Cyber Essentials Timeline: How Long Certification Takes in 2026

Three calls last week, all with the same question: "How long is this actually going to take?"
The honest answer is that it depends on where you're starting from. A business that's already running tight controls can be certified in days. A business with a patching backlog and MFA gaps across a dozen cloud services could take weeks, possibly more.
I've certified over 800 organisations and the pattern is consistent. The assessment itself isn't what takes the time; the preparation is where the real work happens.
Here's how each stage actually breaks down.
Basic Cyber Essentials timeline
Basic CE is a self-assessment questionnaire: you fill it in, an assessor reviews your answers, and if everything lines up, you get the certificate. It sounds simple because it genuinely is simple, but the complications come from what you discover while filling it in.
Preparation (1 day to 4 weeks)
This is where the timeline gets unpredictable.
If your patching is current, MFA is active across every cloud service, and your firewalls are configured properly, preparation takes a day. You're gathering evidence and reviewing the question set, and that covers the entire preparation effort.
If you've got a backlog of patches stretching back months, unsupported software you keep meaning to replace, or MFA that's only turned on for some services and not others, you're looking at two to four weeks. The 30-day preparation plan goes through this properly.
Most businesses land somewhere in the middle. A few days to close specific gaps, then ready to submit.
Some businesses think they'll need a month. Their IT provider has usually already set up most of the controls and nobody realised. Two days of checking, one afternoon on the questionnaire, and they're done, which is more common than most people expect.
Self-assessment completion (2 to 4 hours)
The questionnaire runs to about 90 questions. If you know your environment (or you've done the preparation work), you can get through it in a few hours. It's not timed, so you can save your progress and come back.
The questions are specific and technical: "Is MFA enabled on all cloud services?" "Are critical patches applied within 14 days?" "Have default passwords been changed on all firewalls?" None of these are trick questions. If you've done the preparation, you know the answers. If you're guessing, that's a sign you weren't ready to submit.
One thing I see regularly: people rush the questionnaire, give vague answers, and then spend a week going back and forth with the assessor clarifying what they actually meant. That's an entirely avoidable delay, so take the time to answer precisely the first time.
Assessor review (1 to 5 working days)
Once you submit, an assessor goes through your answers and any supporting evidence. If everything is clear and consistent, the review is quick. If answers are ambiguous or evidence is missing, the assessor comes back with questions.
Our turnaround times at Net Sec Group:
- Fast Track: certificate within 12 hours of submission
- Standard: certificate within 48 hours of submission
Other certification bodies have their own timescales, so ask about them before you commit to one.
Fast Track exists for a reason, because contracts don't wait. We had one client submit on a Friday and get certified by Monday. Their estate was clean because they'd been maintaining controls all year. When the tender deadline landed, they were ready. That's the ideal scenario for both sides.
Certificate issued
Once the assessor is satisfied, the certificate gets issued. You can download it straight away and share it with clients, procurement teams, or insurers.
Total timeline for basic CE: one to four weeks including preparation. As fast as 12 hours if you're genuinely ready.
Cyber Essentials Plus timeline
CE Plus adds a technical audit on top of basic CE. You can't do CE Plus without passing basic CE first.
This is where the timeline gets more rigid, because there's hands-on testing involved and the assessor needs access to your systems.
Scheduling (1 to 5 working days)
After passing basic CE, you schedule the technical audit. This means agreeing the scope, the test dates, and any access requirements (VPN credentials, admin accounts, that sort of thing).
We can usually get a CE Plus audit booked within a few working days. During busy periods, it can take considerably longer. When a new question set launches or government contract deadlines cluster together, every assessor in the country gets busy at once. I've seen scheduling delays of two weeks during peak times. If you know you need CE Plus by a specific date, don't leave booking to the last minute.
Technical audit (3 to 5 working days)
The assessor runs vulnerability scans, tests MFA, checks configurations, and verifies patch status on a sample of your in-scope devices. Most of this testing happens remotely rather than on-site.
For a small organisation (under 50 devices), three days is typical. Larger organisations with more complex scope, multiple sites, or mixed operating systems usually take the full five days. Very large estates sometimes run longer than five days.
The thing people don't always realise about CE Plus is that the assessor is testing what you claimed in your basic CE answers. If you said all devices are patched within 14 days, the assessor checks whether that's actually true. If you were optimistic on the questionnaire, this is where it catches up with you.
Remediation (0 to 30 days)
If the audit finds issues, you get time to fix them.
Under Danzell (from 27 April 2026), this is a single 30-day window. If double sampling is triggered, both samples have to be resolved within that same 30-day period. That's tighter than it sounds if you've got infrastructure spread across multiple sites.
Most organisations that prepared properly need minimal remediation. The common findings (a missed patch on one device, an MFA gap on a service someone forgot about) take hours to fix, not weeks.
If your audit comes back clean, there's no remediation. The assessor confirms results and the certificate follows.
I'll be honest: a clean audit on the first pass is satisfying for both sides. It means the preparation was done right. About a third of the CE Plus audits I run come back clean first time. The other two thirds have minor findings that get resolved within a week. Genuine failures are rare when people have actually prepared.
Certificate issued
After remediation (if needed) is verified, the CE Plus certificate is issued. Download it, share it with clients, and move on.
Total timeline for CE Plus: one to three weeks from starting. Three to five working days for the audit itself.
What actually affects your timeline
Scope
More devices and more cloud services means more to test. A sole trader with five laptops and Microsoft 365 is a different proposition from an organisation with 200 devices across three offices and 20 cloud services. The audit takes longer, there's more surface area for findings, and remediation (if needed) gets more involved.
Scope is the single biggest variable I see in CE Plus timelines.
How ready you are before you start
This matters more than anything else in the process. Organisations that have already closed their gaps move through the assessment quickly. Organisations that submit hoping for the best and then discover problems add weeks.
I've seen it go both ways in practice. A 200-device company that prepared properly: two weeks for both certificates. A 30-device company that hadn't done any preparation: six weeks, because they kept finding things that needed fixing mid-assessment.
Assessor availability
Demand peaks around government tender deadlines and when new requirements launch. Around the Danzell transition in April 2026, assessors will be busier than usual. If you need certification by a specific date, start early. That's not a sales pitch, it's just how the calendar works.
Question set transitions
When a new question set launches (Danzell replaces Willow from 27 April 2026), there's a transition period. Assessments started before the cutoff use the old set. Assessments started after use the new one.
My honest opinion: don't try to be one of the first through a new question set unless you have to be. Give it a couple of weeks for the dust to settle. Let the initial questions get asked and answered. The requirements are the same either way, but the first cohort always generates more back-and-forth because everyone is adjusting.
Realistic timeline examples
Sole trader, cloud-based, controls already in place. Preparation takes 1 day, assessment via Fast Track takes 12 hours, totalling about 2 days.
Small business, 20 devices, a few gaps to close. Preparation takes about 2 weeks, standard assessment takes 48 hours, totalling about 2.5 weeks.
Medium business, 100 devices, multi-site, patching backlog. Preparation takes about 4 weeks, standard assessment takes 48 hours, totalling roughly 5 weeks. And that's if the patching backlog doesn't throw up surprises.
Same medium business adds CE Plus. Scheduling takes about 3 days, the audit takes 5 days, and remediation takes about 1 week. Total: about 2.5 weeks after basic CE.
These aren't aspirational numbers, they're based on what I actually see across assessments.
Our fastest turnaround
Four days for both CE and CE Plus, from zero to fully certified.
That was a small organisation with a genuinely clean environment who needed both certificates for a government contract. Their IT was well managed and their controls were already in place. They just hadn't gone through the certification process before.
It's not typical, but it is possible when the controls are already there and the scope is small.
For most businesses, a realistic fast turnaround is one to two weeks for basic CE and another one to two weeks for CE Plus. If someone tells you they can do CE Plus in a day, ask questions about what they're actually testing.
Annual renewal
Your CE certificate is valid for 12 months. When renewal comes around, you go through the assessment again. The timeline is essentially the same as the first time, with one difference: you've already done it.
If you've maintained your controls through the year (patching current, MFA still active, scope up to date), renewal preparation takes a day or less. You're confirming nothing has changed and completing the questionnaire for the current period.
If you've let things drift, renewal becomes a preparation exercise: new cloud services without MFA configured, a patching backlog that built up over the summer, devices added to the network that aren't in your scope description. Each of those issues extends the renewal timeline.
The best approach: set a reminder two weeks before your certificate expires. Run through the readiness checklist, fix anything that's drifted, and submit with confidence.
If your renewal falls after 27 April 2026 and you last certified under Willow, your renewal uses the Danzell question set. Allow extra time to review the Danzell changes and confirm your controls meet the updated requirements. The changes aren't cosmetic: MFA scope is wider, patching windows are tighter, and personal devices are more firmly in scope.
Quoting timelines to your board
If someone senior asks "how long will this take?", give them the realistic range rather than the best case.
For basic CE: "Two to three weeks from starting preparation to having the certificate. Faster if our controls are already in place."
For CE Plus: "An additional two to three weeks after basic CE. The technical audit takes three to five working days, plus time for any remediation."
For both together: "Four to six weeks total. Faster if we prepare in advance."
Don't promise the Fast Track timeline unless you're confident your controls are actually in place. If you're not ready, it just means you fail faster.
I see this go wrong about once a month. Someone promises the board a two-week turnaround, discovers problems during preparation, and spends three weeks explaining the delay. Set expectations properly from the start and build in contingency time.
How to avoid delays
Prepare before you apply. Don't submit the self-assessment and hope. Close the gaps first. The readiness checklist takes five minutes to review.
Get your scope right from the beginning. Ambiguous scope descriptions create back-and-forth with the assessor. List every site, every device type, every cloud service. If you're not sure whether something is in scope, it probably is.
Answer the questionnaire accurately. Vague or optimistic answers trigger follow-up questions. If you don't know the answer, check before you submit. Guessing costs you time.
Respond quickly when the assessor has questions. A 48-hour assessment can turn into a two-week assessment if you take a week to reply to each query. I've seen this happen more than I'd like.
For CE Plus: run your own vulnerability scan first. Find the issues before the assessor does. The audit goes faster when there's nothing to remediate, and you avoid the surprise of discovering problems you didn't know existed during a timed assessment window.
Talk to your IT provider early. If someone else manages your infrastructure, loop them in before you start. Half the delays I see come from the business waiting on their IT provider to answer questions or make changes. Your provider needs to know this is happening and when.
We quote within 24 hours, and reports are delivered within 48 hours of completion. You can see our CE and CE Plus pricing and turnaround options on the website. If you've got a deadline, get in touch and we'll tell you straight whether the timeline works.