<< BACK TO BLOG

6 July 2026

How Long Does Cyber Essentials Take? A Realistic Timeline

Most businesses expect Cyber Essentials to take a few days. In reality, the timeline depends heavily on how prepared you are. Here's an honest breakdown of what to expect.

One of the most common questions we get from businesses starting the Cyber Essentials process is: how long will this take? The honest answer is: it depends. For a well-prepared business, the formal assessment can be completed in a matter of days. For a business that discovers gaps during the process, it can take months. Here is a realistic breakdown.

Best Case: 1–2 Weeks

If your IT estate is well-managed, MFA is already in place on all cloud services and remote access, no end-of-life software is running, and your firewall and patch management processes are documented and enforced — you can complete the self-assessment questionnaire in a day and receive your certificate within a week of submitting to a Certification Body.

This scenario is less common than most businesses assume. The controls sound straightforward, but the CE v3.3 requirements are precise — and details like blocking legacy authentication protocols, or confirming that MFA applies to ALL users (not just admins), catch many businesses out.

Typical Case: 4–8 Weeks

Most small and medium businesses need 4–8 weeks from starting the process to receiving their certificate. This typically includes:

  1. 1.Pre-check or gap analysis (1–2 weeks) — understanding where you currently stand before applying.
  2. 2.Remediation (1–4 weeks) — making the necessary changes to IT configuration, policies, or software.
  3. 3.Completing the questionnaire and submitting to a Certification Body (1–3 days).
  4. 4.Review and certificate issuance by the Certification Body (3–5 business days).

Worst Case: 3–6 Months

Businesses that go into the formal assessment without preparation and fail — or who discover significant gaps — can face a much longer timeline. Common causes of extended timescales include:

  • -End-of-life software that needs to be upgraded or replaced — this takes time if it is a critical business system.
  • -No MFA on Microsoft 365 or Google Workspace — rolling this out to all users requires change management and user training.
  • -No formal patch management process — creating and evidencing one takes time.
  • -Firewall configuration issues — if firewalls are misconfigured or undocumented, remediation can be complex.
  • -IT managed by an external provider who needs to be engaged and instructed.

How to Speed Up the Process

The single most effective way to reduce your Cyber Essentials timeline is to do a thorough pre-check before paying for the formal assessment. Discovering a gap during the formal assessment — and having to remediate and resubmit — is expensive, time-consuming, and stressful, especially if you have a contract deadline.

A pre-check identifies every gap in advance, gives you a prioritised list of what to fix, and lets you go into the formal assessment knowing you will pass. It is the difference between a 2-week process and a 3-month one.

Start With a Free Pre-Check

Our RADAR_CHECK questionnaire covers all five Cyber Essentials control areas and takes around 10 minutes to complete. Book a free 30-minute call afterwards and we'll give you a clear, prioritised view of what to fix — and how long it will realistically take your business to get ready.

// TAKE THE NEXT STEP

CHECK YOUR READINESS — FREE

Our RADAR_CHECK questionnaire takes 10 minutes. Book a free 30-minute call and we'll walk you through your results and tell you exactly what to fix.

START FREE CHECK >>