Security stops being reactive at Silver.
Silver builds on Bronze with 10 additional controls. You're adding MFA, a password manager, email anti-spoofing, server patching, formal policies, and access controls. The difference between Bronze and Silver is the difference between having protections and having documented, repeatable security practices.
What Silver adds to Bronze
Bronze gets the technical basics in place. Silver formalises them. At this level, you're putting structure around how access is controlled, how email is authenticated, how invoices are verified, and how your servers are maintained.
The 10 new controls at Silver address the most common vectors attackers use against businesses that have basic protections but haven't formalised their practices: compromised email accounts, invoice fraud, shared logins, and unpatched servers.
Silver is also where you start building the policy infrastructure that Gold, Platinum, and Diamond build on. It's a meaningful step forward: not just a checkbox.
Who it's for
Businesses that have basic hygiene in place and want to formalise their security practices. Typically 10 to 50 staff, or any business that has completed Bronze and is ready to build on it.
What it proves
That you have operational security practices, not just tools: MFA on email, documented access controls, and formal policies for invoice handling and visitor management.
What comes next
Gold adds 10 more controls including EDR, full MFA across all applications, an incident response plan, a cybersecurity policy, and cyber insurance.
The 10 new Silver controls, explained plainly
Silver includes all 7 Bronze controls. These are the 10 that are new at this level. Each one addresses a real gap that attackers exploit.
TLS certificates on public websites
Every public-facing website your business operates needs a valid SSL/TLS certificate issued by a publicly trusted certificate authority, covering every hostname the site serves and renewed before it expires. This encrypts data in transit and is now a baseline expectation from browsers, search engines, and customers.
Servers updated and patched
Servers, whether on-premises, cloud-hosted, or managed by a third party, need a documented patching schedule. Critical patches must be applied within 14 days of release, and the regular patching cycle can't be longer than 6 months.
No admin privileges for standard accounts
Staff who don't need to install software shouldn't have admin rights. This limits the damage an attacker can do if they compromise a standard employee account. Applies to both local and domain accounts.
Individual user accounts for all employees
Every employee must have their own login. No shared accounts, no shared passwords. This makes it possible to trace activity, revoke access when someone leaves, and hold individuals accountable.
Password manager system
Privileged users must use a centralised, enterprise-grade password manager with MFA, role-based access control, and audit logging. This is the infrastructure that makes strong, unique passwords actually workable across a team.
MFA on all employee email accounts
Email is the single most attacked entry point for SMBs. Multi-factor authentication on every email account, including admin accounts, means a stolen password alone isn't enough to get in.
Email authentication and anti-spoofing (SPF)
Configure Sender Policy Framework (SPF) on every domain you use to send email, so receiving mail servers can check whether a message came from a host you have authorised. This makes it much harder for attackers to send emails that appear to come from your domain, a common tactic in invoice fraud and phishing attacks. Note that SPF only checks the envelope sender and only helps where the receiving server enforces it; treat it as the first step, with DKIM and DMARC the natural follow-ups.
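The mistakes that make an SPF record useless are easy to spot once you know them: no record at all, two `v=spf1` records (a permanent error, so receivers treat the domain as unprotected), a `+all` or `?all` terminator that authorises everyone, no `all` term, or more than ten DNS-lookup mechanisms (another permanent error). The following linter is an added example written for this page; it is not CyberGrape's or DSI's tooling. It runs offline against a constructed set of zones (`SAMPLE_ZONE`, invented data, not real DNS) rather than querying DNS, and it follows `include:` and `redirect=` the way a receiving server would when counting lookups.

```python
"""Offline SPF record linter (added example, not CyberGrape's or DSI's tooling).

Flags the SPF mistakes that leave a domain spoofable or break SPF evaluation.
Works on a dict of domain -> TXT records so it runs without network access.
"""
from __future__ import annotations

import re

# Constructed sample zone for the example: domain -> TXT records. Not real DNS data.
SAMPLE_ZONE: dict[str, list[str]] = {
    "good.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "loose.example": ["v=spf1 a mx +all"],
    "softfail.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "noall.example": ["v=spf1 ip4:198.51.100.7"],
    "double.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "nospf.example": ["google-site-verification=abc123"],
    "lookups.example": [
        "v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all"
    ],
}

# Mechanisms that cost a DNS query when a receiver evaluates them (RFC 7208 limit: 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
ALL_RE = re.compile(r"^([+\-~?]?)all$")


def spf_records(zone: dict[str, list[str]], domain: str) -> list[str]:
    """Return the TXT records on `domain` that start with v=spf1 (case-insensitive)."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]


def count_lookups(zone: dict[str, list[str]], domain: str, seen: set[str] | None = None) -> int:
    """Count DNS-query mechanisms, following include:/redirect= like a receiver would."""
    seen = seen if seen is not None else set()
    if domain in seen:  # loop guard; a real resolver would hit the 10-lookup limit instead
        return 0
    seen.add(domain)
    recs = spf_records(zone, domain)
    if len(recs) != 1:  # missing or duplicate record: nothing further is evaluated
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", term, maxsplit=1)[0]
        if name == "redirect":
            total += 1 + count_lookups(zone, term.split("=", 1)[1], seen)
        elif name in LOOKUP_MECHS:
            total += 1
            if name == "include" and ":" in term:
                total += count_lookups(zone, term.split(":", 1)[1], seen)
    return total


def lint_spf(zone: dict[str, list[str]], domain: str) -> list[str]:
    """Return a list of findings for `domain`; an empty list means the record looks sound."""
    recs = spf_records(zone, domain)
    if not recs:
        return ["NO_SPF: no v=spf1 record, so receivers cannot reject spoofed mail"]
    if len(recs) > 1:
        return ["MULTIPLE_SPF: more than one v=spf1 record is a PermError; the domain is unprotected"]
    findings: list[str] = []
    terms = [t.lower() for t in recs[0].split()[1:]]
    all_qualifier = None
    for term in terms:
        m = ALL_RE.match(term)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' defaults to pass
        if term.lstrip("+-~?").split(":", 1)[0] == "ptr":
            findings.append("PTR_MECHANISM: ptr is slow and unreliable; RFC 7208 says not to use it")
    if all_qualifier is None:
        findings.append("NO_ALL: record has no 'all' term, so unknown senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"WEAK_ALL: '{all_qualifier}all' lets any host send as this domain")
    elif all_qualifier == "~":
        findings.append("SOFTFAIL: '~all' is acceptable, but '-all' gives receivers a hard reject signal")
    lookups = count_lookups(zone, domain)
    if lookups > 10:
        findings.append(f"TOO_MANY_LOOKUPS: {lookups} DNS lookups exceed the limit of 10 (PermError)")
    return findings


if __name__ == "__main__":
    for d in SAMPLE_ZONE:
        print(d, "->", lint_spf(SAMPLE_ZONE, d) or "OK")
```

To check a real domain, replace `SAMPLE_ZONE` lookups with TXT queries from your resolver of choice and feed the results into the same `lint_spf` function; the logic does not change. Keep the lookup count well under ten, because every `include:` your mail provider adds to its own record counts against your domain.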
Confidentiality agreements
All staff, contractors, and third parties must be bound by confidentiality obligations before accessing organisational data or systems. This can be a signed NDA or a confidentiality clause in their contract.
Invoice fraud policy and procedures
Invoice fraud, where attackers redirect payments to their own accounts, is one of the most financially damaging cyber crimes for SMBs. Silver requires a documented policy with dual verification (confirmed through a second, independent channel) for bank account changes and sign-off thresholds for large transactions.
Visitor register
A written or digital register logging all visitors and contractors who enter staff-only areas. Records name, organisation, contact details, signature, and check-in/out times. Must be retained for at least six months.
Controls sourced from SMB1001:2026, published by Dynamic Standards International (DSI). Full standard available at dsi.org.
How CyberGrape gets you to Silver
Silver is where security practices need to be documented, not just operational. That means policies, access control records, training logs, and evidence of MFA deployment. CyberGrape builds all of that for you.
Gap assessment from your current posture
If you have Bronze, we assess the 10 new Silver controls. If you're starting fresh, we assess all 17. Either way, you know exactly where the gaps are before any work begins.
Implementation of missing controls
Whatever isn't yet in place, we handle: MFA deployment, password manager configuration, SPF record setup, server patching schedules, and invoice fraud policy drafting.
Policy documentation
The three new Silver policies (confidentiality agreements, invoice fraud procedures, and the visitor register) are drafted, reviewed, and signed off by your team.
Evidence package and submission
We compile the evidence the certifier requires and manage the submission process. You receive your Silver certificate, valid for 12 months.
What Silver certification delivers
- MFA protecting every employee email account, your most targeted asset
- Email anti-spoofing (SPF) that makes it much harder for attackers to impersonate your domain
- A password manager with audit logging and role-based access
- Documented policies for invoice fraud, confidentiality, and visitor management
- Server patching schedules that close vulnerabilities before they're exploited
- Individual user accounts: no shared logins, full accountability
- A recognised certificate valid for 12 months
Explore the full certification pathway
Silver is level two. Gold is where most businesses land for procurement and compliance purposes.