    Platinum: Level 4 · 32 Controls · Independent audit

    When self-attestation isn't enough, Platinum is the answer.

    Platinum is the first tier that requires independent verification by an accredited certifier rather than your own attestation alone. It adds vulnerability scanning, phishing-resistant MFA, cloud credential management, and a formally tested backup strategy. For organisations handling sensitive data or operating in regulated supply chains, this is where certification carries real weight.

    Total controls: 32
    New at Platinum: 5 controls
    Attestation: Independent audit
    Valid for: 12 months
    Typical timeline: 2–3 months

    What independent certification actually means

    At Bronze, Silver, and Gold, you self-attest through a certifier: you confirm the controls are in place, supported by evidence you've compiled. Platinum changes that. An independent Dynamic Standard Certifier (DSC), accredited by DSI, conducts its own assessment of your evidence and controls before certification is issued.

    That independence is what gives Platinum its weight. When you present a Platinum certificate to a major client, insurer, or procurement panel, they know an external auditor reviewed your controls, not only you.

    CyberGrape prepares everything and manages the certifier relationship. You focus on running the business. We make sure the audit goes smoothly.

    Who it's for

    Organisations with 100 or more staff, those handling sensitive or regulated data, businesses in supply chains that require higher assurance, and any organisation that wants externally verified certification rather than self-attestation.

    What it proves

    That your security posture has been independently verified. Vulnerability scanning is running on a documented schedule. Your MFA is phishing-resistant. Your cloud credentials are managed. Your backups have been tested.

    What comes next

    Diamond (Level 5) adds encryption at rest, application control, penetration testing, a managed detection and response service, and a supplier digital trust programme. For most organisations, Platinum is the right destination.

    The new Platinum controls, explained plainly

    Platinum includes all 27 Gold controls. These are the controls introduced or significantly upgraded at Level 4. Some existing Gold controls are also updated to a higher maturity standard at Platinum.

    1.1.1.0 · Technology · New / upgraded at Platinum

    MSP Service Level Agreement: incident response

    Your IT provider or MSP must have a documented SLA that guarantees key incident response staff are available within 8 working hours when something goes wrong. Vague support arrangements aren't enough at this level.

    1.7.0.1 · Technology · New / upgraded at Platinum

    Regular vulnerability scanning of internet-facing assets

    Every public-facing resource (web servers, VPN portals, APIs) must be scanned regularly for known vulnerabilities: high-risk assets weekly, medium-risk monthly, low-risk quarterly. If an external provider manages these assets, you need written confirmation that they are performing the scans.

    2.5.1.0 · Access · New / upgraded at Platinum

    Phishing-resistant MFA on email: stronger methods required

    At Gold, MFA on email was required. Platinum upgrades the method: only authenticator apps, hardware devices, or U2F tokens are acceptable. SMS, voice, and email codes are specifically excluded: they're too easy to intercept or redirect.

    2.8.0.0 · Access · New / upgraded at Platinum

    Cloud credential and IAM management

    Cloud access must be configured to minimise privileges across all accounts, including admin accounts. SSH keys and other remote access credentials must be stored securely: not on individual user devices. Where possible, cloud identity should be federated with your organisation's identity system.

    2.9.0.0 · Access · New / upgraded at Platinum

    MFA where important digital data is stored

    Any system or service storing critical, sensitive, or operational data needs MFA on all accounts: not just email. This closes a common gap where MFA is applied to email but not to the cloud storage, CRM, or document platform that holds your most valuable information.

    2.10.0.0 · Access · New / upgraded at Platinum

    MFA on VPN connections

    VPN access, whether from the internet or from the corporate network, must be protected by MFA. Not applicable if your organisation doesn't use VPN.

    2.11.0.0 · Access · New / upgraded at Platinum

    MFA on RDP connections

    Remote Desktop Protocol connections must be protected by MFA. Both internet-facing and internal RDP connections are in scope. Not applicable if your organisation doesn't use RDP.

    3.1.1.1 · Backup · New / upgraded at Platinum

    Enhanced backup and recovery strategy

    Platinum significantly extends the backup requirements from Gold. Backups must run at least weekly (ideally daily), retain at least 6 months of history, be aligned to your digital asset register, and include a tested restoration plan validated at least once per year. A register of where backups are stored and who can access them is also required.

    Controls sourced from SMB1001:2026, published by Dynamic Standards International (DSI). Full standard available at dsi.org.

    How CyberGrape manages your Platinum programme

    Platinum is a programme, not a point-in-time exercise. It requires ongoing management of vulnerability scanning, evidence maintenance, and an audit relationship with an independent certifier. CyberGrape takes all of that on.

    01

    Programme scoping and gap assessment

    We assess your posture against all 32 Platinum controls, identify gaps from your current Gold position (or from scratch), and build a remediation roadmap with timelines and ownership.

    02

    Technical implementation

    Vulnerability scanning deployment and scheduling, phishing-resistant MFA rollout, cloud IAM review and hardening, MSP SLA review and documentation: we implement or coordinate every technical requirement.

    03

    Evidence and documentation

    Scan reports, backup restoration test records, MFA configuration evidence, IAM access reviews, SLA documentation: we build the complete evidence package required for independent assessment.

    04

    Audit coordination

    We select and engage an accredited DSC on your behalf, prepare the submission package, brief the auditor, and manage the assessment process. You attend the audit confident everything is in order.

    05

    Continuous programme management

    Platinum controls require ongoing maintenance: monthly scans, quarterly evidence reviews, annual backup tests. CyberGrape keeps the programme running so renewal at 12 months is business-as-usual.

    What Platinum certification delivers

    Independently verified. Externally credible. Built for organisations where security posture is a competitive and compliance requirement.

    • Independent certification: an accredited auditor has verified your controls
    • Vulnerability scanning on all internet-facing assets, on a documented schedule
    • Phishing-resistant MFA: authenticator apps and hardware tokens only, no SMS
    • Cloud IAM hardened to least-privilege across all accounts including admin
    • MFA on VPN, RDP, and every system where important data is stored
    • Backup strategy tested, with documented restoration results
    • MSP SLA guaranteeing incident response availability within 8 working hours
    • A certificate that carries weight with major clients and insurers


    Explore the full certification pathway

    Platinum is independently audited. Diamond adds encryption, penetration testing, and supplier governance.