SMB1001 is a multi-tiered cyber security certification for small and medium businesses, published by Dynamic Standards International, a not-for-profit standards body. It has five levels, certified Bronze through Diamond. The lower three are based on a company director’s attestation; the top two are independently verified. It is a private certification, not a standard named in Australian law.
A small business owner who has been told to “get certified” usually finds that the advice refers to one of three things: the Essential Eight, ISO 27001, or, increasingly, SMB1001. The last one is the newest and the most often misunderstood, so here is the plain version.
Who publishes SMB1001?
Dynamic Standards International (DSI), an Australian-founded not-for-profit that traded as Cyber Security Certification Australia until 2023. DSI writes and maintains the standard but does not certify anyone against it. Certification is done by an appointed certifier, currently CyberCert, with independent verification organisations such as BSI Group involved at the higher levels. Keeping the standard setter and the certifier separate is deliberate.
What does SMB1001 certify?
That a business meets the controls at a chosen level. There are five, certified as Bronze, Silver, Gold, Platinum and Diamond, building from basic preventive controls at Bronze to formal governance and independent testing at Diamond. The controls sit in five areas: technology management, access management, backup and recovery, policies and procedures, and education and training. A business certifies at the level that matches its maturity and is not required to climb all five.
Is SMB1001 audited?
Only at the top. Bronze, Silver and Gold rest on a company director signing an attestation that the controls are in place; no external party checks them. Platinum and Diamond are independently verified. This is the single most important thing to understand about an SMB1001 certificate: unless it is Platinum or Diamond, it represents a director’s word, not an audit. That word carries legal weight, but it is not the same as verification.
Is SMB1001 required by law in Australia?
No. It is not named in the Cyber Security Act 2024 or the Security of Critical Infrastructure rules. It is a private market certification, used as a supplier assurance signal and an internal baseline, not a legislated requirement. For Australian government and enterprise tenders, the Essential Eight and ISO 27001 are still asked for far more often.
Who is SMB1001 for?
Small and medium businesses that want an affordable, structured way to lift and demonstrate their cyber posture without taking on the cost of ISO 27001. It is a genuinely useful first rung, and a reasonable answer when a customer asks a small supplier to show it takes security seriously. For the full picture, see the complete SMB1001 guide.
Is SMB1001 a certification or a standard?
Both. SMB1001 is the standard; the certification is issued against it by CyberCert, the appointed certifier. DSI publishes the standard but does not certify.
How many levels does SMB1001 have?
Five: Level 1 to Level 5, badged Bronze, Silver, Gold, Platinum and Diamond. A business certifies at the level that fits its needs.
Does SMB1001 replace the Essential Eight or ISO 27001?
No. It overlaps with both but is not equivalent, and in the Australian market it sits below them in formal recognition. It is best treated as a starting point.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Dynamic Standards International, SMB1001:2026 Standard, accessed June 2026
- CyberCert, the appointed Dynamic Standard Certifier for SMB1001, accessed June 2026
- Cyber Security Act 2024 (Cth), Federal Register of Legislation, accessed June 2026
Last updated: 22 June, 2026