Lesson 6.3 — Removing and disabling accounts: leavers, dormant users and access no longer required

This lesson helps the learner understand the Cyber Essentials requirement to remove or disable user accounts when they are no longer required.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • create or improve an account removal process
  • identify accounts that are no longer required
  • manage leavers and dormant accounts
  • remove temporary and supplier access
  • disable unnecessary accounts safely
  • evidence that access has been removed or disabled when no longer needed.

Why This Matters

This lesson explains how to manage leavers, dormant users, old guest accounts, expired contractor access, supplier accounts and access that is no longer needed after role changes. It also explains the difference between disabling an account, deleting it and removing only its privileges, and how to collect evidence without storing sensitive credentials.

The most common problems are:

  • disabling only the main email account;
  • forgetting SaaS accounts;
  • forgetting local device accounts;
  • forgetting VPN and remote access.

The Core Rule

Cyber Essentials expects user accounts to be removed or disabled when they are no longer required.

This includes leavers, dormant users, temporary accounts, supplier accounts, external guests and access that is no longer needed after role changes.

What the CE Assessor Looks For

A strong position shows:

  • leaver notifications are sent promptly;
  • account disablement is assigned to an owner;
  • access is removed at the right time;
  • identity provider and SaaS accounts are included;
  • administrator privileges are removed quickly;
  • temporary access has end dates.

Common Mistakes

  • disabling only the main email account;
  • forgetting SaaS accounts;
  • forgetting local device accounts;
  • forgetting VPN and remote access;
  • forgetting administrator accounts;
  • forgetting guest users.

Copy This

Keep this rule visible:

If a person, supplier, guest or account no longer needs access, remove or disable that access and keep evidence.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What is the main requirement covered by this lesson?
  • [ ] Give three examples of accounts that may no longer be required.
  • [ ] Why might disabling an account be better than deleting it immediately?
  • [ ] Why are dormant accounts risky?
  • [ ] What is access creep?

Your Action

Do this now — it takes 10–20 minutes.

Check your leaver process: pick the last three people who left and confirm their accounts were disabled or deleted promptly. Record in Section UAC.
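To make that check repeatable across every system a leaver held access to (mailbox, SaaS, local device, VPN, admin and guest accounts), here is an added example in Python; it is not part of the course. It reconciles a constructed account export against a constructed HR leaver list, and also flags dormant accounts and temporary or supplier access past its end date. All usernames, system names and dates are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str                         # person, supplier or guest the account belongs to
    system: str                       # IdP, SaaS app, local device, VPN, guest tenant ...
    enabled: bool
    is_admin: bool = False
    last_login: Optional[date] = None
    disabled_on: Optional[date] = None  # date the account was disabled, if it was
    expires: Optional[date] = None      # agreed end date for temporary or supplier access

# Constructed sample export (not real data): one row per account across every system a person held, not only the mailbox.
ACCOUNTS = [
    Account("a.smith", "M365 mailbox", False, disabled_on=date(2024, 5, 1)),
    Account("a.smith", "CRM (SaaS)", True, last_login=date(2024, 4, 28)),
    Account("a.smith", "VPN", True),
    Account("b.jones", "M365 mailbox", False, is_admin=True, disabled_on=date(2024, 5, 24)),
    Account("b.jones", "LAPTOP-07 local admin", True, is_admin=True),
    Account("c.lee", "M365 mailbox", False, disabled_on=date(2024, 5, 20)),
    Account("supplier-x", "VPN", True, last_login=date(2024, 2, 2), expires=date(2024, 3, 31)),
    Account("guest-audit", "Entra guest", True, last_login=date(2023, 11, 3)),
    Account("d.kaur", "M365 mailbox", True, last_login=date(2024, 6, 1)),
]
# Constructed leaver list from HR: username -> last working day.
LEAVERS = {"a.smith": date(2024, 5, 1), "b.jones": date(2024, 5, 10), "c.lee": date(2024, 5, 20)}

def leaver_findings(accounts, leavers, grace_days=1):
    """Leaver accounts still enabled, or disabled later than last day + grace period."""
    findings = []
    for a in accounts:
        left = leavers.get(a.user)
        if left is None:
            continue  # not a leaver; the dormancy and expiry checks cover these
        tag = " [ADMIN]" if a.is_admin else ""
        if a.enabled:
            findings.append(f"{a.user}: {a.system}{tag} still ENABLED (left {left})")
        elif a.disabled_on and a.disabled_on > left + timedelta(days=grace_days):
            findings.append(f"{a.user}: {a.system}{tag} disabled late on {a.disabled_on} (left {left})")
    return findings

def dormant_accounts(accounts, today, days=90):
    """Enabled accounts unused for `days` or never signed in: review, then disable."""
    return [a for a in accounts if a.enabled
            and (a.last_login is None or a.last_login < today - timedelta(days=days))]

def expired_temporary(accounts, today):
    """Temporary or supplier access still enabled after its agreed end date."""
    return [a for a in accounts if a.enabled and a.expires and a.expires < today]
```

The findings lists (user, system, what is wrong and when they left) are what you record in Section UAC as evidence; no passwords or tokens are needed or stored.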

Key Takeaway

If a person, supplier, guest or account no longer needs access, remove or disable that access and keep evidence.

Your Workbook Activity

Complete: Account removal, dormant user and access disablement record

Next Lesson

In the next lesson: Multi-factor authentication: cloud services, users, administrators and supplier access