Compliance · SMB1001

SMB1001: cyber certification built for small business

SMB1001 is an affordable, tiered cyber security certification made for small and medium businesses, a practical way to prove your security to clients, insurers and regulators, without the cost and complexity of ISO 27001.

Get certified with Itopia Our compliance service
What it is

A right-sized cyber standard

SMB1001 is an Australian-developed certification standard published by Dynamic Standards International (DSI) and delivered through CyberCert. Rather than a single pass-or-fail audit, it offers five progressive tiers, so you certify at a level that matches your size, risk and budget, then climb as you grow.

It draws on the same controls as the ACSC Essential Eight and UK Cyber Essentials, but is designed to be achievable for businesses without a dedicated security team. The standard is revised every year to keep pace with the threat landscape, the current edition is SMB1001:2026.

At a glance
Current versionSMB1001:2026
Best forSMBs, 5–200 staff
Tiers5 (Bronze → Diamond)
Bronze–GoldSelf-attested
Platinum–DiamondIndependently audited
Validity12 months
The five tiers

Start where you are, climb as you grow

Each tier builds on the one below it. Most businesses start at Bronze or Silver and work up to the level their clients and insurers expect.

Level 1

Bronze

Self-attested

Foundational hygiene, backups, antivirus, MFA and basic policies. The entry point for businesses just starting out.

Level 2

Silver

Self-attested

Formalises your cyber practices with access controls, email security and documented policies.

Most aim here
Level 3

Gold

Self-attested

Advanced monitoring, governance and incident response. Where most compliance-driven SMBs aim.

Level 4

Platinum

Independently audited

Mature security operations with EDR/MDR and third-party verification of your posture.

Level 5

Diamond

Independently audited

The highest tier, penetration testing, supply-chain trust and enterprise-grade governance.

Certification, control counts and fees are set by Dynamic Standards International and CyberCert and may change. This page is general information, not compliance advice.

How we help

We do the work, you get certified

Most of the controls SMB1001 asks for are things we already deliver, so certification reflects real, operating security, not paperwork.

Gap assessment

Gap assessment

We benchmark you against your target tier and map exactly what needs to change.

Close the gaps

Close the gaps

MFA, backups, EDR, email security and awareness training, most controls we already deliver.

Evidence & attestation

Evidence & attestation

We prepare the evidence and documentation, then guide your director through sign-off via CyberCert.

Maintain & progress

Maintain & progress

We keep your controls operating and map the path to your next tier as you grow.

Ready to prove your cyber security?

We'll help you pick the right tier and get you certified, without the enterprise overhead.

Get a Quote Call 07 3063 2211