
SMB1001 vs the Essential Eight: What Australian SMBs Should Know

22 June 2026 · Updated 22 June 2026

SMB1001 and the Essential Eight solve different problems. SMB1001 is a tiered certification a small business can earn and show. The Essential Eight is an ACSC mitigation model that you assess against, with no certificate. They overlap on the basics, but SMB1001 alignment with the Essential Eight is partial, and in Australian tenders and insurance the Essential Eight is the more widely recognised language.

A small business that asks “should we do SMB1001 or the Essential Eight” is really asking two questions at once: which improves our security, and which do the people we answer to want to see. The answers are not the same.

They are different kinds of thing

The Essential Eight is a set of eight mitigation strategies from the Australian Signals Directorate, measured across maturity levels. It is guidance you assess against; there is no certificate and no certifying body. SMB1001 is a certification: you meet a level’s controls and receive a badge from CyberCert, the appointed certifier. One gives you a maturity rating in the language Australian institutions use; the other gives you something to hand a customer.

| | SMB1001 | Essential Eight |
|---|---|---|
| What it is | A tiered certification | A mitigation model you assess against |
| Issued by | CyberCert, against the DSI standard | Nobody; it is ACSC guidance |
| Output | A certificate, Bronze to Diamond | A maturity level, ML0 to ML3 |
| Assurance | Director attestation, or audit at the top tiers | Self-assessment, or an independent assessment |
| Recognition in AU | Growing, private market | Established across government and enterprise |

Where they overlap, and where they do not

Both cover the foundations a small business needs: multi-factor authentication, patching, backups, and limiting administrative access. Work done for one therefore carries toward the other, but the overlap is partial. Two Essential Eight Maturity Level One strategies, application control and hardening Microsoft Office macros, appear only at the very top of SMB1001. Staff awareness training, which SMB1001 brings in at Level 3, is not part of the Essential Eight at all. So an SMB1001 Gold certificate covers a real slice of Essential Eight Maturity Level One, but it is not the same as reaching it, and neither claim should be made for the other.

Which one do your buyers want?

This is the deciding question for most SMBs. Australian government tenders, larger corporate customers and many insurers are fluent in the Essential Eight and ISO 27001. They are still learning SMB1001. If a specific contract or panel asks for Essential Eight evidence, an SMB1001 certificate does not answer it. If a customer simply wants assurance that a small supplier takes security seriously, an SMB1001 certificate can carry that, and it is cheaper and faster to reach than ISO 27001.

A practical order

For most small businesses the sensible path is not either/or. Start with a free Essential Eight self-assessment to see where you stand in the language your market speaks. Use SMB1001 as the structured, affordable way to lift and demonstrate the baseline, especially if you need something to show a customer now. Then, if a buyer or regulator requires it, move toward an Essential Eight assessment or ISO 27001. We help with all three and will tell you honestly which one your situation calls for, in the complete SMB1001 guide and in person.

Is SMB1001 the same as the Essential Eight?

No. They overlap on the basics, but SMB1001 alignment is partial, and some Essential Eight Maturity Level One strategies sit only at the top SMB1001 level.

Can I use SMB1001 to meet an Essential Eight requirement?

Not reliably. If a tender or panel specifically asks for Essential Eight evidence, an SMB1001 certificate does not satisfy it. They are different measures.

Which should a small business do first?

Assess against the Essential Eight to see where you stand, then use SMB1001 as an affordable way to lift and certify the baseline. Move to ISO 27001 if your buyers require it.


Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


