What’s New in SMB1001:2026? What Australian Businesses Should Know

Table of Contents

SMB1001:2026 matters because Australian businesses are being asked to prove cyber maturity before trust is fully granted. The request may appear during supplier approval, cyber insurance review, SaaS due diligence, or investor assessment.

The issue is that proof is often spread across tools, people, policies, inboxes, screenshots, and informal routines. For example, your buyer may ask whether MFA is enforced, backups are tested, endpoints are monitored, staff are trained, or email domains are protected.

That gap between activity and proof is where SMB1001 becomes useful. It gives smaller and growing organisations a staged way to organise controls, evidence, and certification readiness.

This article focuses on the SMB1001 2026 version and how it affects businesses preparing for certification or recertification.

What is SMB1001:2026

SMB1001:2026 is the 2026 version of the SMB1001 cybersecurity certification standard for Australia small and medium-sized businesses.

Dynamic Standards International describes SMB1001 as a multi-tiered certification pathway, and the 2026 version updates that pathway to reflect newer risks, buyer expectations, and control requirements.

Now, what changed in the 2026 version? And what do those changes mean for implementation, evidence, cost, and certification ownership?

The Six Changes in SMB1001:2026

what changed in the SMB1001 2026 update
What changed in the SMB1001 2026 update. Image generated using AI

The six changes in SMB1001:2026 focus on email authentication, endpoint detection, awareness training, AI use, Gold-tier controls, and cross-framework mapping.

In this section, we will see how each change affects certification readiness, implementation work, and the evidence your business may need to prepare.

Mandatory Email Authentication (SPF, DKIM, DMARC)

Email authentication matters in SMB1001:2026 because a business domain can be abused even when user accounts are reasonably protected. SMB1001:2026 places stronger emphasis on SPF, DKIM, and DMARC as part of updated email security expectations.

SPF helps define which mail servers can send email for your domain. DKIM helps verify that a message has not been altered in transit. DMARC helps tell receiving systems what to do when authentication checks fail.

The operational work starts with sender discovery. Microsoft 365, Google Workspace, CRM platforms, marketing tools, invoicing systems, support desks, and website forms may all send mail from the same domain.

However, what often gets missed is that DMARC is not just a DNS record. A safe rollout usually needs report review, sender alignment, staged policy changes, and coordination with teams that rely on email delivery.

Once the email domain is better controlled, the next area is the device layer where staff actually work.

EDR and MDR Controls Added

The SMB1001 2026 version brings Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) further into the certification conversation.

Compared with SMB1001:2025, the update gives more weight to whether a business can detect suspicious endpoint activity and respond to it in a managed way.

EDR helps detect suspicious activity on laptops, desktops, and servers. MDR adds managed monitoring and response support, usually through a security provider or specialist operations team.

The difference becomes clear when alerts appear. Someone still needs to review severity, reduce noise, confirm whether activity is suspicious, and coordinate response when an incident looks real.

For SaaS companies and digital businesses, staff devices often connect to production systems, customer platforms, cloud consoles, admin portals, code repositories, and privileged SaaS accounts. That makes endpoint visibility and response ownership important parts of SMB1001:2026 readiness.

Awareness Training Moved to Bronze

One significant SMB1001:2026 change is that awareness training appears earlier in the tier pathway. In SMB1001:2025, training could feel like something businesses addressed after basic technical controls.

In the 2026 version, staff awareness becomes part of the starting maturity conversation. That shift is practical for smaller businesses. Many incidents begin with ordinary actions, like:

  • Approving a fake invoice
  • Reusing a password
  • Mishandling a file
  • Ignoring an MFA prompt
  • Delaying a suspicious message report.

Bronze-level awareness is more clear and relevant because it covers phishing, business email compromise, password habits, MFA prompts, invoice fraud, data handling, device security, and reporting steps.

A growing business often feels this gap during onboarding. New people join, new tools appear, contractors gain access, and informal habits start to become operational risks. The same pattern now applies to AI use, where staff behaviour often moves faster than policy.

AI Acceptable-Use Policy

SMB1001:2026 adds a newer governance layer that SMB1001:2025 did not need to treat with the same urgency: acceptable use of AI. This reflects the 2026 operating shift, because staff may already be using AI tools before the business has defined safe use.

For example, your staff may use AI to draft client work, summarise documents, debug code, analyse data, or prepare internal notes.

The policy should explain approved tools, prohibited data, review steps, escalation points, and approval for new use cases. It should also cover customer confidentiality, intellectual property, and human review.

This does not need to become a long manual. The best version is usually short, specific, and easy to apply during normal work.

Expanded Gold Control Set (23 to 27 Controls)

The SMB1001:2026 Gold tier is moving from 23 to 27 controls, with added attention across areas such as incident response, vendor risk, training cadence, and configuration management.

The expanded Gold control set matters because Gold is often where SMB1001 starts to support more serious assurance conversations. That’s why Gold becomes more demanding in SMB1001:2026 because the control set is expanded from the SMB1001:2025 version.

Gold usually shows that the business has moved beyond basic cyber hygiene. It suggests the organisation can evidence more structured controls across people, process, and technology.

For Australian SMBs, that can help during customer and partner review. The business may need to answer detailed questions about access control, endpoint protection, email security, backup testing, incident response, policy ownership, and supplier risk.

The question is what already exists, what is partly configured, and what has no clear owner. Certification readiness often exposes that difference.

Once evidence becomes more structured, the next challenge is explaining it to buyers who use different frameworks.

New Cross-Framework Control Mappings

SMB1001:2026 gives cross-framework mappings a bigger role than SMB1001:2025, especially for businesses that answer buyer questions across different standards. The update makes it easier to connect SMB1001 controls with other cybersecurity frameworks and supplier questionnaire language.

For Australian businesses, this is useful because one customer may ask about Essential Eight, while another may ask about ISO 27001 alignment or its own supplier questionnaire.

The Australian Cyber Security Centre describes the Essential Eight as mitigation strategies designed to make it harder for adversaries to compromise systems. While the SMB1001 has a different role because it gives SMBs a staged certification pathway.

The benefit is reuse. SMB1001 and Essential 8 overlap in their controls, so whether you start with one or the other, the work you do counts towards both.

One organised evidence set can support several assurance conversations when controls are mapped clearly.

What the 2026 Changes Cost to Implement

Implementing SMB1001 2026 technical shift
Implementing SMB1001 2026. Image generated using AI

The cost of implementing SMB1001:2026 usually shows up in three areas: email authentication setup, EDR or MDR licensing and management, and the work required to reach your target tier.

The breakdown below shows how each area affects configuration effort, tool costs, evidence preparation, and implementation readiness.

Email Authentication Setup

The email authentication cost in SMB1001:2026 comes from turning SPF, DKIM, and DMARC into working certification evidence.

Compared with SMB1001:2025, the 2026 version makes email authentication a more visible part of readiness, so the work needs to be configured, checked, and documented properly.

The setup usually starts with sender discovery. Microsoft 365, Google Workspace, CRM platforms, invoicing tools, marketing platforms, support desks, and website forms may all send email from the same domain.

The cost can increase when the business has several domains, multiple third-party senders, old DNS records, or limited visibility over who sends email on its behalf. DMARC also needs review before stricter enforcement is applied, because legitimate email can fail if the rollout is rushed.

That is why the evidence should show both the configuration and the decision trail behind it:

  • A published DNS record
  • A clear record of authorised senders
  • Aligned mail systems
  • DMARC policy decisions
  • Evidence that the setup has been reviewed

EDR and MDR Licensing and Management

The EDR and MDR cost in SMB1001:2026 comes from stronger endpoint visibility, managed alert review, and response ownership.

Compared with SMB1001:2025, the 2026 version gives more weight to whether suspicious endpoint activity can be detected, reviewed, and escalated.

EDR licensing usually follows the number of laptops, desktops, and servers that need coverage. MDR adds another cost layer because alerts need triage, investigation, and response support.

The management work can be larger than the licence line item. Devices need to be enrolled, policies need to be tuned, false positives need to be reduced, and endpoint coverage needs to be checked across remote staff, contractors, and privileged users.

For a 15-person business, this may be a focused rollout. For a 90-person SaaS or digital business with remote staff, cloud platforms, and admin access, the work usually needs more coordination.

Implementation Timeline by Tier

The implementation timeline in SMB1001:2026 becomes a cost factor because higher tiers require more control depth and stronger evidence.

Compared with SMB1001:2025, the 2026 version can create extra preparation work for businesses targeting Silver, Gold, Platinum, or Diamond.

Bronze may be faster when basic controls already exist. Silver can take longer if email authentication, MFA, access control, and policy evidence need cleanup.

Gold usually needs more coordination because endpoint detection, AI acceptable use, incident response, training records, and supplier-related controls may need stronger ownership.

Target tierMain workTimeline pressure point
BronzeBasic cyber hygiene, awareness, backup, and core protectionUseful as a first certification step
SilverMFA, access control, email authentication, and policy basicsDepends on identity and email complexity
GoldEDR, stronger email controls, AI policy, incident response, and evidenceRequires coordinated ownership
PlatinumHigher assurance and stronger review expectationsNeeds stronger preparation
DiamondAdvanced maturity and deeper assuranceBetter suited to higher-risk supplier contexts

The dilemma is that evidence often slows the project more than tool deployment. A business may have the right tool but still need time to prepare records, screenshots, logs, reports, policies, review history, and ownership notes. This is why the timeline should be planned around certification readiness.

How SMB1001:2026 Recertification Works

SMB1001:2026 recertification works by checking whether your existing controls and evidence still match the current version of the standard.

The process usually starts with a version gap review, then moves into evidence refresh, control remediation, and readiness confirmation before renewal.

For businesses already certified under SMB1001:2025, the practical issue is whether the existing evidence still maps cleanly to the SMB1001:2026 version.

How Long Does SMB1001 Certification Last

SMB1001 certification is generally treated as valid for one year, with recertification used to confirm that controls still align with the current version of the standard.

You should still confirm the exact renewal period with its certification authority or provider, especially when moving from SMB1001:2025 to SMB1001:2026. To keep that evidence usable between reviews, your business should maintain a regular checklist that covers:

  • Access permission reviews
  • Endpoint coverage checks
  • Backup evidence tests
  • Policy version updates
  • Awareness training records
  • Email authentication reviews
  • Incident response ownership confirmation

This keeps the certification file current while the business changes. Staff join, devices change, SaaS tools expand, suppliers shift, and AI use may grow between review cycles.

How to Recertify When the Standard Updates

Recertifying after an update means mapping your existing certification evidence against the new control expectations before you renew. For SMB1001:2026, that means checking whether your SMB1001:2025 evidence still supports the updated requirements.

That mapping should turn the update into clear action categories so the business can see what can stay, what needs stronger proof, and what must be fixed before renewal:

Evidence statusMeaningNext action
Still validThe existing control and evidence still match the 2026 expectationKeep it, then refresh the record if needed
Needs strengtheningThe control exists, but the evidence is thin or outdatedAdd proof, review notes, screenshots, reports, or logs
Needs remediationThe control is missing, incomplete, or no longer suitableAssign an owner, fix the gap, then document the result

This makes the update manageable because each gap becomes a specific task. Some tasks may be simple policy updates. Others may require configuration work, monitoring changes, endpoint coverage review, or managed security support.

Self-Certification vs Managed Certification Under 2026

SMB1001 2026, self certification vs managed service
SMB1001 2026, self certification vs managed service. Image generated using AI

Self-certification means your business owns the control work and evidence preparation internally, while managed certification means a cybersecurity provider helps assess gaps, implement controls, prepare evidence, and maintain readiness.

Use the breakdown below to decide which path fits your SMB1001:2026 certification plan.

Choose self-certification if

  • You are targeting Bronze or Silver because lower tiers may be more manageable when basic controls are already in place.
  • A technical owner can manage the process because someone inside the business needs to gather evidence, review controls, and track gaps.
  • Your environment is simple because fewer domains, devices, SaaS tools, and privileged users make evidence easier to organise.
  • Certification is mainly an internal maturity goal because there may be less external pressure from customers, insurers, or partners.
  • Evidence is already well maintained because policies, access reviews, backup records, and training records need to be easy to find.

💡 Pro tip: Self-certification still needs discipline. The business must be able to explain each control, show evidence, and keep that evidence current between certification cycles.

Choose managed certification if:

  • You are targeting Gold or higher because higher tiers usually need stronger control depth, documentation, and review.
  • Customer or insurer scrutiny is increasing because external assurance requests often need cleaner evidence and faster response.
  • Security ownership is split across teams because an MSSP can help coordinate controls, evidence, and remediation.
  • EDR, MDR, email authentication, or AI policy work is incomplete because these areas may need technical setup, monitoring, and policy support.
  • Your team cannot maintain evidence continuously because certification readiness should not become a last-minute task before review.

In the end, the decision comes down to ownership. Self-certification can work when evidence is already controlled internally. Managed certification becomes more practical when the business needs a cybersecurity partner to keep controls, monitoring, and evidence ready for review.

Do Australian Small Businesses Need SMB1001:2026 Certification

SMB1001_2026 as the mandate for provable security
SMB1001 2026 as the mandate for provable security, source: Australian Signals Directorate’s 2024–25 Annual Cyber Threat Report. Image generated using AI

Australian small and mid-market businesses should consider SMB1001:2026 certification when they need a clear way to prove cyber maturity.

Businesses that already hold SMB1001:2025 certification should prepare for 2026 requirements before the next review. Businesses starting from no certification can use SMB1001:2026 as a practical entry point.

The Australian Signals Directorate’s 2024–25 Annual Cyber Threat Report urges businesses to implement four key defences. This operational shift is backed by Austrade’s 2030 Cyber Security Strategy, which outlines a $586.9 million national investment to make provable cyber capability a baseline requirement for business viability in Australia

However, the decision depends on risk, customer expectations, and the level of evidence the business needs to provide. A SaaS company handling customer data, a digital business working with larger clients, or a supplier entering procurement review may need more structured security evidence.

The Australian context also supports earlier action. The Australian Signals Directorate’s Annual Cyber Threat Report 2024–25 described ransomware and data breaches as increasing in frequency. Austrade’s summary of Australia’s strategy to become a global cyber leader by 2030 also frames cyber capability as a national business priority.

For many SMBs, certification becomes useful when customers, insurers, partners, or internal leaders ask for proof. SMB1001 gives the business a structured way to answer with evidence.

Get SMB1001 Certified With RedScale

SMB1001:2026 certification becomes harder when controls, evidence, and security ownership are spread across different people, tools, and records.

Redscale offers SMB1001 Certification Support, a service that helps Australian startups, SaaS companies, digital businesses, and mid-market organisations assess their target tier, close control gaps, prepare certification evidence, and maintain readiness for recertification.

As an Australian cybersecurity specialist and MSSP brand formed by Interscale, RedScale supports the practical work behind certification, including email authentication, endpoint visibility, access reviews, policy records, staff awareness, and ongoing security management.

Book a discussion with RedScale to assess your SMB1001:2026 readiness and choose the certification pathway that fits your risk, timeline, and internal capacity.

FAQ

Writer

Danoe Santoso

Danu Santuso is a writer for Redscale, focused on creating clear and practical cybersecurity content for Australian businesses.

Expert Reviewer

Handy

As Managing Director of Redscale, Handy brings extensive expertise in IT strategy, cybersecurity, and digital transformation, supporting organizations in building resilient, secure, and scalable technology environments.