
SMB1001: The Complete Guide for Australian Small Business

22 June 2026 · Updated 22 June 2026

SMB1001 is a multi tiered cyber security certification built for small and medium businesses by Dynamic Standards International, a not for profit standards body. It has five levels, certified Bronze through Diamond. The lower three rest on a company director’s attestation; the top two are independently verified. It is practical and affordable, and it is a private certification, not a standard named in Australian law.

Most cyber security standards were written for large organisations and then handed down to everyone else. SMB1001 was written the other way around, for the small business first. That is its real point of difference, and it is also where the careful reading starts.

What is SMB1001?

SMB1001 is a cyber security certification standard published by Dynamic Standards International (DSI), an Australian founded not for profit that develops what it calls dynamic standards, updated every year rather than every few years. The current edition is SMB1001:2026, released in September 2025. DSI traded as Cyber Security Certification Australia until 2023, and the standard is now positioned as an international edition.

The framing DSI uses is a martial arts one: no one starts with a black belt, so a business earns the coloured belts first and works up. The five levels let an organisation certify at the maturity it actually has, then climb, without throwing away the earlier work.

The five levels

The standard runs from Level 1 to Level 5, certified under the badge names Bronze, Silver, Gold, Platinum and Diamond. A business does not have to complete all five; it certifies at the level that fits its risk and its customers.

| Level | Badge | Focus | How it is certified |
| --- | --- | --- | --- |
| Level 1 | Bronze | Basic preventive controls: firewall, antivirus, updates, backups | Director attestation |
| Level 2 | Silver | More advanced preventive measures | Director attestation |
| Level 3 | Gold | Holistic risk management across people, process and technology | Director attestation |
| Level 4 | Platinum | Formal governance, policy and verification | Independently verified |
| Level 5 | Diamond | Advanced governance and risk management | Independently verified |

The split in that last column matters more than anything else on this page. Bronze, Silver and Gold are self assessed: a company director signs an attestation that the controls are in place. Platinum and Diamond are checked by an independent party. Most certificates issued in the market today sit in the self attested tiers.

What does SMB1001 actually require?

SMB1001 is built on a people, process and technology approach and groups its controls into five areas: technology management, access management, backup and recovery, policies and procedures, and education and training. Level 1, for example, asks a business to engage technical support, run a firewall and antivirus on every device, turn on automatic updates, follow a password practice and put a backup and recovery strategy in place. Each level adds to the one below, bringing in measures like multi factor authentication, email authentication, endpoint detection and response, an incident response plan, staff training and, at the top, independent testing and supplier due diligence.

How does certification work?

DSI writes and maintains the standard but does not certify anyone against it. Certification is issued by an appointed Dynamic Standard Certifier; at present that is CyberCert, which runs the assessment platform and issues the certificate. Independent verification organisations, including BSI Group, handle the checks at the audited levels. Keeping the standard setter separate from the certifier is deliberate, and it mirrors how the larger certification schemes are structured.

In practice that means for Bronze, Silver and Gold the assurance is a director’s signed attestation, backed by the legal weight that a knowingly false attestation carries for a company director. For Platinum and Diamond, an independent body has verified the controls.

What does SMB1001 cost?

There are two costs, and they are easy to confuse. Buying the standard itself runs from about USD $95 for a micro business up to USD $995, scaled by organisation size. Certification, issued separately by CyberCert, is priced by tier; independent reporting puts it in the range of roughly AUD $95 a year at the entry level to about AUD $5,995 a year at Diamond, with the common mid tier Gold around AUD $395 a year. Both sets of pricing change, so confirm the current figures before you budget. Either way, the cost sits well below an ISO 27001 certification, which is the point.

Does SMB1001 satisfy regulators, customers or insurers?

This is where to be precise. SMB1001 is a private market certification. It is not named in the Cyber Security Act 2024 or in the Security of Critical Infrastructure rules, so it is not a legislated or government mandated standard, whatever a marketing page implies. As a supplier assurance signal it has real uses, and DSI runs programs aimed squarely at that, helping a small supplier show a larger customer it meets a baseline. On cyber insurance, many providers are said to recognise it, but published underwriting policy that names SMB1001 and a specific discount is hard to find. If your broker says it will move your premium, ask which named insurer’s guidance recognises it.

How does it compare with the Essential Eight and ISO 27001?

DSI maps SMB1001 to international frameworks such as the United Kingdom’s Cyber Essentials, the United States’ CIS Controls and CMMC, and positions it as a stepping stone toward ISO 27001. In the Australian market, though, the languages most buyers, insurers and regulators speak are the Essential Eight and ISO 27001. SMB1001’s alignment with the Essential Eight is partial: some Essential Eight Maturity Level One strategies, such as application control and hardening Microsoft Office macros, only appear at the top SMB1001 level. So a Gold certificate covers a meaningful slice of Essential Eight Maturity Level One, but it is not equivalent to it. We set out the detail in SMB1001 vs the Essential Eight.

The honest summary: SMB1001 is a strong internal baseline and an accessible first certificate for a business that is not ready for ISO 27001 or an Essential Eight assessment. It is weaker as a badge to wave at a sophisticated buyer who is fluent in those other frameworks.

Who should pursue SMB1001, and at what level?

A small business that has never structured its cyber posture gets the most value: the levels give an owner a clear, affordable list of the things to actually have in place, and the director attestation forces the list to be taken seriously. Gold is the realistic mass market target. When a customer or insurer needs independent verification, go higher and pick Platinum or Diamond. If your buyers are already asking for Essential Eight evidence or ISO 27001, treat SMB1001 as the starting rung, not the destination. Our SMB1001 certification service gets the controls genuinely in place and prepares you for the right tier.

Is SMB1001 a government standard?

No. It is a private certification from a not for profit standards body. It is not named in Australian legislation and is not government mandated, though it is used as a supplier assurance signal.

How is SMB1001 certified?

DSI sets the standard but does not certify. CyberCert is the appointed certifier. Bronze, Silver and Gold are based on a company director’s attestation; Platinum and Diamond are independently verified.

Is SMB1001 the same as the Essential Eight?

No. They overlap, but alignment is partial, and some Essential Eight Maturity Level One strategies sit only at the top SMB1001 level. A Gold certificate is not equivalent to Essential Eight Maturity Level One.

Which level should a small business aim for?

Gold is the common target for a business wanting a credible baseline. Move to Platinum or Diamond when a customer or insurer needs independent verification rather than a director’s attestation.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
