SMB1001: The Multi-Tiered Standard for Australian Cyber Hygiene
SMB1001:2023 is a multi-tiered standard designed specifically to help Small and Medium Businesses (SMBs) develop robust cyber security hygiene appropriate to their resources and needs. We offer two distinct services to help you achieve certification: Independent External Audit or Expert Readiness Consulting.

Our SMB1001 Services (No Conflict of Interest)
We provide two distinct services. You may choose whichever service best fits your current needs.
SMB1001 Independent Audit (External Auditor)
Formal Certification: As an Authorised external SMB1001 Auditor, we conduct the final, formal certification assessment of your chosen tier (Level 4 & 5). Our successful audit attests to your organisation's certified level of cyber hygiene.

SMB1001 Readiness Service
Gap Analysis & Implementation: We act as your internal consulting partner, helping you identify gaps, implement the measures, and develop all necessary documentation and procedures required for your target tier.

Note: For the same Platinum (Level 4) or Diamond (Level 5) system, we provide either the SMB1001 Readiness Service or the SMB1001 Independent Audit, to avoid a conflict of interest and to maintain compliance with independence requirements for certification bodies.
SMB1001 FAQs
Step 1: Gap Analysis & Planning
We assess your current IT environment against the chosen SMB1001 level and create a clear, prioritised roadmap to close all identified compliance gaps.
Step 2: Implementation & Remediation
Our technical experts deploy the required controls (e.g., setting up MFA, configuring firewalls, deploying password managers, and ensuring data backups are verified).
Step 3: Policy & Documentation
We develop the required policy and procedure documentation (e.g., Cyber Policy, Incident Response Plan).
Step 4: Self-Attestation (L1-L3)
We prepare the final compliance document, ensuring your Director can confidently sign the Self-Attestation letter to complete the certification.
Audit Preparation (L4-L5): We act as your audit liaison, preparing all necessary evidence, control descriptions, and documentation for the independent auditor.
Step 5: Certification & Renewal
We submit your required documentation to the certifying body and help you use your new badge. We then establish an annual review to ensure your compliance is maintained.
SMB1001:2023 is a multi-tiered cyber security certification standard developed by Cyber Security Certification Australia (CSCAU) specifically for Small and Medium-sized Businesses (SMB). It is an Australian standard that guides SMBs in developing their cyber security capability and hygiene.
Small and Medium-sized Businesses (SMBs) in any sector that need to improve their cyber security hygiene and provide assurance to their customers or supply chain partners against cyber threats. It is essential for SMBs seeking to demonstrate credible cyber hygiene.
Certification supports the development of mature cyber security hygiene. It provides a credible certification demonstrating a strong suite of security measures, offers a pathway toward adopting international standards like ISO 27001, and is often a competitive advantage in supply chains.
The standard has five tiers (Levels 1-5), each building upon the previous one. Measures are organised into five key categories:
1. Technology Management
2. Access Management
3. Backup and Recovery
4. Policies, Processes and Plans, and
5. Education and Training.
1. Choose Your Target Level: Select the appropriate level (1-5) based on your business needs.
2. Readiness/Consulting (Optional): Implement all required measures and documentation for your target level (our Readiness Service).
3. Internal Audit: Conduct an internal conformance check (our Readiness Service).
4. External Audit only for Platinum (Level 4) & Diamond (Level 5): Engage an Authorised External Auditor (us) for verification and attestation.
5. Certification: Receive your official SMB1001 certificate.
No. As an authorised Certifier for the SMB1001 standard, we must act in an impartial way at all times. Providing both consulting (Readiness) and final verification (Audit) would constitute a conflict of interest, invalidating the certification.
Which service should we choose first?
If you are starting out or targeting a higher level (Level 3-5), the Readiness Service is essential. It ensures that the necessary controls and documentation are in place before you pay for the final, high-stakes audit.
The certification is valid for one (1) year. The audit time varies by tier and complexity, but independent verification for Levels 4 and 5 requires a formal third-party assessment lasting 3-5 days, plus reporting time.
This depends on your organisation's starting maturity and the target tier (Level 1 is much faster than Level 5). Implementing the measures and documentation usually takes between 3 and 9 months.
Schedule Your SMB1001 Certification Assessment


