How Long Does Cyber Essentials Certification Take?
A clear, direct answer to this question — written for UK business owners and IT decision-makers.
Direct Answer
Cyber Essentials basic certification typically takes 4–6 weeks from starting remediation to receiving your certificate, depending on how many gaps need addressing. Cyber Essentials Plus adds a further 2–4 weeks for the technical audit. AMVIA can accelerate this timeline for businesses with pressing contract deadlines or insurance requirements.
Key Points
What you need to know.
The Short Answer
55,995 Cyber Essentials certificates were awarded in 2025; 42,288 at CE level and 13,707 at CE Plus.
For UK Businesses
Only 3% of all UK businesses are Cyber Essentials certified — rising to 21% among large businesses.
Cost Considerations
Only 12% of businesses are aware of the Cyber Essentials scheme (51% among large businesses).
Next Steps
Organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance.
Quick Comparison
| Feature | Option A | Option B |
|---|
Frequently Asked Questions
The biggest delays come from remediation — fixing gaps discovered during the initial assessment. Common blockers include unsupported software that must be replaced, MFA not yet enforced on cloud services, and firewall rules that need reconfiguring. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), so MFA deployment alone can add one to two weeks if it has not been started.
Yes, though the timeline depends on your current security posture. Organisations already running modern infrastructure with MFA, patching, and endpoint protection can sometimes certify within two weeks. Those with significant gaps need longer for remediation. A managed provider can accelerate the process by handling remediation and assessment preparation in parallel rather than sequentially.
The Plus audit itself typically takes one to three days of on-site or remote technical testing, but you must hold basic Cyber Essentials first. Allow an additional two to four weeks after basic certification for the Plus assessment. With 43% of UK businesses experiencing a breach or attack (DSIT 2025), the extra time invested in Plus provides independently verified assurance that your controls work in practice, not just on paper.
Related Questions
Cyber Essentials Certification
AMVIA's managed Cyber Essentials service — gap assessment, remediation, and certification at a fixed price.
What Is Cyber Essentials?
An overview of the UK government's baseline cybersecurity certification scheme.
Cyber Essentials vs Cyber Essentials Plus
Which certification tier you need and how long each takes to achieve.
Cybersecurity Guide for UK SMEs
Where Cyber Essentials fits within a broader security programme.
Protect your business → Get Cybersecurity Assessment