Why We Pursued Gold Certification
Late last year, All IT Services achieved SMB1001:2025 Gold level certification. We pursued this because we wanted to get behind a framework that brings real value to the medium-sized Australian businesses we work with. If we’re going to recommend it, we need to apply it ourselves first.
We Did It to Lead by Example
We work with medium-sized Australian businesses every day. These are organisations with 20 to 400 employees, often in hospitality, financial services, or the not-for-profit sector. Some have internal IT teams while others rely on us to be that team.
What we see repeatedly is confusion. Business owners and operations managers know cybersecurity matters, but they’re overwhelmed by conflicting advice, technical jargon, and frameworks designed for companies ten times their size.
SMB1001 was built specifically for businesses like yours. Not enterprises with dedicated security teams and unlimited budgets. Not tiny startups with three laptops. The businesses in between, where cybersecurity has to be practical, affordable, and actually achievable.
We pursued Gold certification because we wanted to prove that what we recommend to you works in practice. We’re a medium-sized business ourselves. We deal with the same budget constraints, the same competing priorities, the same need to keep trading while implementing security improvements.
Why This Actually Matters to Your Business
Good cybersecurity is no longer optional. It’s an essential business capability, like having insurance or maintaining accurate financial records.
The part many businesses struggle with is knowing if they are actually protected.
You might have antivirus software, backups, and a firewall. But is that enough? Are there gaps you don’t know about? If something goes wrong, will your cyber insurance actually pay out? When a major client asks about your security controls, can you give them a clear, credible answer?
Most existing cybersecurity standards, like ISO 27001, require significant costs and resources, making them impractical for small and medium-sized businesses. They were designed for large enterprises, and the certification process alone can cost tens of thousands of dollars and take months to complete.
That leaves medium-sized businesses in a difficult position. You’re too big to ignore cybersecurity, but the available frameworks feel unattainable.
Additionally, procurement processes, contracts, and tenders increasingly require businesses to demonstrate their cybersecurity maturity. Without a recognised certification, you might lose opportunities to competitors who can prove their security posture.
SMB1001:2025 helps governments and large enterprises ensure their suppliers meet cybersecurity requirements, reducing the risk to supply chains. If you supply larger organisations, they’re increasingly asking for evidence that you take security seriously. SMB1001:2025 gives you a straightforward way to provide that evidence.
What Makes SMB1001:2025 Different
SMB1001:2025 is a multi-tiered cybersecurity certification standard with five levels, each adding controls and maturity on top of the one below. You start where you are, not where someone thinks you should be:
- Bronze: foundational defences such as firewalls, backups, patching, antivirus and staff training.
- Silver: broader adoption of security policies.
- Gold: enhanced monitoring, access controls and proactive incident response.
- Platinum: external audit begins.
- Diamond: maximum maturity and advanced threat resilience.
The tiers let a business start at the level that matches its current position, grow at a pace its resources allow, and build on each level rather than starting again.
For Levels 1 to 3 (Bronze, Silver and Gold), you can self-attest: you implement the controls, document what you've done, and submit your attestation. For Levels 4 and 5 (Platinum and Diamond), independent verification is required. One of SMB1001:2025's strengths is that it is updated annually to keep pace with evolving threats.
The cost is reasonable. The guidance is clear. The requirements are practical.
What Gold Level Actually Involves
At Gold level, there are 23 requirements spanning five areas: Technology management, Access management, Backup and recovery, Policies and processes, and Education and training.
Here’s what that looks like in practice:
- Technology foundations: You engage an IT specialist or managed service provider to help manage your systems. Firewalls are configured properly, every device runs antivirus software, and operating system and application updates are applied automatically. Public-facing websites use valid TLS certificates (HTTPS), and servers are patched on a regular schedule.
- Access controls: Every employee has an individual user account; there are no shared logins. Administrative privileges are restricted to the people who actually need them. Everyone uses a password manager. Email and business applications require multi-factor authentication (MFA), an extra step at login that confirms it is really you. If you use remote desktop access, it is only reachable over an encrypted connection such as a VPN, never exposed directly to the internet.
- Backup and recovery: You have a documented strategy for backing up the data and systems you need to keep operating, and you test that restores actually work. "We back things up sometimes" does not count.
- Policies and processes: Employees sign confidentiality agreements. You have procedures to prevent invoice fraud (for example, confirming any change of supplier bank details by phone before paying), which is one of the most common scams targeting Australian businesses. Visitors are registered when they enter your premises. You have a cybersecurity policy that everyone understands and an incident response plan for when something goes wrong. Sensitive documents are shredded and old devices are wiped or destroyed before disposal. You maintain a register of where your important data is stored.
- Training: Everyone in your business receives regular cybersecurity awareness training, not a one-off tick-box exercise: education about the threats they'll actually face, such as phishing and invoice fraud, and what to do about them.
None of this is theoretical. It’s the practical foundation that protects your business from the most common threats while positioning you to meet client requirements, satisfy insurers, and compete for opportunities that require demonstrated security maturity.
What This Means for You
You don’t need to pursue SMB1001:2025 certification just because we did. But if you’re uncertain whether your current security measures are sufficient, if you’re struggling to answer client questions about your controls, or if you’re concerned about meeting compliance obligations, this framework gives you a clear path forward.
It’s not about perfection. It’s about demonstrating that you’ve implemented appropriate, practical controls that match your business size and risk profile.
We achieved Gold certification because we wanted to get behind a framework that brings real value to businesses like yours. We now use it as a roadmap when advising clients because we’ve seen firsthand that it’s achievable, affordable, and effective.
If you’d like to understand where your business currently sits and what practical steps would strengthen your security posture, that’s a conversation worth having. Not because we want to sell you something. Because we know from experience that clarity around cybersecurity gives you confidence to focus on what you do best.
Is Your Domain Protected from Cyber Threats?
Are you confident that your domain name cannot be used for phishing, spoofing, fraud and impersonation? If you're unsure, check your domain's DMARC status. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that tells receiving mail servers what to do with messages claiming to come from your domain that fail SPF or DKIM checks. With no record, or a record set to p=none, spoofed mail sent in your name is still delivered; only a quarantine or reject policy actually blocks it.
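As an added example (not part of the original post and not the company's own tooling), here is a Python checker that evaluates the TXT records published at `_dmarc.<domain>` and reports the gaps that leave a domain spoofable. The domains and records in `SAMPLE_DNS` are constructed for the example; `lookup_dmarc_txt` is the only part that touches the network and assumes the dnspython package is installed.

```python
"""Assess a domain's DMARC record. Added example; not the page's own tooling.

DMARC lives in a DNS TXT record at _dmarc.<domain>, e.g.
    v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Tag semantics per RFC 7489: p= is the policy applied to mail failing SPF/DKIM
alignment, pct= (default 100) the share of failing mail it covers, sp= the
subdomain policy (defaults to p=), rua= the aggregate-report address.
"""
from dataclasses import dataclass, field
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    domain: str
    record: Optional[str] = None  # record evaluated; None if absent or invalid
    tags: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def protected(self) -> bool:
        """True only when a valid record enforces quarantine/reject on 100% of mail."""
        pct = self.tags.get("pct", "100")
        return (self.record is not None
                and self.tags.get("p") in ("quarantine", "reject")
                and pct.isdigit() and int(pct) == 100)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; ValueError if malformed."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must begin with v=DMARC1")  # RFC 7489 s6.4
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    return tags


def assess(domain: str, txt_records: list) -> DmarcAssessment:
    """Evaluate the TXT strings published at _dmarc.<domain>."""
    result = DmarcAssessment(domain)
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        result.findings.append("no DMARC record: receivers apply no policy, so mail "
                               "spoofing this domain is delivered")
        return result
    if len(dmarc) > 1:  # receivers must ignore multiple records, same as none
        result.findings.append(f"{len(dmarc)} DMARC records published; receivers "
                               "treat this as no record")
        return result
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        result.findings.append(f"invalid DMARC record ({exc}); treated as no record")
        return result
    result.record, result.tags = dmarc[0], tags
    if tags["p"] == "none":
        result.findings.append("p=none is monitor-only: failing mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        result.findings.append(f"pct={pct} is not a valid percentage")
    elif int(pct) < 100:
        result.findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if tags.get("sp") == "none" and tags["p"] != "none":
        result.findings.append("sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports, so you cannot "
                               "see who is sending as your domain")
    return result


def lookup_dmarc_txt(domain: str) -> list:
    """Live lookup of _dmarc.<domain> TXT. Assumes dnspython is installed; the
    offline samples below never call this."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    return [b"".join(r.strings).decode(errors="replace") for r in answer]


# Constructed sample answers for _dmarc.<domain> lookups; made-up domains and records.
SAMPLE_DNS = {
    "reject.example":  ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "broken.example":  ["v=DMARC1; p=block"],
    "none.example":    ["some-verification=token"],  # TXT present, no DMARC
    "double.example":  ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE_DNS.items():
        a = assess(domain, txts)
        status = "PROTECTED" if a.protected else "AT RISK"
        print(f"{domain:16} {status:9} {'; '.join(a.findings) or 'policy enforced on all mail'}")
```

Run it and the table shows why p=none, a partial pct=, or a second stray record still leaves a domain exposed: only quarantine or reject, applied to all failing mail, counts as protected. To check a live domain, pass the output of `lookup_dmarc_txt(domain)` to `assess`.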
