Framework selector
SMB1001 or Essential Eight: which one fits?
Two credible frameworks. Neither is universally better. Answer five questions to find out which one matches your industry, client base, and what you are actually trying to achieve.
5 questions
About 2 minutes
No signup required
Instant result
Built for Australia
What is the Essential Eight?
The Essential Eight is a set of eight technical controls developed by the Australian Signals Directorate to help organisations reduce their exposure to common cyber threats. It uses three maturity levels, ML1 through ML3, with ML2 now the expected baseline across most Australian industries. Free to self-assess and government-backed, it is widely recognised in defence and public sector supply chains. There is no certification, just a maturity level you work toward and maintain.
What is SMB1001?
SMB1001 is a certifiable cyber security standard built specifically for small and medium businesses. Published annually by Dynamic Standards International and administered through CyberCert, it runs five tiers from Bronze to Diamond, covering technology, access control, backup, policy and training. Lower tiers start at around $95 per year and rely on director self-attestation. Higher tiers require independent audit. Unlike the Essential Eight, SMB1001 gives you a certificate you can show clients, insurers and procurement teams.
How they compare
| | Essential Eight | SMB1001 |
|---|---|---|
| Publisher | Australian Signals Directorate | Dynamic Standards International |
| Certification | No | Yes — Bronze to Diamond |
| Self-assessment | Yes, free | Yes, lower tiers |
| Entry cost | Free | From ~$95/year |
| External audit | No | Required at Platinum + Diamond |
| Primary audience | Govt suppliers, regulated industries | Private sector SMBs |
| Govt recognition | Mandated in some sectors | Not legislated |
| Update frequency | Irregular | Annual |
| Covers governance + training | Partially | Yes, from lower tiers |
The assessment
Pick the answer that best describes your business for each question. Your result appears once all five are answered.
Who are your main clients or stakeholders?
Does your business need to demonstrate cyber security to win or keep contracts?
What is your in-house technical capability?
What is your primary goal for adopting a framework?
Would a cyber security certificate help your business commercially?
Common questions
Asked by businesses like yours.
Not answered here? Get in touch and we will point you in the right direction.
Is SMB1001 recognised by the Australian Government?
Not in the same way as the Essential Eight. The Essential Eight is published and maintained by the ASD and referenced in government procurement and sector-specific security policies. SMB1001 is not legislated or government-mandated, though it carries growing recognition with insurers and private sector procurement teams.
Does completing the Essential Eight give you a certificate?
No. The Essential Eight is a self-assessment framework. It produces a maturity level, not a certificate. If you need a certifiable credential to show clients or insurers, SMB1001 is the more appropriate option.
What does the Essential Eight cost to implement?
The self-assessment is free. Implementation costs depend on your current state and target maturity level. Reaching ML1 typically takes three to six months and moderate investment in technology and process. ML2 takes longer and requires more rigorous controls, particularly around multi-factor authentication and patching.
Can a business pursue both frameworks at the same time?
Yes. At higher tiers, SMB1001 incorporates many of the same technical controls the Essential Eight requires. Businesses working toward SMB1001 Gold or above often find themselves close to ML1 or ML2 as a byproduct. For businesses with a mixed client base, running both under a single programme is a practical approach.
What Essential Eight maturity level should most Australian businesses aim for?
ML2 is now the general expectation across most industries. If you are in health, finance, defence or government supply chains, ML2 should be your target. ML3 is for critical infrastructure and organisations handling the most sensitive data. Smaller businesses with lower risk profiles may find ML1 a reasonable starting point, though the case for stopping at ML1 is narrowing.
Work out where you stand
Want a second opinion on your result?
IronSights works with Australian SMBs to close the gap between where they are and where a framework requires them to be. Whether that is a gap assessment, a path to SMB1001 certification, or ongoing managed security, reach out and we will work through it with you.