The internationally recognised cybersecurity standard built for small and medium-sized businesses. Five tiers. One clear path. Epic IT manages the entire journey.
Bronze to Diamond – start where you are, scale as you grow
Technology, access, backups, policies, and training
Current edition: SMB1001:2026
Certified in AU, US, UK, NZ, Singapore & more
Most cybersecurity frameworks were designed for large enterprises with dedicated security teams and six-figure compliance budgets. The SMB1001 cybersecurity framework was not.
Developed by Dynamic Standards International (DSI), SMB1001 is the first internationally recognised cybersecurity standard built from the ground up for small and medium-sized businesses. The current edition – SMB1001:2026 – was released in September 2025 and is certified through CyberCert. For a detailed look at what changed in the latest edition, read our SMB1001:2026 update guide.
Controls are organised across five domains: technology management, access management, backup and recovery, policies and processes, and education and training. The standard aligns with the Australian Government’s Essential Eight, UK Cyber Essentials, and the US Department of Defense’s CMMC – so a single certification can demonstrate alignment across multiple frameworks.
Each level builds on the one before it – every control you implement at Bronze carries through to Diamond.
The non-negotiable basics: qualified technical support, firewalls, antivirus and endpoint protection, automatic software updates, strong password hygiene, data backups with an offline copy, and baseline staff awareness training. These controls stop the most common attacks – and are where most SMBs still have gaps.
Certification: Self-attested | Timeline: Weeks
Multi-factor authentication (MFA) is required at this level, along with standardised access management: individual user accounts, restricted admin privileges, and a password manager for privileged users. The 2026 edition introduces email authentication controls at Silver – SPF records on every sending domain to prevent spoofing.
Certification: Self-attested | Timeline: 1-2 months
Where the framework gets serious. 27 controls under the 2026 edition, including Endpoint Detection and Response (EDR) on every device, DKIM email signing and DMARC enforcement, mandatory cyber insurance, a formal incident response plan, a digital asset register, ongoing staff security awareness training, and a responsible AI use policy. Our recommended baseline for Perth businesses.
Certification: Director self-attested | Timeline: 1-3 months
External auditing begins. Platinum requires a third-party audit providing independent verification of your cybersecurity posture. Adds phishing-resistant MFA (SMS codes are out), regular vulnerability scanning of internet-facing systems, MFA on VPN, RDP, and cloud platforms, a formal recovery strategy with annual restore testing, and an 8-working-hour incident response SLA with your MSP.
Certification: Third-party audit | Timeline: 3-6 months
The highest tier. Full data encryption at rest, application control, disabled untrusted Office macros, adversary simulation through penetration testing and social engineering exercises, EDR backed by a Managed Detection and Response (MDR) service, annual incident response exercises, and a formal supply chain security programme (digital trust agreements with key suppliers). Security maturity typically associated with ISO 27001 – achieved through a framework designed for SMBs.
Certification: Third-party audit | Timeline: 6+ months
Start where your risk actually sits. A small trades or retail business with limited data obligations can self-attest at Bronze within weeks. A professional services firm holding client records should target Gold, our recommended baseline, which brings in cyber insurance, EDR, and a formal incident response plan. Businesses supplying government, enterprise, or critical infrastructure clients should plan for Platinum or Diamond, where third-party audit gives customers independent assurance. The gap assessment tells you exactly where you stand today and what the step up costs.
Not sure? Book a free assessment and we will recommend the right tier.
We are often asked how SMB1001 compares to the ACSC Essential Eight. The short answer: they are complementary, not competing.
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate – rigorous, prescriptive, and focused on technical controls. SMB1001 covers much of the same technical ground but adds governance, policies, training, and formal certification on top. It also provides a gentler on-ramp: start at Bronze and build maturity over time, whereas Essential Eight Maturity Level 1 requires all eight strategies from the outset.
For most Perth SMBs, the practical path is: start with SMB1001 to build your security foundation and earn a recognised certification, then progress into Essential Eight compliance when your business requires it – whether driven by regulatory requirements, enterprise client expectations, or a desire for deeper technical assurance. We also offer Essential Eight plus Further Five for businesses that need the highest level of protection.
We do not just advise on SMB1001 – we implement and manage it as part of our managed cybersecurity services, working alongside our managed IT services. SMB1001 certification also supports your compliance posture under the Privacy Act 2026 and provides a framework for businesses adopting AI governance to protect your entire environment. If you are still comparing providers, our guide to the best cyber security companies in Perth explains where a managed security provider fits against a boutique specialist or an auditor.
Practical pricing for Perth SMBs, no enterprise budgets required.
Most Perth SMBs can achieve Gold certification within our standard managed IT agreement. The gap assessment, implementation, and certification support are included as part of our managed services. For standalone engagements, expect an initial assessment fee of $1,500–$3,000 plus implementation costs depending on your starting posture.
Higher tiers require third-party auditing and advanced controls (EDR/MDR, penetration testing, supply chain security). The external audit typically costs $3,000–$8,000 depending on scope. Implementation investment scales with the controls required. We provide a detailed quote after the gap assessment.
SMB1001 is an internationally recognised cybersecurity certification standard developed by Dynamic Standards International (DSI) specifically for small and medium-sized businesses. It provides a five-tier pathway – Bronze, Silver, Gold, Platinum, and Diamond – that allows organisations to progressively strengthen their cybersecurity posture. The current edition is SMB1001:2026.
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate. SMB1001 covers similar technical ground but adds governance, policies, staff training, and formal certification. SMB1001 also offers a staged entry point (Bronze) whereas Essential Eight requires all eight strategies from Maturity Level 1. Many businesses start with SMB1001 and progress to Essential Eight when required.
Yes. SMB1001 certification is available to businesses anywhere in Australia and internationally. Epic IT is a Perth-based managed security services provider that helps local organisations implement, manage, and certify against the SMB1001 cybersecurity framework at every level from Bronze to Diamond.
For most Perth SMBs, Gold is a strong target – it covers 27 controls under the 2026 edition across technology, access, backups, policies, and training, and is self-attested by a company director. Businesses with enterprise clients or insurance requirements may benefit from Platinum or Diamond, which include external auditing. Epic IT can assess your risk profile and recommend the right level.
Bronze can typically be achieved within a few weeks. Gold certification usually takes one to three months depending on your starting posture and the number of controls that need implementing. Platinum and Diamond take longer due to the external audit requirement. Epic IT manages the full process to minimise disruption to your operations.
Yes. Cyber insurers are increasingly requiring evidence of structured cybersecurity practices before issuing or renewing policies, and under SMB1001:2026, holding cyber insurance is itself a Gold-level control. An SMB1001 certification at any level provides recognised proof of your cybersecurity posture that insurers can assess during the underwriting process.