The internationally recognised cybersecurity standard built for small and medium-sized businesses. Five tiers. One clear path. Epic IT manages the entire journey.
Bronze to Diamond – start where you are, scale as you grow
Technology, access, backups, policies, and training
Current edition: SMB1001:2026
Certified in AU, US, UK, NZ, Singapore & more
Most cybersecurity frameworks were designed for large enterprises with dedicated security teams and six-figure compliance budgets. The SMB1001 cybersecurity framework was not.
Developed by Dynamic Standards International (DSI), SMB1001 is the first internationally recognised cybersecurity standard built from the ground up for small and medium-sized businesses. The current edition – SMB1001:2026 – was released in September 2025 and is certified through CyberCert. For a detailed look at what changed in the latest edition, read our SMB1001:2026 update guide.
Controls are organised across five domains: technology management, access management, backup and recovery, policies and processes, and education and training. The standard aligns with the Australian Government’s Essential Eight, UK Cyber Essentials, and the US Department of Defense’s CMMC – so a single certification can demonstrate alignment across multiple frameworks.

Each level builds on the one before it – every control you implement at Bronze carries through to Diamond.
Bronze
The non-negotiable basics: qualified technical support, firewalls, antivirus and endpoint protection, automatic software updates, routine password changes, and reliable data backups. These controls stop the most common attacks – and are where most SMBs still have gaps.
Certification: Self-attested | Timeline: Weeks
Silver
Multi-factor authentication (MFA) is required at this level, along with standardised access management policies and basic security monitoring. The 2026 edition introduces email authentication controls at Silver – including SPF records to prevent domain spoofing.
Certification: Self-attested | Timeline: 1-2 months
Gold
Enhanced monitoring, advanced access controls, and proactive incident response. Formalised cybersecurity policies, regular staff security awareness training, and tested backup and recovery procedures. DKIM email signing and DMARC enforcement are required under the 2026 standard. 23 controls – our recommended baseline for Perth businesses.
Certification: Director self-attested | Timeline: 1-3 months
Platinum
External auditing begins. Platinum requires a third-party audit providing independent verification of your cybersecurity posture. Introduces Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) – threats are not just prevented but actively hunted and contained.
Certification: Third-party audit | Timeline: 3-6 months
Diamond
The highest tier. Full data encryption at rest, application whitelisting, adversary simulation through penetration testing and social engineering exercises, and a formal supply chain security programme (Digital Trust Agreements with key suppliers). Security maturity typically associated with ISO 27001 – achieved through a framework designed for SMBs.
Certification: Third-party audit | Timeline: 6+ months
We are often asked how SMB1001 compares to the ACSC Essential Eight. The short answer: they are complementary, not competing.
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate – rigorous, prescriptive, and focused on technical controls. SMB1001 covers much of the same technical ground but adds governance, policies, training, and formal certification on top. It also provides a gentler on-ramp: start at Bronze and build maturity over time, whereas Essential Eight Maturity Level 1 requires all eight strategies from the outset.
For most Perth SMBs, the practical path is: start with SMB1001 to build your security foundation and earn a recognised certification, then progress into Essential Eight compliance when your business requires it – whether driven by regulatory requirements, enterprise client expectations, or a desire for deeper technical assurance. We also offer Essential Eight plus Further Five for businesses that need the highest level of protection.

We do not just advise on SMB1001 – we implement and manage it as part of our managed cybersecurity services, working alongside our managed IT services to protect your entire environment.
Practical pricing for Perth SMBs — no enterprise budgets required.
Most Perth SMBs can achieve Gold certification within our standard managed IT agreement. The gap assessment, implementation, and certification support are included as part of our managed services. For standalone engagements, expect an initial assessment fee of $1,500–$3,000 plus implementation costs depending on your starting posture.
Higher tiers require third-party auditing and advanced controls (EDR/MDR, penetration testing, supply chain security). The external audit typically costs $3,000–$8,000 depending on scope. Implementation investment scales with the controls required. We provide a detailed quote after the gap assessment.
SMB1001 is an internationally recognised cybersecurity certification standard developed by Dynamic Standards International (DSI) specifically for small and medium-sized businesses. It provides a five-tier pathway – Bronze, Silver, Gold, Platinum, and Diamond – that allows organisations to progressively strengthen their cybersecurity posture. The current edition is SMB1001:2026.
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate. SMB1001 covers similar technical ground but adds governance, policies, staff training, and formal certification. SMB1001 also offers a staged entry point (Bronze) whereas Essential Eight requires all eight strategies from Maturity Level 1. Many businesses start with SMB1001 and progress to Essential Eight when required.
Yes. SMB1001 certification is available to businesses anywhere in Australia and internationally. Epic IT is a Perth-based managed security services provider that helps local organisations implement, manage, and certify against the SMB1001 cybersecurity framework at every level from Bronze to Diamond.
For most Perth SMBs, Gold is a strong target – it covers 23 controls across technology, access, backups, policies, and training, and is self-attested by a company director. Businesses with enterprise clients or insurance requirements may benefit from Platinum or Diamond, which include external auditing. Epic IT can assess your risk profile and recommend the right level.
Bronze can typically be achieved within a few weeks. Gold certification usually takes one to three months depending on your starting posture and the number of controls that need implementing. Platinum and Diamond take longer due to the external audit requirement. Epic IT manages the full process to minimise disruption to your operations.
Yes. Cyber insurers are increasingly requiring evidence of structured cybersecurity practices before issuing or renewing policies. An SMB1001 certification at any level provides recognised, third-party-certifiable proof of your cybersecurity posture that insurers can assess during the underwriting process.