Cyber security certification built for your size of business.

SMB1001 is an Australian cyber security standard developed by Dynamic Standards International (DSI) for businesses under 200 staff that don't have a dedicated security function. It uses a five-tier certification model, Bronze, Silver, Gold, Platinum, and Diamond, designed to be achievable at each level without enterprise-scale resources. SMB1001:2025 is the current version of the standard.

Typically 8–12 weeks from initial gap analysis to certification-ready, depending on how many controls are already in place. Bronze is self-assessed, so you don't need to wait for an external assessor. Businesses that already have basic security hygiene, regular backups, some form of MFA, documented processes, will move through the remediation phase faster. The timeline is wide because starting points vary significantly; the gap analysis tells you where you realistically sit.

SMB1001 was designed for businesses under 200 staff without a dedicated security function. It's intentionally more accessible than the Essential Eight for that environment. The Essential Eight is better suited to organisations in government supply chains, financial services, or larger enterprise contexts where the ACSC's maturity model is the expected standard. Both frameworks cover many of the same fundamental controls; the difference is in the depth and complexity of implementation required at each level. If you're unsure which is right for your business, that's the first conversation we have.

Bronze, Silver and Gold are self-assessed. You document your controls, complete the assessment questionnaire, and declare your certification level. Platinum and Diamond require independent third-party assessment, where an accredited assessor verifies your controls and evidence before certification is issued. Most businesses targeting their first SMB1001 certification start at Bronze and work toward Gold before considering higher tiers. We guide you through the self-assessment process for the lower tiers and coordinate independent assessment when you're ready to progress.

Yes. SMB1001 certification requires annual renewal to remain current. This keeps your certification meaningful. It reflects your actual security posture, not where you were twelve months ago. The renewal process involves reassessing your controls against the standard and updating your evidence. We manage this as part of our ongoing cyber security programme so it doesn't sneak up on you.

SMB1001:2025 is designed for small and medium-sized businesses that lack a dedicated security function but still need a credible, certifiable security programme. If your business handles customer data, uses cloud services, or needs to demonstrate security credentials to clients or insurers, SMB1001 is the most practical starting point available to Australian businesses under 200 staff.

SMB1001:2025 covers both technical measures and organisational practices. On the technical side: multi-factor authentication, patch management, secure backups, network segmentation, and access controls. On the organisational side: cybersecurity policies, staff security awareness, incident response planning, and vendor management. The mix of technical versus organisational requirements increases in depth as you progress through the Bronze to Gold tiers.

SMB1001:2025 recognises that not all controls may be relevant or feasible for every small business. Organisations are encouraged to prioritise controls based on their specific context and risk profile. The gap analysis we run in Phase 1 maps exactly where you stand and sequences remediation so you're working on the highest-impact items first, not trying to achieve everything at once. We've helped businesses start from very low baselines and work methodically to certification.

Beyond the direct security improvements, certification delivers tangible business benefits: competitive advantage when tendering for contracts where security credentials are assessed, improved positioning for cyber insurance renewal, and demonstrated commitment to clients and stakeholders. Certification also builds an evidenced security foundation that makes progression to more demanding frameworks, such as the ACSC Essential Eight or ISO 27001, significantly faster, since much of the documentation and control work carries over.