SMB1001 requires your business to prove that core cybersecurity controls exist, run properly, and hold up when someone asks for evidence.
In practice that means showing real proof across five areas, which are how you manage devices, control access, handle backups, govern security, and train staff. Each tier raises how much you have to prove.
The hard part is knowing what each tier actually asks for. So when you decide to get certified, at the end, what you find is a list of tier names and control categories that never quite tells you what to prove.
So today, in this article, we will break down what each tier asks for, what evidence you need to show, and how to tell which tier your business should aim for.
We will cover the five tiers from Bronze to Diamond, the five control domains behind them, what preparation tends to cost, and how to get ready before you certify.
What does SMB1001 require?
SMB1001 requires a business to prove that core cybersecurity controls are in place, owned, maintained and supported by evidence. In practical terms, SMB1001 is about installed tools and asks whether technology, access, backups, governance and staff controls are managed over time.
The Five Control Domains
The five control domains explain the main areas your business needs to manage before SMB1001 certification becomes credible. The exact depth depends on the tier, but the broad control areas usually include:
- Technology Management: devices, patching, endpoint security, configuration and system visibility.
- Access Management: MFA, passwords, user accounts, privileged access and access reviews.
- Backup and Recovery: backup coverage, retention, recovery confidence and restore testing.
- Policies and Governance: ownership, security policies, incident response and management accountability.
- Education and Awareness: staff training, phishing awareness, reporting behaviour and security habits.
For certification planning, each domain should be translated into proof the business can retrieve. Evidence may include endpoint reports, MFA status, access logs, restore records, policy approvals, training records, remediation tickets and incident response documents.
Annual Renewal and the 2026 Edition

SMB1001 annual renewal checks whether your certified controls still match the current 2026 version and still operate in the business. So, SMB1001 should be treated as a control-maintenance cycle, not a one-time certification task.
For Australian businesses, this means reviewing the evidence behind each control. MFA coverage, backup scope, access records, endpoint protection, staff training and incident response documents should still reflect the way the business works today.
Simply because the ASD Annual Cyber Threat Report 2024–25 notes that cybercrime continues to challenge Australia’s economic and social prosperity, with ransomware attacks and data breaches increasing in frequency.
The SMB1001 2026 edition makes this review more important for businesses certified under an earlier version. Before renewal, the business should check whether its existing evidence still maps to the current SMB1001 requirements and close any gaps before making customer-facing certification claims.
This is why SMB1001 cost should not be treated as a software-only line item. The 2023 ASIC press release on organisational cyber vigilance is useful context here because it reinforces that cyber resilience is an organisational issue, not only a technology issue.
Requirements by Certification Tier

SMB1001 requirements change by certification tier, with each level asking for stronger controls, clearer ownership and better evidence.
The tier breakdown below explains what a business should expect at Bronze, Silver, Gold, Platinum and Diamond.
SMB1001 Bronze Requirements
SMB1001 Bronze requirements focus on basic cybersecurity hygiene that a small business can explain and maintain., which commonly involves:
- Endpoint protection on business devices.
- Regular software and operating system updates.
- Basic firewall or network protection.
- Safer password practices.
- Basic backup discipline.
- General cyber hygiene across everyday systems.
- Clear internal ownership of basic security tasks.
SMB1001 Bronze is the entry point. It suits businesses that need a recognised baseline before supplier onboarding, insurance review or early customer assurance. The goal is to prove that the fundamentals are not being left to chance.
At this tier, the main risk is assuming a tool is working because it was installed once. Useful Bronze evidence may include device protection status, update records, backup confirmation, basic network settings and a simple owner list for core controls.
The evidence does not need to be complex, but it does need an owner. What often gets missed at Bronze is the record of who checks each control and how often.
SMB1001 Silver Requirements
SMB1001 Silver requirements strengthen access control, email security, operational processes and basic governance through:
- Multi-factor authentication for key systems
- Password manager adoption
- Secure remote access controls
- Basic cybersecurity policies
- Email security controls
- Invoice fraud prevention checks
- Stronger evidence for insurer or customer questions
- More consistent user account management
Silver is often where cybersecurity starts becoming more visible inside the business. Staff may need to use MFA, follow password management rules and apply safer processes for payment or account changes.
The main pressure at this tier is behavioural: MFA, password rules and payment checks need to become normal business habits. To prove those habits are actually in place, the business should keep evidence such as:
- MFA reports.
- Password manager adoption records.
- Email authentication settings.
- Remote access rules.
- Policy documents.
- Payment-change verification procedures.
Silver fits when informal security habits are no longer enough to answer customer or insurer questions. One customer asks for MFA proof. Another asks about backups. Soon, the business needs a repeatable answer.
SMB1001 Gold Requirements
SMB1001 Gold requirements strengthen governance, recovery, access review, training and control maintenance through:
- Formal cybersecurity policies
- A current digital asset register
- Staff cybersecurity awareness training
- Incident response planning
- Access review evidence
- Vulnerability remediation processes
- Backup and recovery evidence
- Customer-data protection controls
- Clear ownership of security controls
- Stronger reporting for internal leaders
Gold fits when a business needs stronger security proof for customer, insurer or partner questions.
But, please note, at this Gold tier, many businesses discover a capacity gap: the team may close a security gap once, then struggle to maintain evidence every month.
That’s why Gold is often where SMB1001 starts to feel like a structured security programme. The business is no longer only showing that controls exist. It also needs to show that controls are reviewed, recorded and owned over time.
The main pressure at this tier is evidence maintenance: access reviews, vulnerability fixes, staff training and backup recovery checks need to become part of normal operations.
To prove that control maintenance is actually happening, the business should keep evidence such as:
- Access review records
- Vulnerability remediation tickets
- Staff training reports
- Backup restore test results
- Endpoint coverage reports
- Incident response review notes
- Approved security policies
SMB1001 Platinum Requirements
SMB1001 Platinum requirements strengthen validation, recovery testing, access governance, remediation oversight and supplier risk management through:
- Documented access review cadence
- Formal control validation
- Tracked vulnerability remediation
- Tested backup and recovery processes
- Reviewed incident response procedures
- Supplier or third-party risk records
- Stronger evidence review before renewal
- Clearer documentation of security ownership
Platinum fits when a business needs higher-assurance security proof for enterprise customers, sensitive data environments, supplier reviews or stronger internal governance.
That higher-assurance need changes the quality of evidence required. At this tier, many businesses discover an assurance gap: controls may already exist, and the evidence still needs to be cleaner, more consistent and easier to validate.
This is why Platinum starts to feel like a formal assurance process. The business now needs to show that access reviews, recovery tests, remediation decisions and incident response checks are documented with enough clarity for review.
The main pressure at this tier is validation, so the business needs scheduled ownership for:
- Security reviews
- Restore testing
- Vulnerability remediation
- Supplier checks
- Incident response exercises
To prove that stronger assurance is actually in place, the business should keep evidence such as:
- Access review sign-offs
- Backup restore test results
- Vulnerability remediation registers
- Supplier security review records
- Incident response tabletop notes
- Control review reports
- Security meeting records
- Renewal evidence packs
SMB1001 Diamond Requirements
SMB1001 Diamond requirements strengthen continuous control monitoring, leadership oversight, incident readiness, third-party risk management and evidence renewal through:
- Mature security governance
- Recurring control reviews
- Independent validation expectations
- Ongoing control monitoring
- Tested incident response capability
- Recurring evidence refresh before renewal
- Management review of unresolved security risks
- Documented response to monitoring findings
Diamond fits when a business needs the highest level of SMB1001 assurance for sensitive data, regulated customer expectations, enterprise relationships or more demanding supplier reviews.
At this level, the requirement is no longer only about proving that controls are documented. The business needs to show that control review, monitoring, remediation and leadership oversight are part of the operating rhythm.
That makes Diamond a maturity target for businesses that can sustain the work after certification. Security findings need owners. Remediation needs follow-through. Evidence needs to be refreshed before it becomes stale.
The main pressure at this tier is continuity, so the business needs a recurring process for:
- Control reviews
- Monitoring summaries
- Remediation tracking
- Supplier-risk review
- Incident response testing
- Leadership security updates
To prove that Diamond-level control maintenance is actually working, the business should keep evidence such as:
- Control review packs
- Leadership security updates
- Supplier-risk review records
- Tested incident-response outcomes
- Remediation trend reports
- Monitoring summaries
- Evidence refresh records
- Management review notes
Which SMB1001 Tier Does a Small Business Need?
Australia small businesses need SMB1001 Bronze, Silver or Gold as their first practical target because these tiers match the usual path from basic cyber hygiene to stronger security evidence. Let’s break down each SMB1001 tier in the table below.
| Business situation | Practical SMB1001 tier direction |
| The business needs a recognised security baseline | Bronze |
| Customers or insurers ask for basic control proof | Silver |
| The business handles customer data and needs stronger evidence | Gold |
| Enterprise customers expect cleaner validation | Platinum |
| The business needs mature control monitoring and leadership oversight | Diamond |
For example, a startup may use Bronze or Silver to establish trust early. A SaaS company handling customer data may move toward Gold sooner because buyers ask deeper questions about access, data protection, incident response and recovery.
Of course, the tier decision should be based on what the business can prove and maintain. A well-maintained Silver or Gold position is stronger than a higher tier supported by rushed evidence.
Which Tiers Are Self-Assessed and Which Need an Audit?
SMB1001 Bronze, Silver and Gold usually carry a lighter evidence burden, while Platinum and Diamond should be approached as audit-ready or higher-assurance tiers. The table below breaks down what that means for each tier:
| SMB1001 tier | Practical assurance planning view | Buyer implication |
| Bronze | Lighter evidence burden | Basic control proof should be available. |
| Silver | Lighter evidence burden with stronger coverage | Access, email and policy evidence matter more. |
| Gold | Stronger evidence discipline | Governance and control maintenance must be credible. |
| Platinum | Audit-ready or higher-assurance pathway | Evidence should be clean, current and review-ready. |
| Diamond | Highest-assurance pathway | Controls should be mature, monitored and maintained. |
Businesses should still confirm the current SMB1001 assurance pathway before budgeting or making customer-facing claims. Lighter-assurance tiers still require honest evidence, while higher tiers need cleaner records, clearer ownership and more disciplined preparation.
How Much Does SMB1001 Certification Cost?
As of June 2026, the DSI lists SMB1001 certification pricing from about A$135 to A$1,413, depending on the licence option selected.
That range is the visible certification price. The full business cost can be higher because certification still needs to be supported by working controls, clean evidence and remediation before the business can confidently make customer-facing claims.
The limitation of a low visible price is that it can make SMB1001 look simpler than the preparation work behind it.
A business with MFA, endpoint protection, backup testing, access records and policies already in place will have a different cost profile from a business with shared accounts, unmanaged devices, weak documentation or untested recovery processes.
The preparation cost usually comes from the gap between the listed certification price and the controls the business still needs to prove.
| Cost area | What drives the cost |
| Gap assessment | Current maturity, target tier and system complexity |
| Email authentication | Domains, third-party senders, DNS access and DMARC monitoring |
| Endpoint security | Device count, EDR needs, remote users and operating systems |
| Backup and recovery | Data volume, SaaS platforms, retention and restore testing |
| Access management | MFA coverage, privileged accounts and offboarding process |
| Governance | Policies, incident response, ownership and asset register maturity |
| Evidence preparation | Records, logs, screenshots, review notes and audit readiness |
| Ongoing maintenance | Reviews, remediation, reporting and renewal preparation |
How Australian Businesses Can Prepare for SMB1001 Certification

Australian businesses can prepare for SMB1001 certification by treating it as a readiness process: check the controls, close the gaps, assign owners, and collect evidence before choosing a tier.
This aligns with the Austrade summary of Australia’s 2023–2030 Cyber Security Strategy, which highlights stronger businesses, safer technology and better cyber resilience.
The sections below break that preparation into three buyer decisions.
What to Have in Place Before You Certify
Before certifying, a business should have the core controls, evidence records and internal ownership needed to show:
- A current list of devices, users and key systems.
- MFA enabled for priority accounts.
- Endpoint protection across business devices.
- Backup coverage for critical systems.
- Restore testing or recovery confidence.
- A password management process.
- Joiner, mover and leaver access controls.
- Basic cybersecurity policies.
- Staff security awareness training.
- Incident response contacts and escalation steps.
- Evidence of reviews, updates and remediation.
For each item, the business should be able to show proof, not only confirm that the control exists. This preparation makes certification easier to manage and gives leadership a clearer view of current maturity.
Common Gaps to Close Before Certifying
Common gaps before SMB1001 certification usually appear in access control, evidence, backup testing, policy adoption, alert ownership and remediation tracking, so businesses should check for:
- Shared administrator accounts.
- MFA missing from important SaaS tools.
- No current asset register.
- Backups that have not been restore-tested.
- Policies stored but not used.
- Incomplete staff awareness records.
- Weak offboarding processes.
- No named incident response owner.
- No clear owner for security alerts.
- Vulnerability findings not tracked to closure.
- Partial email authentication.
- Remote devices outside normal control coverage.
Many businesses have parts of the answer already. The problem is that controls may be informal, incomplete or undocumented.
Self-Certification vs Managed Certification
Self-certification suits businesses with enough internal ownership, while managed certification suits businesses that need help closing gaps and maintaining evidence. The table below shows which path usually fits each business situation:
| Pathway | Best suited for | Main risk | Practical division of labour |
| Self-certification | Businesses with strong internal ownership | Evidence may decay | Internal team manages controls, records and renewal. |
| Managed certification | Businesses without dedicated cyber capacity | Scope must be clear | MSSP supports uplift, remediation and evidence. |
| Hybrid model | IT support with limited cyber specialisation | Roles may blur | Internal IT supports systems while MSSP leads security maturity. |
For many 10–100 person businesses, the hybrid model works best when internal leaders own decisions and the MSSP manages security maturity.
Get SMB1001 Certified With RedScale
For Australian SMBs, the real challenge starts after the first readiness check. Access controls, backups, policies, staff awareness, remediation records, and ownership all have to keep working in daily operations, not just on the day you certify.
RedScale offers the SMB1001 Certification Support solution to help Australian businesses keep all of that running. We assess your current maturity, close the practical security gaps, and prepare the evidence you need for certification.
As an MSSP, RedScale focuses on cybersecurity maturity, control operation, remediation and assurance evidence. This helps your business keep its controls reviewable when a customer, insurer or partner asks for proof again later.
Contact RedScale to plan your SMB1001 certification pathway with practical SMB pricing options.
FAQ
What are the Minimum Requirements to Get SMB1001 Certified?
The minimum requirements to get Bronze SMB1001 certified is to show controls across devices, updates, passwords, backups, network protection and everyday security ownership. Higher tiers add stronger access control, policies, awareness, recovery evidence, governance and validation.
Why do Australian Small Businesses Need SMB1001 Certification?
Australian small businesses need SMB1001 certification because customers, insurers, partners and procurement teams increasingly ask for credible cybersecurity proof. SMB1001 gives structure to basic security controls, evidence records and ownership before larger compliance demands appear
How to Meet the SMB1001 Requirements?
To meet the SMB1001 requirements, businesses can implement cybersecurity controls across the five certification tiers, from Bronze to Diamond. The process usually starts with basic cyber hygiene such as endpoint protection, backups, access control and security ownership, then moves towards stronger evidence around incident response, remediation, recovery testing and supplier governance.
Can a Business Self-certify SMB1001, or Does It Need an External Audit?
A business can self-certify some SMB1001 pathways, but higher-assurance tiers may require stronger validation or external review. For planning purposes, lower tiers usually carry a lighter evidence burden, while higher tiers should be treated as more evidence-heavy and review-ready. That’s why the business should confirm the current SMB1001 assurance pathway and only attest to controls it can prove with current evidence.
How Does RedScale Help a Business Meet SMB1001 Requirements?
RedScale helps a business meet SMB1001 requirements by assessing maturity, identifying gaps, supporting remediation and helping maintain practical cybersecurity controls. As an MSSP, RedScale can support access security, vulnerability management, endpoint security, staff awareness, governance, evidence readiness and certification planning.






