Most Australian businesses asking about cyber security frameworks are really asking one question: where do I start, and what will it actually mean for my business?
The Essential Eight and SMB1001 both come up in that conversation. One is government-backed, technically specific, and free to self-assess. The other is certifiable, built from scratch for businesses under 200 staff, and costs as little as $95 a year to get started. They overlap in some areas and diverge sharply in others.
What is the Essential Eight?
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate (ASD). The ASD developed it to help Australian organisations defend against the most common categories of cyber attack. The controls cover application control, patching applications, Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
The framework uses three maturity levels. ML1 is baseline protection against opportunistic attacks. ML2 is the current expectation across most Australian industries. ML3 is for organisations facing sophisticated adversaries, including government agencies, defence contractors, and critical infrastructure operators.
There is no certification. You assess your maturity, identify gaps, and work toward a target level. The ASD publishes the guidance free of charge.
What is SMB1001?
SMB1001 is a cyber security certification standard published annually by Dynamic Standards International and administered through CyberCert. It was built for businesses with fewer than 200 employees and gives them a tiered pathway to security maturity.
The standard has five tiers: Bronze, Silver, Gold, Platinum and Diamond. Bronze covers the basics, including antivirus, firewalls, multi-factor authentication and patching. Each tier builds on the last. Lower tiers rely on director self-attestation and start at around $95 per year. Platinum and Diamond require independent external audit.
Completing an SMB1001 tier gives you a certificate you can show clients, insurers and procurement teams. The Essential Eight does not produce one.
How they differ
Certification vs. framework
The Essential Eight is a maturity model. It tells you where you sit, but there is nothing to hand a client. SMB1001 is a certification scheme. Bronze through Diamond each produce a credential.
If you need to demonstrate compliance to a client, insurer or procurement process, that distinction matters more than the technical differences between the two.
Government vs. private sector recognition
The Essential Eight is referenced in government procurement policy and across regulated sectors including health, finance and defence. If your business contracts with government, or your clients operate in those sectors, the Essential Eight is what they recognise and expect.
SMB1001 is not government-mandated. It is privately published with growing commercial recognition. For businesses operating in the private sector, that tends to be enough.
Cost and entry point
The Essential Eight costs nothing to self-assess. Closing the gaps is another matter. Reaching ML1 requires real investment in patching, privilege management and multi-factor authentication. ML2 adds phishing-resistant MFA and tighter application controls. The work takes months, sometimes longer.
SMB1001 Bronze starts at around $95 per year and is completed through director self-attestation. For businesses that need a starting point without a full technical overhaul upfront, it is the more accessible option.
Technical depth vs. breadth
The Essential Eight goes deep on eight specific technical controls. SMB1001 covers five domains across technology, access, backup, policy and training. It is broader, particularly at the governance and training end, but less technically prescriptive at lower tiers.
For businesses with limited IT capability, SMB1001 is easier to follow. For businesses with a capable IT function that needs to demonstrate rigorous technical controls, the Essential Eight is more specific.
When the Essential Eight is the right choice
If your business supplies to government, works in defence, or operates in a regulated sector like financial services or health, the Essential Eight is where to start. The ASD framework is what your clients and regulators recognise. ML2 is the general expectation across most professional service industries now, not ML1.
It is also the right choice if you have an in-house IT function or a managed service provider running your systems. The controls are technically specific and need someone with the capability to implement and maintain them properly.
When SMB1001 makes more sense
If you operate in the private sector, have fewer than 50 staff, and need a framework that is both accessible and commercially demonstrable, SMB1001 is the stronger fit.
Bronze and Silver are achievable without a dedicated IT function. The self-attestation model puts responsibility with the business owner, which works well for small businesses where the director is already close to their systems. The certification gives clients, insurers and procurement teams something to see.
It also suits businesses that are still building their security foundations. You can certify at Bronze now and step up as the business grows, rather than committing to a framework that assumes ML2 maturity before the basics are covered.
Can you do both?
For many businesses, yes. More importantly, the overlap is more useful than most people expect.
At SMB1001 Gold and above, the technical controls start to align closely with Essential Eight ML1. Businesses working toward Gold often find themselves near ML1 without having planned for it. At Platinum, the overlap with ML2 is more direct.
For businesses serving both government and private sector clients, a combined approach under a single security programme is practical. The frameworks share enough technical ground that you are not running two separate programmes. A well-structured plan can satisfy both.
Getting an independent view
If you are not sure which framework fits, or you want to know where you currently stand against either standard, an independent gap assessment is the clearest starting point. IronSights runs framework assessments and cyber audits for Australian businesses across both Essential Eight and SMB1001. The output is a plain-language report with a prioritised action plan, not a list of findings designed to sell you more services.
If you want a quick self-directed answer first, use our SMB1001 vs Essential Eight framework selector. Five questions. Instant result.