How long is Cyber Essentials valid for?

Following on from our last blog post, “Steps to prepare and pass Cyber Essentials” this post builds on that advice and discuses the time it takes to achieve certification.

Cyber Essentials scheme encourages businesses to adopt best practices to protect themselves against common security threats. With time, the variety and complexity of these cyber threats are increasing, consequently, cybersecurity standards such as such as Cyber Essentials are constantly evolving their requirements.

This is the reason most standards and schemes have a validity period for their certification. Cyber Essentials is reviewed annually and the UK Government recommends that all certificate holders must review their certification annually to remain on the official register of certified businesses.

In this blog post, we discuss the validity period for Cyber Essentials and how the recertification process works.

How much time does it take to get your business certified?

When you apply for Cyber Essentials, and following payment of £300 plus VAT (at the time of publication), you will receive a self-assessment questionnaire. You have up to 6 months to submit the questionnaire to the certifying body for review and a decision on your certification. If you fail to submit your self-assessment questionnaire within this period, your application will be cancelled, and you will have to make the payment again.

On average, we have found that it takes small businesses around 2 weeks to complete their assessment.

Following submission, it usually takes on average 3 days for the certification body to give you a response. If everything is in order, they will award you your Cyber Essentials certification.

In the case of Cyber Essentials Plus, the process takes a little longer and will typically involve an additional on-site audit and a system vulnerability scan from a registered competent contractor.

Depending on the time and size of your business, it can take up to 6 months to receive a Cyber Essentials Plus certification.

How long is your certification valid for?

There is no definitive period of validity for a Cyber Essentials certification. But, the UK government recommends that businesses renew their certification annually. If you fail to renew your certification within a year, you will be removed from the list of certified organisations.

Cybersecurity is continuously evolving with new requirements and best practices being established every day. To keep your business protected, it is important you stay updated with these new developments. Re-certifying helps demonstrate to your clients that you are improving your security to counter newer threats.

Your accreditation body should inform you by email around a month before you are expected to re-certify. When you receive this email, it is a good time to start preparing for the re-certification process.

How long does will it take to re-certify?

The recertification process is almost the same as the certification process.

Therefore, time durations are similar and you should receive your updated certification within 3 days of you submitting your assessment.

You should factor in the personal time and investment to re-enter all the original information from your previous applications to the recertification questionnaire as the sequence and content do change annually to reflect the changing security environment and requirements for cybersecurity.

In case of changes to the security infrastructure of your organisation, your answers should reflect the changes. If there are no changes, then you can copy and paste the answers from the questionnaire that you filled the previous year.


The bottom line is that you and your business need to re-certify annually to retain your accredited Cyber Essentials registration. The scheme’s current certified businesses are registered on a publicly accessible register, so there is no hiding if you have not completed your annual recertification.

The benefits of getting re-certified include improved protection against emerging cyber threats and reduced risk to your business through an annual review of your adherence to compliance standards.

CyberSmart is an automated compliance service that helps businesses seamlessly track and renew their Cyber Essentials certification. In our next post, we will look at how CyberSmart has been proven to speed up the process for you and your business, saving valuable time, effort and potentially cost. If you would like to learn more about how we can help you remain protected and compliant, get in touch with us right away.