The highest SMB1001 tier. For organisations where security maturity is non-negotiable.
Diamond adds 7 controls to Platinum's 32: bringing the total to 39. Encryption at rest, application control, annual penetration testing including social engineering, a 24/7 managed detection and response service, a supplier digital trust programme, police vetting for privileged staff, and live incident response exercises. It requires independent certification. Nothing is self-attested at this level.
Proactive threat testing
Annual penetration testing and social engineering assessments mean you're finding your vulnerabilities before attackers do: not after. External specialists probe your infrastructure and your people. The results drive remediation, not just reports.
24/7 managed detection
MDR means a security operations team is watching your environment around the clock. Alerts are investigated by humans, not just flagged by software. Threats are contained before they spread. Response timeframes are contractually guaranteed.
Supply chain security
Your suppliers can be the way in. Diamond's digital trust programme ensures every supplier in your ecosystem meets minimum cyber hygiene standards, and is contractually required to tell you immediately if they're compromised.
What Diamond means beyond the controls
Diamond is SMB1001's highest tier. At this level, security isn't a project: it's an ongoing programme with continuous monitoring, annual testing, and supplier governance that extends your posture beyond your own four walls.
Independent certification at Diamond means an accredited DSC has assessed 39 controls across your entire organisation. Not a sample. Not a self-assessment. A full, external review.
For organisations bidding on major government contracts, operating in regulated industries, or sitting at the top of a supply chain where downstream partners are required to meet security standards, Diamond is the credential that closes the conversation.
Who it's for
Organisations with mature, comprehensive security programmes. Regulated industries. Significant supply chain participants. Businesses bidding on government contracts requiring maximum assurance. Typically 100+ staff but relevant to any organisation with a high-risk profile.
What it proves
That your security posture has been independently verified at the highest SMB1001 level. Encryption is in place. Penetration testing has been conducted. MDR is running. Your suppliers are governed. Your people have been tested.
How it relates to ISO 27001
Diamond is intentionally designed as a stepping stone to ISO 27001. Completing Diamond gives you most of the foundational controls and documentation that ISO 27001 requires: making the path to full ISO certification significantly shorter.
The new Diamond controls, explained plainly
Diamond includes all 32 Platinum controls. These are the controls introduced or significantly upgraded at Level 5: the ones that complete the picture.
Encryption of important data at rest
All critical, confidential, sensitive, and personally identifiable data must be encrypted where it is stored: on servers, workstations, laptops, external drives, and cloud services. For personal devices used for work, no data should be stored locally if avoidable; where it is, the device itself must be encrypted.
Application control
Only approved applications are permitted to run on workstations and laptops. This is enforced using cryptographic hash rules, publisher certificate rules, or path rules: not just an honour system. The approved application list must be defined, reviewed, and maintained. This is one of the most effective controls against malware.
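As an added example (not code from the original page or from CyberGrape), this PowerShell script summarises the effective AppLocker policy on a Windows workstation so the three rule types the control names (hash, publisher, path) can be reviewed per collection. It assumes the AppLocker module is present (Windows Enterprise or Server) and administrative rights; the "weak path" pattern is an assumed heuristic, not part of the standard.

```powershell
# Added example: audit the effective AppLocker policy on this machine.
# Assumes Get-AppLockerPolicy is available and the script runs elevated.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$report = foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # The three rule types correspond to hash, publisher certificate and path rules
    $hashRules      = $collection.SelectNodes('FileHashRule').Count
    $publisherRules = $collection.SelectNodes('FilePublisherRule').Count
    $pathRules      = $collection.SelectNodes('FilePathRule').Count

    # Assumed heuristic: allow-by-path rules pointing at user-writable locations
    # (or everything) let unapproved code run and deserve a second look.
    $weakPaths = @($collection.SelectNodes('FilePathRule') |
        Where-Object { $_.Action -eq 'Allow' } |
        ForEach-Object { $_.Conditions.FilePathCondition.Path } |
        Where-Object { $_ -match '^\*$|%TEMP%|%APPDATA%|%LOCALAPPDATA%|\\Users\\' })

    [pscustomobject]@{
        Collection      = $collection.Type             # Exe, Msi, Script, Dll, Appx
        Enforcement     = $collection.EnforcementMode  # Enabled, AuditOnly, NotConfigured
        HashRules       = $hashRules
        PublisherRules  = $publisherRules
        PathRules       = $pathRules
        BroadPathAllows = ($weakPaths -join '; ')
    }
}

$report | Format-Table -AutoSize

# A collection that is not in Enabled mode only logs; it is the honour system the control rules out
$report | Where-Object { $_.Enforcement -ne 'Enabled' } | ForEach-Object {
    Write-Warning "$($_.Collection) rules are in mode '$($_.Enforcement)' and are not enforced"
}
```

Run it on a representative workstation before the audit; the table doubles as evidence that the approved list is defined and enforced rather than merely documented.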
Disable untrusted Microsoft Office macros
Macros in Office documents are a common malware delivery mechanism. All untrusted macros must be disabled across all workstations, laptops, and servers. 'Enable all macros' must never be selected.
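As an added example (not from the original page or from CyberGrape), this PowerShell script reads the Group Policy macro settings for Word, Excel and PowerPoint on a workstation and reports whether the forbidden 'Enable all macros' state is present. It assumes Office 2016 or later (registry version 16.0) with policy applied under the user hive; the VBAWarnings value meanings are Microsoft's documented ones.

```powershell
# Added example: check the Office macro policy on this workstation.
# Assumes Office 16.0 policies under HKCU:\Software\Policies\Microsoft\Office\16.0.
# VBAWarnings: 1 = enable all (never acceptable), 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all without notification.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $apps) {
    $key   = Join-Path $base "$app\Security"
    $warn  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    if ($null -eq $warn) {
        $status = 'NOT CONFIGURED: user can choose in Trust Center'
    }
    else {
        $status = switch ($warn) {
            1       { 'FAIL: Enable all macros is selected' }
            2       { 'WEAK: disabled with notification, user can click through' }
            3       { 'OK: only digitally signed macros run' }
            4       { 'OK: all macros disabled without notification' }
            default { "UNKNOWN value $warn" }
        }
    }

    # Mark-of-the-Web blocking stops macros in files that arrived from the internet
    $motw = if ($block -eq 1) { 'internet macros blocked' } else { 'internet macros NOT blocked by policy' }
    $warnText = if ($null -eq $warn) { '-' } else { "$warn" }
    '{0,-10} VBAWarnings={1,-2} {2}; {3}' -f $app, $warnText, $status, $motw
}
```

Any line reporting FAIL or NOT CONFIGURED is a gap against this control; servers used for document handling should be checked the same way.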
Annual penetration, vulnerability and social engineering testing
An external specialist must conduct a full penetration test and vulnerability assessment at least once per year. The engagement must also include social engineering testing: assessing how susceptible your staff are to phishing, vishing, and physical security bypass attempts.
EDR with Managed Detection and Response (MDR) service
Diamond upgrades EDR to include a Managed Detection and Response service. An external MDR provider monitors your environment continuously, investigates alerts, and provides containment and remediation guidance for confirmed threats: backed by a formal SLA covering detection, triage, and response timeframes.
Phishing-resistant MFA on all business apps and social media
At Platinum, phishing-resistant MFA was required for email. Diamond extends this standard to all cloud business applications and social media accounts: authenticator apps, hardware tokens, or U2F devices only. SMS and email codes are not acceptable.
Enhanced incident response plan: with breach notification procedures
Diamond requires a more comprehensive incident response plan than Gold. It must include communication templates and playbooks for customers, staff, investors, media, and authorities. It must also include guidance for identifying whether data exposure has occurred and the subsequent notification obligations under applicable data breach laws.
Enhanced digital asset register: with personal data mapping
The Diamond asset register goes beyond listing where data is stored. It must identify all digital assets containing personal data, map who and which external providers have access to each, and be audited annually to confirm it remains current and accurate.
Digital trust programme with suppliers
A formal, risk-based programme governing your suppliers' cyber hygiene. Suppliers without ISO 27001 (or equivalent) must meet minimum cyber hygiene requirements aligned to SMB1001. All suppliers must contractually notify you of any cyber incident. You review the scope of any certifications they hold to ensure relevance.
Police vetting for privileged access staff
All employees and contractors with administrative privileges or regular after-hours access to your premises must undergo police vetting checks. This includes cleaning contractors and maintenance staff with physical access outside business hours.
Incident response plan testing: red team, blue team, or purple team
The incident response plan must be tested in a live exercise at least once per year: not just reviewed. Red team, blue team, or purple team exercises with your incident response staff, ideally facilitated by an external specialist. This is how you find out if the plan actually works before a real incident forces the question.
Controls sourced from SMB1001:2026, published by Dynamic Standards International (DSI). Full standard available at dsi.org.
How CyberGrape manages your Diamond programme
Diamond requires coordinating multiple specialist engagements (penetration testing, MDR deployment, supplier programme management, an expanded audit) alongside everything Platinum already demands. CyberGrape takes on the programme management so you have a single point of accountability.
Programme scoping from your Platinum baseline
We assess your posture against all 39 Diamond controls, build a remediation roadmap, and sequence the engagements (penetration testing, MDR deployment, supplier programme) in the right order.
Technical implementation
Encryption configuration across all relevant systems, application control deployment, macro policy enforcement, MDR service onboarding through Arctic Wolf or CrowdStrike: we implement or coordinate every technical requirement.
Penetration testing and social engineering
We engage Blacklock, our CREST-accredited pentesting partner, to conduct the annual penetration test and social engineering assessment. Results are reviewed, remediation is tracked, and findings are packaged as evidence for the audit.
Supplier digital trust programme
We help you build and operate the supplier programme: risk-tiering your suppliers, defining minimum requirements, drafting the contractual notification obligations, and reviewing any certifications they hold.
Incident response exercise
We design and facilitate the annual incident response plan test: tabletop exercises, red/blue team scenarios, or purple team engagements depending on your team's maturity. Findings are documented as evidence.
Independent audit coordination and ongoing management
We manage the DSC engagement, prepare the full evidence package, and brief the auditor. Ongoing programme management keeps all 39 controls current for annual renewal.
What Diamond certification delivers
The highest independently verifiable security posture available under SMB1001, and a foundation for ISO 27001.
- All 32 Platinum controls, independently verified
- Encryption at rest across all systems storing sensitive data
- Application control: only approved software can run
- Annual penetration test and social engineering assessment
- 24/7 MDR with contractual response time guarantees
- Phishing-resistant MFA on every business application
- Supplier digital trust programme with contractual incident notification
- Enhanced incident response plan with breach notification procedures
- Police vetting for all staff with administrative or physical access
- Annual live incident response exercise
- A Diamond certificate: the highest SMB1001 credential, independently audited
Explore the full certification pathway
Diamond is the summit. Every tier below it builds toward it. Most businesses land at Gold or Platinum.