IronSights

Certification · SMB1001

SMB1001 certification, Bronze to Diamond.

SMB1001 is the tiered cyber security certification built for Australian small and medium businesses. We close your gaps and take you through certification at the tier your customers and insurer expect.

One fixed-fee engagement: gap review, control uplift, certification, and the annual renewal handled, by an Australian team that holds ISO 27001 itself.

Australian team, no offshoring
ISO 27001 certified practice
Fixed-fee path to certification

The standard

A certification sized for SMBs.

SMB1001 is published by Dynamic Standards International and revised annually. Where ISO 27001 asks for a management system most small businesses can't staff, SMB1001 asks for concrete controls scaled across five tiers, so a five-person firm and a two-hundred-person firm can both certify honestly.

Certification produces a dated certificate and badge you can put in front of customers, insurers, and procurement teams. It is the thing an Essential Eight assessment alone can't give you, because the Essential Eight has no certificate.

Not sure it's the right framework?

Take our free five-question selector to see whether SMB1001 or the Essential Eight fits your business, or read the full written comparison.

The five tiers

Certify where you are. Step up when you're ready.

Bronze

Self-attested

The entry tier. Foundational controls a business of any size can reach quickly, and a credible first badge to show customers.

Silver

Self-attested

Builds on Bronze with stronger identity, backup, and training requirements. A common landing point for small professional firms.

Gold

Self-attested

The tier most SMBs with client data should target. Broad control coverage that satisfies most supply-chain questionnaires.

Platinum

Externally audited

Independently verified. For businesses whose customers or regulators want certification backed by an external audit.

Diamond

Externally audited

The highest tier. Approaches the rigour of ISO 27001 at a fraction of the overhead, for SMBs competing on trust.

Why certify

What the certificate buys you.

Win and keep contracts

Supply-chain security questionnaires are now routine in Australian procurement. A current SMB1001 certificate answers most of them in one line.

Satisfy your insurer

Cyber insurers reward demonstrable controls. Certification gives your broker something concrete to take to underwriters.

A standard sized for SMBs

Unlike ISO 27001, SMB1001 was written for businesses of 5–200 staff. You certify at the tier that fits, then step up as you grow.

Recognised and growing

Backed by Dynamic Standards International and promoted across Australian industry bodies, including law societies recommending it to member practices.

How it works

From tier selection to certificate.

  1. Tier selection

    A short call to work out which tier your contracts, insurer, and risk profile require, not just the one that's easiest to sell.

  2. Gap review

    We assess your current controls against your target tier and give you a fixed-fee plan for whatever is missing.

  3. Uplift

    Our engineers implement the gaps with your IT team: identity, backups, patching, training, and the policies to match.

  4. Certification

    We take you through attestation (or the external audit at Platinum and Diamond) and you receive your certificate and badge.

  5. Stay certified

    SMB1001 recertifies annually. We keep your controls current so renewal is a formality, not a project.

Common questions

SMB1001, answered straight.

Not answered here? Get in touch and we'll point you in the right direction.

  1. What is SMB1001?

    SMB1001 is a multi-tiered cyber security certification standard published by Dynamic Standards International, designed specifically for small and medium businesses. It has five tiers (Bronze, Silver, Gold, Platinum, and Diamond), each adding progressively stronger controls, so a business can certify at a level that matches its size and risk and step up over time.

  2. How much does SMB1001 certification cost?

    The certification itself starts from roughly $95 per year at the entry tier, rising with tier level. The real cost is closing any control gaps before you certify, which depends on where you are today. Our gap review gives you a fixed-fee number for your target tier before you commit to anything.

  3. How long does it take to get certified?

    A business with reasonable IT hygiene can reach Bronze or Silver in a few weeks. Gold typically takes one to three months depending on gaps. Platinum and Diamond add an external audit, so allow a quarter. The tier-selection call gives you a realistic timeline for your situation.

  4. Which tier does my business need?

    It depends on who is asking. If a customer questionnaire or insurer just wants evidence of baseline hygiene, Bronze or Silver may be enough. If you hold sensitive client data (legal, financial, health), Gold is the sensible target. If certification is a competitive differentiator in your tenders, Platinum or Diamond's external audit carries the most weight.

  5. SMB1001 or the Essential Eight: which should we do?

    They solve different problems. The Essential Eight is the Australian government's mitigation framework: free, self-assessed, and referenced in government supply chains, but it produces no certificate. SMB1001 produces an actual certification you can show customers and insurers. Many businesses do both: Essential Eight as the control baseline, SMB1001 as the credential.

  6. Is SMB1001 recognised by the Australian Government?

    It is not government-mandated the way the Essential Eight is referenced in some sectors. Its recognition comes from industry: insurers, procurement teams, and professional bodies. For government-adjacent work, we usually pair an SMB1001 certification with an Essential Eight maturity assessment so both audiences are covered.

First step

Find your tier with a gap review.

Tell us about your business. We'll recommend a target tier, show you the gaps, and give you a fixed-fee path to the certificate. No obligation.