SMB1001 vs Essential Eight: which to start with
The Essential Eight is what to do; SMB1001 is how to prove you did it. Start with the Essential Eight basics, certify with SMB1001 when someone asks for proof.
The Essential Eight and SMB1001 answer different questions, and a small business uses them in sequence rather than choosing between them:
- Essential Eight — the ACSC’s 8 technical mitigation strategies (MFA, backups, patching, and more); free public guidance you act on to become genuinely harder to breach, with no certificate attached.
- SMB1001 — a 5-tier certification standard built for small business; you pay a fee and get assessed so you can show a customer, tender or insurer evidence, and its lower tiers map onto Essential-Eight-style controls.
- Doing vs proving — the Essential Eight makes you safer; SMB1001 demonstrates it to a third party who will not take your word.
- The sequence — implement the Essential Eight because it costs only effort, then certify to the SMB1001 tier a requester needs.
The work makes you safe; the certificate proves it — do the work first, certify when someone asks.
The Essential Eight and SMB1001 are not rivals — they answer different questions. The Essential Eight is what to do: 8 technical actions the ACSC recommends to make a business harder to breach. SMB1001 is how to prove you have done it: a certification standard, 5 tiers, built for small business. A small business almost always starts with the Essential Eight ideas because someone should harden the basics regardless — and certifies with SMB1001 only when a customer, tender or insurer actually asks for evidence. If you want to be safer, you want one. If you need to show a third party you are safer, you want the other. Most owners eventually want both, in that order. The plain-English version of the whole decision lives at SMB1001 vs Essential Eight.
What each one is
The Essential Eight is a set of 8 mitigation strategies published by the ACSC. They are technical controls: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each one has three maturity levels — the higher the level, the more disciplined and complete the control. It is guidance, not a certificate. Nobody hands you a badge for doing it. You do it because each of the 8 closes off a category of attack that has demonstrably cost Australian organisations money. The short version of what it covers is at what the Essential Eight is.
SMB1001 is a certification standard — a published scheme you get assessed against and certified to, with a mark you can show. Its defining feature is that it was designed for small business from the start, with 5 tiers (Bronze, Silver, Gold, Platinum, Diamond) that scale from a sole trader to a 200-person firm. The lower tiers cover the same ground as the Essential Eight — multi-factor authentication, backups, updates, passwords — but packaged as graded, evidenced requirements rather than a maturity model written for organisations with IT departments. The lowest tiers are self-attested by a director; the upper tiers require independent verification. The full tier-by-tier breakdown is at what SMB1001 is, and we walk each tier in depth in SMB1001 certification, tier by tier.
So the headline distinction: the Essential Eight is a to-do list from the national cyber agency; SMB1001 is a proof-of-work scheme you can wave at someone who needs assurance.
The real difference: doing vs proving
Here is the trap. An owner reads about both, sees overlapping words — MFA, backups, patching — and concludes they are two competing checklists, then stalls trying to pick the "right" one. They are not competing, because they sit at different points in the same story.
Doing is the Essential Eight. You can implement every one of the 8 mitigations this quarter, at every maturity level, and have not a single piece of paper to show for it. That is completely fine if nobody is asking. The controls work whether or not anyone certifies them — turning on MFA stops credential-stuffing attacks the same way regardless of your certification status. The Essential Eight makes you safer. It does nothing to demonstrate that you are safer.
Proving is SMB1001. Certification exists for the moment a third party will not take your word for it: a larger customer running a supplier-risk process, a government tender with a security clause, a cyber-insurance underwriter pricing your policy, a partner who got burned once and now asks everyone. At that point "we have good security, trust us" is worth nothing and a certificate is worth a contract. SMB1001 turns the work you have already done into evidence in a form those parties recognise.
The clean test: if the question is am I actually harder to breach?, you are in Essential Eight territory. If the question is can I show someone that I am?, you are in SMB1001 territory. Plenty of businesses need both answers — they just need them in sequence, because you cannot honestly certify controls you have not implemented.
Cost and effort compared
The Essential Eight has no fee. It is free public guidance, and most of the 8 are configuration changes on systems you already own — turning on MFA, enabling automatic updates, setting up a backup that survives the office and that you have restored from at least once. The cost is staff time and the discipline to keep it current, not a line item. At small-business scale, getting the basics of all 8 to a sensible level is a project measured in days of attention, not a budget. Where it gets expensive is chasing the higher maturity levels, which were written with larger, more complex environments in mind — most small businesses do not need to live up there.
SMB1001 has a real fee, because someone is issuing a certification. The point of the standard is that the entry tiers are priced like a software subscription rather than an enterprise audit — that is the whole reason it exists instead of pushing small businesses at ISO 27001. Cost rises with the tier: lower tiers are self-attested and cheap; higher tiers require independent assessment and cost accordingly. The effort splits in two — first the work to genuinely meet the tier's requirements (which is the Essential-Eight-style hardening), then the separate effort of gathering evidence and going through certification. We break the numbers down at how much SMB1001 costs.
The honest framing: the Essential Eight costs effort, SMB1001 costs effort plus a fee. You are paying the fee for the certificate, not for the security — the security came from the work, which you would have done anyway.
Which to start with
The decision is simpler than the two documents make it look. It comes down to one question: is anyone actually asking you for proof right now?
Nobody is asking — start with the Essential Eight basics. This is most small businesses. No tender, no insurer demand, no customer questionnaire on the desk. Then there is no reason to pay for a certificate yet, and every reason to spend that energy on the controls themselves. Work the lower-numbered, higher-impact mitigations first: multi-factor authentication, regular tested backups, prompt patching. You get the actual safety benefit immediately and at no cost, and you have laid the exact groundwork a future certification would require. Pair this with the wider picture in what cybersecurity a small business actually needs — the Essential Eight is the technical core, but it is not the whole job at 1–30 staff.
Someone is asking for proof — go for SMB1001. A customer wants evidence, a tender has a security clause, an insurer wants to see a standard, a partner sent a questionnaire. Now certification is the product designed for your situation. Pick the tier the requester needs — do not over-buy — and certify to it. Because the lower tiers map onto Essential-Eight-style controls, the hardening you do to pass is the same hardening that makes you genuinely safer, so the fee buys you both the evidence and the substance at once.
The one warning: SMB1001's entry tiers are self-attested by a director, which means you can certify without anyone independently checking the controls are real. That is convenient and it is also a quiet liability if the attestation is optimistic. Before you sign anything attesting your basics are in place, confirm the outside-visible half actually is — run your domain through our scan and check the public surface against the Australian small business baseline so your director's signature is backed by reality, not hope.
How they fit together
The cleanest way to hold both in your head: the Essential Eight is the work, SMB1001 is the receipt. They are layers, not alternatives.
In practice the path runs in one direction. You implement Essential-Eight-style controls because they make you safer and cost nothing but attention. Later, when a third party needs assurance, you certify to the SMB1001 tier they are asking for — and because your controls already exist, certification is mostly an evidence-gathering exercise rather than a scramble to build security from scratch under deadline. The lower SMB1001 tiers were deliberately mapped onto controls like the Essential Eight precisely so this hand-off is smooth: the doing and the proving reinforce each other instead of being two separate bills.
There is one place the two standards diverge for a specific audience. If you supply, or want to supply, the defence sector, the relevant proof framework is the Defence Industry Security Program, not SMB1001 — and the two are scoped very differently. SMB1001 does not by itself grant DISP membership, though the underlying hygiene overlaps. We cover whether does SMB1001 count for DISP and what the DISP levels are, and the full membership path at DISP membership for small business. For everyone not chasing defence contracts, the simple sequence holds: do the Essential Eight, certify with SMB1001 when someone asks, and let the work you did once serve both purposes.