Every secure business starts somewhere.
Bronze is the foundation. Seven controls that cover the basics every business needs: a firewall, antivirus, patching, strong passwords, a backup, and staff who know what to watch for. If your security hasn't been formally assessed before, this is where you begin.
What does Bronze actually mean?
Bronze is SMB1001 Level 1. It's the globally recognised starting point for small businesses that want to demonstrate they've taken cybersecurity seriously, without the complexity and cost of enterprise-grade frameworks.
It covers the controls that stop the most common attacks: phishing, ransomware, and credential theft. Not because they're the only threats, but because they're the ones most likely to hit a business your size.
Certification is self-attested through an accredited certifier. CyberGrape handles every step, from the initial gap assessment through to evidence documentation and submission. You get the certificate. We do the work.
Who it's for
Businesses starting their security journey. Typically fewer than 20 staff or under $1M annual revenue, though any organisation can certify at Bronze.
What it proves
That you've implemented baseline protections across technology, access control, backup, and staff awareness. Sufficient for many supplier and insurer requirements at the foundational level.
What comes next
Silver adds 10 more controls covering formal policies, MFA and password management. Most businesses use Bronze as a 3-to-6 month stepping stone.
The 7 Bronze controls, explained plainly
These aren't bureaucratic checkboxes. Each control addresses a real risk. Here's what each one requires and why it matters.
Engage a technical support specialist
Have a trusted IT professional or MSP you can call on. They don't need to be full-time, but they need to be reliable. This is the person who helps you implement the rest of the controls.
Install and configure a firewall
A firewall is the gate between your network and the internet. It needs to be installed, configured correctly, and have its default password changed. Every device should have its firewall switched on.
Install antivirus on all devices
Every computer, laptop, and phone used for work needs up-to-date antivirus software. For mobile devices, this means using only official app stores and keeping built-in security protections active.
Automatic software updates and patches
Outdated software is one of the most common ways attackers get in. Set everything (operating systems, apps, browsers) to update automatically. If something can't auto-update, patch it manually at least every three months.
Strong password hygiene
Every device and account needs a strong, unique passphrase. Default passwords must be changed immediately. If a breach happens, passwords need to be updated within 30 days. If you use password expiry, rotate them at least once a year.
Backup and recovery strategy
You need at least one offline backup of your critical data (email, files, client records), stored separately from your main network. If ransomware hits, this is what saves you. Test that backups actually restore.
Cybersecurity awareness training
Every staff member needs to understand the threats they face, what they're responsible for, and what to do if they suspect something's wrong. Keep a record of who has completed training.
Controls sourced from SMB1001:2026, published by Dynamic Standards International (DSI). Full standard available at dsi.org.
How CyberGrape gets you to Bronze
Most businesses trying to self-certify spend weeks figuring out what evidence is required, how to document it, and whether they've actually met each control. We've done this hundreds of times. You get the outcome without the headache.
Gap assessment
We review your current security posture against all 7 Bronze controls and tell you exactly where you stand.
Remediation support
For any control not yet met, we implement the fix: firewall configuration, antivirus deployment, backup setup, password policies, training.
Evidence package
We document everything the certifier needs: screenshots, configuration records, policy acknowledgements, training logs.
Submission and certificate
We manage the certifier engagement and submission. You receive your Bronze certificate, valid for 12 months.
What Bronze certification delivers
- A recognised certificate you can show clients, insurers, and procurement teams
- Documented evidence for every control, ready for audits or contract requirements
- A clear security baseline to build on as you grow
- Staff who understand basic cyber threats and their responsibilities
- An offline backup strategy that protects you from ransomware
- 12 months of certification validity, managed through the CyberGrape platform

