User access control that meets the standard.
User access control is the third Cyber Essentials control. It requires least-privilege user accounts and strong authentication for administrative access. IP Four audits your account estate, removes unnecessary privileges, and implements the controls needed to pass.
100% First-Time Pass Rate
4-6 Wks Average Certification Time
500+ UK Businesses Certified
5 Controls Covered End-to-End
Access control capabilities for Cyber Essentials compliance.
User Account Privilege Review
Audit all user accounts to identify those with unnecessary administrative privileges and reduce them to standard user level.
Separate Admin Account Creation
Create dedicated administrative accounts for IT tasks, ensuring day-to-day work is performed under standard user accounts.
Multi-Factor Authentication for Admins
Enable MFA on all administrative accounts and cloud services to meet the Cyber Essentials Plus requirement and strengthen overall security.
Guest and Shared Account Removal
Identify and disable guest accounts, shared credentials, and dormant accounts that represent unnecessary access risk.
Password Policy Implementation
Configure password policies that meet Cyber Essentials requirements, including minimum length, complexity, and lockout thresholds.
Access Control Documentation
Produce an access control register documenting all user accounts, privilege levels, and the business justification for each administrative account.
Our user access control process.
Account Discovery
Enumerate all user accounts across Active Directory, cloud services, and local devices to establish the full access control scope.
Privilege Assessment
Identify accounts with administrative rights and assess whether those privileges are justified by the user's role.
Remediation Planning
Produce a remediation plan to remove unnecessary privileges, create separate admin accounts, and disable redundant accounts.
Access Control Implementation
Apply privilege changes, create dedicated admin accounts, enable MFA, and configure password policies across all in-scope systems.
Evidence Gathering
Capture account listings, MFA configuration screenshots, and policy exports as assessor-ready evidence.
Certification Submission
Submit access control evidence as part of the Cyber Essentials application and support the assessor through review.
Access control compliance delivered across the UK.
Challenge: A 25-person accountancy firm had 18 users with local administrator rights on their devices, creating significant risk and failing the Cyber Essentials access control requirement.
Outcome: IP Four removed local admin rights from all standard users, created dedicated admin accounts for IT staff, and enabled MFA on all admin accounts. The firm passed certification within four weeks.
Challenge: A housing association had multiple shared accounts used by different staff members and several dormant accounts from former employees still active in Active Directory.
Outcome: IP Four disabled all shared and dormant accounts, implemented individual named accounts for all staff, and produced an access control register. Cyber Essentials certification was achieved first time.
Challenge: A SaaS startup had all developers with full admin rights across cloud infrastructure and no separation between standard and administrative accounts.
Outcome: IP Four implemented role-based access control across AWS and Microsoft 365, created separate admin accounts, and enabled MFA on all privileged access. The startup achieved Cyber Essentials in five weeks.
Ready to implement least-privilege access and achieve certification?
We start with a free account privilege review to identify exactly what needs to change. No unnecessary disruption, just a clear path to Cyber Essentials certification.