SMB1001 FAQs
SMB1001: 2023 is a multi-tiered cyber security certification standard developed by Cyber Security Certification Australia (CSCAU) specifically for Small and Medium-sized Businesses (SMB). It is an Australian standard that guides SMBs in developing their cyber security capability and hygiene.
Small and Medium-sized Businesses (SMBs) in any sector that need to improve their cyber security hygiene and provide assurance to their customers or supply chain partners against cyber threats. It is essential for SMBs seeking to demonstrate credible cyber hygiene.
Certification supports the development of mature cyber security hygiene. It provides a credible certification demonstrating a strong suite of security measures, offers a pathway toward adopting international standards like ISO 27001, and is often a competitive advantage in supply chains.
What are the key components of SMB1001?
The standard has five tiers (Levels 1-5), each building upon the previous one. Measures are organised into five key categories:
1. Technology Management
2. Access Management
3. Backup and Recovery
4. Policies, Processes and Plans, and
5. Education and Training.
How to Achieve the Certificate?
1. Choose Your Target Level: Select the appropriate level (1-5) based on your business needs.
2. Readiness/Consulting (Optional): Implement all required measures and documentation for your target level (our Readiness Service).
3. Internal Audit: Conduct internal conformance check (our Readiness Service).
4. External Audit only for Platinum (Level 4) & Diamond (Level 5): Engage an Authorised External Auditor (us) for verification and attestation.
5. Certification: Receive your official SMB1001 certificate.
Can you perform both the Readiness Service and the Final Audit?
No. As an authorised Certifier for the SMB1001 standard, we must act in an impartial way at all times. Providing both consulting (Readiness) and final verification (Audit) would constitute a conflict of interest, invalidating the certification.
Which service should we choose first?
If you are starting out or targeting a higher level (Level 3-5), the Readiness Service is essential. It ensures that the necessary controls and documentation are in place before you pay for the final, high-stakes audit.
How long does an SMB1001 Audit take?
The certification is valid for one (1) year. The audit time varies by the tier and complexity, but independent verification for Levels 4 and 5 requires a formal third-party assessment lasting 3-5 days, plus reporting time.
How long does an SMB1001 Readiness take?
This depends on your organisation's starting maturity and the target tier (Level 1 is much faster than Level 5). Implementing the measures and documentation usually takes between 3 and 9 months.