Security · 2026-06-13 · 7 min read

SMB1001 certification in Australia: the tiers, the costs, and what the certificate actually proves

Australia's small-business cybersecurity certification, tier by tier: what Bronze through Diamond require, what each costs, the self-attested vs audited split, and what to check before a director signs.

SMB1001 is the cybersecurity certification standard most Australian small businesses will actually encounter — usually when a larger customer, a tender or an insurer asks for proof of cyber hygiene. Published by Dynamic Standards International and updated annually, it has 5 tiers, and the split that matters runs through the middle:

  • Bronze, Silver and Gold — a company director self-attests that the controls are in place; certification fees run from roughly $75 to a few hundred dollars a year
  • Platinum and Diamond — an independent auditor verifies the controls; expect thousands per year once the audit is counted

The 2026 edition pushed real technical substance into the self-attested tiers: an SPF record at Silver; DKIM, an enforced DMARC policy, EDR on every device and mandatory cyber insurance at Gold. A director signing a Gold attestation is signing off on exactly the kind of DNS and email configuration most small businesses have never checked.

Most Australian small businesses meet SMB1001 the same way: a larger customer, a tender document, or an insurance renewal asks whether you hold a cybersecurity certification, and a quick search reveals that the familiar names — ISO 27001, the Essential Eight — were never built for a business your size. SMB1001 was. This guide covers who runs it, what each of the 5 tiers actually requires, what it costs, and — because the certificate is only as good as what sits behind it — what it does and does not prove.

Who publishes SMB1001, and why it exists

SMB1001 is published by Dynamic Standards International (DSI), the company formerly known as Cyber Security Certification Australia, with certification issued through its CyberCert platform. It launched in late 2023 and is deliberately a dynamic standard: a new edition ships each year, and certified businesses recertify annually against the current one. SMB1001:2026 has been certifiable since January 2026.

The reason it exists is the gap every other standard leaves open. ISO 27001 assumes an organisation that can fund an external audit program. The Essential Eight assumes a managed Windows network and IT staff to run it. SMB1001 starts from the other end — a business of 1 to 50 staff with no IT department — and builds upward in tiers. The 2026 edition also publishes control mappings to the Essential Eight, UK Cyber Essentials, US CMMC and ISO 27001, which matters when an enterprise security questionnaire asks where you sit against frameworks you have never adopted.

The 5 tiers — and the line through the middle

The tier names read like a frequent-flyer program, but the structural fact that matters is the verification split: Bronze, Silver and Gold are self-attested — a company director signs that the controls are in place, and nobody checks. Platinum and Diamond are independently audited.

Bronze — the floor

The entry tier covers the absolute basics: a firewall, anti-malware protection, backups, and a defined technical support arrangement. It is achievable in an afternoon for most businesses, and that is the point — it is a first rung, not a destination.

Silver — accounts, updates and SPF

Silver adds the controls that close off the most common failure modes: multi-factor authentication, individual user accounts (no shared logins), software update discipline, basic staff security training and documented plans. The 2026 edition added a technical control worth noticing: a valid SPF record in DNS listing every service authorised to send email as your domain.

Gold — where the substance lives

Gold is the realistic target for most certifying businesses, and the 2026 edition expanded it from 23 to 27 controls. The additions are not paperwork: endpoint detection and response (EDR) on every workstation, laptop and server; DKIM signing on outbound email; a DMARC policy enforced at quarantine or reject — explicitly not p=none; mandatory cyber insurance; a written incident response plan; and a written policy on responsible use of AI. A director signing a Gold attestation is signing off on exactly the kind of DNS and email configuration most small businesses have never looked at.

Platinum — the first audited tier

Platinum is where external verification begins: an Independent Verification Organisation audits the controls rather than taking the director's word. It also adds regular vulnerability scanning of internet-facing systems and formal requirements around encryption of data at rest.

Diamond — the full program

Diamond adds penetration testing, rehearsed incident response drills and a systematic supplier due-diligence program. At this tier the requirements start to resemble a scaled-down enterprise security function — appropriate for the small businesses that genuinely need one.

What it costs

Indicative pricing at the time of writing: Bronze runs roughly $75–100 a year and Silver $150–300. Gold's certification fee sits in the hundreds per year, but the real Gold budget is implementation — EDR licences for every device, a cyber insurance policy, and the email authentication work. The audited tiers are a different bracket: expect $3,000–8,000 for the independent audit alone at typical small-business size, before implementation. Everything recertifies annually against the current edition.

For context, ISO 27001 certification typically runs to tens of thousands of dollars. SMB1001's entire reason for existing is a certificate that does not cost more than the IT it certifies.

SMB1001 vs the Essential Eight and ISO 27001

The comparison confuses people because they are different kinds of thing. The Essential Eight is a framework you measure yourself against — nobody issues small businesses an Essential Eight certificate, and its maturity model assumes managed corporate networks. ISO 27001 is a certifiable standard, but one priced and shaped for organisations with compliance budgets. SMB1001 is the only one of the three that is both certifiable and sized for a small business.

The practical rule: if a government or enterprise contract names the Essential Eight or ISO 27001, that is what they want and no substitute will do. The clearest example is defence: DISP membership requires the Essential Eight at Maturity Level 2, and SMB1001 does not appear in its requirements at all. If a customer simply asks for evidence that you take security seriously, SMB1001 is the certificate designed for that conversation — and the 2026 control mappings let you show how it translates. The ACSC Small Business Cyber Security Guide remains the best free starting document regardless of which path you take; SMB1001's lower tiers and the guide cover substantially the same ground.

What the certificate proves — and what it doesn't

An SMB1001 certificate at Bronze, Silver or Gold proves that a company director has personally attested that the controls are in place. That is not nothing — director attestations carry legal weight, and the standard gives the director a concrete, current checklist rather than a vague assurance. But it is not an inspection. Nobody has verified that the EDR is actually running or that the DMARC policy actually enforces anything. If a supplier shows you an SMB1001 certificate, the first question worth asking is which tier — only Platinum and Diamond involve someone checking.

It is also worth being clear about adoption: SMB1001 is not named in the Cyber Security Act 2024 or related legislation, and we could find no documented insurer discount schemes tied to it. Its current value is supply-chain and tender signalling, plus the genuine usefulness of the checklist itself — not regulatory compliance.

The attestation model has one practical consequence we see directly in the data. 40% of Australian small business domains publish DMARC without an enforcing policy — monitoring without enforcement.* That exact configuration fails SMB1001:2026 Gold's enforcement requirement. A director who signs a Gold attestation without checking the domain's actual DNS records may be attesting to a control that is not in place — which is why verifying the public-facing basics comes before the signature, not after. Our pillar on what cybersecurity a small business actually needs covers those basics in full.

Where scanning fits — and where we stop

The overlap between SMB1001's technical controls and an outside-in scan is direct. Silver's SPF record, Gold's DKIM signing and enforced DMARC policy are precisely what our Email category checks read from your DNS, continuously — including the p= policy detail that separates a passing control from a cosmetic one. Platinum's "regular vulnerability scanning of internet-facing systems" describes the product category we operate in.
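The SPF and DMARC checks described in the Silver and Gold sections, and again in the attestation and scanning passages above, reduce to reading two DNS TXT names and classifying what comes back. The script below is an added example, not code from this article, from CyberCert or from DSI; the TXT strings in SAMPLES are constructed, the function names are ours, and the tag semantics (p=, sp=, pct=, the multiple-record rule) follow RFC 7489 and RFC 7208 rather than any SMB1001 wording. It goes slightly beyond the article's p=none point by also flagging the two ways a record can say "reject" and still not enforce: pct= below 100 and sp=none. Feed it the TXT records your resolver returns for the domain apex and for _dmarc.<domain>.

```python
"""Offline classifier for the SPF (Silver) and DMARC (Gold) controls in SMB1001:2026.

Added example, not the article's or CyberCert's code. SAMPLES are constructed records;
p=/sp=/pct= handling follows RFC 7489, SPF 'all' handling follows RFC 7208.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcResult:
    status: str                      # enforced | partial | monitoring | missing | invalid
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reason: str


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records: list) -> DmarcResult:
    """Classify the TXT records found at _dmarc.<domain> against Gold's enforcement bar."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcResult("missing", None, None, 0, "no v=DMARC1 record at _dmarc")
    if len(dmarc) > 1:
        # RFC 7489 6.6.3: with more than one record, receivers skip DMARC processing entirely
        return DmarcResult("invalid", None, None, 0, "multiple DMARC records; receivers ignore them all")
    tags = parse_dmarc(dmarc[0])
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return DmarcResult("invalid", p or None, None, 0, "p= missing or not none/quarantine/reject")
    sp = tags.get("sp", p).lower()             # subdomain policy defaults to p
    try:
        pct = max(0, min(int(tags.get("pct", "100")), 100))
    except ValueError:
        pct = 100                              # unparseable pct falls back to the default
    if p == "none":
        return DmarcResult("monitoring", p, sp, pct, "p=none: reports only, nothing is quarantined or rejected")
    if pct < 100:
        return DmarcResult("partial", p, sp, pct, f"p={p} applied to only {pct}% of failing mail")
    if sp == "none":
        return DmarcResult("partial", p, sp, pct, "sp=none leaves subdomains unenforced")
    return DmarcResult("enforced", p, sp, pct, f"p={p} on 100% of failing mail")


def check_spf(txt_records: list) -> tuple:
    """Silver's control: exactly one v=spf1 record, terminated by a restrictive 'all'."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 record"
    if len(spf) > 1:
        return "invalid", "multiple SPF records; RFC 7208 treats this as permerror"
    match = re.search(r"(?:^|\s)([-~+?]?)all\s*$", spf[0], re.IGNORECASE)
    if not match:
        return "open", "no terminating 'all' mechanism; unlisted senders get a neutral result"
    qualifier = match.group(1) or "+"
    if qualifier == "+":
        return "open", "+all authorises every host on the internet to send as this domain"
    return "present", f"terminates with {qualifier}all"


def assess_email_controls(root_txt: list, dmarc_txt: list) -> dict:
    """Combine both checks into the yes/no a director needs before signing an attestation."""
    spf_status, spf_reason = check_spf(root_txt)
    dmarc = check_dmarc(dmarc_txt)
    return {
        "spf": spf_status, "spf_reason": spf_reason,
        "dmarc": dmarc.status, "dmarc_reason": dmarc.reason,
        "silver_spf_ok": spf_status == "present",
        "gold_dmarc_ok": dmarc.status == "enforced",
    }


# Constructed sample records (not real domains): (apex TXT, _dmarc TXT) per domain.
SAMPLES = {
    "monitoring-only.example": (["v=spf1 include:_spf.mailhost.example -all"],
                                ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example"]),
    "enforced.example":        (["v=spf1 include:_spf.mailhost.example -all"],
                                ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"]),
    "half-enforced.example":   (["v=spf1 mx ~all"], ["v=DMARC1; p=quarantine; pct=50"]),
    "nothing.example":         ([], []),
}

if __name__ == "__main__":
    for domain, (root_txt, dmarc_txt) in SAMPLES.items():
        r = assess_email_controls(root_txt, dmarc_txt)
        print(f"{domain:26} SPF={r['spf']:8} DMARC={r['dmarc']:10} "
              f"gold_dmarc_ok={r['gold_dmarc_ok']}  ({r['dmarc_reason']})")
```

The first sample is the 40% case from the paragraph above: a perfectly valid SPF record and a DMARC record that exists, reports, and enforces nothing, so the Silver check passes and the Gold check fails. The "partial" status is worth keeping separate from "monitoring" because a p=reject record with pct=50 looks enforced to anyone who only greps for the word reject.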

And the boundary: we are not a certifying body. We do not issue SMB1001 certificates, conduct audits, or implement controls — CyberCert and its partner network do that. What a scan gives you is the evidence layer: an outside check that the controls you are about to attest to are actually visible from the internet, before a director signs. Where customers need formal certification or assessment work, we refer to partners and take no fee for it, per our partner & referral disclosures.

#security #australian-business #small-business