Are you looking to differentiate your business from your competitors? Or maybe you know you need to improve your cyber security and you’re not sure where to start. Perhaps you’re working with enterprise businesses and/or government or you work in an industry where there are certain expectations regarding your cyber security?

SMB1001 is a new initiative aimed at small and medium-sized businesses (SMBs) to enhance their cyber security measures and operational efficiency. It provides a comprehensive framework that includes best practices, compliance guidelines, and the latest advancements tailored to help them navigate the complex digital landscape. Simply put, it has been written specifically for Australian SMBs with input from Australian SMBs.

Webinar recording: “SMB1001 – what is it and why is it important?”

A recording of our recent webinar can be found here:

Cyber Wardens and CyberCert offer

Through Cyber Wardens (an Australian Government-funded training program) and CyberCert your business is eligible for:

  • Free Cyber Awareness Training subscription for you and your team (10 minutes, online)
  • Free Bronze Certification subscription through CyberCert if you hold an ABN
  • Free Upgrade to Silver Certification subscription if you claim it within 4 weeks of completing the training

The Silver Certification subscription includes the 14 core controls that cyber insurers are now recognising – so this is also a step toward qualifying for better insurance coverage.

How to get started:

  1. Complete the Cyber Wardens training.
  2. Follow the instructions to claim your free CyberCert Bronze.
  3. When prompted, nominate us (company name: CyberGuru, and ABN 39 659 776 655) as your MSP partner.
  4. If activated within 4 weeks, you’ll be upgraded to Silver.

Websites

The following websites will assist you in learning more about SMB1001. The contents of these are outside of CyberGuru’s control.

Frequently Asked Questions

What is SMB1001?

SMB1001 is a multi-tiered cybersecurity certification standard for small and medium-sized businesses. It was developed to bridge the gap between having no formal security structure and the overly complex ones meant for large enterprises. Key facts about SMB1001 include:

  • Designed for SMBs: Unlike ISO 27001 or the Essential Eight—which are excellent but geared towards larger organisations—SMB1001 is built around the practical realities of SMBs. It offers a clear, step-by-step roadmap to strengthen your security posture without needing a dedicated security team or a six-figure budget. SMB1001 strips away the bureaucracy of enterprise-grade standards and delivers straightforward, actionable guidance to help secure your business.
  • Continually updated: SMB1001 is a dynamic standard, refreshed annually to keep pace with emerging cyber threats and evolving best practices. Whether it’s AI-driven attacks or new regulatory requirements, the framework adapts to ensure certified businesses remain current and protected.
  • Globally Aligned: The framework maps to internationally recognised standards including Australia’s Essential Eight, the UK’s Cyber Essentials, and the US Department of Defense’s CMMC. By adopting SMB1001, your business naturally progresses towards compliance with these benchmarks—without starting from scratch. Originally launched in Australia, SMB1001 is going global in 2025, meaning certifications earned here will be recognised internationally. Increasingly, government bodies, insurers, and large enterprises are accepting SMB1001 as credible evidence of sound cybersecurity practices.
  • Community & Support Focus: Notably, the very first requirement of SMB1001 is to “engage a technical support specialist”. In other words, small businesses aren’t expected to go it alone. The standard encourages collaboration with qualified IT/cyber partners, such as managed service providers, who understand cybersecurity, information technology, and business risk. This allows business owners to focus on running their business. This ecosystem-driven approach distributes the effort – technical experts help implement controls, while the SMB benefits from the protection, much like outsourcing the maintenance of a “washing machine” so you can just wash your clothes.

What are the core components of SMB1001?

What does SMB1001 actually require companies to do? The framework spans a comprehensive set of technical, operational, and human-focused controls to ensure all aspects of cybersecurity are covered in a right-sized way. Key components and practices encouraged by SMB1001 include:

  • Baseline Protections: Implement fundamental technical safeguards. Even at Bronze level, SMB1001 calls for installing and configuring firewalls, running antivirus/endpoint protection on all devices and keeping software updated with patches. It also requires establishing a data backup and recovery strategy so that critical information is safely backed up off-site or in the cloud. These measures defend against common threats like malware and ensure business continuity if an incident occurs.
  • Strong Access Controls: Ensure that only the right people access sensitive data. SMB1001 mandates practices such as each employee having an individual user account (no shared logins), removing administrator privileges from daily user accounts and enabling multi-factor authentication (MFA) on important systems (especially email and remote access). It encourages the principle of least privilege – staff should only have access necessary for their role – and use of password managers to maintain strong, unique credentials.
  • Policies and Documentation: Formalise your cybersecurity policies and procedures. From the Silver tier, SMB1001 requires businesses to have documented policies (such as an Acceptable Use Policy for IT, a Cybersecurity Policy outlining rules and an Incident Response Plan that guides what to do if a breach happens). It also introduces specific procedures to tackle threats like invoice fraud (a common email scam) and ensures even physical documents are handled securely (by shredding confidential papers and so forth). These policies don’t need to be long, but they provide clarity and assign responsibilities, which is crucial for compliance and consistent response.
  • Employee Awareness and Training: People are often the weakest link in security, so SMB1001 emphasises regular cybersecurity training for all staff. Employees learn how to spot phishing emails, use good cyber hygiene and follow the company’s security policies. Many incidents can be prevented by an informed team, so building a security-aware culture is a key component of SMB1001. In fact, at Gold tier, conducting periodic security awareness training becomes a formal requirement.
  • Monitoring and Incident Response: Be prepared to detect and handle incidents. SMB1001 encourages continuous monitoring of systems, especially at higher tiers. More importantly, it requires having an incident response process in place – know how to isolate a ransomware infection, who to call if systems go down and how to report incidents. This readiness can significantly limit damage from cyber attacks.
  • Advanced Controls (Platinum/Diamond): For those pursuing the top tiers, SMB1001 adds controls usually seen in larger enterprises but scaled to small and medium business context. These include regular vulnerability scanning of internet-facing systems, stricter controls like enforcing MFA on VPN/remote desktop connections, ensuring all sensitive data is encrypted at rest (on disks/storage), and even penetration testing and security drills at Diamond level. Supplier security is another focus – Platinum introduces having a “digital trust program” for vetting and managing supplier risk, since even small businesses must be wary of weaknesses in their supply chain.

Together, these components form a holistic security baseline. Rather than overwhelming businesses, SMB1001 breaks down the journey into manageable steps. Many requirements are straightforward but when combined, they dramatically reduce the company’s cyber risk. By following SMB1001, an SMB also inherently addresses many common compliance requirements – from basic privacy protections to more specific laws.

How does SMB1001 compare to other frameworks?

Think of SMB1001 as a practical baseline and stepping stone. It doesn’t conflict with standards like ISO 27001 or SOC 2 – rather, it complements and aligns with them. A small business might use SMB1001 to quickly elevate security and demonstrate commitment, then later pursue an ISO certification if a client absolutely requires it. In many cases, though, SMB1001 will suffice; it’s increasingly seen as the “ISO for small business”.

Importantly, ISO 27001 focuses on establishing an information security management system (a lot of documentation and risk management processes), whereas SMB1001 focuses on implementing specific security controls and verifying they work. For an SMB, that concrete approach delivers tangible protection and is usually the higher priority.

What are the certification tiers?

SMB1001 is organised into five progressive certification levels, allowing organisations to start with basic hygiene and advance towards advanced security maturity as needed. Each tier builds on the requirements of the previous one:

  • Bronze (Tier 1) – Basic cyber hygiene (self-attested). This entry level covers fundamental protections with six control requirements. Examples include having reliable IT support, enabling automatic software updates, and implementing routine data backups. Bronze establishes a foundation of awareness and simple technical safeguards.
  • Silver (Tier 2) – Operational and baseline protections (self-attested). Silver builds on Bronze with 14 control requirements that introduce more structured policies and behaviours across the organisation. Examples include enforcing multi-factor authentication (MFA) for email, ensuring every staff member has individual (non-administrator) user accounts, and addressing common threats like invoice fraud with procedures. Silver certification has a special significance: meeting these fundamental controls “pre-qualifies” an SMB for cyber insurance coverage.
  • Gold (Tier 3) – Incident readiness and maturity (self-attested). Gold adds further advanced requirements with 23 controls in total. It requires formalising security policies and incident response plans, conducting staff cybersecurity training, maintaining an asset register of important data, and other measures that significantly elevate an SMB’s cyber resilience. Achieving Gold means the business can detect, respond to, and recover from incidents in line with best practices. In fact, SMB1001 Gold covers all the controls needed to meet new Australian laws on ransomware incident reporting and data breach notification (APP 11). Gold certification strongly demonstrates a mature security culture for a small business.
  • Platinum (Tier 4) – Independently audited cybersecurity program. At this level, the business’s security controls are externally verified. A third-party audit is required for certification, which examines 29 control areas. Platinum is ideal for organisations handling higher-risk data or operating in regulated industries. It includes advanced steps like purchasing and maintaining cyber insurance as well as regular testing (e.g. vulnerability scans). Achieving Platinum shows a business meets a robust standard validated by an auditor.
  • Diamond (Tier 5) – Advanced controls and testing. Diamond is the highest tier, with 36 controls, including all Platinum measures plus rigorous practices like penetration testing of systems, testing of the incident response plan, and implementing a digital trust program with suppliers. This level is suited for SMBs that manage highly sensitive data or critical services that cannot afford downtime. Diamond certification signals top-tier security resilience on par with leading industry standards.

How does the certification process work?

For Bronze, Silver, and Gold, SMB1001 opts for self-assessments and director attestations, steering clear of costly audits. A business sets up the necessary controls (with a helping hand from their IT partner) and then the owner or director signs off, confirming all requirements are met. This approach keeps things practical and affordable for smaller companies. Certification fees are kept minimal – AUD $95 for Bronze, $195 for Silver, and $395 for Gold per year – a deliberate move to encourage uptake.

For Platinum and Diamond, an independent certification body, CyberCert, steps in to conduct a verification audit (with associated audit fees) to ensure those higher-level controls are functioning effectively. Each certification is valid for 12 months and can be renewed or upgraded as the standard updates. The five-tier progression allows SMBs to start small and scale up their security as they grow or as their risk profile increases. A small company might begin at Bronze or Silver this year, then work towards Gold next year, and so on. There’s no pressure to achieve the top tiers until it aligns with the business’s needs and resources.

How does SMB1001 help me meet my compliance obligations?

Adopting SMB1001 can help an SMB meet various legal and regulatory cybersecurity requirements with confidence. The standard was designed with compliance in mind, to serve as a baseline that satisfies many common obligations across many industries. For example:

  • Data Protection and Privacy Laws: SMB1001’s controls, such as access restrictions, encryption, and breach response planning, align with the expectations of data privacy regulations. In Australia, SMB1001 Gold encompasses the practices needed for compliance with the Privacy Act’s Notifiable Data Breach Scheme rules. Essentially, it operationalises many of the security measures that privacy laws globally implicitly require.
  • New Cyber Incident Reporting Rules: The Australian Government has heightened mandates on cyber incident reporting for businesses. For example, the Cyber Security Act 2024 will necessitate certain SMBs to report ransomware incidents. SMB1001 Gold explicitly prepares businesses for these “ransomware reporting obligations” by ensuring they have the capability to detect and log incidents, along with a defined process to respond and report them. Instead of scrambling post-breach, a Gold-certified SMB will be prepared to comply with reporting requirements calmly and accurately.
  • New Consumer Rights: The Privacy and Other Legislation Amendment Act 2024 enables individuals to sue organisations for serious invasions of privacy. Implementing SMB1001’s best-practice controls helps businesses address many of the key obligations of the Act. Aligning with SMB1001 minimises privacy risks and streamlines operations amidst stronger legal requirements, thereby reducing the likelihood of breaches or non-compliance.
  • Industry-Specific Standards: Various industries (finance, healthcare, defence contracting, etc.) have their own cybersecurity guidelines. SMB1001 can serve as a foundation to meet these standards. It closely maps to frameworks like NIST CSF, ISO 27001, and others – thus, by adhering to SMB1001 controls, an SMB is partway to meeting industry standards. SMB1001 is positioned as a stepping stone to broader compliance goals such as ISO 27001 or SOC 2. Once a business has matured through the SMB1001 tiers, advancing to an ISO 27001 Information Security Management System becomes more attainable (and often unnecessary unless required – many may find SMB1001 covers their needs).
  • Security Questionnaires and Audits: Companies with compliance obligations are frequently subjected to security assessments by partners or regulators. SMB1001 provides credible proof of due diligence. Instead of answering dozens of technical questions from a client or authority, an SMB can present their SMB1001 certification.

In summary, SMB1001 integrates compliance so that a small business meets many obligations by default. It transforms the vague requirement of “take reasonable (security) steps” – prevalent in laws and contracts – into a concrete to-do list tailored for small businesses. As regulations tighten and evolve, SMB1001’s annual updates will continue to incorporate new obligations, keeping certified businesses ahead of the curve.

How does SMB1001 help me with tendering?

SMB1001 certification is becoming a competitive differentiator for small businesses, especially when seeking contracts with government or big business. These entities are increasingly concerned about the security of their suppliers and often require evidence of cybersecurity practices during procurement. By obtaining SMB1001 certification, a small company can stand out and inspire confidence in these situations. Here’s how:

  • Credibility and Trust: SMB1001 accreditation signals to potential clients or partners that your business has been vetted against an industry standard. It’s an instantly recognisable proof of your cyber readiness. For example, a government department or a corporate client will feel more comfortable knowing you meet an internationally recognised security benchmark. SMB1001 essentially earns the trust of larger clients and partners on your behalf. It shows you have the policies and protections that responsible suppliers should have, giving you a leg up on competitors who may not have any certification.
  • Meeting Tender Requirements: If a tender or contract asks for “ISO 27001 or equivalent” or requires a detailed IT security questionnaire, SMB1001 can fulfil those requirements for an SMB. Rather than investing months and significant dollars into an ISO 27001 audit, SMB1001 gives a right-sized “seal of approval” that many enterprise procurement teams will accept for smaller vendors. This can open doors: businesses with SMB1001 may become eligible to bid on projects that previously would have been out of reach due to security prerequisites.
  • Marketing Edge: Being able to say your company is “SMB1001 certified” is a selling point. You can display a badge on your website or marketing materials. In a crowded market, this signals that your business is not only tech-savvy but also cares about protecting customer data. It’s a competitive edge that can sway customer decisions. Clients who are security-conscious will favour a certified provider over one with unknown security posture.

In an era where clients are getting more security-conscious and demanding evidence of cyber efforts, SMB1001 helps turn good security into a business advantage. By achieving certification, you’re not just reducing risk – you’re unlocking opportunities and signalling that your business is secure, responsible, and ready for prime time. Many SMB1001-certified companies find that it’s easier to win contracts and form partnerships because they can immediately address the security question and move forward to business.

How does SMB1001 help me with cyber insurance?

Cyber insurance has become an essential safety net for businesses of all sizes, covering financial losses from breaches, ransomware, and other cyber incidents. However, insurers have tightened their requirements in recent years. They now often ask detailed questions about your cybersecurity controls and may refuse coverage or charge higher premiums if you haven’t implemented basic protections. This is where SMB1001 proves extremely valuable to SMBs.

Achieving SMB1001 certification, especially at the Silver tier and above, can significantly streamline the process of obtaining cyber insurance and even make you eligible for better terms. In fact, holding an SMB1001 Silver certification automatically “pre-qualifies” a business for cyber insurance coverage.

Here’s why: the Silver level includes 14 fundamental controls – things like MFA, regular backups, anti-virus, user access controls, etc. – which are exactly the minimum practices insurers expect to see in place. If you can show you’ve met those requirements and have been certified, many insurers will consider that as evidence you’re a lower risk client.

From the insurer’s perspective, an SMB1001 Silver- or Gold-certified company is far less likely to suffer a severe breach than an uncertified one. For the SMB, this can mean:

  • Easier Insurance Approval: Rather than struggling through pages of technical questions, you can provide your certification as proof of security maturity. Some insurance application forms explicitly accept “SMB1001 certification” in lieu of certain questionnaire sections. This saves time and reduces the chance of mistakes or omissions on applications.
  • Avoiding Claims Denials: If you attest to having controls (like MFA) on an insurance form but don’t actually have them, a future claim could be denied. By implementing SMB1001’s controls properly, you ensure you truly meet the insurer’s criteria, avoiding nasty surprises.
  • Lower Premiums or Higher Coverage Limits: Over time, as insurers gather data, SMB1001-certified businesses may enjoy better premiums. There is already an understanding that an SMB1001-certified business has managed its cyber risk, which could make insurance payouts less likely or less costly. Some brokers have started tailoring policies for SMB1001 certificate holders. At the very least, certification puts you in a “preferred risk” category for insurance, which can only help in negotiations.
  • Financial Peace of Mind: While SMB1001 reduces the chance of an incident, no security is foolproof. Cyber insurance is there as a backstop. Knowing that the average cost of a cyber incident for a small business is around $50,000, insurance is key to survival. By using SMB1001 to qualify for insurance, an SMB ensures that even if the worst happens, they have financial protection.

In summary, SMB1001 and cyber insurance go hand-in-hand: the framework gets your security to an insurable state, and the insurance then covers any remaining risk. This integrated approach is increasingly recommended as part of good corporate governance for small businesses. Many SMB1001 partners and providers even help businesses obtain insurance once they’re certified. It’s a smart strategy to both prevent incidents and mitigate impact if one occurs.