PROCUREMENT & TENDERS
Responding to a tender that requires Cyber Essentials — a practical guide.
A tender has landed that requires Cyber Essentials certification. You do not currently hold it. Here is a realistic assessment of what is involved, how long it takes, and whether you can make the deadline.
Assess the actual requirement first
Before you do anything else, confirm exactly what the tender requires. Is it Cyber Essentials or Cyber Essentials Plus? Must you hold the certificate at bid submission, at contract award, or within a specified period after award? Is there any flexibility stated in the documentation?
These details matter. The difference between "certificate required at submission" and "certificate required within 90 days of contract start" is the difference between a realistic bid and an impossible one.
Realistic timelines
For an organisation with a reasonably well-maintained IT environment and no major compliance gaps, Cyber Essentials can typically be achieved in four to six weeks. This includes a readiness assessment, any necessary remediation, completion of the self-assessment questionnaire, and certification body review.
For Cyber Essentials Plus, add another two to four weeks for the independent technical verification. The combined timeline for CE Plus is typically six to ten weeks from start to certificate — longer if significant remediation is required.
If your IT environment has known issues — legacy systems, inconsistent patching, poor access controls, or unclear scope boundaries — add time for remediation. Trying to certify without addressing known gaps leads to failed assessments and wasted time.
What to prioritise
If time is tight, focus on the areas most likely to cause a failed assessment: patch management (are all devices running supported software with security updates applied within 14 days?), access controls (are admin accounts properly controlled? Is MFA in place where required?), and scope definition (do you know exactly which systems are in scope for the assessment?).
A readiness assessment at the start of the process will identify the specific gaps in your environment. This is not optional if you are working to a deadline — it is essential.
What to tell the buyer
If you cannot certify in time for the bid deadline but want to proceed, be honest in your response. State that you are in the process of obtaining certification, provide a realistic expected date, and offer to provide evidence of progress (such as confirmation of your readiness assessment or remediation plan).
Some buyers will accept this. Others will not. But submitting a bid that claims you can certify in two weeks when you cannot is worse than being honest about your timeline.
IF THE DEADLINE IS IMPOSSIBLE
If the tender requires certification at submission and your realistic timeline extends beyond that date, you have a decision to make. Either do not bid, or contact the buyer to ask whether there is any flexibility. Do not submit a bid based on an unrealistic certification timeline.
Related guides
Cyber Essentials for government suppliers — what PPN 014 means for your contract.
Scoping & ProcessHow to scope a Cyber Essentials assessment — and why getting it wrong is costly.
Certification BasicsCyber Essentials vs Cyber Essentials Plus — what is the difference and which do you need?
TENDER DEADLINE APPROACHING?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.