Why Same-Day Cyber Essentials Is Now Possible (And Why It Wasn’t Five Years Ago)

Jay Hopkins | 11 November 2025 | Last reviewed: 18 April 2026

In 2020, every IASME-licensed certification body in the UK took at least three working days to issue a Cyber Essentials certificate. Most took five. The standard service was a week; the fast option was three days. No body issued same-day certificates. It was not a policy decision; it was a technology constraint.

In 2026, a small number of bodies, including Fig Group, operate on a 6-hour-from-submission turnaround as the standard service. The Cyber Essentials standard itself has not changed materially in that period: the controls are still the five NCSC themes, and although v3.3 added mandatory MFA, the rigour of assessment is the same. What has changed is the technology around the assessment.

This article explains what changed, why most certification bodies have not kept up, and why the gap between fast and slow certification has widened rather than narrowed over time.

Five years ago: why Cyber Essentials took a week

In 2020, the typical IASME-licensed certification body operated like this:

Submissions came in by email or through a PDF form. The applicant completed a Word or PDF document of questions, saved it, and emailed it to the certification body’s general inbox.

An assessor picked up submissions from a shared queue. The queue was managed manually — a spreadsheet, a case management system, or sometimes just an email folder. Submissions were triaged by whoever had capacity that day.

The assessor read the submission in its document form. They opened the PDF or Word doc, scrolled through the answers, and decided whether each control was passed, failed, or needed clarification.

Feedback was sent by email. The assessor typed a response identifying any gaps, emailed it back to the applicant, and waited. The applicant received the email, hopefully read it promptly, made changes to their document, and emailed the revised version back.

The resubmission re-entered the queue. Not necessarily to the same assessor. Not necessarily the same day.

Certificate generation was manual. Once approved, someone in the administrative team generated the certificate in a Word template, exported it to PDF, uploaded it to the IASME database manually, and emailed the certificate to the applicant.

Every step in that workflow introduced unavoidable delay. Email latency. Queue wait time. Assessor availability. Administrative handoffs. Even a clean submission with no feedback typically took two to three working days purely because each administrative stage added hours.

The three- to five-day service was not laziness. It was the maximum speed the underlying workflow could sustain.

What changed

Between 2020 and 2026, three shifts happened independently that made same-day Cyber Essentials feasible.

Structured submission replaced PDFs. The IASME portal matured into a structured web interface where applicants answer questions in a structured form, not a document. This meant every submission arrived in the certification body’s workflow in a machine-readable format rather than as text inside a file.

Automation of the administrative steps became cheap. Certificate generation, IASME database registration, digital badge production, email notifications — all of this can now be automated end-to-end for a certification body that invests in the tooling. The certificate is generated when the approval is recorded, not when someone remembers to do it.

AI-assisted pre-screening emerged. The newest shift. Before an assessor opens a submission, an AI layer can review every answer against the scheme requirements, flag inconsistencies (MFA claimed in section 4 but password-only access described in section 7), surface the specific control areas most likely to need feedback based on historical patterns, and present the assessor with a structured view of what they need to focus on. The assessor still makes the certification decision. But the assessor’s time is spent on judgment, not on administrative review.

Together, these three shifts took the per-submission administrative overhead from 3–4 hours of human time to under 20 minutes. And the remaining 20 minutes can happen in real time rather than spread across a working week.

What did not change

The standard itself. The NCSC Cyber Essentials requirements in 2020 covered the same five control themes they cover now: firewalls, secure configuration, security update management, user access control, and malware protection. v3.3 (effective April 2026) added mandatory MFA for all in-scope user accounts. But the rigour of assessment — whether an assessor properly evaluates each control against the requirements — has not changed.

This matters because fast certification is often misunderstood as "easier" certification. It is not. The assessment standard is the same. What is faster is the administrative path around the assessment, not the assessment itself. A submission that would fail in 2020 still fails in 2026. A submission that would pass in 2020 passes faster in 2026.

The IASME licensing framework also has not changed materially. Every certification body that issues certificates today is subject to the same licensing requirements, quality controls, and periodic reviews as in 2020. The standard is the gating factor. Speed of administration is where the differentiation sits.

Why most bodies have not kept up

If the technology changes that enable same-day certification are available, why do most IASME-licensed bodies still operate on 3–5 day timelines?

Legacy operating models are hard to change. A certification body that has been running Cyber Essentials for 5+ years has built processes, trained staff, and sized its infrastructure around the traditional workflow. Replacing that workflow is a non-trivial technology investment and a change management exercise.

Cyber Essentials is not the only product. Most IASME-licensed bodies also sell ISO 27001 certification, penetration testing, consultancy, and related services. Cyber Essentials is a relatively low-margin, high-volume product. Investing in automation specifically for it is a strategic decision that most bodies have not made.

The speed incentive is weak. For most buyers, 3–5 working days is acceptable. The 6-hour buyer is a subset of the total market. Bodies that serve the general Cyber Essentials buyer do not need to be fast; they just need to be competent.

AI-assisted pre-screening is recent. The tooling that makes 6-hour assessment feasible at scale has matured meaningfully in the last 18 months. Even bodies that want to be fast are still figuring out how to integrate it.

Together, these mean the gap between fast and slow certification bodies has widened, not narrowed. Most bodies have stayed on the 3–5 day timeline. A small number have invested in the tooling to operate same-day. The middle ground — 12-24 hour turnaround — is nearly empty.

The economics of speed

For a certification body, investing in same-day capability is significant. Building or licensing the AI pre-screening layer. Building the automation that handles certificate generation and IASME database registration without human intervention. Training assessors to work with AI-assisted reviews rather than raw submissions. Sizing staff for real-time throughput rather than batch processing.

The payback is straightforward: a certification body running same-day can process more submissions per assessor per day than a body running on a 3–5 day workflow. The per-assessment cost goes down. Which means the price to the customer can go down, or the margin can go up, or both.

Fig Group is the first IASME-licensed body to publicly commit to a 6-hour standard SLA and to publish pricing below the standard IASME fee baseline. That is not a coincidence. The same platform investment that makes same-day feasible also makes the sub-baseline pricing feasible. Faster assessment and cheaper assessment are the same investment seen from different angles.

What comes next

Two likely directions for UK Cyber Essentials delivery over the next 3–5 years.

Same-day becomes the expected standard. As more bodies invest in automation, 3–5 day timelines will start to look slow rather than normal. Buyer expectations will shift.

AI-assisted assessment gets more sophisticated. Current AI pre-screening is descriptive (flagging inconsistencies, highlighting risk areas). Future versions will be more analytical (correlating across submissions, learning from historical outcomes, predicting feedback likelihood). The human assessor role shifts further toward judgment and away from review.

New control themes appear and are integrated quickly. v3.3’s MFA requirement was a meaningful addition. Future versions will continue to evolve. Bodies operating on automated workflows can integrate new themes in weeks; bodies on manual workflows take months.

For buyers, the practical implication is that the certification body you work with matters more as the gap between fast and slow widens. In 2020, every body took about the same time. In 2026, some take hours and others take a week. In 2028, the gap will be larger still.

Bottom line

Same-day Cyber Essentials is not a marketing claim; it is a technology outcome. The standard has not changed. What has changed is the workflow around the standard — structured submission, administrative automation, and AI-assisted pre-screening. Bodies that have invested in that workflow can issue certificates in hours. Bodies that have not still take a working week. The gap is widening rather than closing.

For buyers, the takeaway is narrow: if you need Cyber Essentials quickly, you need a certification body that has made the technology investment. Not every body has. The ones that have are the only ones that can legitimately deliver same-day work.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
