What is SMB1001?
SMB1001 (latest version 2025) is a multi-tiered cyber security certification developed specifically for small and medium-sized businesses (SMBs). Designed in collaboration with Australian and international cyber leaders, the standard provides a clear, scalable pathway to help SMBs improve cyber hygiene, meet procurement requirements, and align with global best practices, including ISO/IEC 27001.
With 5 tiers of increasing maturity, SMB1001 enables businesses to start at a level suited to their current capabilities and advance as they grow. The certification is a flexible, annually updated standard that is ideal for resource-constrained organisations that need to meet the needs of clients and partners without the cost and complexity of enterprise-level certifications.
Why SMB1001?

Tiered Certification Levels
Each level in SMB1001 builds on the last, allowing organisations to progressively mature their cyber security practices across 5 key domains: Technology Management, Access Management, Backup & Recovery, Policies & Processes, and Education & Training.
Level 1
Foundational Security: For businesses just starting out with cyber security, focusing on essential controls like firewalls, antivirus, updates, password hygiene, and data backups.
Level 2
Establishing Baselines: Introduces critical policies, TLS encryption, user access management, and MFA to formalise cyber practices without overwhelming smaller teams.
Level 3
Risk-Based Maturity: Expands to risk management, employee awareness, server patching, and policies for incident response and asset tracking.
Level 4
Enhanced Governance: Adds vulnerability scanning, cyber insurance, cloud credential control, and mandatory third-party verification of controls.
Level 5
Advanced Cyber Resilience: Completes the pathway with encryption-at-rest, application control, macro protections, red team testing, and supplier digital trust agreements.
From SMB1001 to ISO 27001
As businesses reach SMB1001 Level 5, they are well-positioned to pursue ISO/IEC 27001 certification. The control overlap means SMB1001 is an ideal preparatory framework, especially for businesses aiming to build a fully-fledged Information Security Management System (ISMS) over time. Learn more about our ISO 27001 implementation and auditing services.
Certification and Assessment Process
Levels 1–3
Levels 4–5
Annual renewal
Our team supports you throughout the journey, from readiness assessments to evidence collection and auditor preparation.
Who is it for?
Common FAQs on SMB1001
What is the difference between SMB1001 and the ACSC Essential Eight Maturity Model?
SMB1001 and the ACSC Essential Eight address similar cyber risks but differ in structure and purpose.
Can I skip levels and start at a higher tier?
Yes. You can start at any level that reflects your organisation’s current cyber maturity. However, you must implement the controls from lower tiers as part of meeting a higher-tier certification.
How often is the standard updated?
SMB1001 is updated annually by Dynamic Standards International, making it one of the most agile cyber certifications available.
Is SMB1001 recognised internationally?
Yes. While designed with Australian SMBs in mind, SMB1001 aligns with global standards such as ISO/IEC 27001 and the US CMMC, with equivalency mapped across various international frameworks.
Ready to get started?
Let us help you choose the right starting tier and guide you on your cyber security certification journey. Contact Us to speak with an advisor or request a free readiness check.