or processes data in scope: Microsoft 365, Google Workspace, Salesforce, cloud-hosted HR systems, and similar. Before Evendine the scheme only recommended MFA where it was available, so organisations whose last assessment predates 2022 should expect this to be a new obligation rather than a tightened one.
The Cyber Essentials Plus Difference
The basic Cyber Essentials certification is a self-assessment questionnaire; an assessor at a certification body reviews the answers for completeness and consistency but does not independently test your environment. Cyber Essentials Plus adds verified technical testing: an assessor checks, on a sample of devices and accounts, that what you claimed is actually in place. The Plus assessment must be completed within three months of the basic certification, so both are assessed against the same scope.
What the Plus Assessment Actually Tests
For identity and access control, the Plus assessment includes:
- A sample of user accounts checked against the access control requirements — the assessor selects accounts, not you
- Verification that admin accounts are separate from standard user accounts in Active Directory or your directory service
- Confirmation that MFA is enforced (not just offered) on cloud services — the assessor will attempt to authenticate without MFA to confirm enforcement
- A check that accounts for leavers in the testing window have been disabled or removed
- Review of whether local administrator rights are present on end-user workstations
Common Failures After Passing the Basic Assessment
The gap between a passed self-assessment and a failed Plus assessment is almost always one of three things. First, the self-assessment described intended or partial practice — MFA was enabled for some cloud services but not enforced for all. Second, admin accounts existed on paper as separate accounts, but the named individuals were still logging into workstations with admin privileges for routine tasks. Third, the accounts review found leavers whose accounts had not been removed within the assessment window, despite an offboarding process that nominally covered this.
The Plus assessment exposes the difference between documented policy and operational reality. Organisations that maintain the controls continuously rather than preparing specifically for assessment pass more reliably.
Public Sector Specific Obligations
Central Government
Central government departments and their arm's length bodies are required to hold Cyber Essentials certification. This requirement is set by the Government Cyber Security Strategy and is a condition of receiving certain categories of government grant funding. For departments subject to the Government Functional Standard GovS 007, Cyber Essentials is the minimum baseline for technical security controls.
NHS and DSPT Alignment
The NHS Data Security and Protection Toolkit (DSPT) incorporates Cyber Essentials requirements as part of its mandatory annual self-assessment. NHS organisations — trusts, ICBs, primary care networks, and GP practices — must demonstrate compliance with the identity and access control requirements as part of their DSPT submission. The DSPT goes further than Cyber Essentials in some areas, including requirements for role-based access controls and user account reviews, but Cyber Essentials certification satisfies the corresponding DSPT criteria where the two overlap.
Local Authorities and Councils
Local authorities are not under a statutory obligation to hold Cyber Essentials in the way that central government departments are, but the Local Government Cyber Assessment Framework (CAF) references Cyber Essentials as the recommended baseline. Many councils have adopted Cyber Essentials certification as a condition of their cyber insurance, or as a requirement imposed by their Section 151 officer following a cyber incident elsewhere in the sector.
Procurement Implications
Since 2014, central government contract requirements have included Cyber Essentials certification for contracts involving handling of personal data or providing certain ICT products and services. The scope of this requirement has expanded over time. Suppliers to NHS trusts increasingly encounter Cyber Essentials as a pre-qualification requirement. Suppliers to local authorities face the same requirement in procurements where the authority has adopted it as a supply chain standard. Holding certification, and being able to demonstrate the underlying controls, is a commercial as well as a compliance requirement for organisations in the public sector supply chain.
The Most Common Identity-Related Failure Points
Across Cyber Essentials Plus assessments, the identity failures cluster around five patterns. None of them are obscure. Most are straightforward to address once they are identified.
1. Shared Admin Accounts
Using a shared administrator account — one login used by multiple people — fails the requirement for individual accountability and traceability. This is common in smaller organisations where "IT admin" is treated as a role rather than an individual identity. The assessor will check whether admin accounts map to named individuals.
2. Local Admin Rights on Workstations
Standard users with local administrator rights on their own workstations is one of the most frequent failures. This is often inherited from a previous IT management approach, or granted to allow software installation, and never revoked. It is a direct violation of the minimum privilege requirement and is straightforward to verify.
3. Cloud Applications Without Enforced MFA
Since MFA became mandatory for all users of in-scope cloud services (January 2023), this is consistently among the top failure reasons. Organisations that had MFA available but not enforced, relying on users to opt in, found themselves non-compliant. The requirement is for MFA to be enforced through policy, not offered as an option. Conditional Access policies in Microsoft Entra ID (formerly Azure AD), Security Defaults in tenants that do not license Conditional Access, or equivalent controls in other identity platforms are the standard mechanism. A Conditional Access policy left in report-only mode, or one that excludes a broad group of users, does not enforce anything.
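The check below is an added example written for this page, not code from the original text or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgIdentityConditionalAccessPolicy) to list every Conditional Access policy and report whether at least one enabled policy actually requires MFA for all users on all cloud apps, which is the difference between MFA being registered and MFA being enforced. It assumes the caller can consent to the Policy.Read.All scope, and the "all users, all apps" baseline is an assumption about what a minimal enforced policy looks like; tenants that segment policies per application need to read the table rather than rely on the final warning.

```powershell
# Added example, not from the original page: audit Entra ID Conditional Access
# policies for *enforced* MFA. Requires the Microsoft.Graph PowerShell SDK and
# an account that can consent to Policy.Read.All (assumption).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $grant = $p.GrantControls
    # MFA can be required either via the legacy "mfa" built-in control or via an
    # authentication strength; either counts as requiring MFA.
    $requiresMfa = ($grant.BuiltInControls -contains "mfa") -or
                   (-not [string]::IsNullOrEmpty($grant.AuthenticationStrength.Id))
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        RequiresMfa    = $requiresMfa
        AllUsers       = ($p.Conditions.Users.IncludeUsers -contains "All")
        AllApps        = ($p.Conditions.Applications.IncludeApplications -contains "All")
        ExcludedUsers  = ($p.Conditions.Users.ExcludeUsers -join ";")
        ExcludedGroups = ($p.Conditions.Users.ExcludeGroups -join ";")
        ExcludedRoles  = ($p.Conditions.Users.ExcludeRoles -join ";")
    }
}

$report | Sort-Object State, Policy | Format-Table -AutoSize

# A report-only ("enabledForReportingButNotEnforced") or disabled policy enforces
# nothing, however well it is written. The baseline the assessor looks for is at
# least one *enabled* policy that requires MFA for all users on all cloud apps.
$baseline = $report | Where-Object {
    $_.State -eq "enabled" -and $_.RequiresMfa -and $_.AllUsers -and $_.AllApps
}

if (-not $baseline) {
    Write-Warning "No enabled Conditional Access policy requires MFA for all users on all cloud apps."
}

# Exclusions are the usual gap: every excluded user, group or role on the
# baseline policy is an account that can sign in with a password alone.
$baseline | Where-Object { $_.ExcludedUsers -or $_.ExcludedGroups -or $_.ExcludedRoles } |
    Format-List Policy, ExcludedUsers, ExcludedGroups, ExcludedRoles
```

A small number of excluded break-glass accounts is normal practice, but they should still have phishing-resistant MFA registered and their sign-ins alerted on, and the assessor will ask about them. Tenants that rely on Security Defaults instead have no Conditional Access policies at all; there the equivalent check is whether security defaults are enabled (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy). Neither check replaces observing a real sign-in to each in-scope service, which is what the Plus assessor does.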
4. Service Accounts With Excessive Privilege
Service accounts created for application integrations are frequently granted domain admin rights because it was simpler at the time of implementation. These accounts rarely have passwords that rotate, cannot use MFA, and hold privileges far exceeding what the application requires. Where the application supports it, a group Managed Service Account (gMSA) removes the static password entirely and limits which hosts can retrieve the credential; where it does not, the account should hold only the rights the integration needs, with a long random password kept in a vault and rotated. The assessor will examine service accounts as part of the access control review.
5. No Process for Removing Leavers
Organisations with a documented offboarding process still fail this requirement when the process is not being followed consistently, or when the process covers Active Directory accounts but not cloud application accounts. The assessor checks whether accounts exist for individuals who have left the organisation during the review period. A single missed leaver account within the testing scope can cause a failure.
Preparing for Cyber Essentials Plus Assessment
The assessor works through identity controls in a structured way. Understanding the sequence helps organisations prepare effectively.
What the Assessor Checks, and in What Order
The assessment typically begins with the directory service — Active Directory, Entra ID, or equivalent. The assessor will pull a list of accounts and identify admin-privileged accounts, standard user accounts, service accounts, and disabled accounts. They will cross-reference a sample of these against the organisation's HR records or leavers list for the period.
Cloud service MFA enforcement is usually checked next. The assessor will review Conditional Access or equivalent policies and, in some cases, attempt authentication flows to verify enforcement. The distinction between MFA being registered by users and MFA being enforced by policy is the critical point.
Workstation local administrator rights are checked via endpoint configuration — Group Policy, Intune configuration profiles, or equivalent. If end users can open a command prompt and confirm they are local administrators, that is a failure.
What to Test Before the Assessor Arrives
- Run a stale accounts report from your directory — any account inactive for 30 days or more should be reviewed and disabled if no longer needed
- Pull a list of all cloud applications in scope and confirm MFA enforcement policy is applied to each, not just enabled
- Check local administrator group membership on a representative sample of end-user workstations
- Review all service accounts for their privilege level — any with domain admin rights should be reviewed and scoped down
- Confirm that every admin account has a corresponding standard user account and that the admin account is not used for day-to-day activity
- Run a leavers check for the preceding 90 days — verify accounts were disabled on or before the last day of employment
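The following script is an added example for this page, not code from the original text or from any vendor. It runs the pre-assessment checks above against on-premises Active Directory using the RSAT ActiveDirectory module, and checks the local Administrators group on a sample of workstations over PowerShell remoting. The 30- and 90-day windows, the adm- prefix used to pair admin accounts with standard accounts, the leavers.csv HR export (columns SamAccountName and LeaveDate), the svc* naming pattern for service accounts and the workstation names are all assumptions to adapt to your environment.

```powershell
# Added example, not from the original page: pre-assessment identity checks
# against Active Directory and a sample of workstations. Requires the RSAT
# ActiveDirectory module, read access to the directory, and PowerShell remoting
# to the sampled machines. All thresholds, names and file formats below are
# assumptions to adapt to your environment.
Import-Module ActiveDirectory

$InactiveDays    = 30                           # stale-account threshold (assumed)
$LeaverWindow    = 90                           # how far back to check leavers (assumed)
$AdminPrefix     = "adm-"                       # assumed convention: adm-jsmith is jsmith's admin account
$LeaversCsv      = ".\leavers.csv"              # assumed HR export: SamAccountName,LeaveDate
$SampleComputers = "WS-001", "WS-002", "WS-003" # assumed sample of end-user workstations

# 1. Stale accounts: enabled user accounts with no logon in the window (includes never-logged-on)
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

# 2. Privileged group membership, resolved recursively. Service accounts (here:
#    anything with an SPN or an svc* name) in these groups are the Plus finding.
$privGroups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"
$privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq "user" |
        ForEach-Object {
            $u = Get-ADUser $_.SamAccountName -Properties PasswordLastSet, ServicePrincipalNames
            $pwdAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Group            = $g
                Account          = $u.SamAccountName
                IsServiceAccount = ($u.ServicePrincipalNames.Count -gt 0) -or ($u.SamAccountName -like "svc*")
                PasswordAgeDays  = $pwdAge
            }
        }
}

# 3. Admin/standard separation: every adm- account should map to a standard account
$separation = Get-ADUser -Filter "SamAccountName -like '$AdminPrefix*'" | ForEach-Object {
    $std = $_.SamAccountName.Substring($AdminPrefix.Length)
    [pscustomobject]@{
        AdminAccount    = $_.SamAccountName
        StandardAccount = $std
        StandardExists  = [bool](Get-ADUser -Filter "SamAccountName -eq '$std'")
    }
}

# 4. Leavers: HR-listed leavers in the window whose accounts still exist or are still enabled.
#    whenChanged only approximates the disable date; use security event 4725 where exact timing matters.
$leavers = Import-Csv $LeaversCsv |
    Where-Object { [datetime]$_.LeaveDate -ge (Get-Date).AddDays(-$LeaverWindow) } |
    ForEach-Object {
        $u = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -Properties whenChanged
        [pscustomobject]@{
            Account      = $_.SamAccountName
            LeaveDate    = $_.LeaveDate
            StillExists  = [bool]$u
            StillEnabled = [bool]($u -and $u.Enabled)
            LastChanged  = $u.whenChanged
        }
    }

# 5. Local Administrators group on the sampled workstations
$localAdmins = Invoke-Command -ComputerName $SampleComputers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group "Administrators" |
        Select-Object @{ n = "Computer"; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
}

"=== Enabled accounts inactive for $InactiveDays+ days ==="
$stale | Format-Table -AutoSize
"=== Privileged group members (review IsServiceAccount and PasswordAgeDays) ==="
$privileged | Format-Table -AutoSize
"=== Admin accounts with no matching standard account ==="
$separation | Where-Object { -not $_.StandardExists } | Format-Table -AutoSize
"=== Leavers in the last $LeaverWindow days whose accounts still exist ==="
$leavers | Where-Object { $_.StillExists } | Format-Table -AutoSize
"=== Local Administrators on sampled workstations (expect only the built-in Administrator and IT admin groups) ==="
$localAdmins | Format-Table Computer, Name, PrincipalSource -AutoSize
```

Run it from a management host with RSAT installed and an account that can read the directory; the remoting step needs WinRM enabled on the sampled workstations. The same workstation check can be done by the end user themselves, which is what the assessor may ask for: `whoami /groups` listing the SID S-1-5-32-544 (BUILTIN\Administrators) means the account is a local administrator. Note that the 30-day inactivity threshold is this page's recommendation rather than a figure in the Cyber Essentials specification, and that the leavers check is only as good as the HR export it is fed.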
The Relationship to NCSC Guidance and Wider Frameworks
Cyber Essentials does not exist in isolation. Understanding where it sits relative to other frameworks matters for organisations subject to multiple obligations.
NCSC 10 Steps to Cyber Security
The NCSC's 10 Steps to Cyber Security includes "Identity and Access Management" as a discrete step. The 10 Steps go further than Cyber Essentials — they encompass privileged access workstations, just-in-time access, and identity governance practices beyond what Cyber Essentials tests. However, an organisation that has met Cyber Essentials user access control requirements has addressed the foundational layer of what 10 Steps requires in this area. The two are designed to be complementary, with Cyber Essentials as the baseline and 10 Steps as the more mature target state.
Overlap With DORA and NIS2
For financial entities subject to DORA, or for organisations in scope of NIS2, Cyber Essentials certification demonstrates a baseline but does not satisfy the full identity requirements of either regulation. DORA Article 9 requires ICT security policies covering access control and strong authentication as part of a broader ICT risk management framework. NIS2 Article 21(2)(i) requires access control policies as part of the minimum security measures, and Article 21(2)(j) requires the use of multi-factor or continuous authentication solutions where appropriate. Both regulations expect controls that go beyond the Cyber Essentials minimum: risk-based access decisions, privileged access management, and documented access review processes that Cyber Essentials does not explicitly require.
Both are EU instruments. They reach UK organisations through EU-regulated entities or EU operations; the UK's own regime for essential services remains the NIS Regulations 2018. For organisations subject to more than one of these (a UK financial firm with EU entities under DORA, for example), Cyber Essentials should be treated as the floor, not the ceiling. Meeting Cyber Essentials demonstrates basic hygiene; meeting DORA or NIS2 on identity requires a more substantive programme.
Ready for Cyber Essentials Plus?
We produce the identity evidence the assessment requires — account reviews, access control documentation, MFA enforcement verification, and the gap analysis that identifies what needs to change before the assessor arrives.
For organisations pursuing Cyber Essentials Plus for the first time, or preparing for renewal after a previous failure on identity controls, our compliance and audit service covers the full scope of what is tested.
View Compliance & Audit Service