TL;DR: SMB1001 Bronze is the entry tier of the five-tier DSI cyber security standard, and it is self-assessed, so a typical small Australian business can reach it inside 30 days. The fastest sensible order is to tackle the technical basics first (antivirus, firewalls, automatic updates, MFA), then backups, then staff awareness training, keeping a short evidence pack as you go. This checklist walks through what Bronze covers, the order we recommend, and the proof to keep on file.
As a DSI Licensed Commercial Holder of the SMB1001 standard, CYBERWHITE works with this framework every day. Below is the practical version of how Bronze actually gets done.
What SMB1001 Bronze covers
SMB1001 Bronze covers the foundational cyber hygiene every small business should already have in place, drawn from the standard's five domains. SMB1001 is published by Dynamic Standards International (DSI) and organises cyber security into five categories: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training. Bronze is the first credible baseline across those categories, not a deep governance exercise.
According to DSI-aligned guidance for the SMB1001:2026 edition, Bronze focuses on practical controls such as:
- Active antivirus or endpoint protection on every device, set to update automatically.
- Firewalls in place, including software firewalls enabled on each machine.
- Default and factory passwords changed on devices and accounts.
- Automatic security updates (patching) configured across machines.
- Multi-factor authentication (MFA) on key accounts such as email and admin logins.
- Secure email settings to reduce email-based attacks.
- Regular, protected backups of important data.
- Basic cyber awareness training for staff.
One notable change in the 2026 edition: cyber awareness training was moved into the Bronze tier, so staff education is now a day-one expectation rather than something deferred to higher tiers. We describe Bronze at this category level rather than reproducing the exact control wording, because the authoritative control list belongs to DSI. Always confirm the precise current requirements against the official standard before you self-assess.
Where Bronze sits in the five-tier DSI model
Bronze is the entry point of five tiers that build on each other: Bronze, Silver, Gold, Platinum, and Diamond. Each tier raises the bar across the same five domains. The intent is a clear progression, from minimal hygiene at Bronze to mature, enterprise-grade governance at Diamond.
A practical distinction matters here for planning and budget: Bronze and Silver are self-assessed, while Gold and above require an external audit by an accredited assessor. That is why Bronze is achievable on a short timeline. You are attesting to controls you can demonstrate, not booking an auditor. Most small Australian businesses start at Bronze to satisfy a contract, supplier, or insurance requirement, then climb tiers as they mature. You can read more about the standard and how the tiers map on our SMB1001 page.
SMB1001 is also a "dynamic" standard, updated annually by a steering committee, which is why the current edition is SMB1001:2026 and why recertification is an annual rhythm rather than a one-off. Plan for it like an annual service, not a set-and-forget certificate.
The fastest sensible order to reach Bronze
The fastest route is to fix the technical controls first, because they are mostly configuration you can verify the same day, then handle backups and training. Tackling them in this order means each step produces evidence you can screenshot or export as you go.
Step 1: Antivirus and automatic updates (Days 1 to 5)
Start here because it is usually the quickest win. Confirm antivirus or endpoint protection is installed and active on every laptop, desktop, and server, and that it updates automatically. Then confirm operating systems and key applications are set to install security updates automatically. On a Microsoft 365 and Windows fleet, much of this is centrally visible.
Step 2: Firewalls and default passwords (Days 5 to 9)
Check the firewall at the edge of your network is on, and that the software firewall is enabled on each device. Change any default or factory passwords on routers, network gear, and admin accounts. Document the date you changed them.
Step 3: Multi-factor authentication (Days 9 to 14)
Turn on MFA for email, administrator accounts, and any business-critical logins. For Microsoft 365 tenants this is the single highest-impact control, and it is where most small businesses have a gap. CYBERWHITE can detect MFA status automatically and, where appropriate, apply one-click AutoFix through Microsoft Graph, so this step does not have to be manual.
Step 4: Secure email settings (Days 12 to 18)
Tighten email security to reduce phishing and spoofing, in line with the 2026 edition's focus on email-based attacks. This typically includes email authentication settings on your domain and safer default configurations in your mail platform.
Step 5: Backups (Days 16 to 22)
Confirm that important data is backed up regularly, that the backups are protected, and that you have checked at least once that a restore works. A backup you have never tested is a guess, not a control.
Step 6: Cyber awareness training (Days 20 to 27)
Run basic security awareness training for all staff and record who completed it and when. Because training moved into Bronze for 2026, this is now a required part of the baseline, not an optional extra.
Step 7: Self-assessment and evidence pack (Days 27 to 30)
With the controls in place, complete the Bronze self-assessment and assemble your evidence in one folder. Then you are ready to certify.
The evidence to keep for Bronze
Keep simple, dated proof for each control, because self-assessment still means you should be able to show your working. You do not need an enterprise GRC platform for Bronze, but a tidy evidence pack saves time at renewal and protects you if a customer or insurer ever asks.
A workable Bronze evidence pack includes:
- Screenshots of antivirus or endpoint status across devices.
- Evidence that automatic updates and patching are enabled.
- A short list of accounts with MFA turned on, with a screenshot of the policy.
- Firewall configuration confirmation and the date default passwords were changed.
- Email security settings, including domain authentication records.
- Backup configuration plus the date and result of your last restore test.
- A training completion record showing staff names and dates.
- The completed self-assessment, dated and signed by a responsible person.
Store it in one named folder with the SMB1001:2026 edition noted, and diarise the recertification date a year out.
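One way to produce the "date and result of your last restore test" item from Step 5, as an added example that is not part of the SMB1001 standard or of CYBERWHITE's platform: it hashes a sample folder and the copy restored from backup, then writes a dated pass/fail record into the evidence folder. The folder names, record fields and sample file are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def tree_digests(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    # read_bytes() loads a whole file; fine for a sample set, chunk it for large files.
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(source_dir, restored_dir):
    """Compare a restored copy with its source and return a dated evidence record."""
    src, dst = tree_digests(source_dir), tree_digests(restored_dir)
    missing = sorted(set(src) - set(dst))
    changed = sorted(name for name in set(src) & set(dst) if src[name] != dst[name])
    # An empty source proves nothing, so it is a FAIL rather than a vacuous PASS.
    passed = bool(src) and not missing and not changed
    return {
        "control": "Backup restore test",
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_checked": len(src),
        "missing": missing,   # in the source but absent from the restore
        "changed": changed,   # content differs (or the file was edited since the backup)
        "result": "PASS" if passed else "FAIL",
    }


def write_evidence(record, evidence_dir):
    """Save the record as a dated JSON file in the evidence folder; return its path."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    out = evidence_dir / f"restore-test-{record['tested_at'][:10]}.json"
    out.write_text(json.dumps(record, indent=2))
    return out


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        for side in ("live", "restored"):
            Path(tmp, side).mkdir()
            Path(tmp, side, "invoices.csv").write_text("id,total\n1,120.00\n")
        rec = verify_restore(Path(tmp, "live"), Path(tmp, "restored"))
        print(rec["result"], write_evidence(rec, Path(tmp, "evidence")))
```

Run it against files that have not been edited since the backup was taken; otherwise a legitimate edit shows up under `changed` and needs a manual look.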
How CYBERWHITE helps you reach Bronze
CYBERWHITE turns this checklist into a guided, evidence-backed workflow instead of a spreadsheet exercise. CYBERWHITE is Australian owned and operated (ABN 31 598 198 475) and a DSI Licensed Commercial Holder of the SMB1001 standard. The platform offers self-guided plus automated SMB1001 and Essential 8 assessment, with one-click AutoFix for common gaps through Microsoft Graph, and CARS adaptive risk scoring to show where your real risk sits.
In practice that means the platform can scan your Microsoft 365 environment, tell you which Bronze-relevant controls are already in place, flag what is missing, and in many cases fix it for you while capturing the evidence. If you want to see it against your own environment, book a demo.
Frequently asked questions
What is SMB1001 Bronze?
SMB1001 Bronze is the entry tier of the SMB1001 cyber security standard published by DSI. It establishes foundational cyber hygiene across antivirus, firewalls, automatic updates, MFA, secure email, backups, and basic staff awareness training.
Is SMB1001 Bronze self-assessed or audited?
Bronze is self-assessed, as is Silver. Gold, Platinum, and Diamond require an external audit by an accredited assessor. That is why Bronze is the most accessible starting point for small businesses.
How long does it take to reach SMB1001 Bronze?
For a typical small Australian business, around 30 days is a realistic plan. This is a sequencing estimate, not a guarantee, and your timeline depends on how many controls you already have and the size of your IT environment.
What are the five SMB1001 tiers?
The five tiers are Bronze, Silver, Gold, Platinum, and Diamond. Each builds on the one below, raising the bar across the standard's five domains as your security maturity grows.
What are the five SMB1001 domains?
DSI organises SMB1001 into five domains: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training. Every tier, including Bronze, touches these categories.
Does SMB1001 Bronze require multi-factor authentication?
Yes. Bronze expects MFA on key accounts such as email and administrator logins. For Microsoft 365 environments this is usually the highest-impact and most commonly missing control.
Did anything change for Bronze in SMB1001:2026?
Yes. In the SMB1001:2026 edition, cyber awareness training was moved into the Bronze tier, making staff education a day-one requirement. The edition also sharpened focus on email-based attacks and threat detection. Always confirm exact requirements against the current DSI standard.
How often do I need to recertify for SMB1001 Bronze?
SMB1001 is a dynamic standard updated annually, so recertification is an annual rhythm. Treat it like a yearly service against the current edition rather than a one-off certificate.
How does SMB1001 compare with the Essential Eight?
SMB1001 is a tiered certification built specifically for SMBs, while the Essential Eight is an Australian mitigation framework with maturity levels. The two overlap on practical controls, and SMB1001 is designed to align with frameworks like the Essential Eight. Many Australian businesses pursue both.
Can CYBERWHITE help me get to Bronze?
Yes. CYBERWHITE provides self-guided and automated SMB1001 assessment, scans your Microsoft 365 environment for Bronze-relevant gaps, can apply one-click AutoFix for many of them, and captures the evidence as it goes. You can start on the SMB1001 page or book a demo.