The strongest demand is around choosing the right tier, understanding whether lower tiers are merely self-attested, and separating the low certification fee from the real implementation cost. A high-demand question missing from the fixed 10 is whether certification will satisfy a specific customer, insurer or professional duty-of-care test after a breach.
What is SMB1001, and who's asking me for it?
SMB1001 is a privately operated, five-level cyber security certification standard developed by Dynamic Standards International for small and medium businesses. DSI develops and maintains the standard, while CyberCert operates the current certification pathway; an MSP or consultant may help implement the controls but should not be confused with the certifying body. It is not a general Australian legal requirement for every SMB. Businesses are most likely to encounter it through enterprise supply-chain assurance, customer questionnaires, cyber-insurance discussions, professional associations and commercial contracts.
- enterprise supplier — A customer may nominate a required SMB1001 tier according to the supplier's access, data and operational risk.
- law practice — Queensland Law Society supports the standard and recommends members work towards Gold, but says certification is not a safe harbour.
- MSP-supported business — The MSP may implement and maintain controls, but DSI is the standards developer and CyberCert is the certification body and platform.
- Australian private-sector SMB — No universal Australian law was identified that automatically requires SMB1001 certification solely because the organisation is an SMB.
Who is requiring SMB1001 from us, which current edition and tier do they require, what assurance level will they accept, and will the certificate be issued by CyberCert rather than by the MSP or consultant implementing the controls?
Does it apply to a business my size or type?
SMB1001 is aimed at small and medium businesses, but the public material does not set a single Australian turnover, employee or revenue test that determines eligibility or the correct tier. The sensible tier depends on what the business handles, the systems it can access, its operational importance, customer requirements and the harm a compromise could cause. A sole trader may benefit from Bronze or Silver but can struggle to obtain affordable specialist support, while a small supplier with privileged access to a major customer may be asked for Gold, Platinum or Diamond. Certification should therefore be selected by risk and contractual need, not headcount alone.
- sole trader or microbusiness — The entry tiers are designed to be accessible, but sourcing a suitable technical support provider can itself be a practical barrier.
- professional services firm — The appropriate tier should reflect the sensitivity of client information, contractual duties and professional expectations.
- low-risk supplier — CyberCert's SCAP material commonly associates Bronze or Silver with lower-risk suppliers.
- medium- or high-risk supplier — CyberCert's SCAP material associates Gold with medium risk and Platinum or Diamond with higher assurance.
Explain why the proposed tier is proportionate to our data, access, customer contracts and operational impact, and show us the supplier-risk criteria used instead of recommending a tier from headcount or turnover alone.
What are the actual tiers and controls?
The five cumulative levels are Bronze Level 1, Silver Level 2, Gold Level 3, Platinum Level 4 and Diamond Level 5. Public 2026 summaries describe Bronze as foundational protection, Silver as stronger identity, email and policy controls, Gold as a 27-control program across people, process and technology, and Platinum and Diamond as independently verified higher-assurance tiers. Publicly reported Gold requirements include EDR, DKIM and enforced DMARC, cyber insurance, an incident response plan, a digital asset register and a responsible AI use policy. Because the complete current control text is a licensed commercial standard, businesses should obtain the actual SMB1001:2026 document or current CyberCert assessment rather than treating a provider checklist as exhaustive.
- Bronze — Level 1 — Foundational preventive controls publicly described as including technical support, firewall protection, endpoint protection, updates, backups and awareness.
- Silver — Level 2 — Builds on Bronze with controls publicly described as including MFA, individual accounts, restricted administration, SPF and additional written processes.
- Gold — Level 3 — The 2026 edition is publicly reported as containing 27 controls, including EDR, stronger email authentication, incident response, asset governance, cyber insurance and responsible AI use.
- Platinum — Level 4 — Higher-assurance controls publicly described as including phishing-resistant MFA, vulnerability scanning, recovery testing, stronger support commitments and independent verification.
- Diamond — Level 5 — The highest tier publicly described as adding advanced governance, application control, encryption, MDR, penetration and social-engineering testing, supplier assurance and independent verification.
Provide the licensed SMB1001:2026 control list for our proposed tier, show which lower-tier controls are cumulative, and map every requirement to an owner, implementation, evidence item and current certification outcome.
Which policies does it require me to have in writing?
The policy set grows with the tier and should be taken from the licensed current control list rather than copied from an older template pack. Public 2026 implementation material describes Silver documentation such as confidentiality and invoice-fraud controls, while Gold includes a cyber security policy, incident response plan, digital asset register, responsible AI use policy and evidence of awareness activities. Higher tiers add more formal recovery, testing, supplier and governance arrangements. Written documents are not enough by themselves: the business should be able to show that the controls are approved, communicated, operated, tested and reviewed.
- Bronze — The emphasis is foundational operation and awareness, although records and ownership are still needed to support attestation.
- Silver — Public provider summaries identify confidentiality, invoice-fraud, backup and access-related documentation.
- Gold — Public 2026 summaries identify a cyber security policy, incident response plan, digital asset register and responsible AI use policy.
- Platinum or Diamond — Expect more formal governance, recovery, testing, supplier assurance, monitoring and externally verifiable records.
List every written policy, plan, register, agreement and training record required by our exact SMB1001:2026 tier, cite the control it satisfies, and show how you will prove each document is approved, communicated and operating in practice.
What changed in the latest (2025) revision?
DSI labels the current edition SMB1001:2026 and gives it a release date of 1 September 2025. Public Australian implementation summaries say the revision moved cyber-awareness training earlier, introduced stronger email-authentication requirements, expanded Gold from 23 to 27 controls and added or strengthened EDR, cyber insurance, incident response, asset governance, supplier risk and responsible AI requirements. Silver now publicly includes SPF, while Gold requires DKIM and a DMARC policy set to quarantine or reject rather than monitoring-only. Some current Australian pages still call the framework SMB1001:2025, so businesses should write the edition and release date into every quote, assessment and contract instead of relying on the year in a marketing page.
- existing 2025-edition certificate — New or changed controls may need to be demonstrated at the next recertification against the current edition.
- Silver target — Public 2026 summaries identify valid SPF as a new certification requirement.
- Gold target — Public summaries identify 27 controls, including DKIM, enforced DMARC, EDR, cyber insurance and a responsible AI use policy.
- contract or tender naming an edition — Confirm whether the requiring party expects the edition released in September 2025 or an older named version.
Confirm that your assessment uses SMB1001:2026 released on 1 September 2025, then show every changed or newly added control affecting our tier and every older checklist, policy or configuration that must be replaced.
How is it certified — and by whom?
DSI develops and maintains the standard; CyberCert is the Australian-based conformity assessment and certification platform identified in current ecosystem material. Current CyberCert material describes Bronze and Silver as lower-risk certifications, Gold as a light-touch self-assessment, and Platinum and Diamond as independently verified. The applying business remains responsible for its claims, while an MSP or consultant can prepare systems and evidence but should not present itself as the certificate issuer. CyberCert's downloadable 2024 Certification Practice Statement predates the DSI name and current edition, so applicants should request the current assurance schedule and subscriber terms before relying on its older detail.
- Bronze, Silver or Gold — Current public CyberCert and Australian practitioner material describes these as attestation or self-assessment pathways with differing levels of validation.
- Platinum or Diamond — CyberCert markets these tiers as verified and requires a separate audit fee.
- MSP or consultant — The provider may implement controls and assemble evidence but is distinct from DSI and CyberCert.
- Australian applicant — The 2024 CyberCert CPS describes validation of the subscriber's Australian registered name and ABN.
Identify the standard owner, certificate issuer, assessor and implementation provider separately; state whether our tier is self-attested or independently verified; and provide the current CyberCert assurance schedule, subscriber terms and public-registry process.
What evidence do I need to show?
Evidence should show that every claimed control exists across the full business scope, not merely that a policy or product was purchased. Depending on the tier, that can include asset and user registers, firewall and endpoint configurations, patch reports, MFA settings, privileged-access records, SPF, DKIM and DMARC results, backup jobs and restoration tests, training records, signed policies, cyber-insurance evidence, an incident response plan and supplier agreements. Lower-tier certification may rely substantially on the business's attestation, but that does not remove the need to retain defensible evidence for a customer, insurer or later review. Platinum and Diamond require stronger independent verification, and any provider-generated evidence should remain accessible to the certified business.
- technical controls — Keep configuration exports, management-console reports, test results, logs, scan results and dated screenshots tied to the relevant assets.
- people and policy controls — Keep approved policies, acknowledgements, training attendance, assessment results, role assignments and review history.
- backup and response controls — Keep backup reports, restoration-test results, incident exercises, contact lists, response records and corrective actions.
- outsourced IT — The certified business should contract for access to the evidence held in the MSP's tools and retain copies needed to support its attestation.
Create an evidence register mapping every SMB1001:2026 control to the asset scope, control owner, live configuration, test result, supporting document, collection date and storage location, and confirm that our business can retrieve the evidence without depending on your continued appointment.
How does it compare to the Essential Eight and ISO 27001?
SMB1001 is a commercial, five-tier certification pathway designed for SMBs and covers technology, access, recovery, governance and staff awareness. The Essential Eight is ASD's Australian technical mitigation baseline with maturity levels zero to three; ASD says there is no general requirement for independent certification, although an assessment may be required by policy, regulation or contract. ISO/IEC 27001:2022 is an international, risk-based information security management-system standard with optional certification by an accredited conformity assessment body. DSI publishes cross-framework mappings, but mapping or partial coverage is not the same as holding an Essential Eight assessment result or ISO/IEC 27001 certificate, and SMB1001 does not create a legal safe harbour.
- SMB1001 — Five cumulative commercial certification tiers designed for SMB implementation and supplier assurance.
- Essential Eight — Eight technical mitigation strategies with maturity levels zero to three and no universal ASD certification requirement.
- ISO/IEC 27001 — A broad international ISMS standard based on organisational risk, governance and continual improvement, with accredited certification available.
- customer specifies a named standard — A crosswalk should not be substituted for the exact certificate or assessment result the customer has required.
Show us a control-by-control crosswalk between our proposed SMB1001 tier, the current Essential Eight maturity level and ISO/IEC 27001:2022, and mark every unmet or only partially covered requirement instead of claiming automatic equivalence.
What does it cost and how long does it take?
CyberCert's current Australian pricing page lists certification subscriptions in US dollars: Bronze US$95, Silver US$195, Gold US$395, Platinum US$595 plus a required US$3,000 audit fee, and Diamond US$995 plus a required US$5,000 audit fee, with tax where applicable. Those are certification and audit charges, not the full cost of software, remediation, internal time, MSP services, policy development or ongoing operation. CyberCert says prepared Bronze and Silver suppliers can sometimes certify in days, while businesses with many gaps may take a few weeks; Australian provider estimates for Gold range from roughly four to twelve months depending on readiness. The downloadable 2024 CPS says a purchased subscription must be completed within 12 months and CyberCert expects certificate issuance within one business day after approval.
- Bronze — Level 1 — Current listed subscription is US$95 plus applicable tax; implementation and support are additional.
- Silver — Level 2 — Current listed subscription is US$195 plus applicable tax; MFA, email, access and policy gaps can add implementation work.
- Gold — Level 3 — Current listed subscription is US$395 plus applicable tax; the 27-control implementation can cost substantially more than the certificate.
- Platinum or Diamond — Current listed subscriptions are US$595 and US$995, with required audit fees of US$3,000 and US$5,000 respectively, before tax and implementation.
Separate the CyberCert subscription, required audit fee, software licences, implementation labour, policy work, staff time, remediation, evidence preparation and annual recertification costs, and give us a milestone-based timetable tied to our actual gap assessment.
What's my next step?
Common misconceptions
- Every Australian small or medium business is legally required to become SMB1001 certified. INFERRED
- DSI, CyberCert and the MSP implementing the controls are the same organisation performing the same role. VERIFIED
- The US$95 Bronze subscription is the total cost of implementing and maintaining the required controls. INFERRED
- Every SMB1001 tier receives the same depth of independent audit. VERIFIED
- Gold certification is independently audited under every current certification pathway. INFERRED
- SMB1001 certification guarantees that the business will not suffer a cyber incident or data breach. VERIFIED
- SMB1001 creates a legal safe harbour or automatically proves that every professional or statutory duty of care has been met. VERIFIED
- A DSI mapping to the Essential Eight or ISO/IEC 27001 is equivalent to holding the mapped assessment result or certificate. INFERRED
- SMB1001:2025 is unambiguously the latest edition name across all current sources. VERIFIED
- Certification is permanent and requires no expiry monitoring or recertification. VERIFIED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Supply-chain SMB1001 requirement | Customer, procuring entity or supply-chain program owner | A contract, supplier-security clause, tender or assurance program requires the supplier to obtain and maintain a nominated SMB1001 tier. | As stated in the contract or onboarding requirement; ongoing validity and recertification may be required, with CyberCert alerting certificate holders before expiry. | Contractual consequences may include failed onboarding, remediation requirements, loss of supplier eligibility or breach remedies; no universal statutory penalty applies. |
| Professional, client or insurer assurance requirement | Professional body, insurer, client or digital platform imposing the requirement | The business accepts a contractual requirement or selects SMB1001 as evidence supporting its broader duty to take reasonable cyber security steps. | As stated by the requiring party or at insurance, membership, platform or client-contract renewal. | |
| CyberCert subscription and certificate conditions | CyberCert | An Australian business purchases a CyberCert SMB1001 certification subscription and agrees to the subscriber terms. | The 2024 CPS states that certification must be completed within 12 months of subscription purchase; certificates expire and require recertification rather than renewal, with at least three months' notice described in the CPS. | The CPS states that an incomplete subscription expires after 12 months and an expired certificate must not be used. |
Sources
- SMB1001 cybersecurity certification primary
- Dynamic Standards International FAQs primary
- Supplier Categorization Matrix primary
- Our Strategic Vision primary
- Detailed Standards Mappings primary
- Mapping to ASD Essential Eight Maturity Level 3 primary
- CyberCert SMB1001 Certification and Pricing primary
- SMB1001 Certification Practice Statement primary
- About the Supplier Cyber Assurance Program primary
- SMB1001 Cybersecurity Standard primary
- SMB1001 certification for ACS members with CyberCert primary
- Essential Eight maturity model primary
- ISO/IEC 27001:2022 Information Security Management Systems — Requirements primary
- SMB1001 Cybersecurity Australia forum
- SMB1001:2026 Changes Explained for Perth Businesses forum
- SMB1001 Includes DMARC for Risk Management forum
- SMB1001 standard (Dynamic Standards International) forum
- SMB1001 Certification in Australia forum
- Introducing SCAP: A New Standard for SMB Cybersecurity Assurance forum
- How to Deal with the SMB1001 Standard forum
- James Davis Post About SMB1001 Certification Levels forum
- DMARC Is Not a Set-and-Forget Job forum
- QLS Offers Free Cyber Security Certification for Small Firms forum
- Compliance Without Evidence Is Fiction forum
- Cyber Security Made Simple — A Guide to SMB1001 forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.