Table of Contents
- How Long Does Cyber Essentials Take? Overview
- Factors Influencing Certification Duration
- The Self-Assessment Process and Timeline
- Cyber Essentials Preparation Checklist for Faster Approval
- Working with an Accredited Assessor: What to Expect
- Cyber Essentials Remediation Time and Resubmission
- Cyber Essentials Auto-Fail Requirements and How to Avoid Delays
- Cyber Essentials Plus Timeline: Extended Timeframe Explained
Last Updated: July 11, 2026
How Long Does Cyber Essentials Take? Overview
Most businesses complete Cyber Essentials certification within 4-12 weeks from initial assessment to final approval. The timeline breaks into distinct phases: preparation (2-4 weeks), self-assessment (1-2 weeks), accredited assessor review (2-4 weeks), and remediation if gaps are identified. These phases don’t always run sequentially, some overlap, whilst others depend on how quickly your team responds to findings.
The certification’s validity period is three years. For Cyber Essentials Plus, expect to add another 2-3 weeks for more rigorous external audit requirements.

Start your timeline planning by auditing your current IT infrastructure now. Organisations that complete this audit before engaging an assessor typically reduce their overall timeline by 1-2 weeks. If you’d like professional support with this initial review, a [Free SEO Audit](https://www.ibertechsolutions.co.uk/#free-seo-audit) can help identify gaps in your digital security presence.
Factors Influencing Certification Duration
Business size is the most significant factor, a five-person firm progresses faster than a 200-person organisation with distributed networks. Your existing security maturity matters considerably. If you’ve already implemented basic controls like patching, firewalls, and antivirus software, you’ll spend less time on remediation.
The availability of your internal team directly impacts speed. Organisations with dedicated IT personnel or managed service providers typically move faster. Your choice of certification body also influences duration; some assessors maintain faster turnaround times, particularly if they specialise in your industry.
Document preparation readiness is critical. Organisations that gather security policies, network diagrams, patch records, and access control documentation before formal assessment save 1-2 weeks of communication. If your organisation lacks in-house IT expertise, IT Support can help you compile and organise the necessary documentation efficiently.
Delaying document preparation is the single biggest cause of timeline extension. Organisations have pushed completion dates back 3-4 weeks because they needed to recreate missing IT infrastructure documentation after assessment.
The Self-Assessment Process and Timeline
The self-assessment involves working through the IASME questionnaire covering five control areas: secure configuration, access control, malware protection, patch management, and external audit. This phase typically requires 5-10 working days.
The questionnaire demands accuracy and honesty about your current security posture. Each section requires you to confirm whether you’ve implemented specific technical controls and can evidence them. Small teams can complete this with one IT-responsible person; larger organisations benefit from involving multiple stakeholders to ensure accuracy across all areas.
Once submitted, most assessors respond within 2-3 working days to confirm receipt and outline their review timeline. The assessor then conducts detailed review over 1-2 weeks, validating that security controls are genuinely in place and functioning. This may involve requesting evidence: firewall configurations, patch reports, access control lists, or antivirus deployment records.
Cyber Essentials Preparation Checklist for Faster Approval
Preparation directly correlates with speed. Organisations that prepare systematically move through assessment 2-3 weeks faster than those approaching it reactively.
Secure Configuration:
- Document all internet-facing devices and confirm default credentials are changed
- Gather evidence of BIOS/firmware updates on critical systems
- Evidence of wireless encryption configuration (WPA2 minimum)
Access Control:
- Create a current user access list showing administrative privileges
- Document your password policy and multi-factor authentication implementation
- Screenshot your user account lockout policies
Malware Protection:
- Confirm antivirus software is installed on all endpoints
- Gather evidence of current malware definitions and scanning frequency
- Evidence of antivirus update automation
Patch Management:
- Create a list of all systems requiring patches
- Document your patch testing and deployment schedule
- Gather evidence of recent patches applied (last 90 days)
External Audit:
- Document your vulnerability scanning approach and frequency
- Gather evidence of penetration testing if completed within 12 months
- Screenshot your incident response plan and backup procedures
| Control Area | Preparation Task | Time Required | Evidence Needed |
|---|---|---|---|
| Secure Configuration | Audit network devices | 3-5 days | Device inventory, configuration screenshots |
| Access Control | Review user privileges | 2-3 days | User access list, policy documentation |
| Malware Protection | Verify endpoint protection | 1-2 days | Antivirus reports, deployment evidence |
| Patch Management | Audit patch status | 3-5 days | Patch reports, deployment records |
| External Audit | Document scanning/testing | 2-4 days | Scan reports, incident response plan |
Organisations that complete this checklist before submitting their self-assessment reduce their assessment timeline by an average of 2 weeks.
Working with an Accredited Assessor: What to Expect
The IASME maintains a public register of approved assessors. They vary in specialisation, location, and turnaround speed. Some focus on specific sectors; others serve general audiences.
Once you’ve submitted your self-assessment, most assessors provide initial feedback within 10-15 working days. This identifies which controls you’ve clearly implemented, which require additional evidence, and which have gaps. The assessor’s role is verification, not consultation, they’ll identify what’s missing and expect you to address it.
The assessor will conduct technical verification, which may include remote access to your systems, interviews with your IT team, review of security logs, and validation of patch records. This phase typically takes 3-5 working days.
Assign a single point of contact within your organisation for assessor communication. This person should have access to all systems, documentation, and decision-makers. Unclear internal communication structures cause 1-2 week delays.
Cyber Essentials Remediation Time and Resubmission
Remediation depends entirely on what’s missing and your organisation’s capacity to implement fixes.
Patch management gaps (2-4 weeks): Testing patches in non-production environments and deploying across your estate requires time. Critical patches may deploy faster; routine patches might wait for standard patching cycles.
Access control issues (1-3 weeks): Removing excessive privileges, implementing multi-factor authentication, or documenting access lists typically requires 1-2 weeks.
Malware protection gaps (3-7 days): Installing antivirus software is relatively quick, but ensuring proper configuration and updating definitions takes a few days.
Secure configuration remediation (1-4 weeks): Changing default credentials or reconfiguring firewalls can be quick with documented processes, but may require careful planning to avoid downtime.
External audit gaps (2-6 weeks): Arranging and completing vulnerability scanning or penetration testing adds significant time.
Once remediation is complete, you resubmit evidence. The assessor conducts follow-up verification over 1-2 weeks. Most organisations complete remediation in one cycle.
Cyber Essentials Auto-Fail Requirements and How to Avoid Delays
Certain security failures automatically deny certification. Understanding these prevents remediation delays.
Auto-fail conditions:
Default credentials remain on internet-facing devices. Every externally accessible system must use changed credentials.
Lack of antivirus protection on any endpoint. Every workstation and server must have active malware protection.
No evidence of patch management process. You must demonstrate a documented approach to identifying, testing, and deploying patches.
Absence of access control documentation. You must articulate who has administrative access and why.
No firewall or network segmentation. Internet-facing systems must be protected by a firewall.
Missing incident response or backup procedures. You must document how you’d respond to incidents and recover from data loss.
Avoiding these auto-fail conditions during preparation eliminates the risk of complete restart after assessment.
Organisations have failed certification by overlooking a single auto-fail condition, often an unpatched server or device using default credentials. These failures force a complete restart, extending timelines by 4-6 weeks minimum.
Cyber Essentials Plus Timeline: Extended Timeframe Explained
Cyber Essentials Plus adds an external audit layer to standard Cyber Essentials. Whilst standard certification is self-assessed and verified by an accredited assessor, Plus requires an on-site or remote technical audit by an approved external auditor.
The additional time commitment typically adds 2-3 weeks. The external auditor conducts more rigorous technical verification, actively testing your security controls through vulnerability scanning, configuration testing, and access control validation. Arranging an auditor’s visit or remote session adds 1-2 weeks, particularly if your organisation has limited availability.
Because the external audit is more thorough, it often identifies gaps that standard self-assessment misses, potentially requiring more extensive remediation. After the external auditor completes their assessment, the certification body conducts an additional review, adding 1-2 weeks.
The total Cyber Essentials Plus timeline typically spans 12-16 weeks from initial preparation through final certification, compared to 4-12 weeks for standard Cyber Essentials. However, organisations with mature security practices can compress this to 8-10 weeks. Plus certification is valid for three years, the same as standard Cyber Essentials.
Cyber Essentials certification demonstrates your commitment to fundamental security practices. The timeline depends entirely on your starting point and preparation approach. Organisations that audit their current security posture, gather evidence systematically, and assign clear ownership move through certification efficiently. Those that delay preparation or discover gaps during assessment face extended timelines.
Frequently Asked Questions
How long does it take to complete the Cyber Essentials self-assessment questionnaire?
The self-assessment questionnaire typically takes 2-4 working days to complete thoroughly, depending on your organisation's size and IT infrastructure complexity. Smaller businesses with straightforward networks may finish within a day, whilst larger organisations with multiple systems and departments may require a full week. Preparation beforehand, gathering documentation on your security controls and patch management processes, can significantly accelerate this phase.
What is the difference in time between Cyber Essentials and Cyber Essentials Plus certification?
Cyber Essentials Plus involves an external audit conducted by an accredited assessor, extending the overall timeline by 1-3 weeks beyond standard Cyber Essentials. Whilst Cyber Essentials relies on self-assessment, Cyber Essentials Plus requires hands-on vulnerability scanning and technical verification of your security controls, network configuration, and access control measures. This additional depth provides stronger assurance of your cyber security posture.
What happens if I fail my Cyber Essentials assessment, and how long does resubmission take?
If you fail, you'll receive a detailed report identifying gaps in your security controls. Remediation time depends on the severity of failures, minor issues may take 1-2 weeks to address, whilst significant gaps in patch management, access control, or firewall configuration could require 3-4 weeks or longer. After remediation, resubmission typically takes 3-5 working days for approval.
Can I get Cyber Essentials certified in one day?
No. Whilst the questionnaire itself can be completed in a single day, certification requires submission to a certification body, verification of your responses, and formal approval, a process that typically takes 5-10 working days minimum. Fast-tracking is not possible; the timeline is governed by IASME and NCSC requirements. However, thorough preparation beforehand can prevent delays caused by incomplete documentation or failed submissions.




