CyberGrape

Gold · Level 3 · 27 Controls · Self-attested · Most popular

    The tier that wins contracts, satisfies insurers, and proves you're serious.

    Gold is the most sought-after SMB1001 tier. At this level you have EDR, full MFA across all applications, email authentication, a formal cybersecurity policy, an incident response plan, cyber insurance, and an ongoing security awareness programme. It's where security maturity becomes demonstrable.

Total controls: 27
New at Gold: 10 controls
Attestation: Self-attested
Valid for: 12 months
Typical timeline: 4–8 weeks

    Procurement and contracts

    Tenders, government suppliers, and enterprise clients are increasingly asking for evidence of cyber maturity. Gold certification is the answer to that question: a recognised credential that doesn't require you to fill out a different questionnaire for every client.

    Cyber insurance

Insurers are scrutinising security posture more carefully than they did two years ago. Gold certification, particularly its EDR, MFA, and incident response controls, directly addresses the underwriting questions most insurers ask.

    Real incident readiness

    Gold isn't just about compliance. The incident response plan, EDR deployment, and security awareness programme mean that when something happens (and it will), your business can respond, contain, and recover without it becoming a catastrophe.

    The 10 new Gold controls, explained plainly

    Gold includes all 17 Silver controls (and all 7 Bronze controls beneath them). These are the 10 that are introduced at Level 3, and they're the controls that make the biggest difference to your security posture.

1.12.0.0 · Technology · New at Gold

    Endpoint Detection and Response (EDR)

    Antivirus catches known threats. EDR catches behaviour that looks malicious even when the threat is new. It monitors all workstations, laptops and servers continuously, flags anomalies, and can isolate a device automatically when something suspicious happens.

2.4.1.1 · Access · New at Gold

    Password manager: extended to all users

    At Gold, the password manager requirement extends to all staff who manage more than one credential. The system must support audit logging, role-based access, MFA, and staff education on credential hygiene.

2.6.0.0 · Access · New at Gold

    MFA on all business applications and social media

    MFA on email was required at Silver. Gold extends this to every cloud-hosted business application and social media account. Any account associated with your business is a potential entry point: this control closes that door.

2.7.0.1 · Access · New at Gold

    RDP only over VPN

    Remote Desktop Protocol should never be exposed directly to the internet. If your team uses RDP, it must only be accessible through a centrally managed VPN or application proxy. Not applicable if you don't use RDP.

2.12.1.0 · Access · New at Gold

Email authentication: DKIM and DMARC added

    Bronze added SPF. Gold extends this to DKIM (cryptographic email signing) and DMARC (which tells receiving mail servers what to do with unauthenticated messages). Together, these three protocols make it very difficult to spoof your domain.
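The three records above are public DNS TXT data, so whether a domain actually meets this control can be checked from the outside. The following script is an added example written for this page, not CyberGrape's tooling or anything from the SMB1001 standard: it parses SPF, DKIM and DMARC record strings that you have already fetched (for example with `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com` and `dig TXT _dmarc.example.com`) and reports which of the three are present and enforcing. The pass thresholds (SPF ending in `~all` or `-all`, at least one DKIM selector with a non-empty key, DMARC `p=quarantine` or `p=reject` at `pct=100`) are this example's assumptions about what "makes it very difficult to spoof your domain", not wording from the standard, and the sample records at the bottom are constructed, not real domains' data.

```python
"""Check SPF, DKIM and DMARC TXT records against the Gold email-authentication control.

Added example, not CyberGrape's code. Operates on record strings already
fetched from DNS; the pass/fail thresholds are this example's assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class EmailAuthFindings:
    spf_ok: bool
    dkim_ok: bool
    dmarc_ok: bool
    issues: list = field(default_factory=list)


def parse_tag_list(record: str) -> dict:
    """Parse 'tag=value; tag=value' text (the DKIM and DMARC TXT syntax) into a
    lower-cased tag dict. Parts without '=' are skipped rather than raising."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs plus the qualifier
    written on 'all'. Returns {} when the string is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Return the DMARC tag dict, or {} when the record does not start v=DMARC1."""
    tags = parse_tag_list(record)
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_email_auth(spf_record, dkim_records, dmarc_record) -> EmailAuthFindings:
    """spf_record: TXT at the bare domain (or None); dkim_records: TXT found at
    <selector>._domainkey.<domain> for each selector in use; dmarc_record: TXT
    at _dmarc.<domain> (or None)."""
    issues = []

    # SPF (Bronze): present, and unlisted senders must fail (-all) or soft-fail (~all).
    spf = parse_spf(spf_record or "")
    spf_ok = bool(spf) and spf["all"] in ("-", "~")
    if not spf:
        issues.append("SPF: no v=spf1 record published")
    elif not spf_ok:
        issues.append(f"SPF: 'all' qualifier is {spf['all']!r}; expected ~all or -all")

    # DKIM: at least one selector publishes a non-empty key (an empty p= means revoked).
    dkim_ok = any(parse_tag_list(rec).get("p") for rec in dkim_records)
    if not dkim_ok:
        issues.append("DKIM: no selector publishes a public key (p=)")

    # DMARC: present, enforcing, and applied to the whole mail stream.
    dmarc = parse_dmarc(dmarc_record or "")
    policy = dmarc.get("p", "").lower()
    pct = dmarc.get("pct", "100")  # DMARC defaults pct to 100 when absent
    dmarc_ok = policy in ("quarantine", "reject") and pct == "100"
    if not dmarc:
        issues.append("DMARC: no v=DMARC1 record at _dmarc.<domain>")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={policy or '(missing)'} only monitors; expected quarantine or reject")
    elif pct != "100":
        issues.append(f"DMARC: pct={pct} leaves part of the mail stream unenforced")
    if dmarc and "rua" not in dmarc:
        issues.append("DMARC: no rua= address, so aggregate reports are not collected")

    return EmailAuthFindings(spf_ok, dkim_ok, dmarc_ok, issues)


# Constructed sample records (not real domains' data): one passing, one failing setup.
GOOD_SPF = "v=spf1 include:_spf.mail-provider.example -all"
GOOD_DKIM = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey"]
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ?all"  # ?all is neutral: no enforcement
WEAK_DKIM = []                                               # no selector published at all
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, args in (("good", (GOOD_SPF, GOOD_DKIM, GOOD_DMARC)),
                        ("weak", (WEAK_SPF, WEAK_DKIM, WEAK_DMARC))):
        print(label, assess_email_auth(*args))
```

The `weak` sample is the state most businesses are in before Gold: SPF published but neutral, no DKIM key, and a DMARC record at `p=none` that merely reports. Each of those shows up as its own issue line, which is the kind of gap report the assessment step later on this page produces for this control.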

3.2.0.0 · Backup · New at Gold

    Business or cyber insurance

    A policy that covers cyber incidents: ransomware recovery, incident response costs, business interruption, and notification expenses. This is the financial safety net that lets you survive a serious incident without it destroying the business.

4.4.0.0 · Policies · New at Gold

    Cybersecurity policy

    A formal document defining your security requirements, staff responsibilities, and acceptable use. Every employee reads and signs it. This is the foundation of a security culture: it makes expectations explicit and creates accountability.

4.5.0.0 · Policies · New at Gold

    Incident response plan

    A documented plan for what to do when something goes wrong. Who to call, what steps to follow, how to communicate with customers and law enforcement, and how to contain and recover from the incident. Having this before you need it is everything.

4.6.0.0 · Policies · New at Gold

    Secure physical document destruction

Sensitive paper documents (contracts, financial records, HR files) must be shredded or disposed of through a secure destruction service. Physical data exposure is a real risk that digital security can't address.

4.7.0.0 · Policies · New at Gold

    Secure device disposal

    Old computers, hard drives, USBs, and media must be wiped beyond recovery before disposal, resale, or donation. If the device contained sensitive data and the storage isn't properly destroyed, it can become a breach.

4.8.0.0 · Policies · New at Gold

    Digital asset register

    A maintained inventory of where your sensitive and critical data lives: which servers, cloud services, drives, and devices hold what. You can't protect what you haven't catalogued, and you can't recover what you don't know exists.

4.11.0.0 · Policies · New at Gold

    AI use policy

    A policy governing how AI tools are used within your organisation: what's acceptable, what data employees can feed into AI systems, how risks are managed, and how compliance with privacy regulations is maintained. AI usage without a policy is a growing and underappreciated risk.

5.1.1.0 · Training · New at Gold

    Ongoing cybersecurity awareness campaign

    At Bronze, basic training was required. Gold extends this to a continuous awareness programme: phishing simulation, vishing awareness, email safety, invoice fraud, physical security, and an annual policy review. Security culture is built over time, not in a single session.

    Controls sourced from SMB1001:2026, published by Dynamic Standards International (DSI). Full standard available at dsi.org.

    How CyberGrape gets you to Gold

    Gold isn't just more controls. It's a fundamentally different posture: one that requires policy drafting, technology deployment, and evidence that stands up to scrutiny. CyberGrape manages every part of that journey.

01 · Current posture assessment

    We map your existing security against all 27 Gold controls. You get a clear gap report: what's in place, what's missing, what needs to be updated from Bronze or Silver versions.

02 · Technology deployment

    EDR on all endpoints, full MFA rollout including app-by-app configuration, DKIM/DMARC email authentication setup, password manager extension across the business: we implement it all.

03 · Policy suite development

    Cybersecurity policy, incident response plan, AI use policy, digital asset register, device disposal procedures, physical document destruction process: drafted to your business context and signed off by your team.

04 · Evidence package and submission

    Every control needs documented evidence. We build the evidence package, manage the certifier engagement, and see the submission through to your Gold certificate.

05 · Ongoing management

    Your CyberGrape Platform subscription keeps controls monitored continuously. Renewal at 12 months is a review, not a scramble.

    What Gold certification delivers

    The controls, the certificate, and the posture that procurement teams and insurers are looking for.

    • EDR monitoring all endpoints continuously: detecting threats that antivirus misses
    • MFA across every business application and social media account
    • Full email authentication (SPF + DKIM + DMARC): stops domain spoofing
    • A signed cybersecurity policy, understood by every employee
    • An incident response plan ready before you need it
    • Cyber insurance providing financial protection when an incident occurs
    • An AI use policy that keeps your business and customer data protected
    • A digital asset register that maps where sensitive data lives
    • Ongoing security awareness training for all staff
    • A recognised Gold certificate, valid for 12 months

    Explore the full certification pathway

    Gold is where most SMBs land. Platinum and Diamond are for organisations building toward full governance maturity.