
Essential 8 vs SMB1001: Which One Should an Australian SMB Start With?

Honest breakdown of Essential 8 and SMB1001 for Australian SMBs. When to start with Bronze, when to jump to ML1, and how the two standards work together.

By Pardeep Sharma

TL;DR

If you are an Australian SMB under 50 staff with no government contracts in play, start with SMB1001 Bronze. It is faster to reach, recognised by Australian cyber insurers, and gives you a credible posture inside 30 days. If you need a government contract or your customers ask for Essential 8 specifically, start with Essential 8 ML1 instead. The two standards overlap enough that work on one accelerates the other.

What each standard actually is

Essential 8 is the Australian Cyber Security Centre's set of 8 mitigation strategies, graded across three maturity levels (ML1 → ML2 → ML3). ML1 is the entry point. Government contractors and many enterprise procurement teams require it. It is rigorous, well-understood internationally, and harder to fake.

SMB1001 (DSI 2026) is an Australian standard built specifically for small and medium businesses, organised into five tiers from Bronze through Diamond. Bronze is reachable in weeks, not months. Each tier maps onto realistic SMB capabilities, so a 12-person accounting firm and a 200-person services company can both find the right starting point.

CYBERWHITE is a DSI Licensed Commercial Holder of the SMB1001 standard and one of a small number of platforms that natively assess both frameworks.

How they overlap

Around 60% of SMB1001 Bronze controls map directly onto Essential 8 ML1 controls. Patch management, MFA on cloud services, restricting admin privileges, daily backups — these are SMB1001 tier-1 requirements and Essential 8 ML1 requirements at the same time. The work compounds.

That is the practical reason to pick the right starting standard rather than chasing both at once. Get one done, then the second one is 30 to 50% lighter.

When to start with SMB1001 Bronze

Pick SMB1001 if any of these are true for you:

  • Under 50 staff and no government contracts in your pipeline
  • Looking for credibility for cyber insurance renewals
  • Need something visible on your website inside 60 days
  • Your buyers are other SMBs or mid-market firms, not government or Fortune 500
  • You want a tiered roadmap that grows with you over 2 to 3 years

A 30-person Sydney consulting firm we worked with reached Bronze in 28 days and used it as a talking point for two enterprise deals that closed in Q2. They moved to Bronze Plus six months later and are working towards Silver this year.

When to start with Essential 8 ML1

Pick Essential 8 if any of these are true:

  • A specific customer or government contract requires Essential 8 ML1 or ML2
  • You sell to government, defence, or the Big 4 consultancies that flow Essential 8 down their supply chain
  • Your in-house IT team is mature enough to handle the full 8 strategies
  • You plan to pursue ML2 within 18 months for stronger procurement positioning

A 90-person managed services provider we work with started with Essential 8 ML1 because three of their largest clients required it for their MSA renewals. They reached ML1 in 11 weeks and are now scoping ML2 for a defence subcontract opportunity.

What CYBERWHITE actually does for each

We are a self-guided assessment platform plus automated scanner. For both frameworks:

  • The platform walks you through the assessment in plain English
  • For Essential 8, we have 149 AutoFix actions across ML1 and ML2 that deploy via the Microsoft Graph API with your approval. SMB1001 currently has fewer automated remediations, but more are shipping each quarter
  • We integrate with Microsoft 365, Azure, AWS, and GitHub for evidence collection
  • You get an audit-ready PDF with cross-framework mapping (so the work toward Essential 8 also shows your SMB1001 progress, and vice versa)

We are not yet IRAP assessed and we are not SOC 2 certified ourselves. We are Australian owned and operated (ABN 31 598 198 475). The honest line is: we are best for ANZ SMBs who want to reach a credible compliance posture faster than DIY or a quote-driven consultancy.

The mistake to avoid

Do not try to do both frameworks in parallel from a cold start. Your team will burn out on documentation and you will end up with two half-done standards instead of one credible one. Pick the standard your buyers actually ask for, ship it, then pick up the second one with the 30 to 50% head start.

What to do this week

If you are not sure which one applies to you, run our free Essential 8 maturity check (/tools/essential-8-maturity-assessment) or read the full Essential 8 guide at /essential-8-compliance. If you have already decided SMB1001 is the path, the SMB1001 guide walks through each tier.

FAQ

Is SMB1001 recognised by the Australian government?

SMB1001 is an Australian standard administered by the DSI and recognised by Australian cyber insurers. Direct government procurement still typically asks for Essential 8 specifically.

Can I jump straight from Bronze to ML1 later?

Yes. Around 60% of Bronze maps onto ML1, so the jump is materially smaller than starting ML1 from scratch.

How long does each take to reach?

Bronze: 4 to 6 weeks for a typical 30-person firm using CYBERWHITE. ML1: 8 to 14 weeks depending on Microsoft 365 licensing and team readiness.

What does CYBERWHITE cost?

For SMBs running their own compliance, plans start at AUD 99/mo. Full pricing at /pricing.

What if I already use Drata or Vanta?

Drata and Vanta are excellent for SOC 2 in US-style sales contexts. They do not natively assess Essential 8 or SMB1001. For Australian-specific frameworks, CYBERWHITE is purpose-built. We compare honestly at /compare.

Ready to assess your compliance?

CYBERWHITE helps Australian businesses reach Essential 8 and SMB1001 audit-readiness faster. Start with our free 5-minute assessment.