SMB1001 is an Australian-developed cyber security certification standard built specifically for small and medium businesses. It uses five ascending tiers — Bronze, Silver, Gold, Platinum and Diamond — so a business can prove it has sensible controls in place without the cost and overhead of an enterprise framework like ISO 27001.
If you have heard it referred to as “Cyber Certification” or under the Dynamic Standards branding, that is the same lineage. SMB1001 is the named standard that sits behind those schemes. For a Melbourne SME being asked by a larger customer or insurer to “prove your security,” it is increasingly the answer that gets accepted — and it is far more achievable than people assume.
What SMB1001 actually is
SMB1001 is a tiered, multi-level cyber security standard aimed squarely at the businesses that the bigger frameworks were never written for: the 5-person bookkeeping firm, the 30-person fabrication shop, the family logistics operation running three trucks and a back office. These businesses still hold client data, still process payments, still get phished — but they do not have a CISO, a security budget, or the appetite to spend six months and tens of thousands of dollars on an ISO audit.
The standard’s strength is that it is designed to be self-assessed at the lower tiers and independently certified at the higher ones. You do not need to boil the ocean. You pick a tier that matches your size, risk and what your customers are demanding, implement the controls, and certify against it. As your obligations grow, you climb.
It is genuinely useful, and it is genuinely not a silver bullet. A certificate on the wall does not stop a determined attacker, and the lower tiers in particular set a floor, not a ceiling. Treated as a starting point and a discipline rather than a finish line, though, it does real work.
The five tiers, and roughly what each requires
The whole point of the tiered model is that the requirements scale with the business. Bronze is a sensible baseline that almost any micro-business can reach; Diamond approaches the kind of maturity you would expect from an organisation handling sensitive data at scale. Here is the broad shape of it.
| Tier | Who it suits | Roughly what it asks for |
|---|---|---|
| Bronze | Micro-businesses and sole traders new to cyber | Foundational hygiene: multi-factor authentication, backups, patching/updates, basic staff awareness, antivirus. Self-assessed. |
| Silver | Small businesses wanting to show baseline diligence | Everything in Bronze plus tighter controls — documented processes, account management, a basic incident response approach. Self-assessed. |
| Gold | Growing SMEs, or those being asked for proof by customers | More formalised governance, access control, logging and a written security policy. Independent certification typically required. |
| Platinum | Established businesses with real compliance exposure | Stronger technical and procedural controls, risk management, supplier and data handling requirements, independently certified. |
| Diamond | SMEs handling sensitive data or operating in higher-risk supply chains | The most comprehensive set — closer to a small-scale information security management system, independently certified and reviewed. |
The exact control list at each tier is defined by the standard itself and is refreshed periodically, which is part of the “dynamic” idea — the requirements move as the threat picture moves, so a Bronze in 2026 is not the Bronze of several years ago. Treat the table above as the shape, not the letter of the law. When we scope this for a client we work from the current published control set, not memory.
Who SMB1001 suits
The honest answer is most Australian SMEs that have never certified against anything. If you have been muddling along with decent-enough IT, an MSP keeping the lights on, and a vague sense that you “should do something about cyber,” SMB1001 gives you a structured, affordable way to start — and a credential at the end that means something to the people asking.
It fits particularly well for businesses in supply chains. A construction subcontractor in Box Hill bidding for work with a tier-one builder, a manufacturer supplying a listed company, a professional services firm acting for larger corporate clients — all of these are increasingly being asked, in tender documents and vendor onboarding forms, to demonstrate a baseline of security. SMB1001 is built to answer that question proportionately. We see it most across the construction, manufacturing and professional services clients we work with.
How it differs from — and complements — the Essential Eight and ISO 27001
This is where a lot of business owners get confused, so it is worth being precise. The Essential Eight, ISO 27001 and SMB1001 are three different things that overlap rather than compete.
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Cyber Security Centre (ACSC). It is a controls framework, not a certification scheme — there is no certificate you receive at the end, only maturity levels you self-assess or have assessed against. It is excellent at telling you what to harden (application control, patching, MFA, restricting macros and so on) but it does not, by itself, give you a credential to wave at a customer. We cover this in detail in our guide to Essential Eight compliance for Melbourne businesses.
ISO 27001 sits at the other end. It is an international standard for a full information security management system (ISMS) — risk-driven, documentation-heavy, externally audited annually, and respected globally. It is the right answer for businesses that need international credibility or are contractually required to hold it. It is also a serious undertaking in time and cost, which is exactly why it is overkill for a 15-person business that simply needs to prove it is not negligent.
SMB1001 lands in the gap between them. It borrows the practical, control-based spirit of the Essential Eight, packages it into a certifiable, tiered credential like ISO 27001 offers, and scales it down to SME reality. The tiers map sensibly onto the others: the lower tiers cover much of the same ground as the Essential Eight’s foundational maturity, while the upper tiers start to resemble a lightweight ISMS. None of them cancels the others out.
| | SMB1001 | Essential Eight | ISO 27001 |
|---|---|---|---|
| Type | Tiered certification standard | Technical controls framework | Full ISMS certification |
| Origin | Australian, SME-focused | Australian (ACSC) | International (ISO/IEC) |
| Gives you a certificate | Yes (independently at higher tiers) | No — maturity levels only | Yes — externally audited |
| Effort | Low to moderate | Low to high by maturity | High |
| Best for | SMEs needing proof, proportionate | Any business hardening its tech | Larger or globally-facing firms |
In practice we often run them together. We will harden a client against the Essential Eight because the controls are sound, then certify the business under SMB1001 because that is the thing a customer or insurer actually recognises. The work overlaps heavily, so doing both is far less than twice the effort.
Why customers and primes are asking for it
Three forces are driving the demand. First, supply-chain security has become a procurement issue — larger organisations have woken up to the fact that their weakest link is often a small supplier with the keys to their data, so they are pushing security requirements down the chain. Second, cyber insurers have tightened underwriting and want evidence of basic controls before they will quote, let alone pay a claim. Third, regulators expect more: for businesses covered by the Privacy Act (broadly those with annual turnover above $3 million, plus smaller ones in categories such as health service providers), APP 11 requires reasonable steps to protect personal information, and the OAIC’s Notifiable Data Breaches scheme means an eligible breach has to be reported. A business in that position has to be able to show what it had in place, and “we had nothing in place” is not a defensible position.
SMB1001 gives an SME a clean, recognised way to satisfy all three at once. It is a credential a prime contractor’s procurement team will accept, a data point an insurer’s underwriter understands, and evidence of diligence if the worst happens. That is why it is showing up in tender packs and vendor questionnaires far more often than it did two years ago. If cyber insurance is part of your thinking, our cyber insurance guide for Australian SMEs covers how these pieces fit together.
The certification path, effort and cost
The route through SMB1001 is deliberately straightforward. You scope which tier you need — driven by your size, your risk and, frankly, whatever your biggest customer is demanding. You implement the controls for that tier. At Bronze and Silver you self-assess and attest; at Gold and above you engage an authorised assessor for independent certification. Certification is then maintained and renewed periodically rather than being a one-off.
On effort: for a business with reasonable IT already in place, Bronze or Silver can be a matter of tidying up MFA, backups, patching and staff awareness, then documenting it — weeks, not months. Gold and above take longer because the governance and evidence requirements are real, and because independent assessment means you actually have to demonstrate the controls, not just claim them. Where there is groundwork to do — and there usually is — the gap is the controls, not the paperwork.
On cost: SMB1001 is markedly cheaper than ISO 27001, which is the whole point. The certification fees scale with the tier, and the larger expense for most businesses is the remediation work to actually meet the controls rather than the certification itself. As a rough guide, the lower tiers are a modest annual outlay; the upper tiers cost more but remain a fraction of an ISO programme. Figures move, so we scope it per-business rather than quoting a number that ages badly.
A heads-up worth giving plainly: the certificate is the easy bit. The controls are what protect you, and they only protect you if they are maintained — MFA stays enforced, backups keep being tested, patches keep landing, leavers keep getting offboarded. A business that certifies and then lets it all drift has a piece of paper and a false sense of security. That ongoing discipline is exactly what a managed arrangement is for.
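The four maintenance points above (MFA enforced, backups tested, patches landing, leavers offboarded) are the ones that drift quietly between assessments. The script below is an added example, not part of the original article and not SMB1001 tooling: it runs a monthly drift check over a constructed evidence snapshot. The snapshot layout, field names, the example.com.au accounts and the thresholds are all assumptions chosen to illustrate the idea; in practice the same shape would be fed from identity provider, backup console, patch/RMM and HR leaver exports, and the thresholds tuned to the tier held.

```python
"""Control-drift check over a constructed monthly evidence snapshot.

Added example: not the article's own code and not an SMB1001 tool. The
snapshot format, field names and thresholds are assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed snapshot, standing in for exports from the identity provider,
# backup console, patch/RMM tool and HR leavers list.
SNAPSHOT = {
    "as_of": date(2026, 3, 1),
    "users": [
        {"upn": "alice@example.com.au", "enabled": True, "mfa_enforced": True, "left_on": None},
        {"upn": "bob@example.com.au", "enabled": True, "mfa_enforced": False, "left_on": None},
        {"upn": "carol@example.com.au", "enabled": True, "mfa_enforced": True,
         "left_on": date(2026, 1, 20)},
    ],
    "backups": [
        {"job": "m365-mailboxes", "last_success": date(2026, 2, 28),
         "last_restore_test": date(2026, 2, 1)},
        {"job": "file-server", "last_success": date(2026, 2, 28),
         "last_restore_test": date(2025, 10, 5)},
    ],
    "endpoints": [
        {"host": "WS-01", "pending_patches": 0, "last_patched": date(2026, 2, 25)},
        {"host": "WS-07", "pending_patches": 9, "last_patched": date(2025, 12, 3)},
    ],
}

# Assumed thresholds, not SMB1001 wording: tune to the tier you hold.
MAX_BACKUP_AGE = timedelta(days=1)        # a daily job that missed more than a day is a finding
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # "tested" means a restore, not just a green job
MAX_PATCH_AGE = timedelta(days=30)
MAX_OFFBOARDING_LAG = timedelta(days=2)


def check_mfa(users):
    """Every enabled account must have MFA enforced, not merely available."""
    return [f"MFA not enforced: {u['upn']}"
            for u in users if u["enabled"] and not u["mfa_enforced"]]


def check_leavers(users, as_of):
    """A leaver whose account is still enabled after the grace period is a finding."""
    return [f"Leaver still enabled: {u['upn']} (left {u['left_on']})"
            for u in users
            if u["left_on"] and u["enabled"] and as_of - u["left_on"] > MAX_OFFBOARDING_LAG]


def check_backups(backups, as_of):
    """Backups must both succeed recently and have been restore-tested recently."""
    findings = []
    for b in backups:
        if as_of - b["last_success"] > MAX_BACKUP_AGE:
            findings.append(f"Backup stale: {b['job']} (last success {b['last_success']})")
        if as_of - b["last_restore_test"] > MAX_RESTORE_TEST_AGE:
            findings.append(f"Restore not tested in {MAX_RESTORE_TEST_AGE.days}d: {b['job']}")
    return findings


def check_patching(endpoints, as_of):
    """An endpoint with pending patches or no patch activity in the window is a finding."""
    return [f"Patching stale: {e['host']} ({e['pending_patches']} pending, "
            f"last patched {e['last_patched']})"
            for e in endpoints
            if e["pending_patches"] > 0 or as_of - e["last_patched"] > MAX_PATCH_AGE]


def run_checks(snapshot):
    """Return every drift finding; an empty list means the controls are still live."""
    as_of = snapshot["as_of"]
    return (check_mfa(snapshot["users"])
            + check_leavers(snapshot["users"], as_of)
            + check_backups(snapshot["backups"], as_of)
            + check_patching(snapshot["endpoints"], as_of))


if __name__ == "__main__":
    findings = run_checks(SNAPSHOT)
    print(f"{len(findings)} finding(s) as of {SNAPSHOT['as_of']}")
    for f in findings:
        print(" -", f)
```

Run monthly and keep the output: a clean run is the evidence an assessor wants to see at renewal, and a non-empty one is a ticket, not a report. Note that the backup check deliberately treats a successful job and a tested restore as separate conditions; a backup that has never been restored is the one most likely to fail when it matters.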
How TechAssist approaches it
We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. We are Essential Eight aligned and ISO 27001 capable, which means the controls underneath SMB1001 are bread and butter for us. When a client comes to us holding a tender that demands certification, we scope the right tier, close the control gaps, and get them through assessment — then keep the controls live afterwards under fixed per-user monthly pricing so they do not quietly rot.
A recent example of the pattern: a transport and logistics operator in Dandenong we work with was told by a national client that ongoing work depended on demonstrating a baseline of cyber controls. They had no certification and a tender deadline. We mapped their environment, closed the gaps — MFA across Microsoft 365, tested backups, patching discipline, basic staff training — and put them in a position to certify at a sensible tier without blowing the budget. The work doubled as genuine risk reduction, not box-ticking. Our cyber security services are built around exactly this kind of proportionate, evidence-backed uplift.
Frequently asked questions
Is SMB1001 mandatory in Australia?
No. SMB1001 is a voluntary certification standard. There is no law requiring you to hold it. The pressure to certify is commercial — customers, primes and insurers asking for proof of security — rather than legal. That said, demonstrating reasonable security steps does help your position under the Privacy Act and the OAIC’s breach-notification obligations.
Which SMB1001 tier should we aim for?
Start from what is driving the decision. If a specific customer or tender names a tier, that is your target. If you are certifying proactively, Bronze or Silver is a sensible entry point for most small businesses, with Gold and above reserved for those handling sensitive data or facing stronger contractual demands. We scope this per-business rather than guessing.
Does SMB1001 replace the Essential Eight or ISO 27001?
No — they complement each other. The Essential Eight tells you which technical controls to harden, SMB1001 gives you a recognised certificate proving you have a sensible baseline, and ISO 27001 is the heavyweight option for businesses needing international-grade assurance. Many SMEs run the Essential Eight controls underneath an SMB1001 certification.
How long does it take to get certified?
For a business with reasonable IT already in place, the lower tiers can be achieved in weeks once the remediation is done. Higher tiers take longer because of the governance and independent assessment involved. The timeline is driven mostly by how much control gap there is to close, not by the certification paperwork.
Where to start
If a customer, prime contractor or insurer has put SMB1001 in front of you — or you simply want a structured, affordable way to prove your business takes security seriously — the first step is an honest look at where your controls actually stand. We will tell you which tier is realistic, what it takes to get there, and whether the bigger frameworks are worth it for you. Get in touch and we will scope it properly.
