For years, the conversation around cyber security for small businesses in Australia has been stuck between two uncomfortable positions: do nothing, or attempt to implement frameworks that were designed for organisations with dedicated security teams and enterprise-grade resources. The Essential Eight is rigorous and genuinely effective, but it was designed with government agencies and large organisations in mind. For a 30-person business in Adelaide without an IT manager, it can feel completely out of reach.
SMB1001 was built to close that gap. It's an Australian cyber security standard developed specifically for businesses that don't have a dedicated security function, don't have unlimited time and budget, and have historically been told that "good security" means something they can't realistically achieve. That framing is changing, and SMB1001 is a significant part of why.
What Is SMB1001 and Where Did It Come From?
SMB1001 was developed by Dynamic Standards International (DSI) in collaboration with industry, and released in 2023. The standard was designed specifically for businesses under 200 staff, the segment of the Australian economy that generates the most employment but has historically been the least supported when it comes to practical cyber security guidance.
The premise behind SMB1001 is straightforward: small businesses face real cyber risks, but the frameworks available to them were either too basic to be meaningful ("use strong passwords, run antivirus") or too complex and resource-intensive to be achievable without a dedicated team. DSI's answer was to design a framework from the ground up for businesses without a dedicated IT security function, one that acknowledges the resource constraints of small business while still providing a credible, structured path to improved security posture.
The result is a standard with a clear scope, a practical set of controls, and a certification model that allows businesses to demonstrate their security posture to clients, insurers, and partners in a format that actually means something.
How SMB1001 Works: The Tiered Certification Model
The defining feature of SMB1001 is its tiered certification structure. Rather than requiring all-or-nothing compliance, the standard is organised into five progressive tiers:
- Bronze: Foundational controls, self-assessed. The starting point for most businesses, covering the basics: MFA, patching, backups, access controls, and security awareness.
- Silver: Builds on Bronze with additional technical and procedural controls.
- Gold: Further depth across control areas, with increasing documentation requirements.
- Platinum: Higher assurance requirements, moving toward independent assessment.
- Diamond: The highest tier, requiring full independent assessment and demonstrating a mature, well-documented security programme.
The tiered model is deliberate and genuinely useful. A small business with 15 staff can achieve Bronze certification through self-assessment in a matter of weeks. That's a real, certifiable result they can show clients and insurers, not a promise that they're "working on security." As the business grows or its risk profile changes, it can progress through the tiers at a pace that makes sense.
The controls at Bronze level cover the fundamentals that research consistently shows would prevent the majority of cyber incidents affecting small businesses: multi-factor authentication, regular patching and updates, tested backups, sensible access controls, and a baseline of security awareness training. These aren't exotic controls, and many businesses are already doing some of them. SMB1001 gives those practices structure and a certification outcome.
SMB1001 vs. the Essential Eight: What's the Difference?
The ACSC's Essential Eight is Australia's best-known cyber security framework. It covers eight mitigation strategies (application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups) and scores organisations across three maturity levels (ML1, ML2, ML3).
The Essential Eight is rigorous and technically demanding. At ML2 and ML3, it requires technical controls (application whitelisting, granular privilege management, macro blocking) implemented to a depth that presupposes significant IT infrastructure and the expertise to configure and maintain it. For government agencies, defence contractors, and financial institutions operating under mandatory compliance frameworks, that rigour is appropriate and necessary.
For a small professional services firm in Adelaide with 25 staff, a shared Microsoft 365 environment, and no internal IT capability? The Essential Eight at ML2 is not the right starting point. It's not that the controls are wrong. It's that the implementation depth required exceeds what most small businesses can realistically achieve without significant external support.
SMB1001 was designed for precisely that environment. It covers many of the same fundamental control areas (MFA, patching, backups) but frames them at a level of depth that is achievable for a small business and builds progressively. The two frameworks are not in competition; they serve different contexts. The question for any given business is which one is the right starting point, based on its size, its risk profile, and who it is selling to.
Why Small Businesses Are Increasingly Being Asked About Their Cyber Security Posture
Something has shifted in the South Australian market over the past two years. Small businesses that previously never thought about formal cyber security frameworks are now being asked direct questions about what security controls they actually have in place, by their larger clients, by government procurement teams, and by their cyber insurance providers.
The drivers are converging. Insurance underwriters have tightened their requirements significantly following the wave of ransomware and data breach incidents that affected Australian businesses from 2022 onwards. Many policies now require documented evidence of specific controls (MFA, patching cadence, backup testing) as a condition of coverage or as a factor in premium pricing. "We have antivirus" is no longer a sufficient answer.
At the same time, larger organisations are extending their security due diligence into their supply chains. A government department or ASX-listed company contracting with a small Adelaide business will increasingly ask: what is your security posture, and how do you evidence it? SMB1001 provides a clear, certifiable answer to that question. It gives small businesses a framework to point to and a certification outcome that demonstrates a genuine, structured approach, not just good intentions.
For managed IT clients we work with across South Australia, this has become a recurring conversation. The pressure is real, and it's increasing.
What SMB1001 Implementation Looks Like in Practice
The starting point for any SMB1001 implementation is a gap analysis. Before you start remediating, you need to understand where you currently sit against each control tier. In our experience, most small businesses are already doing some things right (they have backups running and some form of MFA in place for email), but they have meaningful gaps in documentation, access control reviews, or patch management discipline.
The gap analysis is also where the prioritisation happens. Not every gap carries equal risk, and a good implementation doesn't try to fix everything at once. The remediation plan should target the controls with the highest risk impact first, then work systematically through the remainder.
For most businesses targeting Bronze or Silver certification, the implementation timeline runs to 8–16 weeks from initial gap analysis to certification-ready. That range is wide because the starting point varies significantly. A business that already has documented processes and a reasonable security baseline will move faster than one starting from scratch. The ongoing commitment after certification is lower than most businesses expect: quarterly reviews of key controls and annual renewal to maintain currency.
One practical observation worth sharing: the documentation requirement is often the biggest gap, not the technical controls themselves. Many businesses have the controls in place but haven't documented them in a way that satisfies a framework assessment. Getting controls documented, tested, and evidenced is a significant part of the implementation work.
How to Know If SMB1001 Is Right for Your Business
If your business has under 200 staff, doesn't have a dedicated security team, and you're starting to receive questions from clients, insurers, or partners about your cyber security posture, SMB1001 is worth understanding seriously. It was designed for your situation.
If your business operates in a government supply chain, holds a defence security clearance, or is in a regulated financial services context, the Essential Eight may be the more relevant framework. Those environments have specific compliance requirements that SMB1001 isn't designed to satisfy. The two frameworks are not interchangeable at those levels.
For businesses that are genuinely unsure which framework is appropriate, the right first step is an honest conversation about your risk profile, your client base, and what your insurers and partners are actually asking for. At InterIntra, we help Adelaide businesses work through that question before they commit time and resources to either framework, because the wrong starting point wastes both.
