SMB1001: What Australian Small Businesses Need to Know About the New Cyber Standard
SMB1001 is a new Australian cyber security certification standard built specifically for small businesses. Here's what it requires, who should pursue it, and how to prepare.
Australia's cyber security landscape for small businesses has just become a lot more structured. SMB1001 — a new certification standard built specifically for small and medium businesses — is gaining recognition as the practical alternative to standards that were designed for enterprise organisations. If you're a small business owner trying to understand what it is, whether you need it, and how to achieve it, this guide covers everything you need to know.
The Problem SMB1001 Solves
For years, the main cyber security certifications available in Australia were either too complex, too expensive, or too large-organisation-focused for small businesses to realistically pursue. Standards like ISO 27001 require extensive documentation, formal audits, and ongoing compliance programs that demand significant resources. The Essential Eight, while practical, is a control list rather than a certifiable standard — there's no official badge you can point to.
Small businesses were left in a gap: they needed to demonstrate cyber security capability to clients, insurers, and government — but had no practical way to do so. SMB1001 was designed to fill that gap.
What Is SMB1001?
SMB1001 is a tiered cyber security standard developed by the Council of Small Business Organisations Australia (COSBOA) with input from the cyber security industry. It provides a structured, scalable framework that small businesses can use to assess, certify, and continuously improve their cyber security posture.
The standard is structured around tiers, allowing businesses to start at a foundational level and progressively build toward higher maturity — rather than facing an all-or-nothing compliance requirement.
The SMB1001 Tiers
SMB1001 defines multiple tiers of certification, broadly structured as follows:
Tier 1: Foundation
The entry level focuses on basic cyber hygiene that every business should have in place. This includes:
- Strong password practices and MFA on key accounts
- Software updates and patching on a defined schedule
- Basic data backup processes
- A written acceptable use policy
- Understanding of what data the business holds and how it's protected
Tier 2: Managed
The second tier builds on foundation controls with greater consistency, documentation, and staff awareness. Businesses at this tier:
- Have documented cyber security policies reviewed annually
- Have completed staff security awareness training
- Have implemented endpoint protection across all business devices
- Have a documented incident response process
- Have considered supply chain risks and third-party access
Tier 3: Advanced
The advanced tier aligns closely with Essential Eight Maturity Level 2 and above. It includes more rigorous controls such as application control, privileged access management, vulnerability scanning, and log monitoring.
How Certification Works
SMB1001 certification is verified through an accredited assessor — a cyber security professional or organisation approved to conduct SMB1001 assessments. The assessment process involves:
- Self-assessment: The business completes an assessment against the relevant tier's requirements, gathering evidence of controls in place.
- Documentation review: The assessor reviews policies, procedures, and technical evidence.
- Technical verification: Depending on the tier, the assessor may verify technical controls directly (e.g., confirming MFA is enabled, reviewing backup logs).
- Certification decision: If the business meets the requirements, it receives certification for the applicable tier.
Certification is time-limited and requires renewal — typically annually — to ensure businesses maintain their posture rather than achieving certification once and letting controls lapse.
Who Should Pursue SMB1001 Certification?
SMB1001 is relevant for any Australian small or medium business, but is particularly valuable if you:
- Supply goods or services to government agencies or large enterprises that assess supplier security
- Hold sensitive customer data and want to demonstrate compliance with Privacy Act obligations
- Are seeking cyber insurance and want to demonstrate security maturity to underwriters
- Operate in a regulated sector (healthcare, finance, legal) where client security expectations are high
- Want a structured pathway to improve your cyber posture over time
How SMB1001 Aligns With Australian Regulations
SMB1001 was designed to align with Australia's broader cyber security regulatory environment, including:
- The ACSC's Essential Eight: Many SMB1001 controls map directly to Essential Eight requirements, meaning work toward one supports the other.
- Privacy Act 1988 and the NDB scheme: SMB1001's data handling and incident response requirements help businesses meet their obligations under the Privacy Act's "reasonable steps" test.
- The Cyber Security Act 2024: While this Act primarily targets larger entities and critical infrastructure, SMB1001 demonstrates the kind of security governance the Act signals as an expectation for the broader economy.
Preparing for SMB1001
If you're considering SMB1001 certification, the best starting point is a gap assessment against the tier you're targeting. This tells you which controls you already have in place and which need to be implemented or documented before you engage an accredited assessor.
Common areas where small businesses need to do work before a Tier 1 assessment include:
- Enabling MFA on email and cloud accounts (often quick to implement)
- Documenting a basic acceptable use and data handling policy
- Setting up automated software updates and verifying backup processes
- Creating a simple incident response checklist
The free cyber risk assessment at flagged.com.au is a practical way to benchmark your current position against the kinds of controls SMB1001 requires, helping you understand what to prioritise before you invest in a formal assessment.
Key Takeaways
- SMB1001 is a tiered Australian cyber security certification standard built specifically for small and medium businesses by COSBOA.
- It provides a certifiable, scalable framework — unlike the Essential Eight, which is a control list without formal certification.
- The three tiers progress from foundational controls through managed practices to advanced security postures.
- Certification requires an accredited assessor and must be renewed annually.
- It aligns with the Essential Eight, the Privacy Act, and the Cyber Security Act 2024 — making it a useful anchor for overall compliance.
Frequently asked questions
What is SMB1001 and who created it?
SMB1001 is a cyber security standard specifically designed for small and medium-sized businesses. It was developed by the Council of Small Business Organisations Australia (COSBOA) in partnership with the cyber security industry. It provides a tiered certification framework that gives small businesses a practical, proportionate pathway to demonstrate their cyber security posture — something that was previously difficult given that standards like ISO 27001 are designed for much larger organisations.
How does SMB1001 differ from the Essential Eight?
The Essential Eight is a set of controls developed by the ASD as a technical baseline — it tells you what to do but doesn't provide a formal certification pathway. SMB1001 is a certifiable standard with defined tiers that can be verified by an accredited assessor and used to demonstrate your security posture to clients, insurers, and government. The two frameworks are complementary: SMB1001 aligns closely with Essential Eight controls while adding governance, policy, and supply chain elements relevant to small business operations.
Is SMB1001 certification required to win government contracts?
As of early 2025, SMB1001 certification is not a universal requirement for government contracts in Australia. However, it is gaining traction as a procurement signal, and some state and federal agencies are beginning to reference it in their supplier security expectations. Given the direction of Australian government cyber policy — which has consistently moved toward mandatory standards — achieving SMB1001 certification now positions your business well for future requirements.