How Long Does a Cyber Essentials Plus Assessment Take?

One to three days for the actual testing. That is the answer most people want to hear. But honestly, most people underestimate everything around those days, which is where timelines go wrong. There are fixed windows either side that nobody can compress, and forgetting them turns a two-week job into a two-month headache.
The sequence you can't skip
CE Plus follows a fixed chain, in this order.
Basic CE first. You need a current basic CE certificate before Plus becomes an option. We can get basic CE turned around in 48 hours, but preparation depends on where your controls sit. Some businesses already have everything sorted (proper firewall, patching done, MFA on) and just need the paperwork. Others need three weeks of fixes before the assessment can even start.
90-day window. Once you've got basic CE, Plus must be completed within 90 calendar days of your VSA (Verified Self-Assessment) certificate date. Miss the window and your basic cert is still valid, but you'd need to recertify basic CE before trying Plus again. I've watched companies miss this by a week because somebody was on holiday. Extensions are only granted in exceptional circumstances through IASME's formal support process.
Pre-assessment coordination. Scope gets confirmed, device builds counted, sample size calculated, testing booked. Usually a few days of back and forth. Sometimes a week if the organisation takes ages getting their device list together (and they often do).
Testing. One to three days of active testing, which is the bit everyone asks about.
Remediation if needed. If the assessor finds problems, you get up to 30 calendar days to fix them (not business days). But that 30 days sits inside the 90-day overall window. If you used 70 days before the first test, your remediation window is effectively 20 days, not 30. Under the Danzell double sampling rule, if your first sample fails, the assessor tests a second random sample of different devices within the same remediation window. Let the clock run out and the whole assessment fails.
Certification. Assessor is satisfied, certificate gets issued.
What drives the testing duration
How many builds you run
CE Plus does not test every device. The IASME sampling methodology groups devices by OS build and pulls a representative sample from each group. Thirty Windows 11 workstations on the same build might yield three to five in the sample. But a company with 200 devices spread across eight configurations (Windows 11 Home, Windows 11 Pro, macOS Sonoma, a couple of server editions, a Linux box somewhere) ends up with a much larger sample, because every build needs its own set tested.
So more builds means more testing, and the maths is straightforward.
Servers
Every server gets tested individually, without exception; the workstation sampling rules do not apply. Fifteen servers means fifteen servers in scope. They also take longer per device than a workstation because configurations are more involved, and frankly there is more that can go wrong on a server than on a laptop someone uses for email.
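Here is what that grouping looks like in practice. This is an added worked example, not the article's own script and not an IASME tool: a short Python program that takes a device inventory, groups it by OS build, puts every server in scope and draws a sample from each workstation build. The inventory rows are constructed, and the per-build sample tiers are an illustrative assumption standing in for the real IASME sampling table, which the assessor applies. It also produces the grouped device list the preparation section asks for.

```python
"""Group a device inventory by OS build and estimate the CE Plus sample.

Added example: not the article's code and not an IASME tool. The inventory
is constructed inline, and the per-build sample tiers are an illustrative
assumption, not the real IASME sampling table (the assessor applies that).
What is encoded exactly from the article: one sample per distinct OS build,
and every server tested regardless of sampling.
"""
import random
from collections import defaultdict


def constructed_inventory():
    """Constructed estate: 38 workstations across 5 builds plus 3 servers."""
    rows = [(f"WS-{i:03d}", "workstation", "Windows 11 Pro", "23H2 (22631.3447)")
            for i in range(1, 31)]
    rows += [
        ("WS-031", "workstation", "Windows 11 Pro", "22H2 (22621.3296)"),
        ("WS-032", "workstation", "Windows 11 Pro", "22H2 (22621.3296)"),
        ("WS-033", "workstation", "Windows 11 Home", "23H2 (22631.3447)"),
        ("MAC-01", "workstation", "macOS", "14.4.1"),
        ("MAC-02", "workstation", "macOS", "14.4.1"),
        ("MAC-03", "workstation", "macOS", "14.4.1"),
        ("MAC-04", "workstation", "macOS", "14.4.1"),
        ("LNX-01", "workstation", "Ubuntu", "22.04.4"),
        ("SRV-01", "server", "Windows Server 2022", "21H2 (20348.2402)"),
        ("SRV-02", "server", "Windows Server 2022", "21H2 (20348.2402)"),
        ("SRV-03", "server", "Windows Server 2019", "1809 (17763.5696)"),
    ]
    return rows


def workstation_sample_size(group_size):
    """Illustrative tiers (assumption, not IASME's table). Tiny groups are tested in full."""
    if group_size <= 3:
        return group_size
    if group_size <= 15:
        return 3
    if group_size <= 50:
        return 5
    return 8


def plan_sample(rows, rng=None):
    """Return one entry per (role, OS, build) with the devices to be tested."""
    rng = rng or random.Random()
    groups = defaultdict(list)
    for host, role, os_name, build in rows:
        groups[(role.lower(), os_name, build)].append(host)
    plan = []
    for (role, os_name, build), hosts in sorted(groups.items()):
        if role == "server":
            chosen = sorted(hosts)  # every server is tested, no sampling
        else:
            chosen = sorted(rng.sample(hosts, workstation_sample_size(len(hosts))))
        plan.append({"role": role, "os": os_name, "build": build,
                     "devices": len(hosts), "tested": len(chosen), "hosts": chosen})
    return plan


def summarise(plan):
    """Totals the assessor will care about: builds, servers, devices actually tested."""
    return {
        "devices": sum(g["devices"] for g in plan),
        "tested": sum(g["tested"] for g in plan),
        "workstation_builds": sum(1 for g in plan if g["role"] == "workstation"),
        "servers": sum(g["devices"] for g in plan if g["role"] == "server"),
    }


if __name__ == "__main__":
    plan = plan_sample(constructed_inventory(), random.Random(1))
    for g in plan:
        print(f"{g['role']:<11} {g['os']:<20} {g['build']:<20} "
              f"{g['tested']:>2}/{g['devices']:<3} {', '.join(g['hosts'])}")
    print(summarise(plan))
```

Run it and you get one line per build with the sample beside the group size: the 30 identical Windows 11 Pro machines contribute 5, the three servers contribute 3, and the estate of 41 devices comes down to 15 on the test bench. Swap the constructed rows for an export from Intune, AD or your MDM (the column mapping is yours to supply) and you will know how many builds you really run before the assessor asks.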
Estate complexity
Single office, one internet connection, one firewall is quick to assess. Multi-site with VPNs, cloud infrastructure, multiple internet breakout points, maybe a colocation somewhere is not quick at all. And the assessor runs external vulnerability scans against every internet-facing IP, so when there are a lot of those, each one adds time. A company with 23 public IPs is not unusual, and that external scan alone takes most of a morning.
Remote or on-site
Most assessments run remotely now, which is quicker to set up because nobody is travelling. It can run slower if the remote access link has latency problems (and I've seen some truly painful ones), but generally it balances out. Some organisations prefer on-site because their setup doesn't lend itself to remote access. Read about how remote testing works if you want the detail.
Rough guide by organisation size
Under 50 devices, one or two builds. Single day. The external vulnerability scan runs overnight or while the assessor is setting up. Internal scanning, malware checks, MFA verification and account separation all fit comfortably. But this is the size where people assume it takes an hour.
50 to 250 devices, three to five builds. Day and a half to two days. Bigger sample, more builds to verify, likely more servers. External scan may cover more IPs. This is the bracket where people get surprised because they picture "a quick audit" and it is not.
250 plus devices, six or more builds. Two to three days. Multi-site, lots of servers, complex infrastructure. Assessor may need extra time on the external scan if you've got many internet-facing services. That's too long in my view, but there is no way to compress it without cutting corners.
Those are testing durations only, not the full timeline. Pre-assessment coordination, remediation, and certification processing sit on top. Not many people factor that into their planning.
What the assessor actually tests
Five test cases in CE Plus:
- External vulnerability scan: Unauthenticated scan of all internet-facing IPs. Open ports, vulnerable services, missing patches visible from outside.
- Internal authenticated scan: Assessor logs into sampled devices, checks patch levels, configuration, and security settings from inside the device.
- Malware protection: Antivirus or antimalware installed, running, configured. Tested with an EICAR test file to confirm real-time protection actually catches something. You'd be surprised how often it doesn't, usually because an exclusion policy is too broad.
- MFA verification: Assessor checks every cloud service, attempts login, confirms the MFA prompt appears. Not just "MFA is enabled in the admin panel" but actually triggered during authentication. I've had organisations where MFA was turned on in the settings yet the login sailed straight through. So I dug into conditional access and found an exemption nobody remembered creating.
- Account separation: Admin accounts separate from daily-use accounts. Users should not have unnecessary elevated privileges. The number of organisations where the director's daily account has Domain Admin is higher than it should be, and yours might be one of them.
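For the malware-protection case, here is the kind of check you can run yourself before the assessor does. This is an added example, not the assessor's script or anything from IASME: it drops the standard EICAR test file, waits, and reports whether on-access scanning refused the write, removed the file, or left it sitting there. The directories are assumptions; the reason the script accepts several is the over-broad exclusion mentioned above, where protection fires in a temp folder but not inside an excluded application or share path.

```python
"""Drop the EICAR test file and report whether real-time protection removed it.

Added example, not the article's or IASME's procedure. EICAR is the standard,
harmless 68-byte test string that every mainstream AV detects. It is built
from two halves so this source file is not itself quarantined. Directories
passed in are assumptions; test the ones you suspect are excluded.
"""
import os
import sys
import tempfile
import time

EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _write_wait_check(path, wait_seconds):
    """Write EICAR to path, give the scanner a moment, then see what is left."""
    try:
        with open(path, "w", newline="") as fh:
            fh.write(EICAR)
    except OSError as exc:  # on-access scanner refused the write outright
        return {"path": path, "blocked": True, "reason": f"write refused: {exc}"}
    time.sleep(wait_seconds)
    try:
        with open(path, "r", newline="") as fh:
            intact = fh.read() == EICAR
    except OSError as exc:  # quarantined or deleted after the write
        return {"path": path, "blocked": True, "reason": f"removed after write: {exc}"}
    if not intact:
        return {"path": path, "blocked": True, "reason": "file altered (cleaned or quarantined)"}
    try:
        os.remove(path)  # tidy up, since the scanner did not
    except OSError:
        pass
    return {"path": path, "blocked": False,
            "reason": "file intact after wait: real-time protection did not fire"}


def drop_eicar(directory=None, wait_seconds=3.0):
    """Test one directory. With directory=None a fresh temp dir is used and removed."""
    made_dir = directory is None
    if made_dir:
        directory = tempfile.mkdtemp(prefix="eicar_")
    result = _write_wait_check(os.path.join(directory, "eicar_test.com"), wait_seconds)
    if made_dir:
        try:
            os.rmdir(directory)
        except OSError:
            pass
    return result


def check_paths(paths, wait_seconds=3.0):
    """Run the drop in every directory given; any 'blocked': False is a finding."""
    return [drop_eicar(p, wait_seconds) for p in paths]


if __name__ == "__main__":
    # No arguments: temp dir only. Otherwise the directories you suspect are excluded.
    targets = sys.argv[1:] or [None]
    for r in check_paths(targets):
        verdict = "BLOCKED" if r["blocked"] else "NOT BLOCKED"
        print(f"{verdict:<12} {r['path']}  ({r['reason']})")
```

Run it with no arguments to test the temp directory, or pass the paths you think an exclusion covers, such as an application folder or a mapped share. A "NOT BLOCKED" in any of them is exactly the finding the assessor would write up.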
Making it faster
Get your device list ready before pre-assessment. Full inventory, grouped by OS and build version. A third of the organisations I assess don't have this when I ask. That delay adds days before testing starts.
Fix what you already know about. Firewall firmware a version behind? Workstation still on Windows 10 21H2? Sort it before the assessor gets involved. Problems found during testing trigger the 30-day remediation window, turning a clean pass into a six-week process.
Test your remote access. If the assessment is remote, check the connection beforehand. A broken VPN on testing day wastes a full morning. I've lost count of how often this happens.
Make sure someone is available. The assessor needs credentials, access to devices, and someone who can answer questions. If your IT person is on annual leave during testing week, the whole thing stalls. Can you afford that?
Preparing for CE Plus and want to know where the basic controls stand first? The readiness quiz takes five minutes with no commitment required.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and assessment tips delivered without spam or sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn
Related articles
- Cyber Essentials Plus Assessment Process Explained
- Cyber Essentials Plus Sample Sizes
- Cyber Essentials Plus Remote Testing
- How to Prepare for Cyber Essentials Plus
Related Guides
Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study
How Net Sec Group delivered Cyber Essentials and CE Plus certification to an NHS Wales contractor in 5 days to meet a contract deadline. The full process from scoping to certification.
Cyber Essentials Plus Assessment Process: What Actually Happens
Five test cases, a sampling methodology, and a 30-day remediation window. Here's what the CE Plus assessment covers and what to expect.
Cyber Essentials Plus Sample Sizes: How Many Devices Get Tested?
CE Plus doesn't test every device. The IASME sampling table determines how many from each OS build, with servers always tested. Here's how the calculation works.