SMB1001 is a cybersecurity certification standard created by Dynamic Standards International (DSI) specifically for small and medium-sized businesses (SMBs). It provides a practical, risk-based framework using a 'People, Process, Technology' approach across five core areas: Technology Management, Access Management, Backup & Recovery, Policies/Plans/Procedures, and Education & Training. The standard helps SMBs protect their business from cyber threats and demonstrate cybersecurity maturity to clients, partners, and insurers.

SMB1001 was created by Dynamic Standards International (DSI), a cybersecurity standards organization founded in 2021. DSI is headquartered in Washington D.C. with offices in Canberra, Australia. The standard is designed specifically for SMBs and aligns with global cybersecurity frameworks including Australia's Essential Eight, UK Cyber Essentials, US CMMC, and CIS Controls.

What are the SMB1001 certification levels?

SMB1001 has 5 progressive certification levels: Bronze (7 controls) - foundational cyber hygiene for small businesses; Silver (17 controls) - for cyber-insurable businesses; Gold (27 controls) - for compliance-heavy industries; Platinum (32 controls) - for critical infrastructure and government suppliers; Diamond (39 controls) - for highest-assurance requirements. Bronze through Gold are self-attested, while Platinum and Diamond require independent external audit.

How long is an SMB1001 certification valid?

SMB1001 certifications are valid for 12 months from the date of issue. After 12 months, you will need to renew your certification to maintain your current level.

How long does it take to get SMB1001 certified?

The timeline to achieve SMB1001 certification depends on your current cybersecurity maturity and the level you're targeting. Bronze certification can typically be achieved within weeks to months, while higher levels (Silver, Gold) may take 3-6 months or longer as you implement additional controls and policies. Platinum and Diamond levels include external audit timelines. All IT Services can help you develop a realistic implementation roadmap.

Who needs SMB1001 certification?

Any small or medium-sized business can benefit from SMB1001. It's particularly valuable if you: supply to larger organizations with cybersecurity requirements; operate in compliance-heavy industries (finance, healthcare, legal, retail); want to reduce cyber insurance premiums; handle sensitive customer or employee data; need to demonstrate cybersecurity maturity to clients; or want to protect your business from costly cyberattacks. With 1 in 5 SMBs potentially forced out of business by a successful attack, SMB1001 provides essential protection.

How does SMB1001 differ from Australia's Essential Eight?

Essential Eight is Australia's top mitigation strategies from the Australian Signals Directorate. SMB1001 is a broader, more accessible certification standard for SMBs that includes Essential Eight principles but extends beyond them. SMB1001 covers not just technology controls but also people and processes, includes five progressive levels (so SMBs can start small and grow), and is internationally applicable. SMB1001 aligns with Essential Eight but is specifically designed for the SMB context.

Is SMB1001 certification mandatory?

SMB1001 certification is not mandatory by law in Australia or globally, but it is increasingly required or valued by: large organizations in their supply chain requirements; government agencies and contractors; cyber insurance providers; regulated industries (finance, healthcare, legal); and major customers. Getting certified gives you a competitive advantage, helps you meet customer demands, and reduces your cyber risk significantly.

What controls are required for Bronze certification?

Bronze (Level 1) certification requires 7 fundamental controls: firewalls, antivirus software, automatic patching, strong password practices, data backups, and staff cybersecurity awareness. These form the foundational cyber hygiene layer. Bronze is designed for small businesses with lower cyber risk and can be the starting point for businesses new to structured cybersecurity.

How do I get started with SMB1001 certification?

To get started with SMB1001: First, assess your current cybersecurity maturity using the SMB1001 framework. Determine which certification level is appropriate for your business (Bronze is a good starting point). Implement the required controls for your target level. Document your compliance and policies. For Bronze-Gold, you self-attest to your compliance through a Director-verified statement. For Platinum-Diamond, you'll need to engage an Independent Verification Organisation (IVO) for audit. All IT Services can guide you through the entire process - contact us at 1300 425 548 or via our contact page.

What is the current version of SMB1001?

The current version is SMB1001:2026, which became certifiable on January 1, 2026. This version incorporates updated guidance on emerging threats and technologies, including AI usage policies and digital asset management (particularly relevant for modern SMBs).

How much does managed cybersecurity cost for a small business?

Managed cybersecurity pricing for Australian SMBs typically depends on the number of users, devices, and the level of protection required. At All IT Services, our cybersecurity solutions are bundled into our managed IT plans so you get endpoint protection, monitoring, and training as part of a predictable monthly cost.

What is the Essential Eight framework?

The Essential Eight is a set of baseline cybersecurity mitigation strategies developed by the Australian Cyber Security Centre (ACSC). It covers eight key areas including application patching, restricting admin privileges, multi-factor authentication, and regular backups.

What is SMB1001 certification?

SMB1001 is a cybersecurity certification designed specifically for small and medium businesses. It provides a structured, tiered framework that helps SMBs demonstrate their commitment to cyber resilience without requiring the complexity of enterprise-grade standards like ISO 27001.

How often should we run phishing simulations?

We recommend running phishing simulations monthly. This frequency keeps security awareness top of mind without causing fatigue, and we vary the difficulty and type of simulated attacks each month.

What is endpoint detection and response (EDR)?

EDR is a cybersecurity technology that continuously monitors endpoint devices for suspicious behaviour. Unlike traditional antivirus that scans for known malware signatures, EDR uses behavioural analysis to detect fileless attacks, zero-day exploits, and advanced persistent threats.

Do you provide cybersecurity services outside Sydney?

Yes. We provide managed cybersecurity services to businesses across Sydney, Melbourne, Brisbane, the Gold Coast, Orange, Bathurst, and the Central West of NSW. Our monitoring and management tools are cloud-based, so we deliver the same level of protection regardless of your location.

What should we do if we experience a cyber incident?

If you suspect a breach, contact your IT provider immediately. All IT Services clients have access to our incident response process which includes isolating affected systems, preserving evidence, assessing the scope, and guiding you through your obligations under the Notifiable Data Breaches scheme.

SMB1001:2026 Gold Certified

What is SMB1001?

SMB1001 is an Australian cybersecurity certification standard designed specifically for small and medium-sized businesses. It provides a tiered framework — from Bronze through Diamond — that helps organisations demonstrate their security posture to clients, insurers, and partners. Protect your business, win contracts, and reduce cyber insurance premiums.

All IT Services is SMB1001:2026 Gold Certified
We practise what we preach — verified cybersecurity maturity.

SMB1001 Definition: What You Need to Know

SMB1001 is a cybersecurity certification standard created by Dynamic Standards International (DSI) specifically for small and medium-sized businesses. Rather than being a one-size-fits-all solution, SMB1001 offers five progressive certification levels (Bronze, Silver, Gold, Platinum, Diamond) so you can start with foundational protections and grow as your business evolves.

The “People, Process, Technology” Framework

SMB1001 doesn’t just focus on technical controls. It takes a balanced, practical approach across five core areas:

✓ Technology Management: Firewalls, antivirus, patching, device management
✓ Access Management: Strong passwords, multi-factor authentication, privileged access controls
✓ Backup & Recovery: Data backup strategies, disaster recovery, business continuity
✓ Policies, Plans & Procedures: Documentation, incident response, security policies
✓ Education & Training: Staff awareness, cybersecurity training, security culture

Why SMB1001 Matters for Your Business

Studies show that 1 in 5 SMBs would be forced out of business by a successful cyberattack. SMB1001 helps you avoid becoming a statistic.

Win More Contracts

Large organizations increasingly require their suppliers to have SMB1001 certification. Getting certified opens doors to bigger clients and contracts.

Reduce Insurance Premiums

Insurance providers recognize SMB1001 as a mark of cybersecurity maturity. Certified businesses qualify for lower cyber insurance premiums.

Protect Your Reputation

A successful cyberattack can destroy customer trust and brand reputation overnight. SMB1001 helps you prevent attacks and demonstrate your commitment to security.

Meet Compliance Requirements

If you operate in finance, healthcare, legal, or retail, SMB1001 helps you meet industry-specific compliance and security standards.

Global Alignment: SMB1001 aligns with Australia’s Essential Eight, UK Cyber Essentials, US CMMC, and CIS Controls—so your certification is recognized internationally.

SMB1001 Certification Levels

Choose the certification level that matches your business needs. You can start with Bronze and work your way up as you mature your cybersecurity program.

Bronze (Level 1) – Foundational Cyber Hygiene

7 controls | Director-attested | Valid for 12 months

Best for: Small businesses new to structured cybersecurity.

Controls include: Firewalls, antivirus software, automatic patching, strong passwords, data backups, and staff cybersecurity awareness training.

Bronze is the essential foundation—get this right and you’ve eliminated most common cyber threats.

Silver (Level 2) – Cyber Insurable

17 controls | Director-attested | Valid for 12 months

Best for: Businesses wanting to become cyber-insurable and reduce insurance costs.

Additional controls: Multi-factor authentication (MFA) on email, password managers, restricted admin privileges, email authentication (SPF/DKIM/DMARC), and invoice fraud prevention controls.

Silver certification demonstrates to insurers that you take cybersecurity seriously—a major factor in premium calculation.

Our Certification

Gold (Level 3) – Compliance & Advanced Protection

27 controls | Director-attested | Valid for 12 months

All IT Services holds SMB1001:2026 Gold Certification — we meet the same rigorous standard we help our clients achieve.

Best for: Compliance-heavy industries (finance, healthcare, legal, retail) and businesses handling sensitive data.

Additional controls: Documented cybersecurity policies, incident response plans, endpoint detection and response (EDR), cyber insurance requirement, AI usage policies, and digital asset management.

Gold shows clients and regulators that your cybersecurity is mature, documented, and taken seriously.

Platinum (Level 4) – Critical Infrastructure Ready

32 controls | Requires Independent Audit | Valid for 12 months

Best for: Critical infrastructure operators, government contractors, and defense suppliers.

Additional controls: Vulnerability scanning, stringent MFA across VPN/RDP access, and remote access credential management.

Platinum requires independent verification by an accredited IVO, confirming your controls meet the standard.

Diamond (Level 5) – Highest Assurance

39 controls | Requires Independent Audit | Valid for 12 months

Best for: Organizations with the highest security requirements, national security context, or handling highly sensitive information.

Additional controls: Penetration testing, application control/whitelisting, data encryption at rest, supply chain trust programs, police vetting, and live incident response drills.

Diamond is the gold standard of SMB1001 certification—demonstrating world-class cybersecurity maturity.

Understanding Self-Attestation vs. Audit

Bronze–Gold (Self-Attested): You document your compliance and have your Director attest to it. Faster to achieve, lower cost.

Platinum–Diamond (Audited): An independent verification organization (IVO) conducts a formal audit. More rigorous, but provides external validation.

Find Your SMB1001 Certification Level

Not sure which level is right for your business? Take our quick 4-question assessment based on the SMB1001:2026 standard.

SMB1001:2026 ASSESSMENT

Question 1 of 4

How sensitive is the information your business handles?

We only handle publicly available information.

(Example: Sharing general company news, public pricing, or marketing material.)

Some of our information is confidential.

(Example: Internal team documents, business plans, or project details only staff should see.)

Some of our information is sensitive or personal.

(Example: Storing customer names, addresses, phone numbers, or financial details.)

Our information requires enhanced protection.

(Example: Trade secrets, intellectual property, legal or medical records that need strict controls.)

Our information is classified or highly regulated.

(Example: Government contracts, defence data, or information subject to regulatory compliance like SOCI.)

Question 2 of 4

What level of system access do your team members have?

Only public websites and systems that don’t require login.

(Example: Browsing the company website or viewing publicly shared files.)

Standard user access to business apps and cloud platforms.

(Example: Logging into Microsoft 365, Xero, or a CRM to do everyday work.)

Administrative access to business apps and service platforms.

(Example: Creating user accounts, managing software settings, or configuring business tools.)

Physical and admin access to on-premise servers or operational systems.

(Example: Managing a server room, network infrastructure, or SCADA/OT systems.)

Admin access to critical infrastructure or essential services.

(Example: Managing utilities, healthcare systems, transport, or critical government platforms.)

Question 3 of 4

How critical are your products or services to your customers?

Non-essential — customers can easily find alternatives.

(Example: Retail products or services that are widely available from other providers.)

Replaceable — customers can manage without us for up to 30 days.

(Example: Cleaning, maintenance, or consulting services that can wait a while.)

Important — customers need us within 30 days.

(Example: Business supplies, accounting services, or IT support that clients rely on monthly.)

Critical — customers need us within 7 days.

(Example: Internet services, managed IT, payroll, or logistics that businesses depend on weekly.)

Urgent — customers need us within 8 hours.

(Example: Emergency services, healthcare, utilities, or 24/7 critical infrastructure.)

Question 4 of 4

Does your business require cyber insurance or need to meet compliance obligations?

No — we don’t currently have cyber insurance or compliance requirements.

(Example: A small business that hasn’t needed insurance or specific security standards yet.)

We’re considering cyber insurance or may need it soon.

(Example: Growing business that clients or partners are starting to ask about security posture.)

Yes — we hold or require cyber insurance.

(Example: Business with active cyber insurance policy or working towards one for client contracts.)

Yes — plus we need to meet industry or government compliance standards.

(Example: Must comply with Essential Eight, APRA CPS 234, PCI DSS, or similar frameworks.)

Yes — we require externally audited compliance and supply chain assurance.

(Example: Defence contracts, SOCI Act obligations, or customers requiring verified security certification.)

SMB1001:2026 Gold

All IT Services is SMB1001:2026 Gold Certified

We don’t just help businesses get certified — we hold the certification ourselves. Our SMB1001:2026 Gold certification means we meet 27 security controls across technology, access management, backup and recovery, policies, and education.

When you partner with All IT Services, you’re working with a team that has proven, documented cybersecurity maturity — the same standards we help our clients achieve.

Security Controls Met

Level 3

Certification Tier

12 mo

Renewed Annually

DSI

Accredited Standard

SMB1001:2026 — Current Version

The latest version, SMB1001:2026, became certifiable on January 1, 2026. It reflects current threat landscapes and includes updated guidance on emerging issues like AI usage policies and digital asset management — critical areas for modern SMBs.

How All IT Services Can Help You Get Certified

Getting SMB1001 certified doesn’t have to be complicated. We’re experienced Australian cybersecurity experts ready to guide you through the journey.

Our SMB1001 Certification Services

→ Cybersecurity Assessment: We evaluate your current security posture and recommend the right certification level for your business.
→ Gap Analysis & Roadmap: We identify what you need to implement to achieve your target certification level and create a realistic implementation plan.
→ Implementation Support: We help you implement the required controls, from technology to policies to training.
→ Documentation & Compliance: We help you document your controls and prepare for certification (Director attestation or independent audit).
→ Audit Support: For Platinum and Diamond levels, we provide guidance through the independent audit process.
→ Ongoing Maintenance: We help you maintain your certification with annual renewals and continuous improvement.

We’ve helped SMBs across Sydney, Melbourne, Brisbane, and regional Australia achieve SMB1001 certification. We understand the Australian business context and what certification looks like in practice.

Ready to Get Started?

Let’s discuss which SMB1001 certification level is right for your business and create a roadmap to get you there.

BOOK INTRO CALL CALL 1300 425 548

What SMB1001 Certification Delivers

Competitive Advantage

Stand out from competitors and win more contracts, especially from larger organizations with security requirements.

Lower Insurance Costs

Insurance providers recognize SMB1001 as proof of mature cybersecurity practices and offer premium discounts.

Risk Reduction

Significantly reduce your exposure to cyber attacks through systematically implemented controls.

Client Confidence

Demonstrate to clients that you take their data security seriously with externally validated certification.

Compliance Peace of Mind

Meet industry-specific regulations and government/customer supply chain requirements with documented proof.

Business Continuity

Implement backup and recovery procedures that keep your business running even after a cyber incident.

Frequently Asked Questions About SMB1001

What if I’m not ready for Bronze? Can I start smaller?

How much does SMB1001 certification cost?

Can I get SMB1001 certified if I’m in a specific industry like healthcare or finance?

What’s the difference between SMB1001 and Essential Eight?

How do I know if I need to be externally audited (Platinum/Diamond)?

What happens after I get certified? Do I need to do anything each year?

I’ve heard about CMMC in the US or Cyber Essentials in the UK. How does SMB1001 compare?

Is SMB1001 mandatory for my business?

Can All IT Services help me get SMB1001 certified?

Get Your SMB1001 Certification Today

Protect your business from cyber attacks, win more contracts, and reduce insurance costs with SMB1001 certification.

SCHEDULE FREE ASSESSMENT CALL 1300 425 548

Get in Touch

Phone: 1300 425 548

Contact Page: https://allitservices.com.au/contact/

All IT Services operates across Sydney, Melbourne, Brisbane, and regional Australia. We’re here to help you achieve SMB1001 certification and protect your business.

Feature	SMB1001	Essential Eight	ISO 27001
Designed for	Small & medium businesses	All Australian organisations	Enterprise / any size
Developed by	Cyber Security Certification Australia	Australian Cyber Security Centre (ACSC)	International Organization for Standardization
Complexity	Low — tiered levels	Moderate — 3 maturity levels	High — full ISMS required
Certification available	Yes — Bronze to Diamond	No formal cert (self-assessed)	Yes — accredited audit
Cost to implement	Low to moderate	Low to moderate	High (audit fees + implementation)
Focus areas	People, process, technology basics	8 technical mitigation strategies	Comprehensive information security management
Best for	SMBs wanting a starting point	Businesses aligning to ASD guidance	Enterprises needing global recognition
All IT Services alignment	Certified ✓	Aligned ✓	Can support implementation

1300 425 548