SMB1001 - Tier 4 (Platinum)

Proactive Security & Assurance

Platinum is the next evolution beyond Gold, adding proactive risk management and assurance measures on top of the enterprise-grade baseline. This tier aligns with SMB1001:2025 Platinum (Level 4) requirements, which extend into areas of regular vulnerability scanning, comprehensive multifactor coverage, and risk transfer through insurance.

Service Description

The Platinum package is designed for organisations that not only want top-notch internal security, but also need to continuously validate their defences and cover any remaining gaps through external support (such as insurance and third-party oversight).

The Platinum tier includes all Gold features and adds the controls needed to meet Level 4 standards, focusing on proactive security management and external assurance:

Regular Vulnerability Scanning & Penetration Testing (External)

We conduct regular scans of all public-facing systems to identify vulnerabilities (fulfilling control 1.7.0.0). This includes scheduled monthly external vulnerability scans of your websites, VPN gateways, cloud endpoints, etc., using enterprise-grade scanning tools. Any findings (open ports, outdated software, misconfigurations) are promptly remediated by our team in coordination with your IT staff. Essentially, we “attack” your systems before real attackers can, closing weaknesses proactively. Additionally, Platinum offers annual light penetration testing services – ethical hackers will attempt to breach your perimeter and report back any weaknesses. This exceeds the requirement for regular scanning and provides an extra layer of assurance that critical exposures are found and fixed.

Key Controls & Implemented Solutions

To fulfil the SMB1001 Tier 4 (Platinum) requirements, the CyberGrape Platinum package delivers the following technologies and services, mapped to each requirement:

Comprehensive Multi-Factor Authentication Everywhere

At Platinum, multi-factor authentication is non-negotiable on every access point. We ensure MFA is enforced wherever important data is stored (control 2.9.0.0) and for all remote access methods such as VPN and RDP (controls 2.10.0.0 and 2.11.0.0). In practice, this means that if you use a VPN, it will require MFA; if admins use RDP to access servers, they must go through an MFA-protected jump host or VPN first. Any cloud application or database holding sensitive data must have MFA on its accounts. We implement these using secure app-based authenticators or hardware tokens (no insecure SMS methods), in line with best practice. By removing any “MFA gaps”, we greatly reduce the risk of a breach via stolen credentials on high-value systems. (Many breaches start from a single account without MFA – Platinum ensures there are zero such single-factor accounts in your environment.)

Platinum addresses the nuanced control 2.8.0.0, which covers managing remote-access cloud credentials. We help you implement strict Identity and Access Management (IAM) policies for cloud services: enforcing least privilege for cloud admin roles, using centralised identity federation (linking cloud accounts to your primary corporate identity provider), and securing API keys or SSH keys in a vault. For example, AWS or Azure root account keys are secured offline; developers’ cloud keys are rotated regularly and stored securely (not left on laptops). We document all cloud accounts and ensure any remote access methods to cloud (such as SSH into VMs) are locked down with keys and MFA and are monitored. This closes a common gap where cloud platforms might otherwise be overlooked in on-prem security programs.

Building on Gold’s backup strategy, Platinum requires a thoroughly robust backup regimen (control 3.1.1.0). We ensure your backup strategy is aligned to your asset register (so all critical assets are covered), with multiple backup locations and at least six months of retention. Importantly, annual disaster recovery testing is included – we perform a test restore of critical systems at least once per year to verify data can be recovered efficiently. We also implement backup integrity checks and offline backup copies (to protect against ransomware that tries to delete backups). This level of preparedness means that even in a worst-case incident, data loss is minimal, and recovery is assured.
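As an added illustration of the checks described above (not CyberGrape's own tooling), the following Python script audits a constructed backup catalogue against a constructed asset register: every asset must be backed up to at least two locations, with at least six months of retention, an offline copy, a test restore within the last year, and a copy whose hash still matches its payload. The asset names, locations, dates and payload are all sample data invented for the example.

```python
"""Audit a backup catalogue against the Platinum-style backup requirements.

All asset names, locations, dates and payloads below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_MIN_DAYS = 182      # at least six months of restore points
RESTORE_TEST_MAX_DAYS = 365   # a successful test restore at least annually

# Constructed sample payload standing in for a backup image.
SAMPLE_PAYLOAD = b"constructed backup payload for the file server"


@dataclass
class BackupCopy:
    location: str              # where the copy lives (constructed names)
    offline: bool              # True if the copy is air-gapped / immutable
    oldest_restore_point: date  # earliest restore point still retained
    sha256: str                # hash recorded when the copy was written


@dataclass
class AssetBackup:
    asset: str
    copies: List[BackupCopy]
    last_test_restore: Optional[date]


def verify_copy_integrity(copy: BackupCopy, payload: bytes) -> bool:
    """Integrity check: the stored copy must still hash to its recorded digest."""
    return hashlib.sha256(payload).hexdigest() == copy.sha256


def audit(asset_register: List[str], catalogue: List[AssetBackup],
          today: date) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for every requirement that is not met."""
    findings = []
    by_asset = {b.asset: b for b in catalogue}
    for asset in asset_register:
        backup = by_asset.get(asset)
        if backup is None:
            # Asset register and backup coverage are out of sync.
            findings.append((asset, "not in backup catalogue"))
            continue
        if len({c.location for c in backup.copies}) < 2:
            findings.append((asset, "fewer than two backup locations"))
        if not any(c.offline for c in backup.copies):
            findings.append((asset, "no offline copy"))
        for c in backup.copies:
            if (today - c.oldest_restore_point).days < RETENTION_MIN_DAYS:
                findings.append((asset, f"retention under six months at {c.location}"))
        if (backup.last_test_restore is None
                or (today - backup.last_test_restore).days > RESTORE_TEST_MAX_DAYS):
            findings.append((asset, "no test restore in the last year"))
    return findings


# Constructed sample data: one compliant asset, one with several gaps,
# and one asset that is in the register but has no backup at all.
TODAY = date(2025, 9, 1)
ASSET_REGISTER = ["file-server", "erp-db", "mail-archive"]
CATALOGUE = [
    AssetBackup(
        asset="file-server",
        copies=[
            BackupCopy("onsite-nas", False, date(2025, 1, 5),
                       hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()),
            BackupCopy("cloud-vault", True, date(2025, 1, 5),
                       hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()),
        ],
        last_test_restore=date(2025, 3, 10),
    ),
    AssetBackup(
        asset="erp-db",
        copies=[BackupCopy("onsite-nas", False, date(2025, 7, 1), "")],
        last_test_restore=None,
    ),
]


def run_sample_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample data."""
    return audit(ASSET_REGISTER, CATALOGUE, TODAY)


if __name__ == "__main__":
    for asset, finding in run_sample_audit():
        print(f"{asset}: {finding}")
    ok = verify_copy_integrity(CATALOGUE[0].copies[0], SAMPLE_PAYLOAD)
    print(f"file-server onsite copy integrity: {'ok' if ok else 'MISMATCH'}")
```

On the sample data the file server passes every check, the ERP database produces four findings (single location, no offline copy, short retention, no test restore), and the mail archive is flagged as missing from the catalogue entirely. A real audit would read the register and catalogue from the backup platform and asset inventory instead of the inline constants.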

Recognising that even with best efforts incidents can occur, Platinum includes support for obtaining and maintaining a Cyber Insurance policy (fulfilling control 3.2.0.0). Our vCISO will help you navigate the cyber insurance process – from selecting appropriate coverage to ensuring you meet the insurer’s security prerequisites (many of which are naturally satisfied by being at Platinum level). Should an incident happen, we assist with the data and reports needed for claims. Having insurance adds financial protection for response and recovery costs. We essentially integrate your insurance into your security program: treating it as a last-resort safety net, while ensuring you maximise any premium discounts by demonstrating your strong security posture (insurers often give better rates if you can prove regular vulnerability scans, employee training, etc., which Platinum provides).

At Platinum tier, the relationship is often closer. We designate a senior security advisor or technical account manager who meets with you quarterly to review reports, scan results, and any incidents. This is an enhancement of the vCISO service – more face-time and strategic planning. It aligns with control 1.1.1.0, which emphasises having a reliable specialist available for cybersecurity needs. In practice, you have an experienced security professional virtually “on retainer” who knows your environment intimately and can coordinate improvements or incident handling with minimal delay. The SLA for incident response is tightened (e.g. aiming for immediate acknowledgment and swift on-site support if needed). Essentially, Platinum means you have a partner deeply invested in your security success, akin to having an extension of your team.

We assist in maintaining not just SMB1001 compliance but also preparing for any other standards or client-required audits. For instance, if you need ISO 27001 down the track or have to answer supplier security questionnaires frequently, the Platinum service ensures all evidence (vulnerability scan reports, training records, policy documents) is up to date and readily available. We also include annual security assurance reviews – a comprehensive audit of your security controls against the Platinum requirements, to identify any gaps or areas for improvement. This self-audit approach ensures that when external auditors or clients examine your security, there are no surprises. It’s a proactive check that your controls not only exist on paper but are effective and improving continuously.

CyberGrape will get your business SMB1001 (Tier 4) Cyber Certified.

For businesses with a low risk profile, the CyberGrape Proactive Security & Assurance (Level 4) package provides comprehensive controls for high-risk, critical sectors.

Implementing this package positions your organisation to successfully achieve CyberCert SMB1001 Platinum Level 4 certification, demonstrating to clients, partners, and insurers that you meet recognised security standards. Certification also provides third-party assurance and a publicly verifiable record of your commitment to responsible cyber risk management.

Considering a different Tier of certification?

CyberGrape can support your business in the other tiers of SMB1001 certification:

Bronze

Silver

Gold

Diamond