Cyber Essentials

Cyber Essentials Control 4: User Access Control — MFA Is Now Mandatory

> series: cyber_essentials_demystified —— part: 06/10 —— control: access_control —— mfa: mandatory_or_fail_

Hedgehog Security 12 March 2026 13 min read

If MFA is available and you have not enabled it, you fail.

User access control is the Cyber Essentials control that determines who can access your systems, what level of access they have, and how they prove their identity. Under the Danzell question set, this control carries the most consequential change in the 2026 update: multi-factor authentication is now mandatory for every cloud service where it is available. If MFA is offered — whether free, bundled, paid, or available through a connected identity provider — and you have not enabled it for all users, the assessment fails automatically.

This article covers the full scope of the access control requirements under Danzell v3.3, with particular focus on the MFA mandate, the new formal definition of cloud services, and the practical steps required to achieve compliance.



No exceptions. No workarounds.

The MFA requirement under Danzell is absolute. If a cloud service used by your organisation offers MFA in any form — built into the service, available through a connected identity provider such as Microsoft Entra ID or Google Workspace, or offered as a paid add-on — it must be enabled for every user. Not just administrators. Not just users with access to sensitive data. Every user, on every cloud service, where MFA is available.

IASME maintains a list of cloud services and their MFA capability, though this list is not exhaustive. The responsibility to determine whether your cloud services offer MFA lies with you. During CE Plus assessments, the assessor will verify that MFA is enabled by testing authentication against cloud services listed in your verified self-assessment.

What Counts as a Cloud Service Under Danzell?

Danzell introduces a formal definition: a cloud service is an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. This includes Microsoft 365, Google Workspace, Xero, QuickBooks Online, Salesforce, HubSpot, Dropbox, OneDrive, project management tools like Monday.com or Asana, HR systems, CRM platforms, password managers, remote access tools, and even business social media accounts. If organisational data is stored or processed in it, it is in scope.


How to check before the assessor does.

MFA Audit Process
── Step 1: Inventory all cloud services ──────────────────
List every cloud service your organisation uses
Include: email, file storage, accounting, CRM, HR, PM tools
Include: social media accounts used for business
Include: any SaaS platform accessed via a browser

── Step 2: Check MFA availability for each ────────────────
Log into each service's admin panel
Check security settings for MFA/2FA/two-step options
Check if MFA is available via SSO/SAML through your IdP
Note: paid MFA options still count — you must enable them

── Step 3: Enable and enforce MFA ─────────────────────────
Enable MFA for ALL users on ALL services where available
Enforce MFA at the policy level (not optional per user)
Verify enforcement by logging in as a test user
Document any services where MFA is genuinely unavailable

── Step 4: Verify ─────────────────────────────────────────
Log into each service from a new device/browser
Confirm you are prompted for a second factor
If you are NOT prompted — MFA is not working
Note: "remember this device", trusted-location and SSO session settings can suppress the prompt, so test from a fresh browser profile and from outside the office network
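Steps 2 and 3 say "enforce MFA at the policy level (not optional per user)", and for Microsoft 365 that policy lives in Entra ID Conditional Access. The script below is an added example written for this article, not Hedgehog Security's, IASME's or Microsoft's tooling. It evaluates an exported set of Conditional Access policies (the `value` array from `GET /identity/conditionalAccess/policies`, or `Get-MgIdentityConditionalAccessPolicy` converted to JSON) against the audit's own criteria: an enabled (not report-only) policy that requires MFA for all users on all cloud apps, no excluded principals, and a block on legacy authentication clients, which never trigger an MFA prompt. The three policies embedded at the bottom are constructed samples with placeholder GUIDs, not a real tenant, and the check covers only the Microsoft estate; every other SaaS service in your inventory still needs its own admin-panel check and the Step 4 login test.

```python
"""Audit Microsoft Entra Conditional Access policies for the Cyber Essentials
MFA mandate.  Added example, not Hedgehog Security's, IASME's or Microsoft's code.

Input shape: the `value` array returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(or `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10`).
"""
import copy
import json
import sys


def _is_all(values):
    """True when a Conditional Access scope list means 'everything'."""
    return any(str(v).lower() == "all" for v in values or [])


def audit_policies(policies):
    """Return a list of findings. An empty list means: an *enabled* policy requires
    MFA for all users on all cloud apps with nobody excluded, and legacy
    authentication clients (which cannot be prompted for MFA) are blocked."""
    findings, all_user_mfa, legacy_blocked = [], [], False

    for p in policies:
        name = p.get("displayName") or p.get("id") or "<unnamed>"
        state = p.get("state")
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        client_apps = {c.lower() for c in cond.get("clientAppTypes") or []}
        grant = p.get("grantControls") or {}
        controls = {c.lower() for c in grant.get("builtInControls") or []}
        enabled = state == "enabled"
        scoped_to_all = _is_all(users.get("includeUsers")) and _is_all(apps.get("includeApplications"))

        if "mfa" in controls:
            if not enabled:
                # enabledForReportingButNotEnforced or disabled: logs, never challenges
                findings.append(f"{name}: requires MFA but state is '{state}'; report-only or disabled policies enforce nothing")
            elif scoped_to_all:
                others = sorted(controls - {"mfa"})
                if others and grant.get("operator", "OR").upper() == "OR":
                    findings.append(f"{name}: MFA is OR'd with {others}; users can satisfy the policy without MFA")
                else:
                    all_user_mfa.append(name)
                    excluded = [x for k in ("excludeUsers", "excludeGroups", "excludeRoles") for x in users.get(k) or []]
                    if excluded:
                        findings.append(f"{name}: excludes {excluded}; every excluded principal is an account without MFA")
            # policies scoped to a subset of users or apps are fine as extras but do not satisfy 'all users'

        if "block" in controls and enabled and _is_all(users.get("includeUsers")) \
                and {"exchangeactivesync", "other"} <= client_apps:
            legacy_blocked = True

    if not all_user_mfa:
        findings.append("NO enabled policy requires MFA for all users on all cloud apps")
    if not legacy_blocked:
        findings.append("NO enabled policy blocks legacy authentication (clientAppTypes exchangeActiveSync/other)")
    return findings


# Constructed samples modelled on the Graph conditionalAccessPolicy resource; the GUIDs are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-00000000bb01"]},  # a break-glass account
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["00000000-0000-0000-0000-00000000aa01"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# The same tenant after remediation: exclusion removed, admin policy switched on.
COMPLIANT_POLICIES = copy.deepcopy(SAMPLE_POLICIES)
COMPLIANT_POLICIES[0]["conditions"]["users"].pop("excludeUsers")
COMPLIANT_POLICIES[2]["state"] = "enabled"


if __name__ == "__main__":
    # Usage: python ca_mfa_audit.py policies.json   (a Graph response with a "value" array)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
        policies = data.get("value", data) if isinstance(data, dict) else data
    else:
        policies = SAMPLE_POLICIES
    for line in audit_policies(policies) or ["OK: MFA enforced for all users, legacy auth blocked"]:
        print(line)
```

Run against the constructed tenant it reports the break-glass exclusion on CA001 and the report-only state of CA003; the remediated copy comes back clean. A clean result here is evidence for the self-assessment, not a substitute for the Step 4 test: a policy says what should happen, the fresh-browser login shows what actually happens.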

The other access control requirements.

MFA is the headline change, but the access control requirements under Danzell extend well beyond authentication. The full set of requirements governs how accounts are created, managed, and privileged across your organisation.

| Requirement | What It Means |
|---|---|
| Individual accounts | Every user must have their own unique account. No shared accounts; each action on your systems must be attributable to a specific individual. |
| Least privilege | Users must have only the minimum access required for their role. Standard users should not have administrative privileges. Administrative access must be granted only to those who genuinely need it. |
| Separate admin accounts | Administrative tasks must be performed using dedicated admin accounts, not the user's standard day-to-day account. Admin accounts should be used only for administrative purposes and not for email, web browsing, or general work. |
| Password requirements | Passwords must be at least 8 characters for standard accounts and at least 12 characters for administrative accounts. Alternatively, organisations can implement technical controls that prevent weak passwords (e.g. password deny lists). Passwordless authentication via passkeys or FIDO2 is explicitly accepted. |
| Account management process | A process must exist for creating, modifying, and removing user accounts. When an employee leaves, their account must be disabled or removed promptly. Orphaned accounts are a common assessment finding. |

Passkeys and FIDO2 under Danzell.

Danzell explicitly recognises passwordless authentication methods such as passkeys and FIDO2 security keys as valid alternatives to traditional passwords with MFA. These methods inherently satisfy the multi-factor requirement when they combine possession (the device or security key) with a biometric or knowledge factor (fingerprint, face, or PIN). For organisations deploying Windows Hello for Business, Apple passkeys, or FIDO2 hardware keys, this represents a cleaner path to compliance and a significantly stronger security posture than SMS-based MFA: the credential is bound to the site's origin, so it cannot be replayed to a phishing page, and there is no one-time code to intercept or SIM to swap.


Continuous access monitoring.

Access control is not a set-and-forget configuration. User accounts are created, modified, and — critically — not always deactivated when they should be. MFA policies can be bypassed by legacy authentication protocols. Privilege creep accumulates as users change roles without losing their previous access. SOC in a Box monitors authentication events 24/7, detecting anomalous login patterns, MFA bypass attempts, impossible travel scenarios, and the use of compromised credentials discovered through dark web monitoring.


Part 7 preview.

Next week, we cover the final technical control — Malware Protection. We explain what Danzell requires, the three acceptable approaches (anti-malware, application whitelisting, sandboxing), and how malware protection integrates with the other four controls to complete the layered defence.


We will audit your cloud services and verify your MFA coverage.

Our Concierge service (/cyber-essentials/concierge) includes a complete cloud service inventory and MFA audit, ensuring every service is identified, every MFA option is enabled, and every user is covered before you open your assessment account.
