TL;DR: SMB1001 has five maturity levels: Bronze, Silver, Gold, Platinum, and Diamond. Bronze and Silver are self-assessed, so a small Australian business can reach them without booking an external auditor. Gold and above require an accredited third-party assessor. Most businesses start at Bronze to satisfy a contract or insurance requirement, then climb as their cyber controls mature.
As a DSI Licensed Commercial Holder of the SMB1001 standard, CYBERWHITE works with all five tiers daily. This guide explains what each level covers, how they build on each other, and how to choose where to start.
What is the SMB1001 framework?
SMB1001 is an Australian cyber security standard published by Dynamic Standards International (DSI), designed specifically for small and medium businesses. The SMB1001 framework organises security controls across five domains: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training.
The standard is updated annually by a DSI steering committee, so the current edition is SMB1001:2026. This annual cadence means recertification is a yearly rhythm, not a one-off exercise.
SMB1001 earns recognition from Australian government contractors, procurement teams, and cyber insurers because it is practical, graduated, and independently auditable at higher tiers. For a full overview of what the framework covers, start at our SMB1001 page.
How the five SMB1001 maturity levels are structured
The five SMB1001 maturity levels are cumulative. Each tier builds on every control from the level below it. You cannot certify at Gold without first satisfying all Silver requirements, and Silver requires all Bronze controls first.
The most important structural distinction is assessment method:
| Level | Assessment type | Typical timeline |
|---|---|---|
| Bronze | Self-assessed | Around 30 days |
| Silver | Self-assessed | 30-60 days after Bronze |
| Gold | External audit by DSI-accredited assessor | Three to six months |
| Platinum | External audit | Six to twelve months |
| Diamond | External audit plus penetration testing | Twelve months or more |
Bronze and Silver move quickly because the business assesses itself and attests to its controls. Gold through Diamond involve booking an external auditor, remediation cycles, and formal audit reports. Plan for those tiers as a multi-month project, not a checklist exercise.
SMB1001 Bronze: the starting point for most Australian SMBs
Bronze covers foundational cyber hygiene: active antivirus on all devices, enabled firewalls, automatic security patching, multi-factor authentication on key accounts, secure email settings, regular tested backups, and basic staff cyber awareness training.
One change to note for 2026: cyber awareness training moved into the Bronze tier, making staff education a day-one requirement rather than something deferred to Silver.
Bronze is self-assessed, which means no auditor booking, no consulting day rate, and no scheduling delay. A 10-20 person business with a Microsoft 365 tenant can reach Bronze in around 30 days if controls are tackled in the right order. The detailed sequence and evidence pack are covered in our SMB1001 Bronze checklist.
Most Australian SMBs pursue Bronze first because it satisfies an immediate trigger: a government supplier requirement, a cyber insurance question sheet, or a customer due-diligence request.
SMB1001 Silver: stepping up on access and governance
Silver raises the bar across the same five domains as Bronze. Additional controls at Silver typically cover stricter access management policies, stronger password requirements, more rigorous patch management cycles, and early governance practices such as a documented incident response procedure.
Silver remains self-assessed. A business that reaches Bronze can typically reach Silver within 30-60 days by closing the gaps identified during its Bronze self-assessment. Because the tiers are cumulative, the Bronze controls already in place carry forward unchanged; none of that work is repeated for Silver.
A business at Silver begins to look credible to mid-market customers and enterprise procurement teams that want evidence of a proactive security posture, not a minimum-viable checkbox.
SMB1001 Gold: the first tier requiring an external auditor
Gold requires an external audit by a DSI-accredited assessor. Controls at Gold extend into mature access management, advanced incident response planning, supply chain awareness, and formal risk management processes.
Gold is the right target for businesses that hold regulated data, operate in healthcare or financial services, or supply to enterprise organisations with stringent third-party security requirements.
The external audit process means Gold takes longer than Bronze or Silver. Expect a three-to-six month runway from the point of engagement: scope the audit, address any pre-audit gaps, book the assessor, receive the audit report, remediate findings, and receive certification. Build this into your planning before committing to a Gold timeline to a customer or insurer.
SMB1001 Platinum and Diamond: advanced maturity for high-stakes environments
Platinum extends Gold with controls around threat detection, continuous monitoring, and formal governance structures. It remains an external audit and carries a higher evidence burden than Gold.
Diamond is the highest SMB1001 maturity level and adds independent penetration testing, a maturity review by the assessor, and ongoing monitoring requirements. Diamond is designed for organisations where a cyber failure would have serious legal, commercial, or reputational consequences.
Few Australian SMBs target Diamond as an initial goal. The path that works in practice is Bronze, then Silver, then plan for Gold once internal processes are mature enough to survive external scrutiny. Platinum and Diamond typically follow Gold by one to two years once the organisation has embedded mature security operations.
Which SMB1001 maturity level should your business target first?
The right starting level depends on why you are pursuing certification:
- Contract or procurement requirement: Bronze satisfies most Australian government and commercial supplier requirements. Start here.
- Cyber insurance premium reduction: Bronze to Silver is typically the threshold insurers look for when assessing risk maturity.
- Enterprise customer due diligence: Silver or Gold, depending on how sensitive the data you handle is.
- Healthcare, financial services, or DISP supply chain: Gold as the target, with Bronze and Silver as interim milestones.
If you are uncertain, start at Bronze. It delivers a real certification, a tangible evidence pack, and a clear view of what needs closing before Silver. To understand how SMB1001 compares against Essential 8 when choosing where to invest first, read our post on Essential 8 vs SMB1001. Pricing for guided maturity progression is on our pricing page.
How CYBERWHITE accelerates SMB1001 maturity progression
CYBERWHITE is a DSI Licensed Commercial Holder of the SMB1001 standard (ABN 31 598 198 475) and an Australian-owned platform built around guided compliance. The platform covers self-guided and automated SMB1001 assessment, scans your Microsoft 365 environment for control gaps across all five domains, and captures evidence automatically as it goes.
Where gaps can be fixed programmatically, the AutoFix engine applies one-click remediation through Microsoft Graph with a full snapshot, execute, and rollback workflow. CYBERWHITE has 149 AutoFix actions across Essential 8 and SMB1001 combined, covering the controls that account for the most common gaps in Australian SMB environments.
MSPs using CYBERWHITE can manage SMB1001 maturity progression across their full client portfolio from one dashboard, tracking each client from Bronze through Diamond rather than running separate assessments manually.
To see the platform against your own environment, book a demo. For the full framework overview and tier breakdown, see the SMB1001 page.
Frequently asked questions
What are the SMB1001 maturity levels?
The five SMB1001 maturity levels are Bronze, Silver, Gold, Platinum, and Diamond. They are cumulative: each level requires all the controls from the level below. Bronze and Silver are self-assessed. Gold, Platinum, and Diamond require an external audit by a DSI-accredited assessor.
Is SMB1001 the same as the Essential 8?
No. SMB1001 is a tiered certification standard published by Dynamic Standards International, built specifically for Australian SMBs. The Essential 8 is a set of eight technical mitigation strategies published by the ACSC. Both address cyber security, but their scope, structure, and target audience differ. Many Australian businesses pursue both, using SMB1001 for tiered certification and Essential 8 for technical baseline measurement.
How long does it take to progress through the SMB1001 maturity levels?
Bronze typically takes around 30 days for a small business that actions controls in sequence. Silver adds another 30-60 days. Gold involves an external audit booking and remediation cycle, so expect three to six months from Bronze certification. Platinum and Diamond require sustained maturity work over 12 months or more.
What evidence do I need for SMB1001 Bronze?
Bronze evidence includes antivirus status screenshots, confirmation that automatic updates are enabled, a list of accounts with MFA active, firewall configuration records, email security settings, backup configuration with a dated restore test, a staff training completion record, and a completed self-assessment signed by a responsible person.
Do I need a consultant to reach SMB1001 Bronze?
No. Bronze is self-assessed, so you do not need an external consultant or auditor. You can complete the assessment using a guided platform like CYBERWHITE, which scans your environment, identifies gaps, and captures evidence automatically. Alternatively, you can work through the controls manually using the current DSI standard as your guide.
What is the SMB1001 framework built on?
The SMB1001 framework is built on five domains: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training. Every tier from Bronze to Diamond addresses all five domains at increasing levels of depth and formality.
Can an MSP use SMB1001 to certify multiple clients?
Yes. MSPs often use SMB1001 to deliver tiered cyber security certification across their client portfolio. CYBERWHITE supports MSP multi-tenant delivery, allowing an MSP to run simultaneous SMB1001 assessments across multiple clients and track maturity progression per client from one dashboard.
Is SMB1001 recognised by Australian government buyers?
Yes. SMB1001 is gaining recognition across Australian government supplier requirements and procurement processes. Some government contracts now accept or prefer SMB1001 certification, particularly at Silver or Gold, as evidence of baseline cyber security maturity. Always confirm specific requirements with the procuring agency.
What is a DSI Licensed Commercial Holder?
A DSI Licensed Commercial Holder is an organisation licensed by Dynamic Standards International to deliver commercial services based on the SMB1001 standard. CYBERWHITE (ABN 31 598 198 475) holds this licence. That means CYBERWHITE assessments are built directly on the authoritative DSI standard, not a third-party interpretation.
What happens after Diamond?
Diamond is the highest SMB1001 maturity level, so there is no further tier. At Diamond, the focus shifts to continuous improvement, regular penetration testing cycles, and maintaining the maturity posture year-on-year. DSI updates the standard annually, so a Diamond-certified business recertifies each year against the current edition.