Cyber Essentials Tender Deadline Emergency: The 48-Hour Playbook

Jay Hopkins | 15 January 2026 | Last reviewed: 18 April 2026 | 9 min read

I get this call most weeks. A business is bidding on a public-sector contract, a corporate client procurement, or a professional services panel. They have just read through the final RFP document properly and spotted the requirement: Cyber Essentials certification must be held at the point of submission. The submission closes in 48 hours. They do not hold Cyber Essentials.

This guide is what I tell those organisations in the next ten minutes. It is a real playbook, not a sales pitch. It will not rescue every 48-hour scenario — some genuinely cannot be certified that fast — but it works more often than the people in this situation assume.

The honest answer: can you actually certify in 48 hours?

Yes, if three conditions are true:

1. Your controls are substantially already in place. MFA on your main cloud platforms, managed devices, reasonable patching cadence, no shared accounts. If your posture is already close to the Cyber Essentials standard, the 48 hours is about documenting and submitting, not about remediating.

2. You pick a certification body that actually operates at speed. Most IASME-licensed bodies take 3 to 5 working days to review a self-assessed submission. A handful operate same-day. If your certification body takes a week, no playbook saves you.

3. You have someone who can give this their full attention for the 48 hours. Not someone who will "try to fit it in between meetings". Dedicated focus.

If all three are true, the timeline is realistic. If one of them is not, you need a different plan (extend the deadline, submit non-compliant with a note, or accept that this tender is not available to you).

Hour 0–8: Inventory and readiness check

The first eight hours are preparation. Do not start the questionnaire yet.

Inventory every system. List every laptop, desktop, phone, tablet, server, router, firewall, switch, printer (if it touches organisational data), and every cloud service your team uses. This is scope. Miss something here and you will have to revisit every answer below.

Run a free readiness checker. Fig Group’s free readiness checker runs in 10–15 minutes and identifies the specific gaps that need closing before you submit. Do this at hour one. Everything downstream depends on knowing what is broken.

Identify the blockers. From the readiness output, the blockers typically fall into three categories:

  • MFA not enforced on one or more cloud services
  • One or more devices unmanaged (no MDM, no documented baseline)
  • Accounts belonging to leavers still active somewhere

If you have more than three major blockers, the 48-hour timeline tightens significantly. If you have fewer than three, you are in good shape.

Hour 8–24: Fix the blockers

This is the triage window. Fix what you can, document the rest.

MFA enforcement is usually quick. Microsoft 365, Google Workspace, your CRM, your finance system, your document signing platform, every second-tier SaaS tool. Enforcing MFA on an existing platform usually takes under 30 minutes per service. Do them all. Announce to staff in advance so they expect the setup prompts.

Device management is slower but doable. If your laptops are not under MDM, the fastest path is Intune (for M365-using organisations) or the platform your IT team is already familiar with. A baseline security policy can be pushed to a small fleet in a couple of hours. For immediate compliance, focus on: software firewall enabled and locked, full-disk encryption (BitLocker for Windows, FileVault for Mac), screen lock, anti-malware active.

Leaver accounts are housekeeping. Pull your HR leaver list for the last 12 months. Reconcile against every in-scope system. Disable anything that should not be there.
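One way to run the leaver reconciliation described above, as an added example that is not part of the original article or any Fig Group tooling. It assumes each in-scope system can export its accounts as CSV; the column names, system names and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: an HR leaver list and one account export per system.
HR_LEAVERS_CSV = """email,leave_date
Alice.Smith@example.com,2025-11-30
bob.jones@example.com,2025-03-14
carol.old@example.com,2023-06-01
"""
# Assumed export format: one row per account with an "enabled" true/false flag.
ACCOUNT_EXPORTS = {
    "m365": "username,enabled\nalice.smith@example.com,true\ndave.current@example.com,true\n",
    "crm": "username,enabled\nBOB.JONES@example.com,false\nalice.smith@example.com,true\n",
    "finance": "username,enabled\nbob.jones@example.com,true\n",
}

def normalise(identity):
    # Systems disagree on case and padding; compare on a canonical form.
    return identity.strip().lower()

def load_leavers(hr_csv, today, window_days=365):
    """Return {email: leave_date} for people who left within the window."""
    cutoff = today - timedelta(days=window_days)
    leavers = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        left = date.fromisoformat(row["leave_date"])
        if cutoff <= left <= today:  # skips future-dated leavers still employed
            leavers[normalise(row["email"])] = left
    return leavers

def find_active_leaver_accounts(hr_csv, exports, today):
    """List (system, account, leave_date) for leaver accounts still enabled."""
    leavers = load_leavers(hr_csv, today)
    findings = []
    for system, export in sorted(exports.items()):
        for row in csv.DictReader(io.StringIO(export)):
            user = normalise(row["username"])
            if user in leavers and row["enabled"].strip().lower() == "true":
                findings.append((system, user, leavers[user].isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_active_leaver_accounts(HR_LEAVERS_CSV, ACCOUNT_EXPORTS, date.today()):
        print("DISABLE:", *finding)
```

Each finding is an account to disable before answering the user access control questions. Rerun the check after disabling so the result you document matches the state of every in-scope system.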

If something cannot be fixed in time, document it honestly. The Cyber Essentials questionnaire does not require perfection. It requires accurate, consistent answers that an assessor can verify. If you have one legacy server you cannot patch, document the isolation or exception rather than pretending it does not exist.

Hour 24–36: Complete and submit

The questionnaire itself takes one to two hours for someone familiar with the organisation’s systems. Do it in one sitting. Do not spread it over days.

Answer with specifics. "We use Intune on all Windows devices with the Microsoft Security Baseline applied" is a passing answer. "We keep our devices up to date" is not. Every control area wants a named tool, a stated cadence, and an owner.

Get a second pair of eyes. Before submitting, have someone else in the organisation read the answers. Mistakes at this stage (accidentally claiming a control that is not in place, missing a declared system, inconsistent answers between sections) cost another round of feedback and potentially another 24 hours.

Submit through a body that operates same-day. Fig Group’s guarantee is under 6 hours from submission for compliant applications placed before midday. That means a submission in during the morning of hour 30 can have a certificate by hour 36.

Hour 36–48: Respond to feedback (if any)

Even a clean submission sometimes gets clarifying feedback. A good certification body provides specific, control-level feedback that tells you exactly what to change.

Respond fast and fully. Do not resubmit until you have addressed every feedback item. Each resubmission adds time; none adds value if the response is incomplete.

If you fail on something structural — an unsupported OS, shared credentials, no MFA on a genuinely in-scope system — be honest about it. Sometimes the correct answer is to take a deep breath, extend the tender by 24 hours if the buyer allows, and fix the underlying issue properly. A bad-faith certification that passes inspection but breaks down under audit is worse than a missed tender.

The five 48-hour scenarios where the playbook fails

To be honest about where this does not work:

1. Unsupported operating systems in scope. If you are running Windows 7, Server 2012, or similar end-of-life systems that are inside your Cyber Essentials scope, you cannot be certified without removing or isolating them. That takes longer than 48 hours.

2. No MDM and no identity management. If every device is imaged individually and there is no central control, bringing the estate into coverage takes days, not hours.

3. Known unpatched critical CVEs. If a vulnerability scan would flag critical CVEs on your internet-facing infrastructure, the Plus audit will fail. For standard Cyber Essentials (self-assessed), you can claim and hope, but that is exactly the bad-faith scenario to avoid.

4. Split ownership of IT. When some of the IT estate is managed in-house and some is managed by an outsourced MSP that cannot respond within 48 hours, progress stalls. Align your MSP before starting.

5. Genuine complexity you did not know about. Sometimes the inventory turns up surprises — a legacy application, a shared spreadsheet with client data, a BYOD reality the leadership did not know about. If the surprises are significant, 48 hours is not enough.

If you are in one of these scenarios, the honest answer is to extend the deadline or withdraw the bid rather than rush a bad submission.

What this looks like when it works

A typical playbook-works scenario: a 20-person consultancy bidding on a Crown Commercial Service framework. They have Microsoft 365 with MFA on their main tenancy, laptops under Intune, Windows Defender active, and leaver processes in place. They do not have MFA on their expense management platform, their project management tool, or their recruitment portal.

Hour 3: readiness check identifies the three gaps.

Hour 4: MFA enforced on all three platforms.

Hour 5–20: documentation and questionnaire preparation.

Hour 22: submission via Fig Group.

Hour 26: feedback received on one clarification about BYOD phones.

Hour 27: response submitted.

Hour 30: certificate issued.

Tender submission at hour 47, Cyber Essentials certificate attached. Works.

What to do right now

If you are reading this with a live tender deadline in front of you:

1. Stop reading the tender document. You have read it.

2. Open the readiness checker and run it in the next 15 minutes.

3. Identify your top three blockers.

4. Fix what you can in the next eight hours.

5. Start the certification with a body that can actually deliver on a 48-hour window.

Do the inventory, close the gaps, submit cleanly. Fig Group is built specifically for this scenario. The 6-hour guarantee exists because we have seen this call a thousand times.

Bottom line

The 48-hour Cyber Essentials tender deadline is recoverable more often than people assume, provided three conditions are met: the controls are already substantially in place, the certification body actually operates at speed, and someone can give it their full attention. When those three conditions hold, the playbook above works. When they do not, the honest answer is a different plan — not a rushed certification that will not hold up.

If you are in that 48-hour window now, the clock is already running. The next action is the readiness check.


About the author

Jay Hopkins


Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
