Cyber Essentials Timeline: How Long Certification Takes in 2026

Three calls last week, all with the same question: "How long is this actually going to take?"
The honest answer is that it depends on where you're starting from. A business that's already running tight controls can be certified in days. A business with a patching backlog and MFA gaps across a dozen cloud services could take weeks, possibly more.
I've certified over 800 organisations and the pattern is consistent. The assessment itself isn't what takes the time; the preparation is where the real work happens.
Here's how each stage actually breaks down.
Basic Cyber Essentials timeline
Basic CE is a self-assessment questionnaire: you fill it in, an assessor reviews your answers, and if everything lines up, you get the certificate. It sounds simple because it genuinely is simple, but the complications come from what you discover while filling it in.
Preparation (1 day to 4 weeks)
This is where the timeline gets unpredictable.
If your patching is current, MFA is active across every cloud service, and your firewalls are configured properly, preparation takes a day. You're gathering evidence and reviewing the question set, and that covers the entire preparation effort.
If you've got a backlog of patches stretching back months, unsupported software you keep meaning to replace, or MFA that's only turned on for some services and not others, you're looking at two to four weeks. The 30-day preparation plan goes through this properly.
Most businesses land somewhere in the middle. A few days to close specific gaps, then ready to submit.
Some businesses think they'll need a month. Their IT provider has usually already set up most of the controls and nobody realised. Two days of checking, one afternoon on the questionnaire, and they're done, which is more common than most people expect.
Self-assessment completion (2 to 4 hours)
The questionnaire runs to about 90 questions. If you know your environment (or you've done the preparation work), you can get through it in a few hours. It's not timed, so you can save your progress and come back.
The questions are specific and technical: "Is MFA enabled on all cloud services?" "Are critical patches applied within 14 days?" "Have default passwords been changed on all firewalls?" None of these are trick questions. If you've done the preparation, you know the answers. If you're guessing, that's a sign you weren't ready to submit.
One thing I see regularly: people rush the questionnaire, give vague answers, and then spend a week going back and forth with the assessor clarifying what they actually meant. That's an entirely avoidable delay, so take the time to answer precisely the first time.
Assessor review (1 to 5 working days)
Once you submit, an assessor goes through your answers and any supporting evidence. If everything is clear and consistent, the review is quick. If answers are ambiguous or evidence is missing, the assessor comes back with questions.
Our turnaround times at Net Sec Group:
- Fast Track: certificate within 12 hours of submission
- Standard: certificate within 48 hours of submission
Other certification bodies have their own timescales. Ask about them before you commit.
Fast Track exists for a reason: contracts don't wait. We had one client submit on a Friday and get certified by Monday. Their estate was clean because they'd been maintaining controls all year. When the tender deadline landed, they were ready. That's the ideal scenario for both sides.
Certificate issued
Once the assessor is satisfied, the certificate gets issued. You can download it straight away and share it with clients, procurement teams, or insurers.
Total timeline for basic CE: one to four weeks including preparation. As fast as 12 hours if you're genuinely ready.
Cyber Essentials Plus timeline
CE Plus adds a technical audit on top of basic CE. You can't do CE Plus without passing basic CE first.
This is where the timeline gets more rigid, because there's hands-on testing involved and the assessor needs access to your systems.
Scheduling (1 to 5 working days)
After passing basic CE, you schedule the technical audit. This means agreeing the scope, the test dates, and any access requirements (VPN credentials, admin accounts, that sort of thing).
We can usually get a CE Plus audit booked within a few working days. During busy periods, it can take considerably longer. When a new question set launches or government contract deadlines cluster together, every assessor in the country gets busy at once. I've seen scheduling delays of two weeks during peak times. If you know you need CE Plus by a specific date, don't leave it to the last minute.
Technical audit (3 to 5 working days)
The assessor runs vulnerability scans, tests MFA, checks configurations, and verifies patch status on a sample of your in-scope devices. Most of this testing happens remotely rather than on-site.
For a small organisation (under 50 devices), three days is typical. Larger organisations with more complex scope, multiple sites, or mixed operating systems usually take the full five days. Very large estates sometimes run longer than five days.
The thing people don't always realise about CE Plus is that the assessor is testing what you claimed in your basic CE answers. If you said all devices are patched within 14 days, the assessor checks whether that's actually true. If you were optimistic on the questionnaire, this is where it catches up with you.
Remediation (0 to 30 days)
If the audit finds issues, you get time to fix them.
Under Danzell (from 27 April 2026), this is a single 30-day window. If double sampling is triggered, both samples have to be resolved within that same 30-day period. That's tighter than it sounds if you've got infrastructure spread across multiple sites.
Most organisations that prepared properly need minimal remediation. The common findings (a missed patch on one device, an MFA gap on a service someone forgot about) take hours to fix, not weeks.
If your audit comes back clean, there's no remediation. The assessor confirms results and the certificate follows.
I'll be honest: a clean audit on the first pass is satisfying for both sides. It means the preparation was done right. About a third of the CE Plus audits I run come back clean first time. The other two thirds have minor findings that get resolved within a week. Genuine failures are rare when people have actually prepared.
Certificate issued
After remediation (if needed) is verified, the CE Plus certificate is issued. Download it, share it with clients, and move on.
Total timeline for CE Plus: one to three weeks from starting. Three to five working days for the audit itself.
What actually affects your timeline
Scope
More devices and more cloud services means more to test. A sole trader with five laptops and Microsoft 365 is a different proposition from an organisation with 200 devices across three offices and 20 cloud services. The audit takes longer, there's more surface area for findings, and remediation (if needed) gets more involved.
Scope is the single biggest variable I see in CE Plus timelines.
How ready you are before you start
This matters more than anything else in the process. Organisations that have already closed their gaps move through the assessment quickly. Organisations that submit hoping for the best and then discover problems add weeks.
I've seen it go both ways in practice. A 200-device company that prepared properly: two weeks for both certificates. A 30-device company that hadn't done any preparation: six weeks, because they kept finding things that needed fixing mid-assessment.
Assessor availability
Demand peaks around government tender deadlines and when new requirements launch. Around the Danzell transition in April 2026, assessors will be busier than usual. If you need certification by a specific date, start early. That's not a sales pitch, it's just how the calendar works.
Question set transitions
When a new question set launches (Danzell replaces Willow from 27 April 2026), there's a transition period. Assessments started before the cutoff use the old set. Assessments started after use the new one.
My honest opinion: don't try to be one of the first through a new question set unless you have to be. Give it a couple of weeks for the dust to settle. Let the initial questions get asked and answered. The requirements are the same either way, but the first cohort always generates more back-and-forth because everyone is adjusting.
Realistic timeline examples
Sole trader, cloud-based, controls already in place. Preparation takes 1 day, assessment via Fast Track takes 12 hours, totalling about 2 days.
Small business, 20 devices, a few gaps to close. Preparation takes about 2 weeks, standard assessment takes 48 hours, totalling about 2.5 weeks.
Medium business, 100 devices, multi-site, patching backlog. Preparation takes about 4 weeks, standard assessment takes 48 hours, totalling roughly 5 weeks. And that's if the patching backlog doesn't throw up surprises.
Same medium business adds CE Plus. Scheduling takes about 3 days, the audit takes 5 days, and remediation takes about 1 week. Total: about 2.5 weeks after basic CE.
These aren't aspirational numbers, they're based on what I actually see across assessments.
Our fastest turnaround
Four days for both CE and CE Plus, from zero to fully certified.
That was a small organisation with a genuinely clean environment who needed both certificates for a government contract. Their IT was well managed and their controls were already in place. They just hadn't gone through the certification process before.
It's not typical, but it is possible when the controls are already there and the scope is small.
For most businesses, a realistic fast turnaround is one to two weeks for basic CE and another one to two weeks for CE Plus. If someone tells you they can do CE Plus in a day, ask questions about what they're actually testing.
Annual renewal
Your CE certificate is valid for 12 months. When renewal comes around, you go through the assessment again. The timeline is essentially the same as the first time, with one difference: you've already done it.
If you've maintained your controls through the year (patching current, MFA still active, scope up to date), renewal preparation takes a day or less. You're confirming nothing has changed and completing the questionnaire for the current period.
If you've let things drift, renewal becomes a preparation exercise: new cloud services without MFA configured, a patching backlog that built up over the summer, devices added to the network that aren't in your scope description. Each of those issues extends the renewal timeline.
The best approach: set a reminder two weeks before your certificate expires. Run through the readiness checklist, fix anything that's drifted, and submit with confidence.
If your renewal falls after 27 April 2026 and you last certified under Willow, your renewal uses the Danzell question set. Allow extra time to review the Danzell changes and confirm your controls meet the updated requirements. The changes aren't cosmetic by any measure: MFA scope is wider, patching windows are tighter, and personal devices are more firmly in scope.
Quoting timelines to your board
If someone senior asks "how long will this take?", give them the realistic range rather than the best case.
For basic CE: "Two to three weeks from starting preparation to having the certificate. Faster if our controls are already in place."
For CE Plus: "An additional two to three weeks after basic CE. The technical audit takes three to five working days, plus time for any remediation."
For both together: "Four to six weeks total. Faster if we prepare in advance."
Don't promise the Fast Track timeline unless you're confident your controls are actually in place. If you're not ready, it just means you fail faster.
I see this go wrong about once a month. Someone promises the board a two-week turnaround, discovers problems during preparation, and spends three weeks explaining the delay. Set expectations properly from the start and build in contingency time.
How to avoid delays
Prepare before you apply. Don't submit the self-assessment and hope. Close the gaps first. The readiness checklist takes five minutes to review.
Get your scope right from the beginning. Ambiguous scope descriptions create back-and-forth with the assessor. List every site, every device type, every cloud service. If you're not sure whether something is in scope, it probably is.
Answer the questionnaire accurately. Vague or optimistic answers trigger follow-up questions. If you don't know the answer, check before you submit. Guessing costs you time.
Respond quickly when the assessor has questions. A 48-hour assessment can turn into a two-week assessment if you take a week to reply to each query. I've seen this happen more than I'd like.
For CE Plus: run your own vulnerability scan first. Find the issues before the assessor does. The audit goes faster when there's nothing to remediate, and you avoid the surprise of discovering problems you didn't know existed during a timed assessment window.
Talk to your IT provider early. If someone else manages your infrastructure, loop them in before you start. Half the delays I see come from the business waiting on their IT provider to answer questions or make changes. Your provider needs to know this is happening and when.
We quote within 24 hours, and reports are delivered within 48 hours of completion. You can see our CE and CE Plus pricing and turnaround options on the website. If you've got a deadline, get in touch and we'll tell you straight whether the timeline works.