
What Is the Fastest Way to Get Cyber Essentials?

Jay Hopkins

The fastest way to get Cyber Essentials certified is to be fully prepared before you begin the assessment. Most of the time between deciding to get certified and holding your certificate is not spent waiting for the certification body. It is spent getting your organisation ready to pass.

I assess organisations for Cyber Essentials every day. The ones that get certified fastest are not the ones who rush through the questionnaire. They are the ones who sort out their controls first and submit a clean application. A well-prepared submission with the right certification body can go from purchase to certificate in a matter of hours.

Here is how to make that happen.

The two things that determine speed

Getting Cyber Essentials quickly depends on two factors:

1. Your preparation. If your organisation already meets the five control requirements, you can complete the self-assessment questionnaire in an hour or two. If it does not, you need to fix the gaps first, and that takes however long it takes.

2. Your certification body's turnaround. Once you submit, the clock is in their hands. Some bodies take 3-5 working days. Others guarantee same-day turnaround.

You control the first factor. You choose the second.

Preparation: what to have in order before you start

The assessment covers five control categories. Here is what "ready" looks like for each one, and the specific things that trip people up.

Firewalls and internet gateways

What ready looks like:

  • Every device that connects to the internet is behind a firewall
  • Default admin passwords on all routers, firewalls, and access points have been changed
  • Only necessary ports and services are open
  • Remote workers' home routers have had default passwords changed

What catches people out:

  • Forgetting that home routers are in scope for remote workers. Under v3.3, if your staff work from home, their router is a boundary device. The admin password must be changed from the default and the firmware must be current.
  • Network devices with management interfaces still on factory credentials. This includes switches, wireless access points, and even some printers with web interfaces.

Quick check: Can you confirm, right now, that every router and firewall in your organisation has a non-default admin password? If you hesitate, check before you submit.

Secure configuration

What ready looks like:

  • Unnecessary software has been removed from all devices
  • Auto-run is disabled
  • Screen locks activate after 15 minutes of inactivity (or less)
  • Guest and default accounts are disabled
  • Only necessary services are running on servers

What catches people out:

  • Bloatware on new laptops. Manufacturer-installed software that nobody uses but nobody has removed.
  • Screen lock timers set to 30 minutes or "never" on some workstations.
  • Default accounts still active on servers or network devices.

Quick check: Pick any laptop in your organisation at random. Is there software installed that nobody uses? Is the screen lock set to 15 minutes or less?

Security update management

What ready looks like:

  • All operating systems are supported and receiving security updates
  • All applications are supported and receiving security updates
  • Security patches are applied within 14 days of release
  • Unsupported software has been removed or the device has been segregated from scope

What catches people out:

  • The 14-day rule. The clock starts from the date the vendor publishes the patch, not from when your scanner finds it. Monthly patching cycles do not meet this requirement.
  • Unsupported operating systems. Windows 10 reached end of support in October 2025. If you are still running it without Extended Security Updates, the device fails.
  • Third-party applications. Chrome, Adobe Reader, 7-Zip, Java - these all need to be current. It is not just about Windows Updates.
  • Firmware on network devices. Router and firewall firmware needs to be supported and current.

Quick check: Open Windows Update on any machine. Are there outstanding security updates older than 14 days? Check your router firmware version against the manufacturer's website.
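
As an added illustration of the 14-day rule (this is not part of the original article or any Fig tooling), the Python example below checks a patch inventory with the clock started at the vendor's release date, and shows why a monthly maintenance window misses the deadline. The CSV columns, host names and dates are constructed for the example; flagging an update that was installed late is an assumption used here to surface a patch cycle that is too slow.

```python
import csv
import io
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # limit stated in the article

# Constructed sample inventory (hypothetical hosts and dates). One row per
# security update; "installed" is empty when the update is still outstanding.
SAMPLE_INVENTORY = """\
host,product,vendor_released,installed
LAPTOP-01,Windows 11,2025-11-11,2025-11-13
LAPTOP-02,Chrome,2025-11-04,2025-11-28
SRV-01,Windows Server 2022,2025-11-11,
FW-01,Router firmware,2025-11-20,
"""


def check_patch_window(inventory_csv, today):
    """Return (host, product, days, status) for rows that break the rule.

    The deadline is vendor_released + 14 days; the date a scanner first
    reported the update plays no part in the calculation.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        released = date.fromisoformat(row["vendor_released"])
        deadline = released + PATCH_WINDOW
        if row["installed"]:
            installed = date.fromisoformat(row["installed"])
            if installed > deadline:  # patched now, but the cycle was too slow
                days = (installed - released).days
                findings.append((row["host"], row["product"], days, "applied late"))
        elif today > deadline:  # still missing and past the deadline
            days = (today - released).days
            findings.append((row["host"], row["product"], days, "outstanding"))
    return findings


def delay_under_schedule(released, windows):
    """Days a patch waits if it is only installed at the next maintenance window."""
    next_window = min(w for w in windows if w >= released)
    return (next_window - released).days


if __name__ == "__main__":
    for finding in check_patch_window(SAMPLE_INVENTORY, date(2025, 12, 1)):
        print(finding)
    monthly = [date(2025, 11, 1), date(2025, 12, 1)]
    print("monthly cycle delay:", delay_under_schedule(date(2025, 11, 11), monthly))
```
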

User access control

What ready looks like:

  • Every user has their own individual account (no shared logins)
  • Administrative privileges are restricted to those who genuinely need them
  • MFA is enabled on every account that accesses organisational data or cloud services
  • Accounts for former staff have been removed or disabled
  • Passwords meet minimum complexity requirements

What catches people out:

  • MFA. Under v3.3, MFA is mandatory for all user accounts, not just admins. This is the single most common fail I see. Every Microsoft 365 user, every Google Workspace user, every CRM login - all need MFA.
  • Free cloud accounts. If your organisation uses Mailchimp, Canva, Trello, or any other SaaS tool that holds organisational data, those accounts need MFA too.
  • Shared accounts. A "reception@company.com" login used by multiple people is a fail unless each person authenticates individually.
  • Conditional Access policies that only require MFA off-network. The requirement is unconditional MFA for all users, not just remote access.

Quick check: Log into your Microsoft 365 or Google Workspace admin panel. Can you confirm that MFA is enforced for every single user? Not "available" - enforced.

Malware protection

What ready looks like:

  • Anti-malware software is installed and running on all in-scope devices
  • Automatic updates are enabled for malware definitions
  • Regular scans are configured
  • Alternatively, application allow-listing is in place

What catches people out:

  • Disabling Windows Defender because it "slows things down." If you disable it, you need an alternative in place.
  • macOS devices with no anti-malware. While macOS has built-in protections, the assessor will ask what malware protection is in place. Be prepared to answer specifically.
  • Servers running without anti-malware. Some organisations install AV on workstations but not servers.

Quick check: Open the security settings on any device. Is anti-malware active and up to date?

The preparation checklist

Before you purchase your certification, confirm all of the following:

  • [ ] All firewalls and routers have non-default admin passwords
  • [ ] Home worker routers have had default passwords changed (if applicable)
  • [ ] All operating systems are supported and patched within 14 days
  • [ ] All applications are supported and patched within 14 days
  • [ ] Router and firewall firmware is current
  • [ ] MFA is enforced on every user account across all cloud services
  • [ ] No shared accounts are in use
  • [ ] Admin privileges are restricted to those who need them
  • [ ] Former staff accounts have been disabled or removed
  • [ ] Screen locks are set to 15 minutes or less on all devices
  • [ ] Anti-malware is installed and current on all devices
  • [ ] Unnecessary software has been removed
  • [ ] Your scope is defined (which devices, users, and networks are included)

If you can tick every box, you are ready to submit. If you cannot, fix the gaps first. Submitting with known gaps does not save time - it adds a feedback cycle that pushes your certification back.

Use a readiness checker before you purchase

A readiness checker gives you a structured assessment of where you stand before you commit. It is faster than working through the checklist above because it asks the right questions in the right order and tells you exactly where the gaps are.

Fig offers a free readiness checker based on the current v3.3 requirements. It takes 10-15 minutes and covers all five controls. If you score well, you are ready to submit. If it flags issues, you know exactly what to fix first.

This step alone can save days. Submitting an assessment that fails on MFA compliance and then waiting for feedback, fixing the issue, and resubmitting can add 2-5 working days depending on your certification body. Identifying the gap beforehand takes 15 minutes.

Choosing a fast certification body

Once you are prepared, the remaining variable is how quickly your certification body processes the submission. This varies enormously.

The industry range:

  • 3-5 working days - common for smaller or consultancy-led bodies
  • 48 hours - published target for Bulletproof
  • 24 hours - advertised best case for CyberSmart
  • 6 hours - guaranteed by Fig for compliant submissions ordered before midday

The difference between 6 hours and 5 working days is the difference between getting certified today and getting certified next week. If you have a deadline, this matters.

What to look for:

  • A published turnaround commitment, not just "we aim to" or "typically"
  • Whether that commitment is a guarantee or a best-case estimate
  • How feedback is handled if corrections are needed - does a resubmission go to the back of the queue?
  • Whether faster turnaround costs extra

Fig guarantees certification within 6 hours for compliant submissions ordered before midday. Three rounds of feedback are included at no extra cost, and resubmissions are reviewed promptly rather than re-queued. There is no express fee or premium charge for speed - it is the standard service.

At £314.99 + VAT for micro organisations, it is also the lowest-priced option from any IASME-licensed body.

The fastest realistic timeline

If you are fully prepared and use Fig:

| Step | Time |
|------|------|
| Run the free readiness checker | 15 minutes |
| Purchase certification (before midday) | 5 minutes |
| Complete the self-assessment questionnaire | 1-2 hours |
| Assessor review and certificate issuance | Within 6 hours of submission |

Total: same day. For a well-prepared organisation, it is entirely realistic to decide to get certified in the morning and hold your certificate by the afternoon.

If you are not yet prepared, add whatever time is needed to close your gaps. For most organisations, the common fixes (enabling MFA, changing default passwords, updating firmware) can be done in a day or two. The assessment itself is the fast part.

Summary

The fastest way to get Cyber Essentials is not to rush the assessment. It is to prepare properly so your submission passes first time, and then choose a certification body that does not keep you waiting.

Prepare first. Check your readiness. Then submit to a body that guarantees a fast turnaround.

Jay Hopkins

CEO & IASME-Licensed Cyber Essentials Assessor

Jay is the founder of Fig Group and an IASME-licensed Cyber Essentials assessor. He has assessed hundreds of organisations for Cyber Essentials and Cyber Essentials Plus certification.