Lesson 6.2 — Creating and approving user accounts: joiners, movers, contractors and temporary access

This lesson helps the learner understand the Cyber Essentials requirement to have a process to create and approve user accounts.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • design or improve a user account creation and approval process
  • identify who should approve access
  • define what information should be captured before accounts are created
  • handle movers and temporary access correctly
  • record evidence that accounts and privileges were approved before use.

Why This Matters

This lesson explains how account requests should be handled for new starters, role changes, contractors, temporary workers, suppliers and short-term access. It also shows how to record access approval evidence without making the process unnecessarily bureaucratic.

The most common problems are:

  • creating accounts before approval;
  • relying only on verbal approval;
  • giving everyone the same access;
  • copying another user’s access without review.

The Core Rule

Cyber Essentials expects organisations to have a process to create and approve user accounts.

This process should make sure accounts are created only for authorised users, with access based on role and business need.

What the CE Assessor Looks For

A strong position shows:

  • account creation is requested through a defined route;
  • approval is recorded before access is granted;
  • role and business need are captured;
  • standard access is role-based;
  • special access requires separate approval;
  • administrator access is separately approved.

Common Mistakes

  • creating accounts before approval;
  • relying only on verbal approval;
  • giving everyone the same access;
  • copying another user’s access without review;
  • ignoring role changes;
  • adding new access during a role change but not removing old access.

Copy This

Keep this rule visible:

No account should be created unless there is a clear reason, an approver, an owner and a defined level of access.
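
One way to check exported account request records against this rule and the points listed above: approval recorded before creation, separate approval for administrator access, and old access removed for movers. This is an added example, not part of the lesson or of Cyber Essentials; the record field names (such as `admin_approver` and `access_after`), the `admin` access level value and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Fields the lesson's rule requires before an account is created.
REQUIRED = ("reason", "approver", "owner", "access_level")

def audit_request(rec):
    """Return a list of findings for one account request record."""
    findings = [f"missing {f}" for f in REQUIRED if not str(rec.get(f) or "").strip()]
    approved, created = rec.get("approved_at"), rec.get("created_at")
    if created and not approved:
        findings.append("account created with no recorded approval")
    elif created and datetime.fromisoformat(created) < datetime.fromisoformat(approved):
        findings.append("account created before approval")
    # Administrator access needs its own recorded approval
    # (admin_approver is a hypothetical field name).
    if rec.get("access_level") == "admin" and not rec.get("admin_approver"):
        findings.append("administrator access not separately approved")
    # Movers: access still held after the change that the new role does not include.
    if rec.get("type") == "mover":
        stale = set(rec.get("access_after", [])) - set(rec.get("new_role_access", []))
        if stale:
            findings.append("old access not removed: " + ", ".join(sorted(stale)))
    return findings

def audit(records):
    """Map request id to findings, for records with at least one finding."""
    return {r["id"]: f for r in records if (f := audit_request(r))}

# Constructed sample records (not real data).
SAMPLE = [
    {"id": "REQ-001", "type": "joiner", "reason": "New finance assistant",
     "approver": "Finance manager", "owner": "Finance manager", "access_level": "standard",
     "approved_at": "2024-03-01T09:00", "created_at": "2024-03-01T11:30"},
    {"id": "REQ-002", "type": "contractor", "reason": "Website rebuild",
     "approver": "", "owner": "Marketing lead", "access_level": "standard",
     "approved_at": None, "created_at": "2024-03-04T10:00"},
    {"id": "REQ-003", "type": "joiner", "reason": "IT support hire",
     "approver": "IT manager", "owner": "IT manager", "access_level": "admin",
     "approved_at": "2024-03-06T14:00", "created_at": "2024-03-06T09:00"},
    {"id": "REQ-004", "type": "mover", "reason": "Moved from Sales to HR",
     "approver": "HR manager", "owner": "HR manager", "access_level": "standard",
     "approved_at": "2024-03-08T09:00", "created_at": "2024-03-08T10:00",
     "new_role_access": ["hr-share", "email"],
     "access_after": ["hr-share", "email", "sales-crm"]},
]

if __name__ == "__main__":
    for req_id, found in audit(SAMPLE).items():
        print(req_id, "->", "; ".join(found))
```

Records with no findings are left out of the result, so an empty result means every request in the export met the rule.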

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What is the main requirement covered by this lesson?
  • [ ] Why does account approval matter?
  • [ ] What information should be captured before creating an account?
  • [ ] Why should special access be approved separately?
  • [ ] What is a common risk with movers?

Your Action

Do this now — it takes 10–20 minutes.

Check your joiner process: is there a formal step where IT creates an account only after approval? Record the process and any gaps in Section UAC.

Key Takeaway

No account should be created unless there is a clear reason, an approver, an owner and a defined level of access.

Your Workbook Activity

Complete: User account creation and approval process record

Next Lesson

In the next lesson: Removing and disabling accounts: leavers, dormant users and access no longer required