SMB1001 Compliance shouldn't feel like a second job. Here's how we fixed that.

July 13, 2026

Ask most business owners about SMB1001 or ISO 27001 and you'll get the same reaction: a sigh, followed by a mental image of spreadsheets nobody has opened since March. Compliance work has a habit of turning into a pile of documents that live in someone's inbox, get updated once a year under deadline pressure, and never quite prove what an auditor, insurer or customer actually wants to see.

We built CyberGrape GRC because that shouldn't be how this works. It's our own platform, not a rebadged tool bought off the shelf, and it exists for one reason: to give small and medium businesses a single place to manage risk, prove compliance and get certified, without needing a compliance team to run it.

Here's a proper look at what it does.

One home for everything security and compliance related

Log in and you land on a single dashboard that answers the question every leadership team asks: how secure are we right now, and what needs attention today? It's not a wall of numbers. It's the posture score and the priority list, ready the moment you open the platform.

From there, everything connects. If your business runs on Microsoft Entra ID or Google Workspace, the platform pulls in your users, groups, devices and MFA status directly, so you can see who has access and whether it's locked down properly, without exporting a single spreadsheet.

Every managed tool, one view

If CyberGrape runs your security stack, this is where it all surfaces: phishing training results, backup status, email authentication, network monitoring, endpoint protection, password hygiene and more, all pulled from the tools actually doing the work (CrowdStrike, Arctic Wolf, Bitdefender, NinjaOne, Bitwarden and others). You see what you're paying for and where you stand, in one place, instead of juggling a dozen logins.

Know your risk, including the risk sitting outside your walls

The platform includes a built-in risk register with a heat map, a scenario library for assessments, and AI-assisted mapping that shows you where existing controls already cover a risk, and where they don't. It's the difference between guessing at your exposure and actually seeing it laid out.

Then there's supply chain risk, which is where a lot of businesses get caught out. Attackers don't always come through your front door. They come through a supplier with weaker defences. Our supply chain module gives you a live risk score on every vendor through Black Kite, an AI-powered assessment engine that scores each supplier's responses as they come in, and a custom questionnaire builder if you'd rather ask your providers something specific. Whichever route you take, it goes out as a magic-link questionnaire, so there's no supplier login to set up and no awkward back-and-forth chasing a reply. Your weakest link might not be you, but you can still see it coming.

Certification, without the document chase

This is the part most people ask about first, so let's be specific.

The platform runs a dedicated SMB1001 module covering all five certification tiers, from Bronze through to Diamond. It tracks every control you need, links the evidence to prove it, and shows you exactly what stands between you and the next tier, with tasks assigned to close each gap. Once you're assessed, the platform keeps assuring those controls on an ongoing basis, so your certification reflects reality rather than a snapshot from six months ago.

The same evidence hub also drives ISO 27001, with all 93 Annex A controls, a full Statement of Applicability, and the wider management system requirements (context, objectives, audits, management review) that a real ISO certification needs. If your business deals with government or regulated sectors, the NZISM module covers the New Zealand Information Security Manual in full, including dispensation requests and audit findings.

Here's the part that actually saves you time: evidence is entered once, stored in the platform's Evidence Hub, and mapped across every framework it applies to. Answer a control for SMB1001 and the platform already knows if it counts toward ISO 27001 too. You're not redoing the same work for every standard your customers, insurers or regulators ask for, and you're not hunting through email threads and shared drives when an auditor asks for proof.

That evidence hub also underpins two registers auditors and regulators specifically ask to see. A Police Vetting register keeps a record of personnel screening and vetting checks, which is exactly what the personnel security controls in ISO 27001 and SMB1001 expect a business to demonstrate. A Visitor Register logs physical access to your premises, mapping straight to the physical security requirements in the same standards. Both feed the same evidence hub as everything else, so they're proof you can produce in seconds rather than a folder you have to go looking for.

On top of that, a Legislation Monitor keeps watch on changes to relevant legislation, including privacy law, and flags what's changed so you're not relying on someone stumbling across a headline to know your obligations have shifted.

When something goes wrong, everyone already knows what to do

Most businesses don't have an incident response plan until they need one, and by then it's too late to write it properly. Our IRP Builder walks you through a guided, AI-assisted process that produces a full incident response plan and the tasks that sit under it, built in minutes rather than commissioned as a separate project. When something does go wrong, your team already knows who does what, instead of figuring it out under pressure.

Policies that write themselves a first draft

Security policies get a full lifecycle here too: version history, an approval workflow, AI-suggested edits, and automatic reminders before anything lapses. You're not starting from a blank page, and you're not the one remembering when a policy needs reviewing.

A prioritised list, not a scattered one

Every gap the platform finds, whether from a risk assessment, a compliance control or a policy review, becomes a tracked action in one place, with evidence attached the moment it's closed. It's the single to-do list that replaces the sticky notes and the "we'll get to it" folder.

Reports your board will actually read

When it's time to show leadership, an insurer or a customer where things stand, the platform generates board-ready reports in plain English, backed by the technical detail underneath if anyone wants to dig in. No late nights formatting slides before a board meeting.

Built for MSPs too

If you're an MSP managing security for a book of clients rather than a single business, the platform is built with that in mind. Each client sits in their own isolated tenant with their own evidence, controls and reporting, while you get a consistent way to run compliance across every one of them without stitching together separate tools per client.

And when you're ready to prove it publicly

Once your certification and controls are in good shape, you can publish a public trust page that shows customers and prospects you take security seriously, turning months of compliance work into something your sales team can actually use.

Software plus a team, so certification is guaranteed

The platform gets you organised. Pair it with CyberGrape's security services and it becomes a guarantee. Our CSO-as-a-Service team works alongside your business inside the platform itself, closing gaps, reviewing evidence and guiding you through each tier, so the path from where you are today to a certified SMB1001 outcome is managed end to end rather than left for your team to figure out alone. You get the software to track the work and the people to make sure it actually gets done and gets you across the line.

Why it matters

None of this is about ticking a box for its own sake. A recognised certification like SMB1001 or ISO 27001 opens doors: it wins contracts that require it, it satisfies insurers asking harder questions than they used to, and it gives your customers a reason to trust you over a competitor who can't show the same. The platform's job is to get you there without turning your team into part-time compliance officers to do it.

If you're weighing up where your business stands on cyber risk, or you've been putting off SMB1001 or ISO 27001 because it looks like months of admin, it's worth a proper conversation. Book a free discovery call and we'll show you exactly where you'd start.


CyberGrape helps small and medium businesses across Australia get cyber security and compliance sorted, without the enterprise price tag or the jargon.