Cyber Essentials Renewal: What Happens After Year One?
Cyber Essentials certification is valid for 12 months from the date of your assessment. After that, it expires. If you need to maintain certification – for government contracts, client requirements, or insurance – you will need to recertify annually.
This guide explains the renewal process, what changes between years, and how to make recertification as smooth as possible.
When Should I Start the Renewal Process?
Start planning your renewal at least 4 weeks before your certificate expires. This gives you time to:
If your certificate expires before you recertify, you will have a gap in coverage. For organisations with contractual requirements for continuous certification, this gap can cause problems.
What Changes Between Years?
The assessment process is the same: you complete a self-assessment questionnaire (for Cyber Essentials) or undergo a third-party audit (for Plus). However, two things may change:
The requirements themselves – IASME updates the Cyber Essentials requirements periodically. The v3.3 update in April 2026 introduced mandatory MFA for all accounts. Future updates may add or modify requirements. Always check the current version before recertifying.
Your IT environment – Your organisation may have changed significantly since your last assessment. New devices, new cloud services, new staff, office moves, or changes to remote working arrangements all affect your scope. The renewal assessment should reflect your current environment, not your environment from 12 months ago.
The Renewal Process with Fig
Renewing with Fig follows the same process as initial certification:
1. Purchase your Cyber Essentials renewal at the appropriate size band
2. Complete the self-assessment questionnaire based on your current environment
3. Submit for review – orders placed before midday are certified in under 6 hours
4. Receive your new certificate, valid for another 12 months
The cost is the same as initial certification. There is no renewal premium or loyalty discount – the pricing bands remain consistent.
Tips for a Smooth Renewal
Keep an IT change log – Throughout the year, note any changes to your IT environment: new devices added, software changes, staff joiners and leavers, new cloud services adopted. This makes the renewal questionnaire much faster to complete.
Monitor MFA coverage – New staff accounts, new cloud services, and new applications can all introduce accounts without MFA. Check quarterly that all accounts in scope have MFA enabled.
Stay on top of patching – The 14-day patching requirement does not pause between certifications. Maintain your patching discipline year-round, and the renewal assessment will be straightforward.
Run the readiness checker before renewing – Even if you were fully compliant last year, run Fig's readiness checker before purchasing your renewal. It takes 10 minutes and catches any drift since your last assessment.
Do not wait until the last day – If your certificate expires on a Friday and you try to renew on Friday morning, you have no margin for error. Start early.
Can I Switch Certification Bodies at Renewal?
Yes. You are not locked into the same certification body for renewal. If you want to switch to Fig from another provider, simply purchase your Cyber Essentials certification and complete the self-assessment questionnaire as normal. Your previous certification history is recorded on the NCSC register regardless of which certification body assessed you.
What If I Want to Upgrade from Cyber Essentials to Plus?
Renewal is a natural time to consider upgrading. If your business requirements have changed – for example, you are now bidding on higher-value contracts that prefer Plus – you can upgrade at renewal rather than recertifying at the Cyber Essentials level first.
Contact our team to discuss upgrading at renewal.
Maintaining Year-Round Compliance
The most successful approach to Cyber Essentials is not to treat it as an annual event but as an ongoing discipline. Organisations that maintain their controls year-round find renewal straightforward and avoid last-minute scrambles.