Privacy Act, Essential 8, and SMB1001: how the three frameworks overlap for AU SMBs

By Greg Markowski / May 22, 2026 / Cybersecurity & Compliance

The most common question we get from Perth SMBs working through their compliance obligations is: “if I do Essential 8 (or SMB1001), does that cover Privacy Act compliance too?” The short answer is mostly yes, with important caveats. The long answer is the point of this post.

The three frameworks in one paragraph each

The Privacy Act is Australian law. It defines obligations around how businesses collect, use, store, and disclose personal information. It applies to businesses based on turnover, industry, and the type of information they handle. Non-compliance attracts civil penalties up to $50 million. The Privacy Act is the only one of the three frameworks that is legally enforceable. See our Privacy Act 2026 enforcement guide for the full picture.

Essential 8 is a technical cybersecurity framework from the Australian Cyber Security Centre. It defines eight specific mitigation strategies across three maturity levels (ML1, ML2, ML3). It is required for Australian government suppliers and is increasingly referenced by enterprise clients and cyber insurers as a standard for “adequate cybersecurity”. See our Essential 8 compliance guide for the full breakdown.

SMB1001 is a cybersecurity certification standard from Dynamic Standards International, built specifically for small and medium businesses. It defines five tiers (Bronze through Diamond) covering technology, policies, people, and governance. SMB1001 certification is voluntary but increasingly required by clients, insurers, and supply chain partners. See our SMB1001:2026 guide for the full breakdown.

Where they overlap

The three frameworks share roughly 70% of their substantive controls. All three require multi-factor authentication. All three require patched, supported operating systems. All three require working backups. All three require some form of access control and some form of incident response capability. Doing one well makes the next one materially easier, which is why we recommend most Perth SMBs work on them sequentially rather than separately.

The overlap matters for budgeting. If you implement SMB1001 Gold properly, you are well over halfway to Essential 8 ML1 and have addressed most of the technical controls the OAIC would expect under “reasonable steps” in the Privacy Act. Compliance work compounds.

Where they differ

The differences are as important as the overlap.

The Privacy Act covers information handling beyond cybersecurity. Things like collection notices, consent, access and correction rights, data retention limits, and disposal practices are not in Essential 8 or SMB1001. You can have perfect cybersecurity controls and still breach the Privacy Act by collecting information you do not need or retaining it longer than the law allows.

Essential 8 is deeper technically but narrower in scope. It is the only framework that goes deep on application control, macro hardening, and user application hardening. If you supply to government or handle highly sensitive data, Essential 8 ML2 or ML3 is where your technical baseline needs to sit.

SMB1001 is the broadest of the three. It covers technology (overlapping with Essential 8), policies (overlapping with Privacy Act expectations), people (security awareness training, role-based responsibilities), and governance (risk management, vendor management). It is the most practical starting point for an SMB that has done little formal compliance work to date.

Where ISO 27001 fits

A fourth framework comes up in almost every one of these conversations: ISO 27001, the international standard for information security management systems. It sits above the three frameworks covered here. Where Essential 8 prescribes specific technical controls and SMB1001 packages technology, policy, and governance into achievable tiers, ISO 27001 is a full management system standard with 93 controls, a certification audit by an external body, and annual surveillance audits to keep it. It is the framework that enterprise clients, government tenders, and international partners recognise by name.

For most AU SMBs under 200 staff, ISO 27001 is not the starting point. Certification typically takes 6 to 18 months and costs far more than the three frameworks above combined, and the technical controls it requires are largely the same ones you build through SMB1001 and Essential 8. Treat it as a later destination: if a tender, enterprise contract, or international expansion demands it, the SMB1001 and Essential 8 work you have already done covers a significant share of the technical requirements, leaving the governance and documentation layer to build. Our ISO 27001 accreditation guide covers what certification involves, what it costs, and how to tell whether your business genuinely needs it.

What this means for sequencing

For most Perth SMBs of 20-200 staff, the right sequence is:

Step 1: SMB1001 Bronze or Silver. Forces the basics into place and produces a recognised certification within weeks. Costs are low. This gets you to a defensible baseline against “reasonable steps” under the Privacy Act and starts you down the Essential 8 path.

Step 2: SMB1001 Gold or Essential 8 ML1. Choose based on your clients. Government supplier? Essential 8. Professional services with enterprise or insurer requirements? SMB1001 Gold. Both put you in genuinely strong shape for Privacy Act reasonable steps.

Step 3: Privacy Act compliance review. Once the technical controls are in place, review your Privacy Act-specific obligations: collection notices, consent practices, retention policies, breach response procedures, data subject access processes. These are the things the technical frameworks do not cover.

Step 4: Maintain. Annual review of all three. Frameworks change (SMB1001 revises annually, Essential 8 has periodic updates, Privacy Act is mid-reform). Your business changes. Annual review keeps everything current.

The mapping table

SMB1001 tiers below reflect the SMB1001:2026 edition (Bronze, Silver, Gold, Platinum, Diamond).

Control area                      | Privacy Act                   | Essential 8       | SMB1001
----------------------------------|-------------------------------|-------------------|----------------------------------------------------------------------
Multi-factor authentication       | Reasonable steps (APP 11.1)   | Yes (E8 strategy) | Required from Silver
Patched operating systems         | Reasonable steps (APP 11.1)   | Yes (E8 strategy) | Required from Bronze
Backups with an offline copy      | Reasonable steps (APP 11.1)   | Yes (E8 strategy) | Required from Bronze; annual restore testing from Platinum
Application control               | Implicit                      | Yes (E8 strategy) | Required at Diamond
Email authentication              | Implicit                      | Implicit          | SPF from Silver; DKIM and DMARC from Gold (2026)
Endpoint detection and response   | Implicit                      | Implicit          | Required from Gold
Security awareness training       | Implicit                      | Not specified     | Required from Bronze
Vendor management                 | Implicit (APP 8)              | Not specified     | Third-party confidentiality from Silver; supplier digital trust programme at Diamond
Collection notices and consent    | Yes (APP 3, APP 5)            | No                | No
Data retention limits             | Yes (APP 11.2)                | No                | No
Data subject access               | Yes (APP 12)                  | No                | No
Incident response plan            | Yes (Part IIIC)               | Not specified     | Required from Gold; breach-reporting playbooks at Diamond

The common mistake we see

Businesses focus on the technical controls (which the frameworks cover well) and neglect the Privacy Act-specific obligations (which the cybersecurity frameworks do not cover). They end up with strong endpoint protection but a privacy collection notice that has not been reviewed since 2020, retention practices that keep records far beyond what the law requires, and no documented process for handling data subject access requests.

The technical work is necessary but not sufficient. If you are pursuing SMB1001 or Essential 8, plan time for the Privacy Act-specific work as a separate workstream. We typically allocate 30-40% of compliance effort to the technical controls and 60-70% to policies, processes, documentation, and training. Most businesses get this ratio backwards on first attempt.

How Epic IT helps

We work with Perth SMBs on integrated compliance programmes that address all three frameworks together rather than treating them as separate projects. The approach starts with a gap assessment across all three, then a unified implementation plan that delivers the technical controls and the policy/process work in parallel.

For our managed cybersecurity clients, framework alignment is part of the standard service. For businesses without managed cybersecurity in place, we offer compliance programmes as standalone engagements through our IT consulting team.

What you should do now

Decide which framework is the right starting point for your business. SMB1001 Bronze if you have done little formal compliance work. Essential 8 ML1 if you supply to government. Privacy Act review if you have strong technical controls but have not reviewed your policies recently.

Plan the work as a sequence, not parallel projects. Doing all three at once leads to incomplete coverage. Doing them in sequence builds momentum and lets each phase inform the next.

Book a compliance gap assessment with us. Contact us on 1300 EPIC IT. We will map your current position against all three frameworks and recommend the right starting point.

Frequently asked questions

Does Essential 8 certification mean I am Privacy Act compliant?

Not entirely. Essential 8 covers the technical cybersecurity controls that map to “reasonable steps” under APP 11.1 of the Privacy Act, but it does not cover Privacy Act-specific obligations like collection notices, consent practices, retention limits, data subject access rights, and breach notification processes. Essential 8 plus a Privacy Act-specific review gives you near-full coverage.

Does SMB1001 certification mean I am Privacy Act compliant?

Largely yes for the technical and process controls, but not for the legal obligations under the Privacy Act that go beyond cybersecurity. SMB1001 Gold covers most of the “reasonable steps” expectations under APP 11.1, plus third-party confidentiality obligations that support APP 8 and an incident response plan that supports breach response under Part IIIC. Privacy Act obligations around collection, consent, retention, and access rights still need separate attention.

Should I do Essential 8 or SMB1001 first?

For most Perth SMBs, SMB1001 first. It is broader, more accessible at the lower tiers, and produces a recognised certification quickly. If you supply to Australian government, Essential 8 is required, so it becomes the priority. The two frameworks share roughly 70% of substantive controls, so the second one is materially easier than the first.

How long does it take to comply with all three frameworks?

For an AU SMB starting from limited formal compliance, the realistic timeline is 6-12 months to reach SMB1001 Gold or Essential 8 ML1 with Privacy Act policies and processes in place. Businesses already running well-managed IT often complete this in 4-6 months because most technical controls are already deployed. Maintenance after the initial programme is ongoing but lower effort.

What is the most common compliance gap AU SMBs miss?

Privacy Act-specific policy and process work. Most businesses focus on the technical cybersecurity controls (where the frameworks are clearest) and neglect the policy work around collection notices, consent practices, retention schedules, and data subject access procedures. The OAIC’s enforcement focus on these areas in 2026 makes this gap more material than it has been in past years.

Need a multi-framework compliance gap assessment?

Our Perth-based team will map your position against Privacy Act, Essential 8, and SMB1001 in one engagement, with a unified plan to close the gaps.

About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
