
How Long Does Cyber Essentials Take? Honest Timelines for 2026

From readiness to certificate, how long does Cyber Essentials really take? This guide walks through every stage with realistic timelines and the factors that speed it up or slow it down.

Author: Jay Hopkins

Edited by Jack Wickham


Section 01

How Long Does Cyber Essentials Take? Honest Timelines for 2026

The honest answer is "it depends on how ready you are." Cyber Essentials can move from submission to certificate in six hours when the estate is in good shape. It can also drag on for six weeks when MFA still has to be deployed, the asset register lives in someone's head, and three different people own three different parts of the patching schedule.

This guide walks through the four real phases, the typical duration of each, and the specific things that compress or extend the calendar. Use it to set realistic expectations with your board, your insurer, or the procurement team that has just told you Cyber Essentials is a contractual gating item.

Section 02

The four phases - and what each one actually takes

Cyber Essentials is one scheme but four distinct pieces of work. Pulling them apart makes the timing question much easier to answer.

Phase one - readiness check (day zero, 15 to 30 minutes). This is the gap analysis that tells you which of the 36 questions you can already answer "yes" to and which will need work. A free online readiness checker (Fig's takes about 15 minutes) gives you the gap list and a rough timeline before you have spent any money.

Phase two - evidence collection and remediation (1 day to 5 weeks). This is where the real variance lives. If you are an established Microsoft 365 shop with Intune-enrolled devices, MFA enforced, and a current patch cadence, you will close out evidence in a single afternoon. If you are starting from a mixed estate of unmanaged BYOD laptops, third-party cloud apps without SSO, and a firewall configured by a contractor who left in 2023, plan for several weeks. The most common slow-downs are documented in the next section.

Phase three - self-assessment submission (30 to 90 minutes). Filling in the IASME Willow portal. With evidence already collected, this is a transcription exercise. The portal is updated annually; the current 2026 question set has 36 questions across firewalls, secure configuration, user access control, malware protection, and security update management.

Phase four - assessor review and certificate issue (6 hours to 14 working days). The IASME scheme allows certification bodies up to 14 working days to review a submission. Fig commits to six hours where the submission is clean. Slower bodies are not necessarily worse, but if the certificate is a procurement deadline, ask for the SLA in writing.

For a well-prepared organisation working with a fast certification body, end-to-end can be the same working day. For an organisation that needs significant remediation, six weeks is realistic.

Section 03

What slows it down

Five issues account for the majority of delays we see at the assessor's desk.

MFA gaps. The single most common remediation. The 2026 scheme requires MFA for all administrator accounts and for all cloud services accessing organisational data. The gap is rarely Microsoft 365 (which makes MFA easy) - it is the long tail of secondary cloud apps where a CFO has set up an account with a password and no second factor.

Asset register gaps. You have to certify a defined scope. If you do not know exactly which laptops, mobile devices, and servers are in scope, you cannot truthfully answer the patch-cadence and configuration questions. A clean live asset register is the foundation of everything else.

Out-of-support operating systems. Anything still running an unsupported OS or unsupported version of an in-support OS will block certification outright. Catching this early matters because procuring and rolling out replacement devices takes weeks, not days.

Firewall and router configuration questions. Surprisingly often, the person who configured the perimeter has left and the documentation is incomplete. The questions about default passwords, inbound rules, and admin interfaces require someone to actually look at the device.

BYOD scoping. Personally owned devices that access organisational email or data are in scope. Many organisations either underestimate the BYOD population or are unwilling to enforce the configuration baseline on personal devices. Both lead to delays at the evidence stage.

Section 04

What speeds it up

Three things compress the timeline more than anything else.

A dedicated assessor. Some certification bodies route submissions through a queue; others assign a single assessor who handles your submission end-to-end. The dedicated model dramatically reduces the number of "back-and-forth on a clarification" emails and is the single biggest driver of fast turnarounds.

Software-first submission workflow. A buying experience that walks you through the questions in order, captures evidence as you go, and validates each section before submission saves a remarkable amount of assessor time on the back end. The faster certification bodies have built this; the slower ones still rely on PDF question sets and email attachments.

The readiness checker, used early. A 15-minute readiness check at the start of the project saves days at the end. It identifies the remediation work that has to happen and lets you sequence it in parallel with everything else. Skipping the readiness check is the single most common reason organisations get a nasty surprise on the day they intended to submit.

Section 05

A realistic timeline by starting point

For the planning conversation:

  • Mature Microsoft 365 estate, MFA already enforced: same-day to 48 hours.
  • Microsoft 365 estate but MFA gaps on secondary apps: 1 to 2 weeks.
  • Mixed estate, some unmanaged devices, some legacy on-prem: 3 to 5 weeks.
  • Greenfield organisation with no existing controls: 6 to 8 weeks of remediation, then submission.
  • Cyber Essentials Plus on top of any of the above: add 1 to 2 weeks for the external technical audit and remediation window.

Section 06

Next steps

If you need a date you can commit to, the only sensible first step is the readiness check. Once you have the gap list, the timing question answers itself. Fig's free 15-minute readiness checker gives you the gap list, a remediation sequence, and a confidence-weighted go-live date in one report.

If you already know you are ready and just need a fast certification body, published pricing is here and an assessor is one form away.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor, IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
