Cybersecurity certification doesn’t have to be complex or overwhelming.
Understanding SMB1001:
- What is SMB1001 and why it was created specifically for organisations like yours
- The five certification levels (Bronze to Diamond) and what each means for your organisation
- How SMB1001 aligns with international standards like CIS, Essential Eight, UK Cyber Essentials and NZ Critical Controls
- Why clients, insurers, and regulators are increasingly asking about cybersecurity certification
SMB1001 certification isn’t just about ticking compliance boxes—it’s about demonstrating to clients, partners, and insurers that your organisation takes security seriously. With cyber threats evolving rapidly and certification increasingly becoming a competitive differentiator, understanding where you stand is the first step toward strategic improvement.
Webinar Summary
Development and Rationale Behind SMB 1001: Peter, CEO of Dynamic Standards International, detailed the origins and motivations for creating the SMB 1001 cybersecurity framework, highlighting the inadequacies of existing standards for small and medium businesses and the need for a practical, multi-tiered approach.
Peter’s Professional Background: Peter described a career as a technology entrepreneur focused on software development and technology efficiency since 1999, and explained how running a managed services provider (MSP) in Brisbane led to the establishment of Cybermetrics, a cybersecurity incubator.
Identifying Gaps in Existing Frameworks: Peter explained that prior to SMB 1001, government frameworks such as Australia’s Essential Eight were overly technical and not aligned with the real-world risks faced by SMBs, often neglecting the human element and business-wide risk management.
The Role of People in Cybersecurity: Peter emphasized that, despite technical controls, people remained the primary target for cyberattacks, particularly through social engineering, and that existing frameworks failed to address this adequately.
Need for Practical Guidance: Peter recounted feedback from SMBs and MSPs requesting a clear, actionable list of cybersecurity best practices, leading to the design of SMB 1001 as a journey-based, multi-level framework that allows organizations to start at an appropriate level and progress over time.
Structure and Levels of the SMB 1001 Framework: Bill and Peter explained the multi-tiered structure of SMB 1001, detailing the requirements and progression from Bronze to Diamond levels, and how each level addresses increasing cybersecurity maturity for SMBs.
- Bronze Level Overview: Bill described the Bronze level as the entry point, requiring seven basic controls such as engaging a technical specialist, installing firewalls and antivirus, patching systems, ensuring strong passwords, implementing backups, and conducting cybersecurity training.
- Silver Level Requirements: The Silver level adds controls including TLS certificates, regular server updates, individual employee accounts, password managers, MFA on email, anti-spoofing, confidentiality agreements, invoice fraud prevention, and visitor registers, with a focus on demonstrating good practices to clients and insurers.
- Gold Level and Advanced Controls: At the Gold level, organizations must implement endpoint detection and response (EDR), MFA across all business applications, restrict RDP to VPN, maintain cyber insurance, establish cybersecurity policies, incident response plans, secure document destruction, digital asset registers, and AI use policies.
- Platinum and Diamond Levels: Bill noted that Platinum and Diamond levels require external audits and align with international standards such as ISO 27001, with Diamond representing the highest maturity and closest alignment to global frameworks.
- Invoice Fraud Prevention: SMB 1001 introduces a specific policy to prevent invoice fraud, a prevalent financial crime targeting professional sectors, especially law firms, by combining procedural controls with technical measures like MFA.
- Director Attestation Requirement: Certification requires a director or owner to personally attest to the organization’s compliance, increasing executive awareness and accountability for cybersecurity.
- Agility and Responsiveness: Peter emphasized that SMB 1001 is updated annually to remain agile and responsive to new threats and technology changes, unlike some government frameworks that have remained static.
Implementation Guidance and Practical Benefits for SMBs: Bill and Peter provided practical advice on implementing SMB 1001, including the use of online tools, the importance of people and process controls, and the benefits of certification for client assurance, board reporting, and insurance.
Certification as Assurance: Certification provides tangible assurance to boards, clients, and partners, allowing organizations to demonstrate their cybersecurity posture and respond confidently to due diligence inquiries.
Simplified Requirements and Clear Guidance: The framework offers clear, step-by-step instructions for controls such as antivirus deployment and mobile device security, making implementation accessible for SMBs with limited resources.
Incident Response Planning and Training Initiatives: Bill and Peter discussed the importance of incident response planning, the role of training, and upcoming changes to Kinetics’ phishing and security awareness programs, emphasizing preparedness and continuous improvement.
Adoption and Recognition of SMB 1001: Peter and Bill noted the growing adoption of SMB 1001 by professional organizations, insurers, and supply chains, and discussed efforts to increase representation and awareness, particularly in New Zealand.