DSI LICENSED COMMERCIAL HOLDER

SMB1001: Australia's 5-Tier Cybersecurity Framework for Small Businesses

SMB1001 is the DSI cybersecurity standard built specifically for Australian small and medium businesses that don't have a dedicated security team. Graduated across five achievable tiers from Bronze to Diamond, it gives your business a defensible cybersecurity baseline that insurers, enterprise customers, and government contractors recognise.

Australian Owned and Operated. ABN 31 598 198 475. CYBERWHITE is a DSI Licensed Commercial Holder of the SMB1001 standard.

What is SMB1001?

SMB1001 is an Australian cybersecurity standard published by the Digital Security Initiative (DSI). It exists because most Australian small and medium businesses cannot realistically implement enterprise-grade frameworks such as Essential 8 or ISO 27001 from a standing start. SMB1001 fills the gap with a graduated, accessible path to mature cybersecurity.

Unlike single-pass-or-fail frameworks, SMB1001 progresses through five distinct tiers, each adding more rigorous controls on top of the previous one: Bronze, Silver, Gold, Platinum, and Diamond. A business can start at Bronze with foundational hygiene that takes weeks (not years) to achieve, then move up as it grows and as customer or regulatory requirements demand.

Each tier covers controls across five operational domains:

  • Technology Management — firewalls, antivirus, secure configuration
  • User Access — passwords, MFA, account lifecycle
  • Backup and Recovery — protecting data from ransomware and accidents
  • Policies, Processes and Plans — written cyber policies, incident response
  • People and Training — security awareness across staff

Holding an SMB1001 certification signals to customers, insurers, and government that your business takes cybersecurity seriously and has the controls to prove it. Increasingly, Australian enterprise procurement teams and cyber insurers are asking for it by name.

Who needs SMB1001?

Australian SMBs

Any Australian small or medium business that wants a defensible cybersecurity baseline without taking on the full weight of enterprise frameworks. Bronze alone is enough to satisfy most cyber insurance underwriters.

Government Contractors

Small businesses bidding for state or federal government contracts increasingly find SMB1001 (typically Silver or Gold) accepted as evidence of cybersecurity maturity, especially for sub-contracts under prime contractors.

MSPs and Their Clients

Managed Service Providers serving Australian SMBs find SMB1001 a natural productised service. The graduated tiers map cleanly to upsell paths: get a client to Bronze, then upgrade them through Silver and Gold as their needs mature.

B2B Suppliers

Australian SMBs supplying enterprise customers increasingly face security questionnaires. SMB1001 certification short-circuits much of that paperwork: produce one certificate instead of answering hundreds of questions.

The five SMB1001 tiers explained

SMB1001 is cumulative. Silver requires every Bronze control plus the new Silver controls. Gold requires Silver plus the new Gold controls. And so on through to Diamond.

Bronze — Foundational hygiene

30 to 60 days for most Australian SMBs

The starting tier. Bronze covers the absolute essentials every Australian business should have in place: firewalls, antivirus, MFA on email, backups, password discipline, and basic written cyber policies. Bronze is deliberately designed to be achievable by businesses without a dedicated IT or security team. Insurers and most enterprise customers accept Bronze as the minimum bar.

Silver — Intermediate controls

Adds 30 to 90 days beyond Bronze

Silver tightens access controls, adds device management, expands backup requirements to include tested restoration, and introduces formal incident response procedures. Suitable for SMBs handling customer data, payment information, or any sensitive business records. Silver is the typical bid-ready tier for government sub-contracts and is widely recognised by cyber insurers for premium reductions.

Gold — Mature controls

Adds 3 to 6 months beyond Silver

Gold introduces continuous monitoring, formal vulnerability management, structured security awareness training across all staff, supplier risk management, and tested business continuity processes. Gold is suitable for businesses handling regulated data (health, financial, legal records) and for SMBs that have grown to the point where ad-hoc cybersecurity is no longer adequate. Gold is also a common precursor for businesses preparing for Essential 8 ML1.

Platinum — Advanced controls

Adds 3 to 6 months beyond Gold

Platinum extends the framework into supply-chain risk, formal incident response with rehearsals, advanced identity and access management including privileged access controls, and documented disaster recovery with regular drills. Platinum is suitable for SMBs supplying critical infrastructure operators, handling government data, or operating in highly regulated sectors.

Diamond — Peer-reviewed, audit-ready

Adds 6 to 12 months beyond Platinum

Diamond is the top tier, requiring peer-reviewed evidence and equivalent rigour to enterprise frameworks. Suitable for SMBs that have outgrown the SMB label, operate in regulated industries (finance, healthcare, defence supply chain), or want a single demonstrable cybersecurity standard that satisfies the most demanding enterprise procurement teams. Diamond is often the strategic destination tier for businesses planning IPO, acquisition, or major government contract pursuit.

The five SMB1001 control domains

Each tier covers controls across five operational areas. The number and depth of controls increase as you move up the tiers, but every tier touches all five domains.

Technology Management

Firewalls, antivirus, device configuration, network segmentation, secure software deployment.

User Access

Strong passwords, multi-factor authentication, account lifecycle, principle of least privilege.

Backup and Recovery

Regular tested backups, immutable copies, recovery-time objectives, ransomware resilience.

Policies, Processes and Plans

Written cybersecurity policies, incident response plans, business continuity, change management.

People and Training

Security awareness for all staff, phishing simulations, role-based training, acceptable-use education.

SMB1001 vs Essential 8: which should you pursue?

Australian SMBs often ask whether to pursue SMB1001 or Essential 8 first. The honest answer is: SMB1001 is usually the better starting point, and many businesses end up doing both.

SMB1001 is broader and more accessible. It covers technology, people, processes, governance, and backup across five tiers. Bronze is achievable in weeks. The framework is built from the ground up for businesses without dedicated security staff.

Essential 8 is narrower and more technically prescriptive. It focuses on eight specific technical mitigation strategies. The framework assumes the organisation can implement enterprise-grade controls. Essential 8 is required for Australian Federal Government non-corporate entities and is widely requested for government contracts.

A typical Australian SMB journey looks like this: start with SMB1001 Bronze to establish a defensible baseline, progress to Silver or Gold as customer or regulatory requirements demand, then layer Essential 8 ML1 on top when bidding for government contracts that require it. Many CYBERWHITE customers maintain both certifications simultaneously.

How CYBERWHITE delivers SMB1001 compliance

CYBERWHITE is a DSI Licensed Commercial Holder of the SMB1001 standard. That means we are authorised to assess and certify Australian businesses across all five tiers, with automated scanning and evidence collection that compresses the audit timeline from months to weeks.

DSI Licensed end-to-end

As a DSI Licensed Commercial Holder, CYBERWHITE can guide you through the full SMB1001 lifecycle: initial assessment, gap closure, evidence collection, and certification at the appropriate tier. You deal with one Australian partner end-to-end, not a chain of consultants.

Automated assessment across all five domains

Our compliance agent connects to your Microsoft 365 tenant with read-only, least-privilege scopes and assesses your environment against the SMB1001 controls at your target tier. No spreadsheets, no guesswork, no manual cross-referencing of controls.

Tier-by-tier upgrade path

Start at Bronze, see your gaps to Silver, plan the lift to Gold. The platform shows you exactly which controls are missing for the next tier and what evidence is needed. Upgrade your tier when the business is ready.

Audit-ready evidence on demand

Every scan, every remediation, every approval is logged. Export an audit pack in minutes when a customer, insurer, or government procurement team asks for evidence. No more last-minute scrambling at certification time.

Frequently asked questions

What is SMB1001?

SMB1001 is an Australian cybersecurity standard published by the Digital Security Initiative (DSI) and built specifically for small and medium businesses. Unlike enterprise-grade frameworks such as Essential 8 or ISO 27001, SMB1001 is graduated across five accessible tiers (Bronze, Silver, Gold, Platinum, Diamond) so a business can start with foundational hygiene and progress as its maturity grows.

How is SMB1001 different from Essential 8?

Essential 8 is the Australian Cyber Security Centre's framework focused on eight specific technical mitigation strategies. It assumes the organisation has the resources and technical capability to implement enterprise-grade controls. SMB1001 is broader in scope (covering technology, people, processes, governance, backup and recovery) but graduated for accessibility. Many Australian SMBs start with SMB1001 Bronze to establish a defensible baseline, then layer Essential 8 maturity on top as they grow.

What are the 5 tiers of SMB1001?

Bronze (foundational hygiene every Australian SMB should have), Silver (intermediate controls protecting customer data and access), Gold (mature controls suitable for businesses handling regulated data), Platinum (advanced controls covering supply chain and incident response), and Diamond (peer-reviewed, audit-ready, equivalent in rigour to enterprise frameworks). The tiers are cumulative, meaning each level requires the controls of all levels below it plus additional new controls.

Is SMB1001 certification mandatory?

SMB1001 is not legally mandatory for private Australian businesses but is increasingly being requested by enterprise customers, government contractors, and cyber insurers as evidence of mature cybersecurity practice. Holding an SMB1001 certification can reduce cyber insurance premiums and accelerate enterprise procurement processes.

Who can certify SMB1001?

SMB1001 certification can be issued by DSI Licensed Commercial Holders. CYBERWHITE is a DSI Licensed Commercial Holder and can guide your business through the assessment process across all five tiers, with automated scanning of your Microsoft 365 environment for evidence collection.

How long does SMB1001 Bronze take to achieve?

Most Australian SMBs reach SMB1001 Bronze within 30 to 60 days. Bronze is intentionally designed to be achievable by businesses without a dedicated security team. Silver typically takes another 30 to 90 days. Gold and above require more substantive operational changes and typically add 3 to 6 months each.

Can MSPs deliver SMB1001 to their clients?

Yes. MSPs are one of the most efficient channels for delivering SMB1001 because they already manage their clients' Microsoft 365 environments where most of the SMB1001 controls live. CYBERWHITE offers a dedicated MSP platform for delivering SMB1001 across multiple client tenants.

How does SMB1001 compare to ISO 27001?

ISO 27001 is an international information security management standard that requires significant organisational investment in policies, procedures, and a full Information Security Management System (ISMS). SMB1001 is designed to be far more accessible while still demonstrating mature cybersecurity practice. Many Australian SMBs choose SMB1001 as a more practical starting point and only pursue ISO 27001 if their customers or regulators specifically require it.

How much does SMB1001 cost?

SMB1001 costs vary based on the tier you pursue and whether you go consulting-led or platform-led. Consulting-led implementations can range from AUD 5,000 to AUD 30,000 for SMBs. Platform-led approaches such as CYBERWHITE start at a fraction of that, with monthly subscriptions including continuous scanning, prioritised remediation, and audit-ready evidence across all five tiers.

Does SMB1001 cover cloud workloads?

Yes. SMB1001 is technology-neutral and applies to cloud, on-premises, and hybrid environments. Because most Australian SMBs run on Microsoft 365, CYBERWHITE focuses its automated SMB1001 scanning on the M365 tenant where the majority of controls live.

Start your SMB1001 journey at Bronze

Bronze is achievable in 30 to 60 days for most Australian SMBs. CYBERWHITE is a DSI Licensed Commercial Holder, so the same platform that assesses your gaps also certifies your tier.