Lesson 6.7 — Final user access control review: account evidence, access reviews and common failures
This lesson closes the User Access Control module by helping the learner complete a final review of account controls, permissions, MFA, password-based authentication, administrator accounts, supplier access and access removal evidence.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- complete a final User Access Control readiness review
- check whether accounts are assigned only to authorised users
- confirm least privilege and administrator account controls
- evidence MFA and password-based authentication
- identify unresolved access risks
- prepare a safe evidence pack without including secrets or credentials.
Why This Matters
This final review focuses on whether the organisation can support its Cyber Essentials answers with evidence and whether common user access failures have been identified before submission.
The Core Rule
User Access Control is ready when the organisation can show that only authorised users have accounts, users only have the access they need, authentication is protected, and unnecessary accounts or privileges are removed.
The final review should check the actual systems in scope, not just policy wording.
Copy This
Keep this rule visible:
Do not submit User Access Control answers unless the account lists, access evidence and authentication controls support what you are saying.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] What is the final User Access Control question?
- [ ] Why is a user access policy alone not enough?
- [ ] Why are incomplete account lists a problem?
- [ ] Why is disabling only a leaver’s email account not enough?
- [ ] What is the difference between MFA being available and MFA being enforced?
Your Action
Do this now — it takes 10–20 minutes.
Review your complete User Access Control position. Do you have evidence for accounts, MFA, passwords, and admin access? Note any gaps.
Key Takeaway
Do not submit User Access Control answers unless the account lists, access evidence and authentication controls support what you are saying.
Your Workbook Activity
Complete: Final user access control review record
Next Lesson
In the next lesson: Building and maintaining the device inventory