Quick answer: Cyber Essentials takes 2-12 weeks to certify (depending on remediation needed) and the certificate is valid for 12 months. Most well-prepared UK SMEs go from “we should look at this” to certified in 4-6 weeks.
Time to certify Cyber Essentials
| Starting point | Typical time |
|---|---|
| Mature IT — MFA, EDR, MDM, patching all in place | 2-4 weeks |
| Typical SME — patchy MFA, mixed AV, no asset register | 6-10 weeks |
| Older / legacy estate — Windows 10 around, weak admin controls | 3-4 months |
The questionnaire itself takes 4-8 hours of focused work. Most of the calendar time is the remediation it surfaces (deploying MFA, fixing patching, enrolling devices in MDM) before you submit.
How long does the certificate last?
Both Cyber Essentials and Cyber Essentials Plus are valid for 12 months from the certification date. The certificate goes onto the public IASME register for that 12 months. The bundled £25k cyber-liability insurance also runs for 12 months.
Renewal timing
Most businesses re-certify in month 11 to keep continuous cover. The renewal isn’t a fresh start — most evidence carries forward, and the questionnaire largely confirms what’s changed. Budget around 50% of first-year effort for the renewal. If you let it lapse:
- The £25k insurance ends
- You drop off the active IASME register
- Procurement teams that filter on current certification stop seeing you
- You need a fresh registration and full IASME fee to re-enter
Our managed Cyber Essentials service automates the renewal so you stay continuously certified without thinking about it.
Related Cyber Essentials FAQs
More answers from our cyber essentials knowledge base.