The process

How Cyber Essentials Plus certification works

Six steps from first call to certificate, typically two to six weeks end to end. The order matters: the audit is booked only after your environment already passes the same checks, which is how first-time passes happen.

3D illustration of the scoping call

Step 1

Scoping call

A 45 minute discovery call establishes your size band, your estate (devices, servers, cloud services, BYOD) and whether you already hold a current basic certificate. You leave with one fixed price.

3D illustration of the readiness gap analysis

Step 2

Readiness gap analysis

We run the checks the assessor will run: patch status on sampled devices, secure configuration, access control and MFA, malware defences. The output is a plain fix list ordered by effort.

3D illustration of remediation work

Step 3

Remediation

The variable part of the timeline. We close the gaps with your team or your IT provider, from patching policy to admin account separation, until every check passes.

3D illustration of the basic Cyber Essentials self-assessment

Step 4

Basic Cyber Essentials

We complete the self-assessment questionnaire with you, answered accurately against the environment we have just verified. This starts the three month window in which the Plus audit must happen.

3D illustration of the independent Plus audit

Step 5

The Plus audit

An IASME-licensed certification body carries out the independent assessment, testing a sample of your devices. We support you on the day so questions get answered and nothing stalls.

3D illustration of certification achieved

Step 6

Certificate and roadmap

You receive your Cyber Essentials Plus certificate, valid for twelve months, plus our map of what the scheme does not cover and what is worth doing next.

Realistic timelines

Where the time actually goes

Scoping takes a call. The gap analysis takes days. The audit takes about a day. Everything else is remediation, and that depends entirely on the state of your estate: how many devices are behind on updates, whether admin accounts are separated, whether MFA is already enforced on your cloud services.

That is why we will not quote a certification date before the gap analysis, and why anyone who guarantees one on a sales call is guessing with your audit fee.

Typical shapes

  • Around two weeks: modern cloud-first estate, MFA already on, patching automated. The gap analysis mostly confirms; the audit is a formality.
  • Around four weeks: the common case. A handful of fixes: unsupported software to retire, admin account separation, BYOD devices brought into scope properly.
  • Six weeks or more: legacy servers, no central device management, or policy decisions that need board time. Still very achievable; it just is not a fortnight.

Quick answers

Process questions, answered

How long does Cyber Essentials Plus take?

A typical engagement runs two to six weeks end to end. The audit itself usually takes a day or less for a small business; the variable is remediation. An estate that is already well patched with MFA enforced can move in a fortnight; one that needs configuration work takes longer.

Why does the three month window matter?

The scheme requires the Plus audit to be completed within three months of your basic Cyber Essentials self-assessment. Miss the window and the self-assessment must be redone. We schedule the audit as part of the engagement so the window is never a problem.

What do you need from my team?

Access to whoever runs your IT (in-house or an external provider), sight of your device estate, and decisions when remediation touches how people work, such as enforcing MFA. Most of the technical work can be done by us, with your provider, or handed to your team with instructions, whichever you prefer.

What if the audit finds a problem anyway?

The audit tests a device sample, so an unlucky machine can surface something new. Small issues can usually be fixed and verified quickly; that contingency and the support to handle it are part of the engagement rather than a surprise invoice.

Preparing already? The pre-audit checklist covers every check the assessor will run.

3D rocket illustration for booking a free certification discovery call

Start the clock

Get your fix list before you book any audit

A free 45 minute discovery call scopes the engagement and a gap analysis tells you exactly how far from certified you are. No obligation, no hard sell.