Managed IT Cyber Security Services

SMB1001 Framework – Certification for Perth Businesses

Our Services / Managed Security Services (MSSP)

SMB1001 Cybersecurity Framework Certification

The internationally recognised cybersecurity standard built for small and medium-sized businesses. Five tiers. One clear path. Epic IT manages the entire journey.

Book a Free Security Assessment

5 Tiers

Bronze to Diamond – start where you are, scale as you grow

5 Domains

Technology, access, backups, policies, and training

Updated Annually

Current edition: SMB1001:2026

Global Recognition

Certified in AU, US, UK, NZ, Singapore & more

What Is SMB1001:2026?

Most cybersecurity frameworks were designed for large enterprises with dedicated security teams and six-figure compliance budgets. The SMB1001 cybersecurity framework was not.

Developed by Dynamic Standards International (DSI), SMB1001 is the first internationally recognised cybersecurity standard built from the ground up for small and medium-sized businesses. The current edition – SMB1001:2026 – was released in September 2025 and is certified through CyberCert. For a detailed look at what changed in the latest edition, read our SMB1001:2026 update guide.

Controls are organised across five domains: technology management, access management, backup and recovery, policies and processes, and education and training. The standard aligns with the Australian Government’s Essential Eight, UK Cyber Essentials, and the US Department of Defense’s CMMC – so a single certification can demonstrate alignment across multiple frameworks.

IT consultant helping Perth business leaders plan SMB1001 cybersecurity certification

The Five Certification Tiers

Each level builds on the one before it – every control you implement at Bronze carries through to Diamond.

Bronze – Foundational Protections

The non-negotiable basics: qualified technical support, firewalls, antivirus and endpoint protection, automatic software updates, strong password hygiene, data backups with an offline copy, and baseline staff awareness training. These controls stop the most common attacks – and are where most SMBs still have gaps.

Certification: Self-attested | Timeline: Weeks

Silver – Consistent Security Practices

Multi-factor authentication (MFA) is required at this level, along with standardised access management: individual user accounts, restricted admin privileges, and a password manager for privileged users. The 2026 edition introduces email authentication controls at Silver – SPF records on every sending domain to prevent spoofing.

Certification: Self-attested | Timeline: 1-2 months

Gold – Proactive Risk Management

Where the framework gets serious. 27 controls under the 2026 edition, including Endpoint Detection and Response (EDR) on every device, DKIM email signing and DMARC enforcement, mandatory cyber insurance, a formal incident response plan, a digital asset register, ongoing staff security awareness training, and a responsible AI use policy. Our recommended baseline for Perth businesses.

Certification: Director self-attested | Timeline: 1-3 months

Platinum – External Assurance

External auditing begins. Platinum requires a third-party audit providing independent verification of your cybersecurity posture. Adds phishing-resistant MFA (SMS codes are out), regular vulnerability scanning of internet-facing systems, MFA on VPN, RDP, and cloud platforms, a formal recovery strategy with annual restore testing, and an 8-working-hour incident response SLA with your MSP.

Certification: Third-party audit | Timeline: 3-6 months

Diamond – Advanced Resilience

The highest tier. Full data encryption at rest, application control, disabled untrusted Office macros, adversary simulation through penetration testing and social engineering exercises, EDR backed by a Managed Detection and Response (MDR) service, annual incident response exercises, and a formal supply chain security programme (digital trust agreements with key suppliers). Security maturity typically associated with ISO 27001 – achieved through a framework designed for SMBs.

Certification: Third-party audit | Timeline: 6+ months

Which Tier Is Right for Your Business?

Start where your risk actually sits. A small trades or retail business with limited data obligations can self-attest at Bronze within weeks. A professional services firm holding client records should target Gold, our recommended baseline, which brings in cyber insurance, EDR, and a formal incident response plan. Businesses supplying government, enterprise, or critical infrastructure clients should plan for Platinum or Diamond, where third-party audit gives customers independent assurance. The gap assessment tells you exactly where you stand today and what the step up costs.

Not sure? Book a free assessment and we will recommend the right tier.

Why SMB1001 Certification Matters

Insurance

Cyber insurers increasingly require evidence of structured cybersecurity practices, and under the 2026 edition cyber insurance is itself a Gold control. Read our guide on cybersecurity vs compliance to understand the difference.

Client Expectations

Larger organisations running ISO 27001, Essential Eight, or APRA CPS 234 are pushing security requirements down to suppliers. Certification proves your posture.

Global Recognition

Originally developed in Australia, SMB1001 is now certified internationally – the Americas, Singapore, New Zealand, and the Pacific.

Always Current

Revised annually by a steering committee including the Australian Signals Directorate (ASD) and the Cyber Security Agency of Singapore.

SMB1001 and the Essential Eight

We are often asked how SMB1001 compares to the ACSC Essential Eight. The short answer: they are complementary, not competing.

The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate – rigorous, prescriptive, and focused on technical controls. SMB1001 covers much of the same technical ground but adds governance, policies, training, and formal certification on top. It also provides a gentler on-ramp: start at Bronze and build maturity over time, whereas Essential Eight Maturity Level 1 requires all eight strategies from the outset.

For most Perth SMBs, the practical path is: start with SMB1001 to build your security foundation and earn a recognised certification, then progress into Essential Eight compliance when your business requires it – whether driven by regulatory requirements, enterprise client expectations, or a desire for deeper technical assurance. We also offer Essential Eight plus Further Five for businesses that need the highest level of protection.

Engineer monitoring cybersecurity dashboards supporting SMB1001 and Essential Eight compliance in Perth

How Epic IT Helps

We do not just advise on SMB1001 – we implement and manage it as part of our managed cybersecurity services, working alongside our managed IT services. SMB1001 certification also supports your compliance posture under the Privacy Act 2026 and provides a framework for businesses adopting AI governance to protect your entire environment. If you are still comparing providers, our guide to the best cyber security companies in Perth explains where a managed security provider fits against a boutique specialist or an auditor.

  1. Gap assessment. We evaluate your current security posture against your target SMB1001 level and identify exactly what needs to change. No guesswork, no generic checklists.
  2. Implementation. Our engineers deploy the required controls – from MFA and endpoint protection to email authentication and backup verification – using the same tools and platforms we manage across our entire client base.
  3. Ongoing management. We manage patching, monitoring, access reviews, and policy updates continuously as part of your agreement. When DSI releases the next annual update, we handle the transition.
  4. Certification support. We prepare the evidence and documentation required for self-attestation (Bronze through Gold) or third-party audit (Platinum and Diamond), and guide your directors through the certification process with CyberCert.
  5. Progression planning. Whether you want to move from Bronze to Gold, from Gold to Essential Eight, or eventually toward ISO 27001, we map the path and manage the journey. Every control you implement carries forward – nothing is wasted.

SMB1001 certification investment

Practical pricing for Perth SMBs, no enterprise budgets required.

Bronze to Gold

Most Perth SMBs can achieve Gold certification within our standard managed IT agreement. The gap assessment, implementation, and certification support are included as part of our managed services. For standalone engagements, expect an initial assessment fee of $1,500–$3,000 plus implementation costs depending on your starting posture.

Platinum and Diamond

Higher tiers require third-party auditing and advanced controls (EDR/MDR, penetration testing, supply chain security). The external audit typically costs $3,000–$8,000 depending on scope. Implementation investment scales with the controls required. We provide a detailed quote after the gap assessment.

Ready to Get SMB1001 Certified?

Our Perth-based cybersecurity team will assess your current posture, recommend the right level, and manage the entire implementation.

Book a Free Assessment

Frequently Asked Questions

What is the SMB1001 cybersecurity framework?

SMB1001 is an internationally recognised cybersecurity certification standard developed by Dynamic Standards International (DSI) specifically for small and medium-sized businesses. It provides a five-tier pathway – Bronze, Silver, Gold, Platinum, and Diamond – that allows organisations to progressively strengthen their cybersecurity posture. The current edition is SMB1001:2026.

What is the difference between SMB1001 and the Essential Eight?

The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate. SMB1001 covers similar technical ground but adds governance, policies, staff training, and formal certification. SMB1001 also offers a staged entry point (Bronze) whereas Essential Eight requires all eight strategies from Maturity Level 1. Many businesses start with SMB1001 and progress to Essential Eight when required.

Can I get SMB1001 certified in Perth?

Yes. SMB1001 certification is available to businesses anywhere in Australia and internationally. Epic IT is a Perth-based managed security services provider that helps local organisations implement, manage, and certify against the SMB1001 cybersecurity framework at every level from Bronze to Diamond.

What level of SMB1001 should my business aim for?

For most Perth SMBs, Gold is a strong target – it covers 27 controls under the 2026 edition across technology, access, backups, policies, and training, and is self-attested by a company director. Businesses with enterprise clients or insurance requirements may benefit from Platinum or Diamond, which include external auditing. Epic IT can assess your risk profile and recommend the right level.

How long does it take to achieve SMB1001 certification?

Bronze can typically be achieved within a few weeks. Gold certification usually takes one to three months depending on your starting posture and the number of controls that need implementing. Platinum and Diamond take longer due to the external audit requirement. Epic IT manages the full process to minimise disruption to your operations.

Does SMB1001 help with cyber insurance?

Yes. Cyber insurers are increasingly requiring evidence of structured cybersecurity practices before issuing or renewing policies, and under SMB1001:2026, holding cyber insurance is itself a Gold-level control. An SMB1001 certification at any level provides recognised proof of your cybersecurity posture that insurers can assess during the underwriting process.