How Long Does Cyber Essentials Plus Certification Take?

One of the most frequently asked questions we hear from UK businesses considering Cyber Essentials Plus is simply: how long does it take? It is a fair question. Business owners and IT managers need to plan around the certification process, allocate resources, and understand when they can expect to have that certificate in hand — particularly if a contract deadline or tender requirement is driving the timeline.

The honest answer is that it depends. The total time from initial decision to certificate can range from as little as two weeks for a well-prepared organisation to several months for one that needs significant remediation work. In this guide, we break down every stage of the process, give you realistic timescales, and explain what you can do to accelerate your journey to certification.

Understanding the Two-Stage Process

Before we discuss timescales, it is important to understand that Cyber Essentials Plus is not a standalone certification. It builds on the basic Cyber Essentials certification, which must be achieved first. You cannot skip directly to Plus — the basic certification is a prerequisite.

This means the total timeline includes two distinct phases: achieving basic Cyber Essentials, and then upgrading to Cyber Essentials Plus. Some organisations complete both in quick succession; others achieve the basic certification and then take time to prepare for the more rigorous Plus assessment.

Typical time for Cyber Essentials basic: 2–5 days
Preparation time for Plus assessment: 1–4 weeks
The Plus assessment itself: 1–2 days
Maximum window to complete Plus after basic: 3 months

Stage 1: Cyber Essentials Basic Certification

The basic Cyber Essentials certification is a self-assessment questionnaire. You answer questions about your organisation's security controls across the five core areas: firewalls, secure configuration, access control, malware protection, and security update management (patching).

Completing the Questionnaire

The questionnaire itself typically takes between two and four hours to complete, assuming you have a clear understanding of your IT environment and the security controls in place. However, the time required varies significantly depending on the complexity of your organisation.

A small business with a single office, a handful of devices, and a straightforward IT setup might complete the questionnaire in an afternoon. A larger organisation with multiple offices, diverse operating systems, cloud services, and remote workers may need several days to gather the necessary information from different teams and stakeholders.

The questions are not trick questions, but they do require specific, accurate answers. You will need to know details such as what firewall rules are configured on your boundary devices, how software updates are managed across your estate, whether users have administrator privileges, and how malware protection is configured. If you do not have this information readily available, the research phase can add days to the process.

Assessment and Certification

Once you submit the questionnaire, an assessor from your chosen certification body reviews your answers. If everything is in order, the certificate can be issued within one to two business days. If the assessor has questions or requires clarification, there may be a back-and-forth process that adds a few more days.

In total, the basic Cyber Essentials certification typically takes between two and five business days from start to finish for a well-prepared organisation. For those who need to do significant research or remediation before they can accurately answer the questionnaire, allow two to four weeks.

Stage 2: Preparing for Cyber Essentials Plus

This is where the real work begins. Unlike the basic certification, Cyber Essentials Plus involves a hands-on technical assessment of your actual IT environment. An assessor will scan your devices, check your configurations, and verify that the controls you claimed in your basic questionnaire are actually in place and functioning correctly.

Important Timeline

You must complete your Cyber Essentials Plus assessment within three months of achieving your basic Cyber Essentials certification. If you miss this window, you will need to re-certify at the basic level before proceeding to Plus.

Gap Analysis and Remediation

The preparation phase is typically the most time-consuming part of the entire process, and its duration varies enormously depending on the current state of your IT environment. For organisations that already have strong security practices in place, preparation may take only a few days. For those with significant gaps, it could take several weeks.

Common remediation tasks include patching all devices to current levels, removing end-of-life software, reconfiguring user accounts to remove unnecessary administrator privileges, hardening firewall configurations, enabling multi-factor authentication on cloud services, and ensuring malware protection is active and current on all devices.

We strongly recommend conducting an internal gap analysis — essentially a mock assessment — before scheduling your official Cyber Essentials Plus assessment. This involves running vulnerability scans against your own devices, reviewing configurations, and identifying any areas that do not meet the standard. The gap analysis itself typically takes one to two days, but the remediation that follows can take anywhere from a few days to several weeks.

Typical Preparation Timescales by Organisation Size

| Organisation Size | Typical Devices in Scope | Preparation Time | Key Challenges |
|---|---|---|---|
| Micro (1–9 employees) | 5–15 devices | 3–5 days | Often limited IT knowledge; may need external support |
| Small (10–49 employees) | 15–75 devices | 1–2 weeks | Third-party app patching; BYOD management |
| Medium (50–249 employees) | 75–400 devices | 2–4 weeks | Complex estates; legacy software; multiple locations |
| Large (250+ employees) | 400+ devices | 4–8 weeks | Enterprise complexity; change control processes |

These timescales assume that the organisation is motivated and has the resources to dedicate to the preparation process. Organisations that can only allocate part-time attention to the project should expect preparation to take longer.

Stage 3: The Assessment Itself

Once you are confident that your environment meets the Cyber Essentials Plus requirements, you schedule the assessment with your chosen certification body. Most certification bodies can schedule an assessment within one to two weeks of your request, though this can vary depending on demand and the time of year (there tends to be a rush towards the end of the financial year as organisations try to renew before their certificates expire).

What Happens During the Assessment

The assessment itself typically takes one to two days, depending on the size and complexity of your organisation. The assessor will perform a series of technical tests on a representative sample of your devices and infrastructure.

External vulnerability scan: 2–4 hours
Internal device sampling and scanning: 3–6 hours
Configuration review and verification: 2–3 hours
Malware protection testing: 1–2 hours
Results analysis and reporting: 2–4 hours

The external vulnerability scan examines your internet-facing infrastructure for known vulnerabilities. The internal audit involves the assessor connecting to a sample of your devices (typically remotely, though some assessors may visit on-site) and checking their patch levels, configurations, and security settings.

The assessor will also test your malware protection by attempting to download test files (harmless files that trigger antivirus detection) to verify that your malware protection is working correctly.

Results and Certification

If your organisation passes all elements of the assessment, the certificate is typically issued within two to five business days. Congratulations — you are Cyber Essentials Plus certified.

If the assessment identifies issues, you will usually be given a remediation window of around 30 days to address the problems and submit for a re-test. The re-test focuses specifically on the areas that failed, rather than repeating the entire assessment. If you pass the re-test, your certificate is issued. If not, you may need to start the process again.

End-to-End Timeline Scenarios

To put this all in context, here are three realistic scenarios showing the total time from initial decision to Cyber Essentials Plus certification.

Best Case: Well-Prepared Organisation

A 30-person professional services firm with a modern, well-managed IT environment. They use Microsoft 365 with Intune for device management, have a clear understanding of their IT estate, and their security controls are already largely in place.

Week 1: Complete the Cyber Essentials basic questionnaire and receive certification. Simultaneously conduct an internal gap analysis.
Week 2: Address minor gaps identified (a few missing patches, one end-of-life application). Schedule the Plus assessment.
Week 3: Undergo the Plus assessment and pass. Certificate issued within days.

Total time: approximately three weeks.

Typical Case: Average UK Business

A 75-person manufacturing company with a mix of modern and legacy IT systems. Some devices are well-managed; others have been neglected. They have a basic understanding of Cyber Essentials requirements but have not yet implemented all the necessary controls.

Weeks 1–2: Research and complete the Cyber Essentials basic questionnaire. Address questions from the assessor. Receive basic certification.
Weeks 3–4: Conduct gap analysis. Identify significant issues including unpatched third-party applications, users with unnecessary admin rights, and an end-of-life server OS.
Weeks 5–7: Remediate identified issues. Migrate the server OS, deploy a third-party patching tool, reconfigure user accounts.
Week 8: Conduct a final internal scan to verify readiness. Schedule the Plus assessment.
Week 9: Undergo the Plus assessment. Minor issue found; remediate within one week and pass the re-test.
Week 10: Certificate issued.

Total time: approximately ten weeks.

Challenging Case: Complex Organisation

A 200-person organisation with multiple offices, diverse IT systems, significant legacy infrastructure, and limited in-house cybersecurity expertise. They are pursuing Cyber Essentials Plus for the first time to meet a contract requirement.

Weeks 1–3: Engage a specialist partner. Conduct a thorough IT audit and complete the basic Cyber Essentials questionnaire with expert guidance. Receive basic certification.
Weeks 4–8: Comprehensive remediation programme. Upgrade legacy systems, deploy endpoint management, implement MFA, overhaul firewall configurations, establish patch management processes.
Weeks 9–10: Internal mock assessment. Identify and address remaining gaps.
Week 11: Official Plus assessment.
Week 12: Remediation of any issues and re-test if needed. Certificate issued.

Total time: approximately twelve weeks.

Factors That Slow Down the Process

Several factors can extend the timeline beyond what you might expect. Being aware of these in advance allows you to plan accordingly and avoid unpleasant surprises.

Legacy systems. Migrating away from end-of-life software is often the most time-consuming remediation task. It may involve purchasing new licenses, testing application compatibility, migrating data, and retraining users. Allow extra time if you know you have legacy systems that need to be addressed.

Change control processes. Larger organisations often have formal change management processes that require changes to be requested, approved, tested, and scheduled through a change advisory board. While these processes are valuable for managing risk, they can add weeks to the remediation timeline if not planned for in advance.

Procurement cycles. If you need to purchase new software, hardware, or services to meet the Cyber Essentials requirements, your organisation's procurement process may add time. Budget approvals, vendor evaluations, and contract negotiations can all introduce delays.

Staff availability. If your IT team is small or heavily committed to other projects, finding the time to prepare for the assessment can be challenging. Consider whether you need to bring in external support to keep the project on track.

Certification body availability. During peak periods (particularly the end of the UK financial year in March/April), certification bodies may have longer wait times for scheduling assessments. Book your assessment slot as early as possible to avoid delays.

Tips to Accelerate Your Timeline

If you are working to a deadline, here are some practical steps you can take to minimise the time to certification.

Start your preparation before applying for basic Cyber Essentials. There is nothing stopping you from conducting a gap analysis and beginning remediation work before you submit your basic questionnaire. In fact, doing so is highly advisable — it means the remediation work is already underway (or complete) by the time you receive your basic certification, shortening the gap between basic and Plus.

Use automated tools for patching and configuration management. Manual processes are slow and error-prone. Investing in tools like Microsoft Intune, ManageEngine, or NinjaRMM can dramatically accelerate your preparation by automating the most time-consuming tasks.

Engage a specialist partner early. An experienced Cyber Essentials partner can conduct your gap analysis, manage the remediation process, and coordinate with the certification body — all of which saves time and reduces the risk of delays.

Run your own vulnerability scan. Do not wait for the assessor to find problems. Run your own scan using tools like Nessus, OpenVAS, or Qualys, and fix everything that appears before the official assessment.

Pro Tip

If you are working to a contract deadline, communicate this to your certification body when you first engage with them. Most bodies will make reasonable efforts to accommodate urgent timescales, particularly if you are well-prepared and have already completed your basic certification.

Is the Time Investment Worth It?

Absolutely. Cyber Essentials Plus certification is increasingly recognised as the baseline standard for cybersecurity in the UK. It is required for many government contracts, expected by a growing number of private sector clients, and valued by insurers when assessing cyber risk. The time invested in achieving certification pays dividends in commercial opportunity, risk reduction, and organisational resilience.

Moreover, the preparation process itself delivers lasting value. The gap analysis and remediation work that you undertake to prepare for the assessment does not just get you a certificate — it genuinely improves your security posture. The vulnerabilities you patch, the configurations you tighten, and the processes you put in place protect your organisation every day, not just during the assessment.

For most UK organisations, the entire process from initial decision to certificate takes between four and twelve weeks. With proper planning, the right tools, and expert guidance where needed, you can be confident of achieving certification within a timeframe that works for your business.

Ready to Get Started?

We help UK organisations achieve Cyber Essentials Plus certification as quickly and smoothly as possible. Whether you need a gap analysis, hands-on remediation support, or end-to-end project management, our team is here to help.

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.