
SMB1001 is the only cybersecurity certification standard built specifically for small and medium-sized businesses, and the 2026 edition (released September 2025) is the most consequential revision since the framework launched. If your business has ever wondered which cyber framework to pursue, this is the one most Perth SMBs should be looking at first, and the 2026 changes affect what certification actually costs you to achieve.
This guide explains what changed, what it costs, what it takes to get certified, and which tier your business should target. We work with Perth businesses across law, healthcare, construction, and professional services, so this is written from the perspective of actually getting clients certified, not summarising the marketing material.
SMB1001 is an Australian-developed cybersecurity certification standard for small and medium businesses, published by Dynamic Standards International (DSI). It defines five tiers of cybersecurity maturity (Bronze, Silver, Gold, Platinum, Diamond), each with a specific set of controls. Bronze and Silver are self-assessed and inexpensive. Gold and above require an external audit by an accredited body. The point of the framework is to give SMBs a credible, affordable, and tiered way to prove cyber maturity to clients, insurers, and regulators, without having to attempt ISO 27001 or implement the full Essential Eight.
The 2026 edition is the second annual revision. DSI updates the standard every year, which is one of its underrated strengths. Compare that to ISO 27001, which had a major revision in 2022 and the next one will not arrive for years. Annual revisions mean SMB1001 stays current with the threat landscape.
The 2026 changes fall into three buckets.
SPF, DKIM, and DMARC are required from Silver upward. Previously these were recommended; now they are certification requirements. If your domain does not have these records configured properly, you cannot certify to Silver or above under the 2026 standard.
This is the single most important technical change, because business email compromise (BEC) is consistently the most expensive single attack category for Australian SMBs. The ACSC’s most recent threat report recorded over 87,000 cybercrime reports, with BEC averaging losses of $84,000 per incident. SPF, DKIM, and DMARC together stop most spoofing attempts before they reach inboxes, and the records themselves cost nothing to implement (only the time of someone who knows what they are doing).
The Gold tier is where most serious SMBs end up. The 2026 edition adds four new controls focused on incident response readiness, vendor and supply chain risk, security awareness training cadence, and configuration management evidence. These are not new ideas, but making them explicit Gold requirements raises the bar for what counts as Gold certified. Businesses already Gold-certified under the previous edition will need to demonstrate the new controls at their next audit.
SMB1001:2026 publishes control mappings to Essential Eight, UK Cyber Essentials, US CMMC, and ISO 27001. This matters for Perth businesses with interstate or international clients. A Perth law firm certified to SMB1001 Gold can demonstrate substantive alignment with ISO 27001 controls without paying for a separate ISO audit. For supply chains that span Australia and the UK or US, this is genuinely useful.
| Tier | What it proves | Assessment | Indicative cost |
|---|---|---|---|
| Bronze | You have basic cyber hygiene: antivirus, MFA, patching, backups | Self-assessment | ~$75/year certification fee |
| Silver | Email is authenticated, policies are documented, basic incident response exists | Self-assessment | ~$150-300/year certification fee |
| Gold | 27 controls including EDR, tested backups, security training, vendor management | External audit | $3,000-8,000 for audit, plus implementation costs |
| Platinum | Formal risk management, advanced monitoring, board-level reporting | External audit | $10,000+ for audit, plus implementation |
| Diamond | Comprehensive governance, continuous improvement, full enterprise-grade controls | External audit | $20,000+ for audit, plus implementation |
Indicative costs assume a business of around 20-50 staff. Larger organisations pay more for external audits because there is more in scope. Implementation costs depend entirely on where you are starting from. For businesses already using a managed cybersecurity provider, most Gold controls are typically already in place.
This is the question we get asked most often. Here is the practical answer for different situations.
If you have no formal cyber framework today, target Bronze first. It forces the basics into place (MFA on email, working backups, current antivirus, patched operating systems) and you can self-assess. Most well-run Perth SMBs are already close to Bronze without realising it.
If clients or insurers have started asking for evidence, target Silver within 60-90 days. The big technical lift is email authentication. Once SPF/DKIM/DMARC are configured properly, the rest of Silver is mostly documentation: a written acceptable use policy, an incident response plan, a backup test record.
If you handle sensitive client data or government-related work, target Gold within 6-12 months. Gold is where SMB1001 starts to mean something serious. The 27 controls cover endpoint detection and response, security awareness training, vendor risk management, and continuous configuration management. Achieving Gold typically requires either a strong internal IT team or a managed cybersecurity provider running it for you.
If you are a larger SMB (150+ staff) with mature operations, Platinum is appropriate. At this size the gap to Diamond is small and the cost difference relatively minor compared to the credibility benefit.
Bronze and Silver are achievable for most businesses with good IT hygiene. Gold is the interesting tier, because it is where SMB1001 becomes a real test of cybersecurity maturity rather than a paperwork exercise.
The 27 Gold controls span seven domains: technology management, access management, data management, security policy, security education, incident response, and continuous improvement. Some of the work is technical (EDR deployment, MFA enforcement on all accounts, tested backups). Some is process-driven (written policies, vendor reviews, incident response exercises). Some is cultural (regular security training, evidence of management oversight).
For a typical Perth SMB with 30-80 staff and an existing managed IT provider, the Gold path looks like this:
For businesses without managed cybersecurity in place, add three to six months to the timeline, because the technical controls take longer to deploy than to document.
Three forces are converging that make SMB1001 more than a nice-to-have in 2026.
Clients are asking for evidence of cyber maturity. Larger organisations, particularly in government, financial services, healthcare, and legal, are increasingly requiring suppliers to demonstrate a recognised framework. The Queensland Law Society has formally endorsed SMB1001 as a recommended standard for law firms handling client data. The Western Australian legal and accounting sectors are moving the same direction. If you supply to government or to enterprise clients, expect this requirement in the next 12-24 months if it has not already arrived.
Cyber insurance underwriters are tightening. Premiums have risen and coverage has narrowed. A formal framework certification gives underwriters something concrete to assess and frequently translates to better terms. We have seen clients with Gold certification negotiate premium reductions of 15-25% at renewal.
Regulation is moving. Mandatory ransomware reporting is now enforced. Privacy Act penalties have increased to $50 million for serious breaches. Businesses that proactively adopt a recognised framework now will be in a stronger position when further mandatory requirements arrive, and they will arrive.
This is the second-most-common question. Here is the honest comparison for Australian SMBs.
SMB1001 versus Essential Eight. Essential Eight is a technically focused framework from the Australian Cyber Security Centre covering eight specific mitigation strategies (application control, patching, MS Office macro settings, user application hardening, restricting admin privileges, OS patching, MFA, regular backups). It is the right answer if you supply to Australian government or if your clients specifically require it. SMB1001 is broader in scope (covering policies, training, vendor management) and lighter to implement at the lower tiers. Most Perth SMBs should pursue SMB1001 first and add Essential Eight Maturity Level 2 if government work is on the roadmap. We have written a separate Essential Eight vs SMB1001 comparison if you want the deeper breakdown.
SMB1001 versus ISO 27001. ISO 27001 is the international gold standard but it is expensive (typical first-year cost $30,000-80,000 for a 50-person business including audit and remediation) and overkill for most SMBs. SMB1001 Gold gets you most of the way at a fraction of the cost, and the 2026 control mappings let you demonstrate ISO 27001 alignment without paying for the audit. If your clients specifically require ISO 27001, you have no choice; if they accept “a recognised framework”, SMB1001 is the better SMB answer. See our ISO 27001 guide for Australian businesses for the full comparison.
SMB1001 versus “we do cybersecurity already”. Most Perth SMBs we audit have decent cybersecurity already (MFA enabled, antivirus running, backups configured). What they lack is the documentation, the testing, the evidence, and the ongoing review. SMB1001 is as much a forcing function for those gaps as it is a recognition of the controls themselves. Many of our clients reach Gold within 90 days because the controls are mostly already in place; what they need is the process discipline to evidence them.
We do not treat SMB1001 as a checkbox exercise. Our approach starts with a gap assessment against the framework, then a practical implementation plan, then ongoing management of the controls so the certification stays valid year after year.
Our managed cybersecurity services already cover most of the technical controls required for Gold certification. Where clients are missing the process side (policies, training records, incident response documentation), we work with them to build it without adding administrative burden. For businesses that want certification but do not have an internal IT or security team, we run the entire process end to end. For businesses with their own IT team, we provide the framework expertise and audit preparation while the in-house team handles the technical implementation.
We also provide security awareness training and endpoint detection and response as standalone services for businesses that already have an IT partner but need specific SMB1001 controls covered.
Check your email authentication today. Open MXToolbox and run an SPF, DKIM, and DMARC check on your domain. If any of the three is missing or misconfigured, you cannot certify to Silver or above. This is the easiest gap to close and the most common one we find.
Decide your target tier honestly. Bronze is genuinely achievable for almost any business. Silver is achievable within 60-90 days with normal effort. Gold takes real commitment, time, and budget. Decide what your clients and insurers actually need rather than aiming low or high by default.
Talk to us about a gap assessment. Contact us on 1300 EPIC IT and we will map your current position against SMB1001:2026 and give you a clear, costed path to your target tier.
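The "check your email authentication" step above, and the Silver requirement for SPF, DKIM, and DMARC described earlier, can be run as a script rather than by hand. The following is an added example written for this guide; it is not Epic IT's tooling and it is not part of the SMB1001 standard, which defines the exact pass criteria. It parses the three DNS TXT records and reports the misconfigurations most commonly found: a missing record, an SPF record with no `all` mechanism or with `+all`/`?all`, more than the ten DNS-lookup mechanisms SPF permits, a DKIM key with an empty `p=` (revoked), and a DMARC policy of `p=none` or without a reporting address. The domains `good.example` and `weak.example`, the selector name `selector1`, and all record contents are constructed samples so the script runs offline; for a real domain you would paste in the output of `dig +short TXT yourdomain`, `dig +short TXT _dmarc.yourdomain` and `dig +short TXT <selector>._domainkey.yourdomain`.

```python
"""Offline SPF / DKIM / DMARC record checker (added example, not Epic IT tooling).

Where the records live in DNS:
  SPF   : TXT at the domain itself, begins "v=spf1"
  DKIM  : TXT at <selector>._domainkey.<domain>, tag list with "p=<public key>"
  DMARC : TXT at _dmarc.<domain>, begins "v=DMARC1"
All records below are constructed samples; selector names vary by mail provider.
"""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def _parse_tags(record):
    """Split a 'k=v; k=v' style record (DKIM and DMARC use this form) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record (empty list means no issues)."""
    if record is None:
        return ["SPF: no v=spf1 TXT record found"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    lookups = sum(1 for t in terms[1:]
                  if _LOOKUP_MECH.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms (limit is 10, record will permerror)")
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' allows any host to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, equivalent to having no policy")
    return findings


def check_dkim(record, selector):
    """Return findings for one DKIM selector record."""
    if record is None:
        return [f"DKIM ({selector}): no TXT record at {selector}._domainkey"]
    tags = _parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional, but must be DKIM1 if present
        findings.append(f"DKIM ({selector}): unexpected version tag {tags['v']}")
    if not tags.get("p"):
        findings.append(f"DKIM ({selector}): empty p= tag means the key has been revoked")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record."""
    if record is None:
        return ["DMARC: no TXT record at _dmarc"]
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag (the tag is mandatory)")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are discarded")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of mail")
    return findings


def assess(records):
    """Run all three checks on a dict {'spf': str, 'dkim': {selector: str}, 'dmarc': str}.

    Returns (ready, findings); ready is True only when no finding was raised.
    """
    findings = check_spf(records.get("spf"))
    selectors = records.get("dkim") or {}
    if not selectors:
        findings.append("DKIM: no selector records supplied (selector names come from your mail provider)")
    for selector, record in selectors.items():
        findings.extend(check_dkim(record, selector))
    findings.extend(check_dmarc(records.get("dmarc")))
    return (len(findings) == 0, findings)


# Constructed sample data: one well-configured domain and one typical "we thought we had it" domain.
SAMPLE = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dkim": {"selector1": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedSampleKey"},
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ?all",
        "dkim": {},
        "dmarc": "v=DMARC1; p=none",
    },
}

if __name__ == "__main__":
    for domain, recs in SAMPLE.items():
        ready, findings = assess(recs)
        print(f"{domain}: {'OK' if ready else 'ISSUES'}")
        for finding in findings:
            print("  -", finding)
```

Two caveats worth keeping in mind when reading the output. First, these records only stop mail that forges your exact domain; a lookalike domain registered by an attacker is outside what SPF, DKIM, and DMARC can control, which is why security awareness training remains a separate Gold control. Second, a DMARC policy of `p=none` produces a valid record that a naive "is the record present" check will pass, so the script treats it as a finding rather than a pass.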
SMB1001 is a cybersecurity certification standard developed by Dynamic Standards International specifically for small and medium-sized businesses in Australia and globally. It defines five tiers of maturity (Bronze through Diamond), each with a specific set of controls. It exists to give SMBs a credible, affordable, and tiered alternative to ISO 27001 or full Essential Eight implementation. Most well-run Perth SMBs should target Silver or Gold depending on their client and insurer requirements.
The 2026 edition (released September 2025) made email authentication (SPF, DKIM, DMARC) mandatory from Silver level upward, expanded the Gold control count from 23 to 27 (adding incident response, vendor risk, training cadence, and configuration management), and published control mappings to Essential Eight, UK Cyber Essentials, US CMMC, and ISO 27001. It is the second annual revision of the standard.
Bronze costs around $75 per year through CyberCert and is self-assessed. Silver costs $150-300 per year, also self-assessed. Gold requires an external audit costing $3,000-8,000 for a typical 20-50 person Perth business, plus the cost of implementing any missing controls. Platinum runs $10,000+ for audit and Diamond $20,000+. Businesses already using a managed cybersecurity provider often have most Gold controls in place, reducing implementation cost significantly.
Bronze can be achieved in 2-4 weeks for a business with basic IT hygiene already in place. Silver typically takes 6-12 weeks, with the biggest task being email authentication setup. Gold takes 4-6 months for a business with strong existing IT, or 6-12 months if technical controls (EDR, tested backups, MFA on all accounts) need to be deployed first. Epic IT can accelerate this by running the gap assessment and implementation in parallel.
Essential Eight is a technically focused framework from the Australian Cyber Security Centre covering eight specific mitigation strategies, with three maturity levels (ML1, ML2, ML3). SMB1001 is broader, covering technology, policies, people, and governance across five tiers (Bronze through Diamond). SMB1001 is more accessible for SMBs and lighter to implement at lower tiers. Essential Eight is typically required for Australian government suppliers. Most Perth SMBs should pursue SMB1001 first and add Essential Eight if government contracts are on the roadmap.
Yes. SMB1001:2026 publishes formal control mappings to ISO 27001, UK Cyber Essentials, the US Department of Defense’s CMMC framework, and the Australian Essential Eight. CyberCert certifications are recognised across Australia, New Zealand, Singapore, the Americas, and the South Pacific. For Perth businesses with interstate or international clients, a single SMB1001 Gold certification can demonstrate alignment with multiple frameworks simultaneously.
Often, yes. Cyber insurance underwriters increasingly want concrete evidence of cybersecurity controls rather than self-attestation. A formal certification like SMB1001 Gold gives underwriters something tangible to assess. We have seen Perth clients negotiate premium reductions of 15-25% at renewal after achieving Gold. The exact saving depends on your insurer, industry, and claim history, but the direction is consistent.