SMB1001 vs Essential 8: when to use each in Australia
If you run an Australian SMB and someone has asked you for proof of cyber security maturity, you’ve probably been pointed at two frameworks: SMB1001 and the ACSC Essential Eight. They are often presented as alternatives. They aren’t. They solve different problems, and choosing the right one — or running them in the right order — saves months of wasted effort and tens of thousands of dollars.
Key takeaways
- The Essential Eight is a technical control list with a maturity model. It tells you what good looks like at the endpoint and the network. There is no formal certificate.
- SMB1001 is a tiered certification standard for businesses under 200 staff. It bundles technical controls with governance, training, policies and incident response.
- They overlap heavily but they are not the same. SMB1001 Silver/Gold covers most of Essential Eight Maturity Level 1; Essential Eight has technical controls (application control, macro restrictions) that SMB1001 does not require.
- Most Australian SMBs should start with SMB1001 Silver or Gold, then close any remaining Essential Eight ML1 gaps. Go straight to Essential Eight only when a contract or regulator names it.
What the Essential Eight actually is
The Essential Eight is a set of eight prioritised mitigation strategies published by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). It is not a certification, it is not an organisational programme, and it is not assessed by an accredited third party in the way ISO 27001 is. It is a technical baseline — a list of controls that, if implemented and maintained, demonstrably reduce the most common attack vectors used against Australian organisations.
The eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each strategy is implemented at one of four maturity levels (Maturity Level Zero through Maturity Level Three), with ML1 representing baseline hygiene against opportunistic attackers and ML3 representing resistance to adversaries with significant time, money and intent.
The 2025 model tightened expectations across the board. At Maturity Level 2 organisations are now expected to patch critical vulnerabilities in internet-facing services within 48 hours rather than the previous two-week window, and incident reporting to a nominated CISO and to the ACSC is now an explicit obligation. Backup requirements now mandate regular recovery testing — keeping backups is no longer enough; you have to prove you can restore them within a defined RTO.
What SMB1001 actually is
SMB1001 is a cyber security certification standard published by Dynamic Standards International (DSI), with offices in Canberra and Washington D.C. It is built specifically for small and medium businesses — in the Australian context, organisations with fewer than 200 employees — and certifies across five domains: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training.
The defining feature is the tiered model. There are five certification levels: Bronze, Silver, Gold, Platinum and Diamond. Bronze is foundational hygiene — antivirus, backups, basic policies. Silver adds multi-factor authentication, password managers and email authentication (SPF, DKIM, DMARC). Gold is where it starts to look like a grown-up security programme: EDR or MDR on every endpoint, a written incident response plan, a digital asset register, regular staff training, and a policy on responsible AI use. Platinum and Diamond add external verification, vulnerability scanning, encryption requirements, penetration testing, rehearsed incident response drills, and supplier due-diligence.
Bronze, Silver and Gold are validated by self-attestation from the SMB’s owner or director. Platinum and Diamond require third-party verification. The 2026 revision tightened Gold materially: the number of mandatory controls increased from 23 to 27, and EDR/MDR became mandatory rather than recommended.
How they overlap — and where they don’t
Both frameworks care about the same fundamentals: patching, MFA, backups, hardened endpoints. If you implement SMB1001 Silver well, you will have closed several Essential Eight ML1 controls — multi-factor authentication, regular backups, baseline patching cadence, restricted administrative privileges. SMB1001 Gold pushes you further: EDR/MDR coverage, formal patching processes, and operational discipline that lines up neatly with ML2 expectations.
The gaps go in both directions. The Essential Eight has technical controls that SMB1001 does not specifically require — most notably application control (allowlisting), Microsoft Office macro restrictions enforced through Group Policy or Intune, and detailed user application hardening (browser plugin restrictions, PDF reader sandboxing, and so on). Conversely, SMB1001 has organisational requirements that the Essential Eight does not address at all — written policies, staff training, an incident response plan, an AI usage policy, an asset register, and the governance discipline of an annual recertification cycle.
Put simply: the Essential Eight tells you what to do at the technical layer; SMB1001 wraps those controls in the policy, training and incident response that lets a non-technical board, auditor or insurer understand what you have in place.
Side-by-side comparison
| Dimension | SMB1001 | Essential Eight |
|---|---|---|
| Designed for | Australian-leaning SMBs under 200 staff | Any Australian organisation, originally tuned for Commonwealth entities |
| Type of framework | Tiered certification (Bronze → Diamond) | Technical control set with a 4-level maturity model (ML0 → ML3) |
| Scope | 5 domains: technology, access, backup, policies, training | 8 technical mitigation strategies — endpoint and network focused |
| Governance and training | Required from Silver onward | Not directly addressed |
| Formal certificate | Yes — annual recertification per tier | No — self-assessed or assessed against the ASD assessment process guide |
| Verification | Self-attestation (Bronze–Gold), third-party (Platinum, Diamond) | No mandated verification model for private business; ASD assessment process guide for assessors |
| Mandatory for | No-one — voluntary, market-driven | Non-corporate Commonwealth entities; increasingly named in state and critical infrastructure contracts |
| Typical SMB cost (initial) | Bronze/Silver under $5k · Gold $5k–$15k | $5k–$25k for ML1, $15k–$50k for ML2, depending on existing tooling |
| Maps to | Essential Eight, Privacy Act 1988, ISO 27001 (partial) | ISM, ISO 27001 (partial), NIST CSF |
When to use each
Use SMB1001 if…
You are under 200 staff, you don’t have a compliance officer or a CISO on payroll, and you need a single piece of paper you can hand to customers and insurers as proof of cyber maturity. You want a clear checklist and a defined outcome. Your customers are mid-market Australian businesses, not ASX-100 procurement teams. You want training, policies and incident response baked into the same standard rather than running three parallel projects.
Use Essential Eight if…
You are bidding for Commonwealth or state government work where Essential Eight maturity is named in the request for tender. You are in a critical infrastructure sector covered by SOCI obligations. You handle data for an enterprise customer whose vendor onboarding asks specifically for Essential Eight ML1 or ML2 attestation. You already have governance and training in place — for example, you are running an ISMS — and you need to demonstrate technical hardening on top of it.
Run them together — the practical sequence
This is what we recommend for the majority of Australian SMBs we work with. Start at SMB1001 Silver, which gets you to roughly Essential Eight Maturity Level 1 on the controls you both share. Move to SMB1001 Gold to add EDR/MDR, formal IR planning, and operational discipline that lines up with much of ML2. Then run an Essential Eight gap assessment to identify the technical controls that SMB1001 does not specifically require — application control, Office macro restrictions, deeper user application hardening — and close those targeted gaps. You finish with a credible answer to both “show me your cyber certification” and “show me your Essential Eight maturity.”
The Australian regulatory backdrop
Two realities sit underneath every cyber framework conversation in Australia in 2026. First, the Privacy Act 1988 and the Notifiable Data Breaches scheme require organisations to notify the OAIC and affected individuals when a breach is likely to cause serious harm — and penalties for serious or repeated interference with privacy have risen materially in recent reform packages. Second, cyber insurance underwriters now routinely ask for Essential Eight maturity evidence at policy renewal, and premiums move noticeably based on what you can show.
Either framework gives you a defensible answer to “what are you doing to protect data?” — but they answer it differently. Essential Eight gives a granular, technical answer that resonates with auditors and incident responders. SMB1001 gives a packaged answer that resonates with directors, customers and insurers. The two are stronger together than either alone.
How All IT Services helps
We work with Sydney SMBs across both standards every week. For SMB1001 we run the gap assessment against your current state, close the technical controls (EDR/MDR rollout, DMARC enforcement, MFA uplift, backup verification), write the policy pack, and walk you through the certifying body audit. For Essential Eight we use the ASD assessment process guide to produce a defensible maturity assessment, then build a remediation roadmap to ML1 or ML2 over a realistic timeframe. Where it makes sense — and it usually does — we run them in parallel so you don’t pay twice for overlapping work. Get in touch if you’d like a no-obligation gap assessment against either framework.
Frequently asked questions
Is the Essential Eight mandatory for Australian small businesses?
The Essential Eight is mandatory for non-corporate Commonwealth entities and is increasingly written into state government and critical infrastructure contracts. For private SMBs it is not legally mandatory, but cyber insurers, enterprise procurement teams and supply-chain auditors routinely ask for evidence of Essential Eight maturity, so in practice it functions as a de facto baseline even when it isn’t in legislation.
Does SMB1001 certification prove Essential Eight compliance?
Not by itself. SMB1001 maps to many Essential Eight controls — Silver and Gold cover most of Maturity Level 1, and Gold pushes into ML2 territory — but the Essential Eight has technical controls SMB1001 does not require, including application control and Microsoft Office macro restrictions. If you’re asked specifically for Essential Eight, you still need an Essential Eight assessment using the ASD assessment process guide.
Which framework should an Australian SMB tackle first?
For most Australian SMBs under 200 staff, SMB1001 Silver or Gold is the better first move. It bundles the technical controls with the policies, training, governance and incident response you also need, and produces a certificate you can hand to customers and insurers. Pure Essential Eight is the right starting point only when a contract or regulator names it specifically.
Can a small business reach Essential Eight Maturity Level 2?
Yes, but it is a genuine programme of work. ML2 requires patching critical internet-facing vulnerabilities within 48 hours, multi-factor authentication on all internet-facing services, application control on workstations, and Microsoft Office macro restrictions enforced through Group Policy or Intune. Most SMBs need three to nine months and a managed services partner to reach and sustain ML2.
Authoritative resources and Australian compliance guidance
- ACSC — Essential Eight Maturity Model (cyber.gov.au)
- ACSC — Essential Eight Assessment Process Guide (cyber.gov.au)
- ACSC — Essential Eight and ISM mapping (cyber.gov.au)
- Dynamic Standards International — SMB1001 standard (DSI)
- OAIC — Notifiable Data Breaches scheme (oaic.gov.au)
- ACSC — Small Business Cyber Security Guide (cyber.gov.au)
Related reading on allitservices.com.au
- SMB1001 vs ISO 27001 — a side-by-side for Australian SMBs
- Essential Eight ML1 checklist for Australian SMBs
- Glossary: Essential Eight
- Glossary: Maturity Level (cyber security)
- Cyber Security Services
- Client outcomes and case studies