Cyber Essentials for Greater Manchester SMEs: a plain-English guide

If you supply larger organisations, bid for public-sector work, or simply want to prove to customers that you take security seriously, you have probably come across Cyber Essentials. It is the UK's baseline cyber security certification, and for a Greater Manchester SME it is one of the most cost-effective things you can do to reduce risk and win work at the same time.
This guide explains, in plain English, what Cyber Essentials is, what the five controls actually mean day to day, what it costs in 2026, and how a small business in Bury, Manchester or the wider North West gets certified without the headache.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme. It is overseen by the National Cyber Security Centre (NCSC) and delivered through IASME and its network of licensed certification bodies. The idea is simple: put five sensible technical controls in place and you will stop the overwhelming majority of everyday, opportunistic cyber attacks — the phishing, malware and password attacks that hit small businesses far more often than targeted hacks.
There are two levels. Cyber Essentials is a verified self-assessment: you answer a questionnaire about your setup and a qualified assessor reviews it. Cyber Essentials Plus covers exactly the same five controls, but an independent assessor tests your live systems to confirm the controls really are in place. Both certificates last 12 months and are renewed annually.
The five controls, in plain English
Every part of the scheme comes down to these five control themes. Here is what each one means for a typical SME.
1. Firewalls
Every device that connects to the internet — your office router, cloud firewalls and the software firewalls built into laptops — needs to be properly configured. In practice that means changing default router passwords, closing ports you don't need, and not exposing anything to the internet that shouldn't be. If your team uses Microsoft 365 or works from home, conditional access and device firewalls are part of this picture too.
2. Secure configuration
Kit arrives set up for convenience, not security. Secure configuration means hardening devices before they go into use: removing software you don't need, disabling default and guest accounts, and turning off risky features like auto-run. Under the 2026 update this is stricter — a default install is no longer acceptable just because that's how it came out of the box.
3. Security update management
Keep everything patched. Operating systems and high-risk software (browsers, email clients, Office, PDF readers) must be kept up to date, and any update fixing a high or critical vulnerability must be applied within 14 days. Software the vendor no longer supports has to be removed from scope entirely — that old Windows box or unsupported line-of-business app will fail you.
4. User access control
People should only have access to what they genuinely need, and admin accounts should be used for admin tasks only — not day-to-day work. Multi-factor authentication (MFA) is now central: under the April 2026 requirements, MFA must be enabled on all cloud services, not just admin logins. Leavers' accounts must be disabled promptly.
5. Malware protection
Every in-scope device needs active protection — anti-malware/EDR software, application allow-listing, or a sandboxed environment. It must be switched on, kept up to date, and set to scan automatically, including on mobile devices.
What does Cyber Essentials cost in 2026?
IASME sets the basic certification fee centrally, banded by your total headcount, so you pay the same regardless of which certification body you choose (all figures exclude VAT):
- Micro (0–9 staff): from £320
- Small (10–49 staff): around £440
- Medium (50–249 staff): around £500
- Large (250+ staff): up to £600
Cyber Essentials Plus costs more because of the hands-on technical audit. It starts from around £1,400+VAT for a small, simple business and rises with the size and complexity of your network. You must hold a valid basic certificate first, and complete the Plus assessment within three months of it.
These are the direct certification fees. The real cost also includes any work needed to meet the controls first — things like turning on MFA everywhere, replacing unsupported software, or deploying EDR. For most Greater Manchester SMEs that groundwork is modest, especially if you already have managed IT in place.
The free £25,000 cyber insurance most SMEs miss
Here's a benefit that is easy to overlook: if your organisation turns over under £20 million and you certify your whole organisation to basic Cyber Essentials, you automatically get £25,000 of cyber liability insurance included at no extra cost, along with access to an incident-response helpline. For many small businesses that cover is worth more than the certification fee itself.
Why it's worth it for a Greater Manchester SME
Beyond the security itself, Cyber Essentials is increasingly a commercial requirement. It is mandatory for many UK government and public-sector contracts, and larger private-sector customers now routinely ask for it during supplier onboarding. If you sell into the NHS, councils, universities or bigger companies across Greater Manchester, having the certificate can be the difference between making a shortlist and being ruled out.
It also sends a clear signal to your own customers that you handle their data responsibly — which matters just as much for a Bury accountancy practice or a Manchester marketing agency as it does for a defence supplier.
How to get certified (the straightforward route)
The process is manageable, and it's much smoother with an IT partner who knows the scheme:
- Define your scope. Work out which devices, users and cloud services are in scope — under the current rules, anything internet-connected and any cloud service holding your data.
- Gap-check against the five controls. Compare where you are now to what the scheme requires, and list what needs fixing.
- Remediate. Turn on MFA everywhere, tidy up admin accounts, sort patching, remove unsupported software, confirm firewalls and endpoint protection.
- Complete the assessment. Submit the self-assessment questionnaire to your certification body for review (or, for Plus, prepare for the on-site technical test).
- Certify and diarise renewal. Once you pass, the certificate is valid for 12 months — set a reminder to renew before it lapses.
Most SMEs get through basic Cyber Essentials in a matter of weeks. The main variable is how much remediation you need up front, which is exactly where having managed IT and security already in place pays off.
How Tech Savvy Solutions helps
We help businesses across Bury, Manchester and the wider North West get Cyber Essentials-ready and stay there. Because our Savvy Secure cyber security suite already covers the controls the scheme cares about — EDR, MFA, patching, backup and staff training — most of the groundwork is done before you even start the questionnaire. We'll scope it, close the gaps, and guide you through certification without the jargon.
If you'd like to know where you stand today, book a free security review and we'll give you an honest picture of what certification would take for your business.
Ready to get Cyber Essentials-ready?
Book a free, no-obligation security review and we'll show you exactly what Cyber Essentials would take for your Greater Manchester business — and the simplest way to get there.