How long does Cyber Essentials take?

If you run a UK business with between 10 and 200 staff, you’ve probably been asked this question by the finance director, the board, or the procurement team: how long will it take to get Cyber Essentials? The short answer is: it depends. The slightly longer answer—what you actually need to plan for—depends on which route you choose, how tidy your IT estate already is, and how quickly you can evidence the basics.

What Cyber Essentials covers (in plain English)

Cyber Essentials is a government-backed standard that checks you’re doing five basic things to reduce common cyber risks: firewalls, secure configuration, access controls, malware protection and keeping devices updated. It’s not an audit of your whole business continuity plan; it’s a practical check that the basics aren’t being overlooked.

Two routes and very different timelines

There are two common routes to certification, and they come with different time commitments:

  • Self-assessment certification: You answer an online questionnaire and a certification body reviews it. This is the quicker route and many businesses can get this done in a day or two if their documentation and systems are already in order.
  • Cyber Essentials Plus: This adds hands-on testing by an external assessor—password checks, patch checks and basic vulnerability testing on a sample of devices. It’s more thorough, takes longer, and usually needs an onsite or remote technical test from the certification body.

Which one you need depends on your customers and contracts. Some public sector tenders and larger buyers ask specifically for Cyber Essentials Plus; others will accept the self-assessment.

Realistic timeline: what to expect

Use these rough stages to plan. I won’t pretend these are exact figures—every business has its peculiarities—but this will help you set expectations with the boss.

  • Preparation (a few hours to a couple of weeks): gather inventories, passwords and simple policies. For a tidy small to medium-sized business this can be a matter of hours; if there’s a mix of legacy systems, long-forgotten servers or contractors who manage bits of kit, it can take longer.
  • Self-assessment completion (1 day to 1 week): completing the questionnaire is straightforward if you have the evidence to back up your answers. If you need to call your IT supplier or dig for policies, add time.
  • Certification review (24–72 hours typical for many bodies): once submitted, a certification body usually reviews the submission and issues the certificate quickly—unless they ask for clarifications.
  • Cyber Essentials Plus testing (1–3 weeks): scheduling the technical checks, running scans and verifying fixes takes longer. If the assessor finds issues, you’ll need time to remediate and reschedule a retest.

If everything is prepared and you’re aiming for the basic self-assessment, many firms can complete the process within a working week. For Cyber Essentials Plus, assume a minimum of a couple of weeks and possibly longer if remediation is required.

What commonly stretches the timescale?

From what I see in the UK market, a few recurring themes slow things down:

  • Unclear ownership: nobody knows who is responsible for the firewall or patching schedule. Assign a single point of contact early.
  • Out-of-date devices: old laptops or servers that haven’t been patched or are running unsupported software will need attention.
  • Incomplete documentation: policies and evidence that don’t exist or are out of date. A short, sensible policy can be created quickly, but it’s still work.
  • Third-party services: if a managed service provider controls your email, network or backups, you’ll need timely cooperation from them.

How to speed up the process without cutting corners

Here are practical steps that save time and keep you credible.

  • Do a quick health check first: list your laptops, servers, critical cloud services and who manages them. If you can’t do that in a day, there’s work to do before certification.
  • Collect evidence as you go: screenshots of firewall rules, Windows update status, anti-malware console reports and a signed short policy will get you across the line.
  • Use a small internal team: give an operations or IT lead two clear days to own the questionnaire and pull together evidence.
  • Plan for remediation: assume you’ll need to fix at least one thing. Budget a couple of days of IT time for simple fixes like patching and enabling multifactor authentication.
  • Choose the right route: if a buyer will accept self-assessment and you’re short on time, go for that first. You can always upgrade to Plus later when you’ve cleared any technical debt.

Costs versus time: the business trade-off

Certification isn’t a cost-free exercise, but the time investment is often the more immediate consideration for SMEs. The trade-off is straightforward: a small amount of IT time now reduces the likelihood of an expensive breach later, helps you win tenders and reassures customers and insurers. Think in terms of avoiding business disruption rather than ticking a box for its own sake.

Where to start today

If you want a practical next step, review the Cyber Essentials guidance and decide which route suits the contracts you bid for and the risk appetite of your leadership. For many businesses, a focused day of work and cooperation with whoever manages your IT will get you a self-assessment certificate quickly. If you’re preparing for Cyber Essentials Plus, build a short project plan around device sampling and remediation.

For more details on what’s required and the certification process, read this Cyber Essentials guidance, which explains the options and typical steps in clear terms.

FAQ

How long does a self-assessment usually take?

For an organised SME with basic IT processes, completing the questionnaire and gathering evidence can take a day or two. If you need to chase policies or sort out device lists, add a few extra days.

How long does Cyber Essentials Plus take?

Plus takes longer because of technical verification. From scheduling the test to passing, expect a few weeks in most cases, particularly if fixes are required and a retest is needed.

Can I get certified without an in-house IT team?

Yes. Many SMEs use a managed service provider or a trusted IT partner to prepare evidence and perform fixes. Make sure someone in your business coordinates the effort and has authority to approve changes.

Will certification disrupt my business?

Not usually. The checks are focused and designed to avoid disruption. Cyber Essentials Plus testing may require short windows to run scans, so schedule these at sensible times to avoid disrupting users.

Is Cyber Essentials enough for all suppliers?

It depends on who you supply. Some larger buyers require Plus or additional standards. Use Cyber Essentials as a baseline—it’s widely recognised and demonstrates you’ve addressed common threats.

Getting Cyber Essentials is rarely a dramatic, time-consuming overhaul. For most UK SMEs it’s a focused piece of work that pays off in credibility, lower risk and smoother procurement. Spend a little time upfront to get your house in order and you’ll buy back calm, better chances at new contracts, and less chance of an annoying incident that costs time and money.

If your leadership wants a clear estimate for time, money and impact, set aside a day for an IT health check and you’ll have a realistic plan and a timeline you can sign off. That way the board gets certainty, procurement gets what it needs, and you get back to running the business with one less thing to worry about.