How to Get Cyber Essentials Certified in Under 6 Hours

The fastest Cyber Essentials certification in the UK, step by step. Preparation checklist, the assessor-side view of what happens between 09:00 and 15:00, real customer timelines, and the seven most common reasons a 6-hour submission gets pushed to the next business day.

Author: Jay Hopkins

Edited by Jack Wickham

To get Cyber Essentials certified in under 6 hours, submit a clean, complete self-assessment to an IASME-licensed certification body with a published sub-day guarantee. Fig Group offers a 6-working-hour SLA on clean Cyber Essentials submissions made before midday; most UK certification bodies take 5-15 working days regardless of submission quality.

If you are facing a tender deadline, a client onboarding clause, an insurer renewal, or a client-side due diligence questionnaire that demands Cyber Essentials certification before the end of the week, waiting five to seven working days is not an option. It is entirely possible to achieve Cyber Essentials certification within a single UK working day - and at Fig Group, for compliant submissions placed before midday, it is the default turnaround.

This article is a practical playbook. It covers the preparation checklist, the purchase flow, the assessor-side view of what actually happens during the 6-hour window, a real redacted customer timeline, the seven most common delay traps, and what to do if your submission fails review.

Pricing and the Stripe checkout live at /cyberessentials#pricing. The free readiness checker lives at /cyberessentials#readiness.

Can you really get Cyber Essentials in under 6 hours?

Yes. Cyber Essentials is a self-assessed scheme. You complete a structured questionnaire covering the five NCSC control categories, submit it to an IASME-licensed certification body, and - if the submission is compliant on first review - you receive your certificate and your NCSC register listing within hours, not days.

Fig Group publishes a 6-hour turnaround guarantee for compliant Cyber Essentials submissions made before midday on a UK working day. No other IASME-licensed certification body in the UK publishes a sub-day guarantee. If the submission needs corrections, Fig provides structured feedback up to three times so you can resubmit without re-paying any fee.

The 6-hour clock starts when a compliant submission is received. It pauses if the assessor returns feedback and resumes once you re-submit the corrected version. "Compliant" means: every control category is answered, every account in scope has MFA enabled, every device in scope runs supported software, and the scope description is unambiguous.

The critical timing diagram

  • 09:00 - Organisation starts preparation / remediation.
  • 10:30 - Readiness checker complete, gaps addressed.
  • 11:00 - Purchase at /cyberessentials#pricing (Stripe checkout).
  • 11:05 - Self-assessment questionnaire opens.
  • 11:55 - Submit to Fig Group.
  • 11:57 - AI triage runs, assessor queue picks up submission.
  • 12:20 - IASME-licensed assessor begins review.
  • 13:30 - Assessor either approves or returns structured feedback.
  • 14:30 - If approved: certificate issued, NCSC register notified.
  • 17:00 - NCSC register listing appears publicly.

The above is the optimistic path - prepared organisation, clean submission, midday purchase. Real customer timelines tend to land between 3 and 5 hours from purchase to certificate.

Step 1 - run the readiness checker before you spend any money

The free Fig Group readiness checker walks you through every NCSC Cyber Essentials v3.3 control in 10–15 minutes. It is identical to the self-assessment questionnaire format, minus the paid submission. Use it to surface gaps before the clock starts.

The checker asks you, in order:

1. Scope declaration - which users, devices, and networks are in scope? Which are explicitly excluded?

2. Firewall and internet gateway controls - is every boundary device correctly configured?

3. Secure configuration - have default accounts been disabled, unnecessary software been removed, auto-lock timers been set?

4. Security update management - are high/critical patches applied within 14 days across every device and application?

5. User access control - does every human account have MFA? Are admin accounts individually named? Are leaver processes documented?

6. Malware protection - is anti-malware installed, updated, and running on-access scans?

If any question returns "unsure" or "no", the checker returns a specific remediation recommendation. Fix the gaps before you purchase - spending £299.99 on a submission that fails for a fixable reason burns your morning and does not save your afternoon.

Step 2 - the five-control preparation checklist

Before you buy, have the following in verified working order. If even one line is "not sure", pause and fix before you submit.

Firewalls and internet gateways

  • Every boundary device (office router, office firewall, cloud firewall) has a non-default admin password.
  • Firmware is current - no device running firmware that is flagged end-of-life by the vendor.
  • Only necessary ports and services are open on the internet-facing side.
  • Every remote worker's home router has its admin password changed from factory default (under Cyber Essentials v3.3 this is in scope unless the worker connects exclusively through a corporate VPN gateway).
  • Inbound rules are documented - you can explain in one sentence what each open port is for.

Secure configuration

  • Every device has auto-run disabled.
  • Screen lock activates after 15 minutes of inactivity (or less) - via Group Policy on Windows, System Settings on macOS, MDM-enforced on iOS / Android.
  • Default accounts are disabled (guest, local admin default, vendor-shipped accounts).
  • Staff laptops have had bloatware removed - no manufacturer trial software.
  • Server and workstation services are pared to what the role needs - no unused background services running.

Security update management

  • Every in-scope device runs a supported operating system - Windows 11, Windows 10 with ESU, macOS Sonoma or later, iOS 17+, Android 13+, a maintained Linux LTS.
  • High and critical patches are applied within 14 days of vendor release. The 14-day clock starts on the vendor's public release date, not on the date your scanner finds it.
  • Third-party applications (Chrome, Adobe Reader, 7-Zip, Java, Node, Python) are kept current. Many CE failures come from out-of-date browser plug-ins, not from Windows Update.
  • Firmware on network devices is supported and current.

User access control

  • Every user has an individual named account - no shared credentials, not even for "the reception PC".
  • MFA is enforced on every user account (Cyber Essentials v3.3 made this mandatory - no "most users have it" exemption).
  • Admin accounts are separate from day-to-day accounts. Users who need admin rights have two accounts: a standard account for email and normal work, and an admin account used only for admin tasks.
  • Leaver process is documented and runs same-day on termination.
  • Service accounts (automation, API keys) that cannot use MFA are documented, scoped, and monitored.

Malware protection

  • Anti-malware (Microsoft Defender, CrowdStrike, SentinelOne, or equivalent) is installed on every endpoint.
  • Tamper protection is enabled (this catches many first-time submissions - Defender has it, but it is off by default on older tenants).
  • Definitions are current - signature updates within 24 hours.
  • On-access scanning is enabled and cannot be silently turned off by a standard user.
  • For servers, either anti-malware is installed or the server is locked down with application allow-listing (WDAC on Windows, Gatekeeper + SIP on macOS).

If every bullet above is green, you are ready to buy.
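
A pre-submission pass over the checklist above, added here as an illustration; it is not Fig Group's readiness checker or any vendor's code. The inventory, its field names, and the use of a mailbox as a proxy for "day-to-day" use of an admin account are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(days=14)        # high/critical patches, counted from vendor release
SIGNATURE_MAX_AGE = timedelta(hours=24)  # anti-malware definitions
SCREEN_LOCK_MAX_MIN = 15                 # minutes of inactivity
NOW = datetime(2026, 3, 20, 9, 0)        # constructed "today" so the sample is reproducible

# Constructed sample data; the field names are assumptions made for this example.
DEVICES = [
    {"name": "LT-014", "os_supported": True, "screen_lock_min": 10,
     "tamper_protection": True, "signatures_updated": datetime(2026, 3, 19, 22, 0),
     # The scanner found this 3 days ago, but the vendor released it 20 days ago.
     "missing_patches": [{"id": "PATCH-A", "severity": "critical",
         "vendor_released": datetime(2026, 2, 28), "scanner_found": datetime(2026, 3, 17)}]},
    {"name": "LT-022", "os_supported": False, "screen_lock_min": 30,
     "tamper_protection": False, "signatures_updated": datetime(2026, 3, 17, 8, 0),
     "missing_patches": []},
]
ACCOUNTS = [
    {"name": "a.khan", "type": "user", "mfa": "enforced", "admin": False, "mailbox": True},
    {"name": "reception", "type": "shared", "mfa": "enabled", "admin": False, "mailbox": True},
    {"name": "j.lee-admin", "type": "user", "mfa": "enforced", "admin": True, "mailbox": True},
    {"name": "svc-backup", "type": "service", "mfa": "none", "admin": False,
     "mailbox": False, "documented": True},
]

def device_gaps(dev, now=NOW):
    checks = [
        (not dev["os_supported"], "unsupported operating system"),
        (dev["screen_lock_min"] > SCREEN_LOCK_MAX_MIN, "screen lock over 15 minutes"),
        (not dev["tamper_protection"], "tamper protection off"),
        (now - dev["signatures_updated"] > SIGNATURE_MAX_AGE, "signatures older than 24 hours"),
    ]
    gaps = [msg for failed, msg in checks if failed]
    for p in dev["missing_patches"]:
        # The clock runs from vendor release; scanner_found is deliberately ignored.
        if p["severity"] in ("high", "critical") and now - p["vendor_released"] > PATCH_WINDOW:
            gaps.append(f"{p['id']} overdue (14-day rule)")
    return gaps

def account_gaps(acct):
    gaps = ["shared credentials"] if acct["type"] == "shared" else []
    if acct["type"] != "service" and acct["mfa"] != "enforced":  # "enabled" is not enough
        gaps.append("MFA not enforced")
    if acct["type"] == "service" and not acct.get("documented"):
        gaps.append("undocumented service account without MFA")
    if acct["admin"] and acct["mailbox"]:  # proxy for an admin account doing daily work
        gaps.append("admin account used for day-to-day work")
    return gaps

def readiness_report(devices=DEVICES, accounts=ACCOUNTS, now=NOW):
    report = {d["name"]: device_gaps(d, now) for d in devices}
    report.update({a["name"]: account_gaps(a) for a in accounts})
    return {name: gaps for name, gaps in report.items() if gaps}
```

Calling `readiness_report()` returns only the devices and accounts with open gaps; LT-014 is listed because the patch is 20 days past vendor release even though the scanner reported it 3 days ago.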

Step 3 - purchase before midday

The 6-hour guarantee window runs from purchase to certificate issue. To stay inside it, purchase before 12:00 midday on a UK working day.

1. Visit /cyberessentials#pricing.

2. Select the right tier by total UK headcount (Micro 1-9, Small 10-49, Medium 50-249, Large 250+). Pricing is published: £299.99 + VAT through £549.99 + VAT.

3. Complete Stripe checkout. Payment is one-off, card-based, no recurring fee.

4. Confirmation email arrives within two minutes with the link to the self-assessment.

If you are an MSP reselling to multiple clients, the same flow applies per client certification. Ask about volume pricing at /contact.

Step 4 - complete the self-assessment questionnaire

The self-assessment takes 45–90 minutes for a prepared organisation. The form is structured question-by-question so you can save progress and return to it.

What to keep open in browser tabs while you fill it in:

  • Your identity provider admin console (Entra ID, Google Workspace, Okta) - for MFA and user-registration evidence.
  • Your MDM console (Intune, Jamf, Workspace ONE) - for device policy evidence.
  • Your anti-malware admin console (Defender admin centre, CrowdStrike Falcon) - for tamper-protection and coverage evidence.
  • A list of your in-scope cloud services.

How to answer for maximum pass-rate:

  • Be concrete. "We use Microsoft 365 Business Premium with Entra Security Defaults enforcing MFA across all 42 users" beats "We have MFA enabled".
  • Name products and versions - "Windows 11 Pro 23H2" not "up-to-date Windows".
  • Mention the technical enforcement not just the policy - "Conditional Access policy requires compliant Intune-enrolled device for all corporate resources" beats "we require staff to use corporate laptops".
  • For exclusions (sub-sets), state the device class, the technical control that enforces the exclusion, and the attested impact - "contractors' personal laptops are excluded from scope. Technical enforcement: Entra Conditional Access requires compliant device; non-compliant devices are blocked from Microsoft 365. Contractors access corporate resources exclusively through the Fig-managed Citrix virtual desktop."

Step 5 - what happens behind the scenes during the 6-hour window

This is the part most organisations do not see. The assessor's side of the process determines whether you certify at 14:30 or 17:30. Here is what happens in the Fig Group pipeline for a typical 11:55 submission.

11:56 - The submission lands in the queue. An AI triage layer scans the entire questionnaire in under 60 seconds and flags any lines that look inconsistent with Cyber Essentials v3.3 requirements. The AI does not make the pass/fail decision - it prioritises the assessor's attention so the highest-risk lines are reviewed first.

12:05 - Assessor opens the submission. For a 30-person organisation this is roughly a 40-minute review: open each control category, cross-check the evidence claims against scheme requirements, flag any ambiguities.

12:45 - One of two things happens:

  • Path A (clean submission): The assessor approves the submission. The certificate is generated, digitally signed, and emailed to you. The NCSC register is updated.
  • Path B (structured feedback): The assessor sends you a numbered list of items to clarify. Each item includes the specific scheme requirement, the answer you gave, why it does not meet the requirement, and the example answer that would pass. You correct and re-submit; the clock resumes.

14:30 - Typical certificate issue time for a Path A morning submission. The PDF certificate is in your inbox, the digital badge is attached, and your entry on the IASME / NCSC register is live.

The point of the AI triage: it shrinks the queue wait. Without triage, submissions sit in a FIFO queue waiting for an assessor. With triage, the assessor opens every submission within 15 minutes of arrival because the AI has already surfaced the highest-priority items. That is how 6-hour turnaround is possible against an industry average of 24-72 hours.

A real customer timeline

Redacted example from March 2026 (MSP customer running a CE refresh for a client who had missed their renewal window):

  • 08:47 - Purchased Cyber Essentials Small (10-49 staff), £399.99 + VAT.
  • 08:49 - Confirmation email. Self-assessment link active.
  • 09:30 - Client had pre-filled the answers over the weekend. MSP reviewed and polished the MFA and scope sections.
  • 10:12 - Submitted.
  • 10:18 - AI triage flagged one line ("14-day patching rule" answer referenced "monthly" cadence).
  • 10:34 - Assessor returned feedback on the patching line.
  • 10:52 - MSP corrected the answer (the client did in fact apply critical patches within 14 days; the first answer was badly worded).
  • 10:55 - Re-submitted.
  • 14:23 - Certificate issued.
  • 14:25 - NCSC register update confirmed.

Total elapsed time from purchase to certificate: 5 hours, 36 minutes. The 18-minute feedback round trip did not blow the window.

The seven most common delay traps

From 400+ Fig Group Cyber Essentials submissions in Q1 2026, these are the ranked reasons a 6-hour-possible submission gets pushed to the next business day.

1. Purchase after 12:00 midday. Submissions received after noon are reviewed in the afternoon queue and typically close the next working morning. If the deadline is today, purchase before 11:30.

2. MFA enforcement gap. The submission says "MFA enabled on every user", but the evidence says "enabled but not enforced". Under v3.3 you need enforcement. Fixing this requires a 15-minute Conditional Access policy change plus an attested wait for sign-in, which blows the afternoon.

3. Unsupported Windows. A laptop running Windows 10 without Extended Security Updates fails on sight. Either upgrade to Windows 11, enrol in ESU, or remove the device from scope before submitting.

4. 14-day patching answered as "monthly". "We patch monthly" fails v3.3. Change to "high and critical patches applied within 14 days of vendor release; rolled out weekly via Intune update rings" and the line passes.

5. Home routers not addressed. Remote workers are present but the submission does not mention home-router scope. Either enforce a corporate VPN (the boundary becomes the VPN gateway) or provide signed attestations from each remote worker confirming that the default admin password has been changed and the firmware is current.

6. BYOD policy-only. The submission says "we do not allow BYOD" but there is no technical control. Replace with either "Conditional Access blocks non-compliant devices" or "Intune enrolment required for corporate-resource access".

7. Scope description ambiguous. "Everything except production" without naming production is ambiguous. Name the explicit account, subscription, or network that is excluded, and describe the technical boundary that enforces the exclusion.

What to do if your submission fails review

Fail is strong language. The reality is: first-pass compliant rate across Fig Group submissions is about 72%. The remaining 28% receive structured feedback on one to three items, correct them within an hour, and certify the same day.

If you receive feedback:

1. Read every feedback item carefully - each points at a specific scheme requirement.

2. Correct the specific answer. Do not rewrite the whole submission.

3. Confirm the evidence side matches the new answer - if you said "MFA enforced" update Conditional Access too, not just the form.

4. Re-submit.

Fig includes up to three free re-submissions in the purchase price. Most organisations use one; a few use two. Three is rare.

Recertification - the 12-month horizon

Your Cyber Essentials certificate is valid for 12 months from issue. Beyond that date you are no longer on the NCSC register and your contract-side CE references stop being current.

Plan your recertification 14 days before expiry. At Fig Group this means purchasing on the same tier (unless your headcount band has changed), re-completing the self-assessment with any control changes from the year, and submitting. A renewal submission for an organisation whose controls have not drifted is typically quicker than the first submission - the user has muscle memory and evidence is already gathered.

Many organisations use the 12-month renewal cycle to:

  • Progress to Cyber Essentials Plus for third-party verification (required for many tenders and larger client contracts).
  • Map CE controls to ISO 27001 Annex A.8 for broader compliance.
  • Move onto the Fig governance-first platform for continuous compliance - so next year's renewal is essentially a one-click event.

Summary

Sub-day Cyber Essentials certification is achievable if you prepare before you purchase. The five-control readiness checklist, MFA enforced end-to-end, purchase before midday, clean self-assessment, and correct use of Fig Group's IASME-licensed pipeline is the pattern that consistently certifies inside the 6-hour window. If the submission needs corrections, three free re-submissions are built into the fee and structured feedback keeps the clock useful. Fig is the only UK IASME-licensed certification body to publish this guarantee.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor, IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
