Short answer
Typically 2–3 working days end to end. The assessor schedules a kick-off call, runs the external scan, samples 3–10 devices depending on organisation size, runs the malware-execution test, and issues the certificate.
Why this matters
Turnaround questions matter when a buyer has a tender deadline, insurer request, or supplier onboarding gate. Fast certification is only credible when the submission is complete and compliant; if the assessor has to return the application for fixes, the applicant controls the delay.
A same-day route normally depends on three things: the self-assessment is complete, the answers are consistent with the scope, and the organisation already meets the five Cyber Essentials controls. Cyber Essentials Plus adds scheduling and technical testing, so it should not be treated like a same-day document review.
What to check next
- Prepare scope, asset, user, cloud, and MFA information before submission.
- Submit before midday on a UK business day if you need the 6-hour guarantee.
- Use Cyber Essentials Plus planning time for device sampling and external scan remediation.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.