More Brisbane businesses are being asked to prove their cyber security: by insurers, by larger clients, and in tenders. SMB1001 is the certification built to do exactly that, without the cost and complexity of a standard like ISO 27001. (If you’re still weighing it up against the Essential Eight, start with SMB1001 vs Essential Eight: which does your business need?.)
If you’ve decided to go for it, here’s how certification actually works, step by step.
Step 1: Choose your tier
SMB1001:2026 has five tiers, and each builds on the one below:
- Bronze: foundational hygiene like backups, antivirus, multi-factor authentication and basic policies.
- Silver: formalises your practices with access controls, email security and documented policies.
- Gold: advanced monitoring, governance and incident response. Where most compliance-driven SMBs aim.
- Platinum: mature security operations with threat detection and third-party verification.
- Diamond: the highest tier, with penetration testing, supply-chain trust and enterprise-grade governance.
Bronze, Silver and Gold are self-attested. Platinum and Diamond are independently audited. Most small businesses start at Bronze or Silver and work up to whatever level their clients and insurers expect. There’s no need to over-reach: pick the tier that matches what’s actually being asked of you.
Step 2: Run a gap assessment
Before you certify, you need an honest picture of where you stand against your target tier. A gap assessment benchmarks your current setup (accounts, devices, email, backups, policies) against the controls that tier requires, and produces a short list of what needs to change.
This step matters because it stops you either over-investing in things you don’t need, or attesting to controls you haven’t actually got in place (which is how certifications come back to bite you).
Step 3: Close the gaps
This is the real work, and for most SMBs it’s smaller than expected, because the controls SMB1001 asks for are exactly the security fundamentals you should have anyway. Typically that means:
- Multi-factor authentication on every account.
- Reliable, tested backups kept separate from your main systems.
- Email security to catch phishing and invoice scams.
- Endpoint protection on every device.
- Security-awareness training so your team is a defence, not a weak point.
- Documented policies for access, devices and incidents.
A lot of this is already available inside tools you’re probably paying for. Microsoft 365 Business Premium, for example, includes most of the security and device-management features the lower tiers require. The point of closing gaps properly is that your certificate reflects real, operating security, not paperwork. That’s the whole idea behind our IT security work.
Step 4: Gather evidence and attest
Once the controls are in place, you document the evidence: the settings, policies and processes that show each control is genuinely operating. For Bronze, Silver and Gold, certification is then self-attested: a director or owner confirms the controls are met, through CyberCert, and the certificate is issued.
For Platinum and Diamond, an independent assessor verifies your posture before certification. Either way, having the evidence organised up front makes this step quick rather than stressful.
Step 5: Certify and show it off
With attestation complete, you receive your SMB1001 certificate at your chosen tier. This is the bit that does the heavy lifting: you can show it to clients, attach it to tenders, and reference it at insurance-renewal time. Unlike a self-assessment against a framework, it’s a recognised, dated credential someone else can actually verify.
Certificates are valid for 12 months, so it’s a yearly rhythm rather than a one-off.
Step 6: Maintain it and climb
Security isn’t “set and forget,” and neither is certification. To stay certified you keep your controls operating year to year, and when you’re ready, you can step up to the next tier as your business grows or your clients’ expectations rise. Building good habits now (patching, reviewing access, testing backups) makes each renewal straightforward. It’s the same discipline that keeps you aligned to the Essential Eight.
How long does it take, and what does it cost?
Honestly, it depends where you’re starting from. If your fundamentals are already solid, lower-tier certification can move quickly, mostly evidence-gathering and attestation. If there are real gaps to close, the work is in Step 3, not the certification itself. Certification tiers, control counts and fees are set by Dynamic Standards International and CyberCert and are updated each year, so check the current figures when you begin.
The bigger point: the money and effort go into being secure, and SMB1001 simply turns that into something you can prove.
Getting started
You don’t have to navigate this alone. We help Brisbane businesses through the whole process: gap assessment, closing the gaps (most of which we already deliver day to day), preparing the evidence, and guiding the director through sign-off. It’s part of our compliance and data-protection service.
Get in touch for a no-obligation review and we’ll tell you which tier fits, what’s already in place, and what it would take to certify.
Adam leads the Itopia team in Brisbane, helping professional-services firms get secure, productive and confident with their technology, in plain English.

