How long does Cyber Essentials take?

If your controls are already in good shape, Cyber Essentials self-assessment can be done in a few days to a couple of weeks. The thing that stretches the timeline is remediation — fixing whatever currently fails. Cyber Essentials Plus then adds an audit to schedule, with a three-month window from CE to CE Plus.

By Rob Smith. Published 3 Jun 2026. Reviewed Jun 2026.

Key takeaways
  • Prepared business: the self-assessment is realistically a few days to two weeks.
  • The variable is remediation — fixing failing controls is what makes timelines balloon.
  • Cyber Essentials Plus adds an audit to schedule on top of the self-assessment.
  • You have three months from achieving CE to complete CE Plus; certification lasts 12 months.

The honest answer: it depends on your starting point

There’s no single number, because Cyber Essentials timing is driven almost entirely by how close your current setup already is to the five controls. The assessment paperwork is quick. Getting your environment ready for it is the part that varies from an afternoon to several weeks.

So the useful way to answer “how long?” is to split it into two: how long the self-assessment takes if everything passes, and how long any remediation takes if it doesn’t.

If your controls are already in place

If you’re running supported software, MFA is on everywhere, patching is current, admin rights are tidy and every device has malware protection, then Cyber Essentials is mostly an evidence-gathering exercise. Realistically that’s a few days to two weeks: completing the IASME questionnaire accurately, collecting screenshots and policy details, and submitting. A certification body then marks it, usually quickly, and you have your certificate.

If you have remediation to do

This is where timelines stretch — and it’s normal for first-timers. The common fixes and their rough effort:

  • Replacing unsupported operating systems or software. Can be the longest item if hardware or licensing is involved — days to a few weeks.
  • Rolling out MFA across cloud and admin accounts — usually quick to configure, but allow time for user rollout.
  • Clearing high and critical vulnerabilities with patching — fast once a process exists, slower if patching has been neglected.
  • Removing admin rights and changing default passwords — quick technically, but needs care so nobody loses access they genuinely need.

The more devices in scope, the longer remediation takes. Ongoing patch management removes the biggest recurring delay by keeping the update control satisfied at all times.

Cyber Essentials doesn’t take long. Becoming the kind of business that passes it is what takes time — and that’s the bit worth doing anyway.

Adding Cyber Essentials Plus

Cyber Essentials Plus builds on the self-assessment with an independent, hands-on audit. That adds two things to your timeline: scheduling the audit with a certification body, and completing it. Lead time depends on the body’s availability and your device count, and is often a matter of weeks.

Crucially, you must achieve standard Cyber Essentials first, then complete Plus within three months. Plan backwards from your deadline so the self-assessment, any remediation and the audit all fit inside that window. Our Cyber Essentials Plus guide sets out exactly what the audit covers so it doesn’t add unexpected delays.

Typical end-to-end timelines

  • Prepared SMB, standard CE: a few days to two weeks.
  • Unprepared SMB, standard CE: a few weeks, dominated by remediation.
  • Prepared SMB, CE then CE Plus: a few weeks, mostly audit scheduling, comfortably inside the three-month window.
  • Unprepared SMB, CE then CE Plus: plan for the full three-month window and start early.

How to make it faster

The single biggest accelerator is going in already compliant, so the assessment is just confirmation. A partner shortens things by scoping accurately up front, fixing gaps in parallel rather than one at a time, and making sure a CE Plus audit holds no surprises that force a re-test. That’s how our Cyber Essentials service is built — and once you’re certified, keeping the controls live makes each annual renewal quick rather than another project.

FAQ

Questions we get asked.

How long does Cyber Essentials take to complete?

If your controls are already in place, the self-assessment can realistically be done in a few days to a couple of weeks — mostly gathering evidence and answering the questionnaire accurately. The variable that stretches the timeline is remediation: fixing failing controls before you submit.

What makes it take longer?

Remediation is almost always the slow part. Replacing unsupported operating systems, rolling out MFA, clearing unpatched high and critical vulnerabilities, and removing admin rights can take from a few days to several weeks, depending on how far your setup is from the standard and how many devices are involved.

How much longer does Cyber Essentials Plus add?

Plus adds scheduling and completing an independent, hands-on audit on top of the self-assessment. Once you’ve achieved standard Cyber Essentials, you have three months to complete Plus, and the audit itself is typically arranged within a few weeks, depending on the body’s availability and your device count.

How long is Cyber Essentials valid for?

Certification is valid for 12 months, then you re-certify. Keeping the controls in place all year — rather than fixing things just before assessment — makes each annual renewal quick rather than another full project.
