SMB1001 is an Australian-developed certification standard published by Dynamic Standards International (DSI) and delivered through CyberCert. Rather than a single pass-or-fail audit, it offers five progressive tiers, so you certify at a level that matches your size, risk and budget, then climb as you grow.
It draws on the same controls as the ACSC Essential Eight and UK Cyber Essentials, but is designed to be achievable for businesses without a dedicated security team. The standard is revised every year to keep pace with the threat landscape, the current edition is SMB1001:2026.
Each tier builds on the one below it. Most businesses start at Bronze or Silver and work up to the level their clients and insurers expect.
Foundational hygiene, backups, antivirus, MFA and basic policies. The entry point for businesses just starting out.
Formalises your cyber practices with access controls, email security and documented policies.
Advanced monitoring, governance and incident response. Where most compliance-driven SMBs aim.
Mature security operations with EDR/MDR and third-party verification of your posture.
The highest tier, penetration testing, supply-chain trust and enterprise-grade governance.
Certification, control counts and fees are set by Dynamic Standards International and CyberCert and may change. This page is general information, not compliance advice.
Most of the controls SMB1001 asks for are things we already deliver, so certification reflects real, operating security, not paperwork.
We benchmark you against your target tier and map exactly what needs to change.
MFA, backups, EDR, email security and awareness training, most controls we already deliver.
We prepare the evidence and documentation, then guide your director through sign-off via CyberCert.
We keep your controls operating and map the path to your next tier as you grow.