What Are the SMB1001 Requirements? Every Tier Explained Before You Certify

Table of Contents

SMB1001 requires your business to prove that core cybersecurity controls exist, run properly, and hold up when someone asks for evidence.

In practice that means showing real proof across five areas, which are how you manage devices, control access, handle backups, govern security, and train staff. Each tier raises how much you have to prove.

The hard part is knowing what each tier actually asks for. So when you decide to get certified, at the end, what you find is a list of tier names and control categories that never quite tells you what to prove.

So today, in this article, we will break down what each tier asks for, what evidence you need to show, and how to tell which tier your business should aim for.

We will cover the five tiers from Bronze to Diamond, the five control domains behind them, what preparation tends to cost, and how to get ready before you certify.

What does SMB1001 require?

SMB1001 requires a business to prove that core cybersecurity controls are in place, owned, maintained and supported by evidence. In practical terms, SMB1001 is about installed tools and asks whether technology, access, backups, governance and staff controls are managed over time.

The Five Control Domains

The five control domains explain the main areas your business needs to manage before SMB1001 certification becomes credible. The exact depth depends on the tier, but the broad control areas usually include:

  • Technology Management: devices, patching, endpoint security, configuration and system visibility.
  • Access Management: MFA, passwords, user accounts, privileged access and access reviews.
  • Backup and Recovery: backup coverage, retention, recovery confidence and restore testing.
  • Policies and Governance: ownership, security policies, incident response and management accountability.
  • Education and Awareness: staff training, phishing awareness, reporting behaviour and security habits.

For certification planning, each domain should be translated into proof the business can retrieve. Evidence may include endpoint reports, MFA status, access logs, restore records, policy approvals, training records, remediation tickets and incident response documents.

Annual Renewal and the 2026 Edition

SMB1001 ceritication as continous maintenance cycle
SMB1001 ceritication as continous maintenance cycle. Image generated using AI

SMB1001 annual renewal checks whether your certified controls still match the current 2026 version and still operate in the business. So, SMB1001 should be treated as a control-maintenance cycle, not a one-time certification task.

For Australian businesses, this means reviewing the evidence behind each control. MFA coverage, backup scope, access records, endpoint protection, staff training and incident response documents should still reflect the way the business works today.

Simply because the ASD Annual Cyber Threat Report 2024–25 notes that cybercrime continues to challenge Australia’s economic and social prosperity, with ransomware attacks and data breaches increasing in frequency.

The SMB1001 2026 edition makes this review more important for businesses certified under an earlier version. Before renewal, the business should check whether its existing evidence still maps to the current SMB1001 requirements and close any gaps before making customer-facing certification claims.

This is why SMB1001 cost should not be treated as a software-only line item. The 2023 ASIC press release on organisational cyber vigilance is useful context here because it reinforces that cyber resilience is an organisational issue, not only a technology issue.

Requirements by Certification Tier

The SMB1001 maturity matrix
The SMB1001 maturity matrix. Image generated using AI

SMB1001 requirements change by certification tier, with each level asking for stronger controls, clearer ownership and better evidence.

The tier breakdown below explains what a business should expect at Bronze, Silver, Gold, Platinum and Diamond.

SMB1001 Bronze Requirements

SMB1001 Bronze requirements focus on basic cybersecurity hygiene that a small business can explain and maintain., which commonly involves:

  • Endpoint protection on business devices.
  • Regular software and operating system updates.
  • Basic firewall or network protection.
  • Safer password practices.
  • Basic backup discipline.
  • General cyber hygiene across everyday systems.
  • Clear internal ownership of basic security tasks.

SMB1001 Bronze is the entry point. It suits businesses that need a recognised baseline before supplier onboarding, insurance review or early customer assurance. The goal is to prove that the fundamentals are not being left to chance.

At this tier, the main risk is assuming a tool is working because it was installed once. Useful Bronze evidence may include device protection status, update records, backup confirmation, basic network settings and a simple owner list for core controls.

The evidence does not need to be complex, but it does need an owner. What often gets missed at Bronze is the record of who checks each control and how often.

SMB1001 Silver Requirements

SMB1001 Silver requirements strengthen access control, email security, operational processes and basic governance through:

  • Multi-factor authentication for key systems
  • Password manager adoption
  • Secure remote access controls
  • Basic cybersecurity policies
  • Email security controls
  • Invoice fraud prevention checks
  • Stronger evidence for insurer or customer questions
  • More consistent user account management

Silver is often where cybersecurity starts becoming more visible inside the business. Staff may need to use MFA, follow password management rules and apply safer processes for payment or account changes.

The main pressure at this tier is behavioural: MFA, password rules and payment checks need to become normal business habits. To prove those habits are actually in place, the business should keep evidence such as:

  • MFA reports.
  • Password manager adoption records.
  • Email authentication settings.
  • Remote access rules.
  • Policy documents.
  • Payment-change verification procedures.

Silver fits when informal security habits are no longer enough to answer customer or insurer questions. One customer asks for MFA proof. Another asks about backups. Soon, the business needs a repeatable answer.

SMB1001 Gold Requirements

SMB1001 Gold requirements strengthen governance, recovery, access review, training and control maintenance through:

  • Formal cybersecurity policies
  • A current digital asset register
  • Staff cybersecurity awareness training
  • Incident response planning
  • Access review evidence
  • Vulnerability remediation processes
  • Backup and recovery evidence
  • Customer-data protection controls
  • Clear ownership of security controls
  • Stronger reporting for internal leaders

Gold fits when a business needs stronger security proof for customer, insurer or partner questions. 

But, please note, at this Gold tier, many businesses discover a capacity gap: the team may close a security gap once, then struggle to maintain evidence every month.

That’s why Gold is often where SMB1001 starts to feel like a structured security programme. The business is no longer only showing that controls exist. It also needs to show that controls are reviewed, recorded and owned over time.

The main pressure at this tier is evidence maintenance: access reviews, vulnerability fixes, staff training and backup recovery checks need to become part of normal operations.

To prove that control maintenance is actually happening, the business should keep evidence such as:

  • Access review records
  • Vulnerability remediation tickets
  • Staff training reports
  • Backup restore test results
  • Endpoint coverage reports
  • Incident response review notes
  • Approved security policies

SMB1001 Platinum Requirements

SMB1001 Platinum requirements strengthen validation, recovery testing, access governance, remediation oversight and supplier risk management through:

  • Documented access review cadence
  • Formal control validation
  • Tracked vulnerability remediation
  • Tested backup and recovery processes
  • Reviewed incident response procedures
  • Supplier or third-party risk records
  • Stronger evidence review before renewal
  • Clearer documentation of security ownership

Platinum fits when a business needs higher-assurance security proof for enterprise customers, sensitive data environments, supplier reviews or stronger internal governance.

That higher-assurance need changes the quality of evidence required. At this tier, many businesses discover an assurance gap: controls may already exist, and the evidence still needs to be cleaner, more consistent and easier to validate.

This is why Platinum starts to feel like a formal assurance process. The business now needs to show that access reviews, recovery tests, remediation decisions and incident response checks are documented with enough clarity for review.

The main pressure at this tier is validation, so the business needs scheduled ownership for:

  • Security reviews
  • Restore testing
  • Vulnerability remediation
  • Supplier checks
  • Incident response exercises

To prove that stronger assurance is actually in place, the business should keep evidence such as:

  • Access review sign-offs
  • Backup restore test results
  • Vulnerability remediation registers
  • Supplier security review records
  • Incident response tabletop notes
  • Control review reports
  • Security meeting records
  • Renewal evidence packs

SMB1001 Diamond Requirements

SMB1001 Diamond requirements strengthen continuous control monitoring, leadership oversight, incident readiness, third-party risk management and evidence renewal through:

  • Mature security governance
  • Recurring control reviews
  • Independent validation expectations
  • Ongoing control monitoring
  • Tested incident response capability
  • Recurring evidence refresh before renewal
  • Management review of unresolved security risks
  • Documented response to monitoring findings

Diamond fits when a business needs the highest level of SMB1001 assurance for sensitive data, regulated customer expectations, enterprise relationships or more demanding supplier reviews.

At this level, the requirement is no longer only about proving that controls are documented. The business needs to show that control review, monitoring, remediation and leadership oversight are part of the operating rhythm.

That makes Diamond a maturity target for businesses that can sustain the work after certification. Security findings need owners. Remediation needs follow-through. Evidence needs to be refreshed before it becomes stale.

The main pressure at this tier is continuity, so the business needs a recurring process for:

  • Control reviews
  • Monitoring summaries
  • Remediation tracking
  • Supplier-risk review
  • Incident response testing
  • Leadership security updates

To prove that Diamond-level control maintenance is actually working, the business should keep evidence such as:

  • Control review packs
  • Leadership security updates
  • Supplier-risk review records
  • Tested incident-response outcomes
  • Remediation trend reports
  • Monitoring summaries
  • Evidence refresh records
  • Management review notes

Which SMB1001 Tier Does a Small Business Need?

Australia small businesses need SMB1001 Bronze, Silver or Gold as their first practical target because these tiers match the usual path from basic cyber hygiene to stronger security evidence. Let’s break down each SMB1001 tier in the table below.

Business situationPractical SMB1001 tier direction
The business needs a recognised security baselineBronze
Customers or insurers ask for basic control proofSilver
The business handles customer data and needs stronger evidenceGold
Enterprise customers expect cleaner validationPlatinum
The business needs mature control monitoring and leadership oversightDiamond

For example, a startup may use Bronze or Silver to establish trust early. A SaaS company handling customer data may move toward Gold sooner because buyers ask deeper questions about access, data protection, incident response and recovery.

Of course, the tier decision should be based on what the business can prove and maintain. A well-maintained Silver or Gold position is stronger than a higher tier supported by rushed evidence.

Which Tiers Are Self-Assessed and Which Need an Audit?

SMB1001 Bronze, Silver and Gold usually carry a lighter evidence burden, while Platinum and Diamond should be approached as audit-ready or higher-assurance tiers. The table below breaks down what that means for each tier:

SMB1001 tierPractical assurance planning viewBuyer implication
BronzeLighter evidence burdenBasic control proof should be available.
SilverLighter evidence burden with stronger coverageAccess, email and policy evidence matter more.
GoldStronger evidence disciplineGovernance and control maintenance must be credible.
PlatinumAudit-ready or higher-assurance pathwayEvidence should be clean, current and review-ready.
DiamondHighest-assurance pathwayControls should be mature, monitored and maintained.

Businesses should still confirm the current SMB1001 assurance pathway before budgeting or making customer-facing claims. Lighter-assurance tiers still require honest evidence, while higher tiers need cleaner records, clearer ownership and more disciplined preparation.

How Much Does SMB1001 Certification Cost?

As of June 2026, the DSI lists SMB1001 certification pricing from about A$135 to A$1,413, depending on the licence option selected.

That range is the visible certification price. The full business cost can be higher because certification still needs to be supported by working controls, clean evidence and remediation before the business can confidently make customer-facing claims.

The limitation of a low visible price is that it can make SMB1001 look simpler than the preparation work behind it. 

A business with MFA, endpoint protection, backup testing, access records and policies already in place will have a different cost profile from a business with shared accounts, unmanaged devices, weak documentation or untested recovery processes.

The preparation cost usually comes from the gap between the listed certification price and the controls the business still needs to prove.

Cost areaWhat drives the cost
Gap assessmentCurrent maturity, target tier and system complexity
Email authenticationDomains, third-party senders, DNS access and DMARC monitoring
Endpoint securityDevice count, EDR needs, remote users and operating systems
Backup and recoveryData volume, SaaS platforms, retention and restore testing
Access managementMFA coverage, privileged accounts and offboarding process
GovernancePolicies, incident response, ownership and asset register maturity
Evidence preparationRecords, logs, screenshots, review notes and audit readiness
Ongoing maintenanceReviews, remediation, reporting and renewal preparation

How Australian Businesses Can Prepare for SMB1001 Certification

The practical pathway to SMB1001 certification_web
The pathway to SMB1001 certification. Image generated using AI

Australian businesses can prepare for SMB1001 certification by treating it as a readiness process: check the controls, close the gaps, assign owners, and collect evidence before choosing a tier.

This aligns with the Austrade summary of Australia’s 2023–2030 Cyber Security Strategy, which highlights stronger businesses, safer technology and better cyber resilience.

The sections below break that preparation into three buyer decisions.

What to Have in Place Before You Certify

Before certifying, a business should have the core controls, evidence records and internal ownership needed to show:

  • A current list of devices, users and key systems.
  • MFA enabled for priority accounts.
  • Endpoint protection across business devices.
  • Backup coverage for critical systems.
  • Restore testing or recovery confidence.
  • A password management process.
  • Joiner, mover and leaver access controls.
  • Basic cybersecurity policies.
  • Staff security awareness training.
  • Incident response contacts and escalation steps.
  • Evidence of reviews, updates and remediation.

For each item, the business should be able to show proof, not only confirm that the control exists. This preparation makes certification easier to manage and gives leadership a clearer view of current maturity.

Common Gaps to Close Before Certifying

Common gaps before SMB1001 certification usually appear in access control, evidence, backup testing, policy adoption, alert ownership and remediation tracking, so businesses should check for:

  • Shared administrator accounts.
  • MFA missing from important SaaS tools.
  • No current asset register.
  • Backups that have not been restore-tested.
  • Policies stored but not used.
  • Incomplete staff awareness records.
  • Weak offboarding processes.
  • No named incident response owner.
  • No clear owner for security alerts.
  • Vulnerability findings not tracked to closure.
  • Partial email authentication.
  • Remote devices outside normal control coverage.

Many businesses have parts of the answer already. The problem is that controls may be informal, incomplete or undocumented.

Self-Certification vs Managed Certification

Self-certification suits businesses with enough internal ownership, while managed certification suits businesses that need help closing gaps and maintaining evidence. The table below shows which path usually fits each business situation:

PathwayBest suited forMain riskPractical division of labour
Self-certificationBusinesses with strong internal ownershipEvidence may decayInternal team manages controls, records and renewal.
Managed certificationBusinesses without dedicated cyber capacityScope must be clearMSSP supports uplift, remediation and evidence.
Hybrid modelIT support with limited cyber specialisationRoles may blurInternal IT supports systems while MSSP leads security maturity.

For many 10–100 person businesses, the hybrid model works best when internal leaders own decisions and the MSSP manages security maturity.

Get SMB1001 Certified With RedScale

For Australian SMBs, the real challenge starts after the first readiness check. Access controls, backups, policies, staff awareness, remediation records, and ownership all have to keep working in daily operations, not just on the day you certify.

RedScale offers the SMB1001 Certification Support solution to help Australian businesses keep all of that running. We assess your current maturity, close the practical security gaps, and prepare the evidence you need for certification.

As an MSSP, RedScale focuses on cybersecurity maturity, control operation, remediation and assurance evidence. This helps your business keep its controls reviewable when a customer, insurer or partner asks for proof again later.

Contact RedScale to plan your SMB1001 certification pathway with practical SMB pricing options.

FAQ

Writer

Danoe Santoso

Danu Santuso is a writer for Redscale, focused on creating clear and practical cybersecurity content for Australian businesses.

Expert Reviewer

Handy

As Managing Director of Redscale, Handy brings extensive expertise in IT strategy, cybersecurity, and digital transformation, supporting organizations in building resilient, secure, and scalable technology environments.