SMB1001 - Tier 5 (Diamond)
Ultimate Cyber Resilience

Service Description
The Diamond tier encompasses everything in Platinum and adds the final layer of elite controls required for Level 5 compliance.
It is a comprehensive programme for organisations that demand the absolute best in cybersecurity – typically those with zero tolerance for data breaches, operating in high-risk or highly regulated environments, or aiming to be industry leaders in security. With Diamond, every aspect of your cybersecurity is not only managed and monitored, but also regularly tested and enhanced. This includes stringent data encryption, application whitelisting, adversary simulation (pen testing and social engineering exercises), and rigorous third-party risk management. In essence, Diamond leaves nothing to chance: it’s about anticipating threats, verifying that controls work, and preparing for worst-case scenarios so that your business remains resilient come what may.
Benefits
- Everything in Bronze
- Everything in Silver
- Everything in Gold
- Everything in Platinum
- Regulatory and Industry Leadership
- Resilience Against Advanced Threats
- Continuous Improvement & Vigilance
- Trust and Reputation at the Highest Level
- Complete Peace of Mind
- Certified Security
How it Works
Key Controls & Implemented Solutions
To fulfil the SMB1001 Tier 5 (Diamond) requirements, the CyberGrape Diamond package delivers the following technologies and services, each mapped to the requirement it satisfies:
Data Encryption at Rest
At Diamond level, we ensure all your important digital data is encrypted when stored, fulfilling control 1.8.0.0. This includes deploying full-disk encryption (e.g. Microsoft BitLocker or Apple FileVault) on all laptops, workstations, and servers holding sensitive information, as well as enabling encryption for databases and cloud storage buckets.
Should a device be lost or stolen, or if an attacker somehow bypasses other defences, the data remains unreadable without the encryption keys. We manage the encryption keys securely (often integrated with your identity management or a hardware security module) to balance security with ease of access for authorised users. The goal is that if an adversary does get in, they cannot access or exfiltrate clear data – it’s protected by strong cryptography at rest.
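As an added illustration of the control described above (example code written for this page, not CyberGrape's own tooling), the following PowerShell enables BitLocker on the operating system volume with a TPM protector, adds a recovery password and escrows it centrally, then reports any volume that is not both fully encrypted and protected. The escrow target (Entra ID via BackupToAAD-BitLockerKeyProtector) is an assumption; an on-premises Active Directory environment would use Backup-BitLockerKeyProtector instead. Run it from an elevated session on a device with a TPM.

```powershell
# Added example, not CyberGrape's tooling. Requires an elevated session and the BitLocker module.

function Enable-OsVolumeEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Output "$MountPoint is already protected."
        return $vol
    }

    # XTS-AES 256 is the strongest method Windows offers. The TPM releases the key only to
    # the measured boot chain, so a disk pulled from a stolen laptop is unreadable elsewhere.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

    # The numerical recovery password is the break-glass protector. Escrow it centrally so
    # recovery never depends on a key written down next to the device.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # Escrow target is an assumption for this example (Entra ID). On-prem AD would use
    # Backup-BitLockerKeyProtector instead.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    return $vol
}

function Get-UnprotectedVolumes {
    # Compliance check: anything not fully encrypted with protection on is a gap.
    # Removable drives show up here too, which is useful for spotting unencrypted USB media.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-OsVolumeEncryption | Out-Null
$gaps = Get-UnprotectedVolumes
if ($gaps) { $gaps | Format-Table -AutoSize } else { Write-Output 'All volumes are encrypted and protected.' }
```

In a managed estate the same settings are normally pushed by Group Policy or Intune rather than run by hand; the compliance function is the part worth scheduling, since it surfaces volumes that were decrypted, suspended or never finished encrypting.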
Application Control (Allowlisting)
To meet control 1.9.0.0, we implement strict application allowlisting on all user devices and servers. This means only approved, trusted applications can execute, and everything else is blocked by default. We use either the operating system’s built-in mechanisms (such as AppLocker or Windows Defender Application Control) or third-party allowlisting software. Our team works with you to build and maintain the list of approved applications, using cryptographic hash and publisher rules to ensure legitimacy. This control is extremely powerful: even if malware slips past other defences, it cannot run on the system if it is not on the allowed list. Implementing application control significantly reduces the threat from unknown or zero-day malware. We periodically review the approved list with you and update it as needed, ensuring security does not hinder the business when new tools are required.
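The publisher-and-hash approach described above, as an added AppLocker example (written for this page, not CyberGrape's own deployment scripts): it inventories the software installed on a reference machine, generates publisher rules for signed binaries with hash rules as the fallback for unsigned ones, writes the policy in audit mode so that would-be blocks are logged before anything is denied, and tests a file against the policy. The output path and the reference directories are assumptions.

```powershell
# Added example, not CyberGrape's tooling. Run elevated on a clean reference build.

$PolicyPath = 'C:\AppLocker\allowlist.xml'   # assumed location for this example

function New-AllowlistPolicy {
    param([string[]]$TrustedDirectories, [string]$OutFile)

    # Inventory what is actually installed. Publisher rules survive vendor updates;
    # hash rules pin unsigned binaries to an exact build.
    $info = $TrustedDirectories | ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script
    }
    $xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

    # Audit mode first: executions that would be blocked are logged as event 8003 in the
    # Microsoft-Windows-AppLocker/EXE and DLL log but still run, so the list can be tuned
    # with the business before enforcement.
    $xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

function Test-FileAgainstPolicy {
    param([string]$PolicyFile, [string]$Path, [string]$User = 'Everyone')
    # Reports the decision and the matching rule without touching the live policy.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User $User
}

function Publish-AllowlistPolicy {
    param([string]$PolicyFile)
    # AppLocker evaluates nothing unless the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
}

New-AllowlistPolicy -TrustedDirectories 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' -OutFile $PolicyPath

# A binary in a user-writable folder should come back as denied unless it is on the list.
Test-FileAgainstPolicy -PolicyFile $PolicyPath -Path "$env:USERPROFILE\Downloads\setup.exe"

# Publish-AllowlistPolicy -PolicyFile $PolicyPath   # run once the audit log is clean
```

The periodic review the text mentions is driven by that audit log: each 8003 event is either a legitimate tool that needs a rule or something that should never have been on the device.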
Disable Untrusted Macros
Diamond requires hardening against a common malware vector by disabling untrusted Microsoft Office macros across the organisation (control 1.10.0.0). We enforce Group Policies or O365 configuration such that Office applications (Word, Excel, etc.) do not run macros from documents downloaded from the internet or unknown sources. Macros are a known route for malware (like many ransomware infections), so by disabling them or allowing only digitally signed macros, we remove a whole class of threat. This policy is rolled out to all systems, including personal devices if they access company files. It’s a simple but high-impact safeguard: your staff can still use Office normally, but those sneaky macro viruses are effectively neutralised.
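The two settings that implement the policy above, as an added example (not CyberGrape's own configuration): Office reads its macro policy from per-user registry values under HKCU\Software\Policies, which is exactly where a Group Policy object writes them. blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark of the Web, and VBAWarnings = 3 disables all macros except digitally signed ones. The script applies both to Word, Excel and PowerPoint and then reports whether each value is in place, so it doubles as a compliance check on a device that should already be receiving the policy.

```powershell
# Added example, not CyberGrape's tooling. Values mirror the Office Group Policy settings.

$OfficeVersion = '16.0'                       # Office 2016 through Microsoft 365 share this key
$Apps = 'Word', 'Excel', 'PowerPoint'
# VBAWarnings: 1 enable all, 2 disable with notification, 3 disable except signed, 4 disable all
$Desired = @{ blockcontentexecutionfrominternet = 1; VBAWarnings = 3 }

function Get-SecurityKey {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-MacroHardening {
    foreach ($app in $Apps) {
        $key = Get-SecurityKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-MacroHardening {
    # One row per application and setting. A missing value reads as $null and is non-compliant,
    # which is the correct reading: with no policy Office falls back to its permissive default.
    foreach ($app in $Apps) {
        $key = Get-SecurityKey -App $app
        foreach ($name in $Desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Desired[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Desired[$name])
            }
        }
    }
}

Set-MacroHardening
Test-MacroHardening | Format-Table -AutoSize
```

Running only Test-MacroHardening across a fleet (for example as an Intune detection script) shows which devices the policy has not reached; that is the evidence an auditor will want for control 1.10.0.0.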
Comprehensive Security Testing (Red Team Exercises)
Diamond fulfils control 1.11.0.0 by conducting penetration testing, vulnerability assessments, and social engineering tests at least annually. We step up from Platinum’s scanning to full-blown simulated attacks. Our security experts (or partnered ethical hackers) perform a deep penetration test on your environment, attempting to bypass all the layers of defence. This includes network penetration, web application testing and cloud security assessments.
We also test the human factor, running social engineering exercises such as targeted phishing campaigns, vishing (phone scams), or even on-site intrusion attempts (with permission). These tests evaluate not just technology, but also whether employees follow procedures (e.g. not letting tailgaters into the office, reporting suspicious emails, etc.). After each annual exercise, we provide a detailed report and work with you to remediate any weaknesses found. The value here is enormous – you get to fix vulnerabilities under controlled conditions rather than learning of them the hard way. Each test makes your security posture that much stronger, and continuous annual testing ensures you keep up with evolving threats.
Digital Trust Program for Suppliers
Recognising that your security is only as strong as your weakest key supplier, Diamond introduces a Digital Trust programme for supply chain security (control 4.9.0.0). We help you establish security requirements and agreements with critical suppliers – those whose compromise could impact you. This involves creating a Digital Trust Agreement for each such supplier that sets minimum cybersecurity hygiene standards (often mirroring many SMB1001 controls) that the supplier must adhere to. For instance, you might require your supplier to have ISO 27001 certification or, if not, to implement specific controls like MFA, regular patching, and breach notification clauses. We assist in drafting these agreements and can provide a framework drawn from industry best practices. Additionally, as part of this programme, we offer continuous supplier risk monitoring: using tools like Black Kite or similar, we can monitor the external cyber risk posture of your key suppliers (scanning for leaked credentials, poor security on their domains, etc.) and alert you to potential issues. This way, you maintain visibility into your supply chain’s security and can work with suppliers to improve it. By having a formal supplier security programme, you significantly reduce the risk of a breach originating from a third-party partner, and you demonstrate due diligence, which is crucial for regulatory compliance in many sectors.
Enhanced Personnel Security (Background Checks)
Diamond also covers the human element internally. For all employees or contractors with administrative or sensitive access, we implement a police vetting / background check process (control 4.10.0.0). This means before someone is granted admin privileges or hired into a role like IT administrator, they undergo a criminal background check. The aim is to screen out individuals who might pose an insider threat or have a history of fraudulent activity. While this is more of an HR process, we include guidance on how to conduct vetting and can connect you with vetting services. We ensure this check is done for relevant personnel and documented. This adds an extra layer of trust that the people managing your critical systems are reliable.
Continuous Security Awareness & Culture
Building on Gold’s training, Diamond requires an ongoing security awareness campaign (enhancing 5.1.1.0). This is not a once-a-year training but a continuous programme that includes frequent phishing simulations, workshops, newsletters, and annual refreshers of policies with staff. We partner with you to roll out a calendar of awareness activities – for example, cybersecurity quizzes, internal phishing contests, updated e-learning modules on new threats, etc. By Diamond tier, cybersecurity is ingrained in daily business processes. Employees know how to spot sophisticated scams, and they remain alert both online and in terms of physical security (e.g. questioning unknown visitors, safeguarding their keycards). Metrics like reporting rates of phishing and training completion are tracked and improvements targeted. The result is a mature security culture where every individual feels responsible for safeguarding the organisation.
Incident Response Readiness Drills
Finally, Diamond ensures that not only do you have an incident response plan (from Gold) but that this plan is put into practice through regular drills. We fulfil control 5.2.0.0 by conducting annual incident response training exercises. This could be in the form of a tabletop exercise (walking through a hypothetical breach scenario with your leadership and IT teams) or full-scale live simulations (a “red team vs blue team” exercise where our team simulates an attack and your incident response team has to react). We can engage external specialists to facilitate these if needed, ensuring an unbiased and challenging scenario. These exercises validate that your team (and our team supporting you) know their roles during a crisis and that the incident response plan is effective and up-to-date. After each drill, we provide a debrief and update the plan with lessons learned. By doing this, if a real incident occurs, everyone knows what to do instinctively, drastically reducing confusion and response time. Essentially, Diamond makes sure that if “game day” comes, your incident response is as sharp as a well-rehearsed fire drill – everyone has practiced and is read

CyberGrape will get your business SMB1001 (Tier 5) Cyber Certified.
For businesses with a low risk profile, the CyberGrape Ultimate Cyber Resilience (Level 5) package provides the most comprehensive controls for the highest assurance.
Implementing this package positions your organisation to successfully achieve CyberCert Diamond SMB1001 certification, demonstrating to clients, partners, and insurers that you meet recognised security standards. Certification also provides third-party assurance and a publicly verifiable record of your commitment to responsible cyber risk management.
Don’t Wait for a Breach. Take Control of Your Cyber Risk Now.
Lock down your business with proactive, proven, certified cyber defence