SMB1001 is the tiered cyber security certification built for small and medium businesses — five levels from Bronze to Diamond that let you prove your security maturity without the cost and complexity of enterprise frameworks. Here’s how it works, what each tier requires, and how to get certified.
Last reviewed June 2026 • Based on SMB1001:2025 • Reviewed by the Cloud Ready Solutions cyber security team
SMB1001 is a multi-tiered cyber security certification standard for small and medium businesses, maintained by Dynamic Standards International (DSI). The current version is SMB1001:2025. Instead of a single, all-or-nothing audit, it uses five progressive tiers so a business can start small, certify quickly, and build up real cyber maturity over time.
It exists because the established frameworks — ISO 27001, the Essential Eight — were built for large or government organisations. For a 15-person accounting firm or a regional manufacturer, they’re often too expensive, too complex, or both. SMB1001 gives those businesses an achievable path to demonstrate they take security seriously: to customers, to supply-chain partners, and to insurers.
Each tier builds on the one below it. You don’t skip levels — you climb them, adding controls as your business matures.
Cyber security essentials
The foundational tier. Covers the basic hygiene every business should have in place — the controls that stop the overwhelming majority of opportunistic attacks.
Controls shown are representative of SMB1001:2025. The standard is updated periodically — confirm the current requirements with CyberCert before certifying.
Three names you’ll hear constantly. Here’s how they actually differ for a small business.
| | SMB1001 | Essential Eight | ISO 27001 |
|---|---|---|---|
| Built for | Small & medium businesses | Government & larger orgs | Any size, enterprise-leaning |
| Structure | 5 progressive tiers | 3 maturity levels | Single certification |
| Entry effort | Low — start at Bronze | Moderate to high | High |
| Certifiable | Yes — issued via CyberCert | No (a framework, not a cert) | Yes — accredited auditor |
| Typical cost | From ~$95/yr (Bronze) | Implementation cost only | Tens of thousands |
| Best for SMBs | Yes — purpose-built | Partial — can be heavy | Usually overkill |
The short version: ISO 27001 is the gold standard for enterprises, the Essential Eight is the government baseline, and SMB1001 is the one actually designed for businesses that don’t have a dedicated security team. For most SMBs, it’s the sensible starting point.
Work through this before you certify. Free — no sign-up required.
1. Choose your tier. Most businesses begin at Bronze or Silver. Pick the tier that matches the controls you already have — you can climb later.
2. Close the gaps for your chosen tier: MFA, backups, EDR, email authentication, awareness training. This is where your IT provider or MSP does the work.
3. Attest or get audited. Bronze, Silver and Gold use self-attestation by a business owner or director. Platinum and Diamond require an independent external audit.
4. Certify. Register on the CyberCert platform, complete the workbook for your tier, and receive your certificate and badge.
SMB1001 is a genuine revenue and retention play for MSPs: every tier maps to security services your clients need anyway. The trick is having a stack that covers the controls without bolting together six separate tools per client.
| SMB1001 control | Covered by |
|---|---|
| MFA, identity & access protection | Guardz (ITDR) |
| Managed antivirus & EDR | Guardz (SentinelOne EDR) |
| Email security & DMARC | Guardz email protection + Cibecs DMARC |
| Awareness training & phishing simulation | Guardz |
| Continuous monitoring & MDR | Guardz 24/7 MDR |
| Backup & recovery — SaaS (M365 / Google Workspace) | Keepit |
| Backup & recovery — VMs, servers & physical | NAKIVO |
| Backup & recovery — endpoints / devices | Cibecs |
Backup & recovery is required from Bronze (Level 1) — every single tier. It’s the one control no business escapes, and the gap most SMBs fail on. CRS covers the full picture: Keepit for SaaS data (Microsoft 365, Google Workspace, Entra ID), NAKIVO for virtual machines, servers and physical workloads, and Cibecs for endpoints — so whatever your client runs, the recovery control is covered.
Run a free external cyber risk scan on any client domain — a fast way to show where they sit against SMB1001 controls and open the certification conversation.
To issue certificates, MSPs join the CyberCert Partner Program (free to join). CRS supplies the security and backup tooling — Guardz, Keepit, NAKIVO and Cibecs — that satisfies the controls behind each tier.
SMB1001 is a multi-tiered cyber security certification standard built specifically for small and medium businesses. It is maintained by Dynamic Standards International (DSI), with the current version published as SMB1001:2025. Rather than a single pass/fail audit, it offers five progressive tiers — Bronze, Silver, Gold, Platinum and Diamond — so a business can certify at a level that matches its size, risk and budget, then move up over time.
This guide is provided for general information by Cloud Ready Solutions, an Australian IT distributor supporting MSPs across Australia and the Pacific Islands. It is not legal or compliance advice. Certification requirements and fees are set by Dynamic Standards International and CyberCert and may change. Last reviewed June 2026.