Cyber Essentials is the UK government-backed certification that every small business supplying public sector contracts must hold. Its password requirements are specific, measurable, and frequently misunderstood. In our work with firms preparing for certification, the password section is the most common area where initial applications fail. This guide explains exactly what assessors look for and how to implement the controls in your organisation.
What Cyber Essentials Says About Passwords
Cyber Essentials does not mandate a specific password length or complexity. Instead, it requires organisations to protect their networks, devices, and data against the most common cyber attacks. For password controls, this means implementing appropriate authentication measures including password policies that follow current NCSC guidance.
The key document is the NCSC's password guidance, which recommends using three random words as the basis for strong passwords, enabling MFA wherever possible, and using a password manager to eliminate password reuse. Cyber Essentials assessors check that your organisation has adopted these principles.
The Five Password Controls Assessors Check
- Policy document exists: There must be a written password policy that all staff are aware of. A verbal understanding is not sufficient for certification.
- Unique passwords per service: Staff must not reuse the same password across different accounts. This is typically enforced through a password manager.
- MFA is enabled on all Internet-facing services: Especially email, cloud platforms, and any system accessible from outside the organisation.
- Minimum password strength: While no specific length is prescribed, passwords must meet the NCSC three-random-words standard or equivalent complexity.
- Admin accounts are separated: Staff must have separate standard and admin accounts with different credentials.
Common Failures and How to Fix Them
Failure 1: No written policy. Many small businesses rely on unwritten rules. Fix this by writing a one-page policy document that staff sign. A template is available from the NCSC website.
Failure 2: Credentials stored in browsers. Assessors check whether staff save passwords in browser autofill instead of a dedicated password manager. Implement a business password manager before your assessment.
Failure 3: Shared generic accounts. Shared mailboxes or admin accounts are accessed with a single password known to multiple staff members. Each user must have their own credentials, protected with MFA.
Failure 4: No offboarding process. Former staff members retain active credentials. Build account deactivation into your offboarding checklist.
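As an added example (not from this guide, the NCSC or any certification body), the following Python script audits an account inventory against the five controls and the four common failures listed above, and can be re-run as the quarterly account audit mentioned later. The inventory fields, the `audit` function and the sample records are assumptions made for this example; passwords appear only as hashes, never in the clear.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One row of the account inventory. Field names are assumptions for this example."""
    person: str            # staff member who owns the credential
    service: str           # system the credential logs in to
    login: str             # account identifier on that service
    pw_fingerprint: str    # hash of the password, never the password itself
    internet_facing: bool  # reachable from outside the organisation's network
    mfa_enabled: bool
    is_admin: bool
    shared: bool           # one credential known to several staff
    enabled: bool          # account is still active on the service
    employed: bool         # the person still works for the organisation


def fingerprint(password: str) -> str:
    """Reduce a password to a comparison key so reuse can be detected without storing
    the secret. The prefix is a constructed constant for this example; a password
    manager's own reuse report would normally replace this step."""
    return hashlib.sha256(b"ce-audit-example:" + password.encode()).hexdigest()[:16]


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return findings keyed by the control they breach. An empty dict means no failures."""
    findings: dict[str, list[str]] = defaultdict(list)

    # Control: unique passwords per service (no reuse across accounts)
    by_fp: dict[str, list[Account]] = defaultdict(list)
    for a in accounts:
        by_fp[a.pw_fingerprint].append(a)
    for group in by_fp.values():
        if len(group) > 1:
            where = ", ".join(f"{a.login}@{a.service}" for a in group)
            findings["unique_passwords"].append(f"same password used for: {where}")

    # Control: MFA on every Internet-facing service
    for a in accounts:
        if a.internet_facing and not a.mfa_enabled:
            findings["mfa_internet_facing"].append(f"{a.login}@{a.service} has no MFA")

    # Control: admin accounts separated from standard ones, with different credentials
    by_person: dict[str, list[Account]] = defaultdict(list)
    for a in accounts:
        by_person[a.person].append(a)
    for person, accts in by_person.items():
        admin = [a for a in accts if a.is_admin]
        standard = [a for a in accts if not a.is_admin]
        if admin and not standard:
            findings["admin_separation"].append(
                f"{person} has only admin accounts (daily work done on admin credentials)")
        std_fps = {a.pw_fingerprint for a in standard}
        for a in admin:
            if a.pw_fingerprint in std_fps:
                findings["admin_separation"].append(
                    f"{person}: admin account {a.login}@{a.service} shares its password with a standard account")

    # Failure 3: shared generic accounts
    for a in accounts:
        if a.shared:
            findings["shared_accounts"].append(f"{a.login}@{a.service} is a shared credential")

    # Failure 4: no offboarding (former staff still hold enabled accounts)
    for a in accounts:
        if a.enabled and not a.employed:
            findings["offboarding"].append(
                f"{a.login}@{a.service} still enabled for former staff member {a.person}")

    return dict(findings)


def sample_inventory() -> list[Account]:
    """Constructed records containing at least one instance of each failure.
    Field order: person, service, login, fingerprint, internet_facing, mfa, admin, shared, enabled, employed."""
    return [
        Account("alice", "email", "alice", fingerprint("correct-horse-battery"), True, True, False, False, True, True),
        Account("alice", "crm", "alice", fingerprint("correct-horse-battery"), True, True, False, False, True, True),
        Account("bob", "email", "bob", fingerprint("lamp-river-cactus"), True, False, False, False, True, True),
        Account("carol", "fileserver", "carol-admin", fingerprint("glass-otter-tunnel"), False, False, True, False, True, True),
        Account("dave", "email", "dave", fingerprint("brick-salmon-violin"), True, True, False, False, True, True),
        Account("dave", "fileserver", "dave-admin", fingerprint("brick-salmon-violin"), False, True, True, False, True, True),
        Account("team", "shared-mailbox", "info", fingerprint("welcome2024"), True, True, False, True, True, True),
        Account("erin", "crm", "erin", fingerprint("pillow-comet-harbor"), True, True, False, False, True, False),
    ]


if __name__ == "__main__":
    for control, items in audit(sample_inventory()).items():
        print(control)
        for line in items:
            print("  -", line)
```

The script reports findings rather than fixing anything; each finding maps directly to one of the controls or failures above, so the output doubles as the gap list to close before the formal assessment. Note that a shared admin password also appears under password reuse, which is intended: both controls are breached.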
Writing Your Password Policy Document
Your password policy document does not need to be long. A single A4 page covering these sections is sufficient for Cyber Essentials certification:
- Scope: Which systems and accounts the policy covers
- Password creation: Method for generating strong passwords (three random words or password manager)
- Password storage: Requirement to use the approved password manager only
- MFA: Requirement to enable MFA on all accounts
- Account management: Onboarding and offboarding procedures
- Review: Annual policy review requirement
From Policy to Practice: Implementation Steps
Month 1: Write and circulate the password policy. Choose and deploy a business password manager. Begin inventory of all accounts.
Month 2: Enable MFA on all Internet-facing services. Create separate admin accounts for IT staff. Start populating the password manager with account credentials.
Month 3: Conduct staff training on the password policy. Run a practice audit internally. Address any gaps before the formal assessment.
Maintaining Compliance After Certification
Cyber Essentials certification is valid for 12 months. To maintain compliance throughout the year: run a quarterly account audit, review the password manager's security report monthly, update the policy if NCSC guidance changes, and include password security in new starter induction training. When renewal comes around, the evidence of ongoing compliance makes the reassessment straightforward.
FAQs
Does Cyber Essentials require a specific password length?
No. Cyber Essentials follows NCSC guidance, which recommends three random words rather than a specific character count. Assessors look for implementation of the NCSC approach, not a particular length.
Can small businesses pass Cyber Essentials without a password manager?
The NCSC recommends password managers as the most practical way to eliminate password reuse. While not absolutely mandatory, most assessors expect to see one. Free-tier options such as Bitwarden meet the requirement.
How long does Cyber Essentials certification take?
For a small business with good password practices already in place, the assessment itself takes 2-4 hours. Preparation time depends on the current state; typically 2-6 weeks for the password controls alone.
Does Cyber Essentials require MFA on every single account?
MFA is required on all Internet-facing services, meaning those accessible from outside the organisation's network. Internal-only systems are not required to have MFA, though it is recommended where available.