
SMB1001 Certification in Australia: Bronze, Silver, Gold and Beyond

SMB1001 certification in Australia: the five tiers from Bronze to Diamond, who needs certification, what evidence each tier requires, and how self-assessed tiers differ from independently audited ones.

By Vikram Kukreja

TL;DR: SMB1001 certification is a tiered Australian cybersecurity credential published by Dynamic Standards International (DSI). The five tiers run from Bronze to Diamond. Bronze and Silver are self-assessed. Gold, Platinum, and Diamond require an independent audit by a DSI-accredited assessor. Most Australian SMBs pursue Bronze first to satisfy a contract or insurer requirement, then climb tiers as their security posture matures.

As a DSI Licensed Commercial Holder of the SMB1001 standard (ABN 31 598 198 475), CYBERWHITE works with Australian businesses through this process every day. This guide explains what each tier requires, who needs certification, and how to approach the evidence and assessment process honestly.

What is SMB1001 certification?

SMB1001 certification is formal recognition that your organisation has met the cybersecurity requirements of the SMB1001 standard at a specified tier. DSI publishes the standard specifically for Australian small and medium businesses, and it is updated annually.

Certification signals to customers, government bodies, and cyber insurers that your business has implemented a credible, verified baseline of security controls. For Australian businesses bidding on government contracts or supplier panels, SMB1001 certification is increasingly listed alongside the ACSC Essential 8 as an expected credential.

SMB1001 certification is not a one-time certificate: the standard itself is updated each year. The current edition is SMB1001:2026. Organisations that certify under a given edition must recertify against the new edition the following year. Plan for it as an annual rhythm, not a one-time event.

The five SMB1001 certification tiers

SMB1001 is structured as five cumulative tiers. Each tier builds on the one below it. You cannot hold Gold without also meeting all Bronze and Silver requirements.

DSI organises controls across five domains at every tier: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training.

Bronze

Bronze is the entry tier and covers foundational cyber hygiene: antivirus and endpoint protection, firewalls, automatic software updates, changed default passwords, multi-factor authentication on key accounts, secure email configuration, regular tested backups, and basic staff cyber awareness training. Bronze is self-assessed.

In the SMB1001:2026 edition, staff cyber awareness training moved into the Bronze tier, making it a day-one requirement rather than something reserved for higher tiers.

Silver

Silver raises the bar across the same five domains. It adds stronger access controls, more formalised policies, and deeper backup and recovery requirements. Like Bronze, Silver is self-assessed.

Gold

Gold moves into mature security controls: supply chain management, enhanced incident response, and tighter governance requirements. Gold is the first tier that requires an external audit by a DSI-accredited assessor. This is a meaningful shift. Gold means a third party has verified your controls, not you alone.

Platinum

Platinum extends controls further into advanced threat detection, formal incident response testing, and supply chain security. An independent audit is required, and the scope broadens significantly compared to Gold.

Diamond

Diamond is the highest SMB1001 tier and adds ongoing independent monitoring and penetration testing on top of a full external audit. Diamond is appropriate for organisations handling highly sensitive data, operating in regulated industries, or seeking to satisfy the most demanding enterprise or government customers.

Self-assessed vs independently audited: what the difference means

The distinction between self-assessed and independently audited tiers determines your cost, your timeline, and the weight your certificate carries with third parties.

Self-assessed (Bronze and Silver): You complete the assessment yourself and attest that the controls are in place. You maintain an evidence pack but no external auditor reviews it before you certify. Self-assessment makes Bronze and Silver accessible on a short timeline and at a lower cost. The credential is real, but it rests on your own attestation.

Independently audited (Gold, Platinum, Diamond): A DSI-accredited assessor reviews your controls and evidence. You need to engage an assessor, allow time for their review, and address any findings before certification is granted. External audits add cost and time but produce a credential that customers and regulators can independently verify.

For most Australian SMBs starting their SMB1001 journey, Bronze self-certification is the first practical goal. Our SMB1001 Bronze checklist walks through reaching Bronze inside 30 days.

Who needs SMB1001 certification in Australia?

SMB1001 certification is not currently mandated by law for private-sector businesses in Australia. However, it is increasingly expected in specific situations.

Government and public-sector suppliers: State and federal government supplier panels are listing SMB1001 (typically at Bronze or Silver) as a requirement for new and renewed suppliers. If your business provides services to government, check the specific panel requirements before tendering.

Businesses in regulated industries: Healthcare, financial services, legal, and transport businesses face growing pressure from regulators and enterprise customers to demonstrate a verified security baseline. SMB1001 provides a structured, tiered credential that answers this without the full overhead of ISO 27001 or SOC 2.

Businesses seeking cyber insurance: Many Australian insurers now ask for evidence of a security baseline as part of underwriting. An SMB1001 certificate at Bronze or Silver is a recognised answer to that question.

Businesses in enterprise supply chains: Larger customers are auditing their suppliers more rigorously. An SMB1001 certificate is a fast, credible response to a supplier security questionnaire because it is verifiable by the certifying body rather than self-declared.

How long does SMB1001 certification take?

Timelines depend on your starting position, the tier you are targeting, and whether you are self-assessing or going through an external audit.

Bronze: A typical small Australian business with an existing Microsoft 365 environment can reach Bronze in 20 to 30 days. The effort is mostly in configuring and evidencing controls that many businesses assume are already in place but have never verified.

Silver: Adds four to eight weeks beyond Bronze for most organisations, depending on how much additional policy work the specific controls require.

Gold (with external audit): Allow three to six months from beginning your Gold preparation to receiving the certificate. The assessment timeline partly depends on accredited assessor availability and the number of findings raised.

Platinum and Diamond: These typically require six months or more from baseline and are pursued by organisations with dedicated security resources or a specific contractual need.

All of these are typical ranges, not guarantees. The actual time in your environment depends on how close your current controls are to each tier's requirements before you start.

What evidence do you need for SMB1001 certification?

For self-assessed tiers (Bronze and Silver), you maintain your own evidence pack and attest to it. For independently audited tiers, the accredited assessor reviews your evidence as part of the engagement.

A workable evidence pack covers the same areas as the controls: configuration exports or screenshots showing antivirus and endpoint status, patch and update confirmation, MFA policy settings, firewall configuration, email security records, a completed backup restore test, staff training completion records, and (at Silver and above) documented policies for the relevant domains.

The aim is not volume but clarity. Can you demonstrate that a specific control is active on a specific date? One clear, dated screenshot beats a 30-page policy document that no one follows.

Maintain your evidence pack in a named folder with the SMB1001:2026 edition noted. Diarise the recertification date for the following year before you close the folder.

SMB1001 certification vs Essential 8 compliance

SMB1001 and the ACSC Essential 8 both strengthen Australian business cybersecurity, but they differ in structure, scope, and what the credential means to a third party.

The Essential 8 is mandatory for Australian Federal Government entities at Maturity Level 2 and is frequently required by federal contractors. It focuses on eight specific technical mitigation strategies and does not carry a formal certification. There is no "Essential 8 certificate" to present to a customer. You can read more in our Essential 8 compliance guide.

SMB1001 is designed for smaller businesses, is broader across five domains, and comes with a formal tiered certification that a customer or insurer can ask DSI to verify. It is better suited to businesses that need a recognised, third-party-verifiable credential without the complexity of ISO 27001 or SOC 2.

Many Australian businesses pursue both: SMB1001 for the certification credential and Essential 8 for the technical depth required by government customers. CYBERWHITE supports both frameworks in a single platform, so one scan can assess your Microsoft 365 environment against both simultaneously.

How CYBERWHITE supports your SMB1001 certification

CYBERWHITE is an Australian-owned compliance platform (ABN 31 598 198 475) and a DSI Licensed Commercial Holder of the SMB1001 standard. The platform provides guided SMB1001 assessment across all tiers, automated scanning of your Microsoft 365 environment for SMB1001-relevant control gaps, one-click AutoFix remediation for gaps that can be addressed through Microsoft Graph, and evidence capture as you progress through each control.

For businesses targeting Bronze or Silver, the platform turns the self-assessment process from a spreadsheet exercise into a guided, evidence-backed workflow. Gaps are flagged, fixes are available where automatable, and the evidence pack builds as you work.

For businesses preparing for a Gold, Platinum, or Diamond external audit, the platform gives you a clear gap analysis and evidence base before the assessor arrives. This reduces the number of findings raised during audit and shortens the time to certification.

To see how your current environment maps against SMB1001, start on our SMB1001 overview page. To see the platform against your own tenant, book a demo. For subscription details, see our pricing page.

Frequently asked questions

What is SMB1001 certification?

SMB1001 certification is formal recognition from DSI that your organisation has met the cybersecurity requirements of the SMB1001 standard at a specified tier, from Bronze at the entry level through to Diamond at the highest level.

Is SMB1001 certification mandatory for Australian businesses?

SMB1001 is not currently mandatory by law for private-sector businesses. However, it is increasingly required by government supplier panels, enterprise customers, and cyber insurers as a condition of doing business.

How many tiers does SMB1001 have?

SMB1001 has five tiers: Bronze, Silver, Gold, Platinum, and Diamond. Each builds on the previous one. Bronze and Silver are self-assessed. Gold, Platinum, and Diamond require an external audit by a DSI-accredited assessor.

What is the difference between SMB1001 Bronze and Gold?

Bronze covers foundational hygiene controls and is self-assessed. Gold adds mature supply chain, incident response, and governance controls and requires an independent audit by an accredited assessor. Gold carries more weight with third parties because a DSI assessor has verified it, not the business itself.

How much does SMB1001 certification cost?

Costs depend on the tier and your approach. Bronze and Silver are self-assessed, so there is no auditor fee, though you may use a platform or consultant to assist. Gold and above require an accredited assessor, which adds cost. For CYBERWHITE's platform pricing, see our pricing page.

How long is an SMB1001 certificate valid?

SMB1001 is an annual standard, so certification is valid for one year. Recertification against the current edition is required annually. Treat it as a recurring process rather than a one-time event.

Can CYBERWHITE help with SMB1001 certification?

Yes. CYBERWHITE is a DSI Licensed Commercial Holder of the SMB1001 standard. The platform provides self-guided and automated SMB1001 assessment, scans your Microsoft 365 environment for control gaps across all tiers, and can apply AutoFix for many common issues while capturing the evidence. See our SMB1001 overview or book a demo.

Does SMB1001 certification cover the same controls as Essential 8?

SMB1001 and the Essential 8 overlap on several technical controls, particularly patching, MFA, and access management. However, SMB1001 is broader across governance, backup, and training domains, while the Essential 8 goes deeper on specific technical mitigation strategies. You can read a detailed comparison on our Essential 8 compliance page.

What changed in SMB1001:2026 compared to earlier editions?

DSI updates SMB1001 annually. In the 2026 edition, staff cyber awareness training moved into the Bronze tier, and the standard sharpened its focus on email-based attacks. Organisations certified under an earlier edition should review the current requirements before their next annual recertification. For the precise current control wording, the DSI standard is the authoritative source.

Where do I find the official SMB1001 standard?

The SMB1001 standard is published and maintained by Dynamic Standards International (DSI). For the authoritative control list and the current list of accredited assessors, contact DSI directly. CYBERWHITE describes the framework at a category level to guide planning; for the precise wording of each control, the DSI standard is the source of truth.

Ready to assess your compliance?

CYBERWHITE helps Australian businesses reach Essential 8 and SMB1001 audit-readiness faster. Start with our free 5-minute assessment.