How Long Does Cyber Essentials Take? Realistic Timelines from an Assessor

It depends on where you're starting from, which is the honest answer that nobody wants to hear. A business with decent IT hygiene and documented processes can be certified inside a week. A business that has never actually checked its own controls is looking at closer to a month.
Here's how the timeline breaks down by stage.
CE Basic timeline
Preparation: 2-5 working days
This is where the majority of the time goes. The questionnaire covers your devices, cloud services, user accounts, patching, and security configurations. Answering it properly means going and checking these things for real, not guessing from memory.
What takes time:
- Device inventory - listing every laptop, desktop, phone, tablet, and server in scope. If you don't have an asset register, building one takes a day on its own
- Cloud service audit - identifying every SaaS application that holds business data and checking that MFA is enabled on each one
- Patch status check - verifying that all operating systems and applications are within the 14-day patching window
- Admin account review - confirming who has admin rights, whether they're using separate admin accounts, and whether daily-use accounts have been stripped of unnecessary privileges
If you already maintain an IT asset register, track your cloud services, and run a regular patching cycle, preparation could take a day or possibly less. But if you're pulling all of this together for the first time, give yourself a full week.
Questionnaire completion: 1-2 hours
Once you've got the information gathered, the form itself is quick. The questionnaire is a set of structured questions that you answer honestly. Your assessor reviews the responses and might come back with follow-up queries (that's normal, not a bad sign).
Assessor review: 1-5 working days
The assessor reads through your submission, checks whether everything is consistent, and flags anything that needs clarifying. How fast this happens varies depending on workload. Some assessors offer fast-track review within 24-48 hours for an additional fee.
Total for Basic: 1-2 weeks (typical)
A well-prepared business can expect 3-5 working days total. A business starting from scratch: 2-3 weeks including remediation.
CE Plus timeline
Prerequisite: Basic must be completed first
You finish CE Basic, then book Plus testing. The two are linked because your Basic questionnaire answers define the scope for Plus testing. You've got a 3-month window from starting Basic to completing Plus.
Testing duration: 1-3 days
The testing part is actually the quick bit. I connect to your systems (usually remotely) and run the five standard test cases: patch verification, malware detection, access control checks, external vulnerability scanning, and configuration review.
Duration by organisation size:
| Devices in scope | Typical builds | Testing time |
|---|---|---|
| 1-20 | 1-2 | 1 day |
| 21-50 | 2-3 | 1-1.5 days |
| 51-100 | 3-5 | 1.5-2 days |
| 100+ | 5+ | 2-3 days |
So what actually counts as a "build" here? A distinct combination of OS version and edition. All laptops on Windows 11 Pro is one build. Add a few macOS devices and a Linux server, that's three. The sampling table determines how many devices per build get tested.
Remediation: 0-30 days
If everything passes first time, there's no remediation and you get certified that same week.
But if something fails, you've got a 30-day window to sort it. Common fixes:
- A missed patch on one device (install the patch, takes minutes)
- MFA not enabled on a cloud service you forgot about (enable MFA, takes an hour)
- A CVSS 7.0+ vulnerability found on the external scan (depends on the vulnerability, sometimes a config change, sometimes a patch)
Most remediation gets wrapped up within a week. The 30 days is the hard maximum set by IASME (in line with the June 2024 telemetry advisory).
Report and certification: 2-5 working days
After testing (and any remediation), the assessor writes up the report and submits for certification. Your certificate then appears on the NCSC register.
Total for Plus: 1-2 weeks after Basic (typical)
If your Basic answers were accurate, Plus testing usually confirms it pretty quickly. If your Basic answers were optimistic, Plus is where the gaps show up.
Fast-track options
Fast-track is there for businesses with a deadline breathing down their neck. We offer 12-hour turnaround on CE Basic and can schedule Plus testing within days rather than weeks.
Here's the important thing to understand about fast-track though. It works when controls are already in place and you just need the assessment done quickly. It doesn't work when you still need to build them. Rushing an assessment when nothing's ready just gives you a faster failure.
What slows things down
No device inventory: If you can't list your devices, we can't scope the assessment because that inventory is step one.
Unsupported software: Finding Windows 10 machines that need upgrading halfway through an assessment adds weeks. Check before you start.
Cloud services you forgot about: That project management tool nobody cancelled. The old HR system. The CRM from two years ago. All need MFA checked and documented.
Scope disagreements: If your IT is complicated (multiple offices, remote workers, BYOD, third-party managed services), defining what's in scope takes proper discussion. Sort this out before the questionnaire.
Shared admin accounts: Multiple people sharing one admin login? That needs fixing before assessment. Everyone gets their own account with appropriate privileges.
Planning your timeline
If you need CE by a specific date, work backwards:
| Milestone | Time before deadline |
|---|---|
| Book Plus testing | 3-4 weeks before |
| Complete Basic questionnaire | 4-5 weeks before |
| Start preparation (inventory, patching, MFA) | 6-8 weeks before |
| Initial readiness check | 8 weeks before |
For a straightforward business with 20-50 devices, 6 weeks from start to certification is comfortable. Larger or more complex environments should allow 8-12 weeks so there's room when something unexpected turns up.
If you want to check where your controls stand before booking anything, the readiness quiz takes five minutes and highlights which areas need work.