Your clients want proof.
SMB1001 is how you give it to them.
SMB1001 is the global cybersecurity certification standard built specifically for small and medium businesses. Five tiers. Thirty-nine controls. A clear, structured path from basic hygiene to independently verified security maturity.
Published by Dynamic Standards International. Updated annually. Recognised by governments, insurers, and enterprise procurement teams across Australia and globally.
Most cyber standards were built for enterprises with large teams and large budgets.
ISO 27001 requires a fully implemented information security management system. CMMC was designed for US defence contractors. Neither was built with an SMB's constraints in mind.
SMB1001 was. It was developed by Dynamic Standards International specifically to give small and medium businesses a structured, achievable path to certified security maturity, without the overhead of enterprise frameworks.
Because cyber threats don't wait for the next standards review cycle, SMB1001 is updated annually. The controls you're certifying against today reflect the threat landscape of today.
Built for SMBs
Designed around the resources, structures, and risk profiles of businesses with 5 to 500 staff, not enterprise frameworks retrofitted downward.
Updated annually
The 2026 edition introduced EDR, email authentication, and AI policy requirements: controls that didn't exist in meaningful form two years ago.
Globally recognised
Published in Australia. Adopted internationally. Increasingly required by procurement teams, insurers, and enterprise supply chains across Australia, New Zealand, and the UK.
A pathway, not a destination
The five-tier structure means you start where your business is today and build from there, without losing any work done at lower tiers.
Five tiers. One cumulative pathway.
Each tier builds on the last. You don't lose previous work: you build on it. Higher tiers inherit all lower-tier controls and extend them to a higher maturity standard.
Bronze
Establishes the seven controls that stop the most common attacks: a firewall, antivirus, automatic patching, strong passwords, an offline backup, and basic security awareness training.
Silver
Adds MFA on email, a password manager, email anti-spoofing (SPF), server patching, individual user accounts, and formal policies for invoice fraud and visitor management.
Gold
Introduces EDR, full MFA across all applications, DKIM and DMARC email authentication, a cybersecurity policy, incident response plan, AI use policy, cyber insurance, and an ongoing security awareness programme.
Platinum
First tier requiring third-party audit. Adds vulnerability scanning on all internet-facing assets, phishing-resistant MFA, cloud credential management, MSP SLA requirements, and a formally tested backup restoration plan.
Diamond
The highest SMB1001 tier. Adds encryption at rest, application control, annual penetration testing, 24/7 MDR, supplier digital trust programme, police vetting for privileged staff, and live incident response exercises.
Standard published by Dynamic Standards International (DSI). Controls from SMB1001:2026 v1.0. dsi.org
What each tier includes
A side-by-side view of the key requirements across all five tiers.
| Requirement | Bronze | Silver | Gold | Platinum | Diamond |
|---|---|---|---|---|---|
| Total controls | 7 | 17 | 27 | 32 | 39 |
| Attestation | Self-attested | Self-attested | Self-attested | Independent audit | Independent audit |
| Typical timeline | 2–4 weeks | 2–4 weeks | 4–8 weeks | 2–3 months | 3–6 months |
| Certification valid | 12 months | 12 months | 12 months | 12 months | 12 months |
| Firewall & antivirus | ✓ | ✓ | ✓ | ✓ | ✓ |
| Automatic patching | ✓ | ✓ | ✓ | ✓ | ✓ |
| MFA on email | – | ✓ | ✓ | Phishing-resistant only | Phishing-resistant only |
| Password manager | – | Privileged users | All staff | All staff | All staff |
| Email anti-spoofing (SPF) | – | ✓ | ✓ | ✓ | ✓ |
| DKIM + DMARC | – | – | ✓ | ✓ | ✓ |
What certification actually does for your business
SMB1001 isn't a compliance exercise. It's a commercial and operational asset.
Win more contracts
Procurement teams, government agencies, and enterprise clients are writing SMB1001 into supplier requirements. A certificate answers that requirement immediately, without filling out a different security questionnaire for every client.
Reduce cyber insurance premiums
Insurers assess your controls before underwriting. Gold certification demonstrates EDR, MFA, an incident response plan, and documented policies: precisely what underwriters want to see. Certified businesses present a measurably lower risk profile.
Protect your supply chain position
If a supplier in your chain is breached, the damage flows upward. SMB1001 certification tells your clients and partners you are not their weakest link. At Diamond, you govern your own suppliers with the same rigour.
Build security maturity that lasts
Certification isn't a snapshot. Controls are maintained continuously, and renewal every 12 months keeps your posture current as the threat landscape evolves. SMB1001 is a dynamic standard: it updates annually.
Satisfy regulatory requirements
Certain industries and jurisdictions are moving toward mandatory baseline security requirements for SMBs. SMB1001 certification provides a recognised, documented posture that satisfies most current and emerging regulatory expectations.
Prepare for ISO 27001
Diamond certification is intentionally designed as a pathway to ISO/IEC 27001. Completing Diamond provides most of the controls, evidence, and documentation ISO 27001 requires, making the jump to full ISMS certification significantly shorter.
We don't just advise. We do the work.
Most businesses attempting SMB1001 certification on their own spend weeks working out what evidence is required, whether their existing controls actually meet the standard, and how to present everything to a certifier.
CyberGrape manages the entire programme. From the initial gap assessment through remediation, policy documentation, evidence compilation, and certifier coordination: we handle it. You get the certificate.
For Platinum and Diamond, we manage the independent audit engagement too. You walk into the assessment confident everything is in order. We've done the preparation.
We assess, remediate, document evidence, and submit. You stay focused on the business.
We run the full programme and coordinate the independent audit on your behalf.
The CyberGrape platform keeps you certified
- Continuous control monitoring: gaps flagged before they become problems
- Evidence collected automatically from your integrated tools
- AI gap analysis grounded in real data, not assumptions
- Renewal is a review, not a project
Explore each tier in detail
Every tier has its own page: controls explained in plain English, CyberGrape's process, and answers to the most common questions.