SMB1001 in 2026: What the Cyber Certificate Actually Proves, and What It Doesn't
An IT operator's honest read of SMB1001, the five-tier Australian SMB cyber certificate from Dynamic Standards International (formerly CSCAU). The bottom three tiers are self-attested by a company director, the lobbying ask to Government in 2024 didn't land in legislation, and the Bronze control set still mandates routine password changes against current NIST guidance. What the certificate is useful for, and where to be careful before paying.
This is an IT operator’s read of the SMB1001 standard and how it sits in the Australian market in 2026. It isn’t legal or compliance advice. Whether a particular cyber certification satisfies a regulator’s expectation, an insurer’s renewal questionnaire or a customer’s procurement gate is your compliance officer’s or broker’s call. We implement cyber controls; they sign off on whether the certificate clears the bar. We are not a CyberCert partner and don’t currently sell SMB1001 certification.
If you run a 25-person Australian business and an MSP has pitched you SMB1001 in the last six months, the offer is for a certificate that costs $95 to $5,995 per year and proves, depending on the tier, one of two things. At Bronze, Silver or Gold (the three cheaper tiers), it proves that a company director signed an attestation document saying the controls listed in the standard are in place. At Platinum or Diamond, it proves that an external auditor verified the same. Three of the five tiers are self-attested, and most certificates being issued in the Australian market sit in those three tiers. Whether that proves enough to be worth paying for depends entirely on what you’re trying to do with the certificate.
SMB1001 is published by Dynamic Standards International (DSI), a private Australian standards body that traded as Cyber Security Certification Australia (CSCAU) until 2023, with certification operated through a sister entity called CyberCert. The framework launched in late 2023, updated to a 2025 edition in September 2024, and is now on its 2026 edition (certifiable since January). Annual revision is the framework’s flagship marketing point, and on that specific claim the framework delivers: three editions in three years is a faster cadence than ASD’s Essential Eight maturity model and considerably faster than ISO 27001’s five-to-ten year revision cycle.
The Steering Committee that governs the standard includes credible academic and policy figures, including Professor Ryan Ko (a well-known Australian cyber academic) and former ACT health minister the Hon Meegan Fitzharris. There is genuine expertise behind the framework, and it’s worth saying so up front. What follows in this article is a critical read, but it is one read. We have an opinion on where SMB1001 sits in the Australian market, and we’ll make our case. Other practitioners will land in different places, and that’s fair.
What does an SMB1001 certificate actually prove?
For Bronze, Silver and Gold, it proves that a company director has personally attested that the controls in the standard are in place. No external auditor has verified the controls; the director’s word is what the certificate rests on.
That word does have legal weight. Knowingly false attestation by a company director is not without consequence under the Corporations Act, and the framework leans on this as its accountability mechanism. Whether that’s sufficient assurance for the parties you want to convince (an insurer, a customer’s procurement panel, a regulator) depends entirely on those parties’ policies. They may accept director attestation. They may not.
For Platinum and Diamond, an external audit has occurred. These tiers are priced higher (AU $3,595 and $5,995 per year respectively) and require materially more operational work to clear. They are also rare in the certificate population we observe in the market.
A recipient of an SMB1001 certificate who isn’t told the tier can’t tell which of those two things they’re being shown. A reader who treats every SMB1001 certificate as evidence of audited security posture is treating Bronze attestation the same as Diamond audit. The framework’s marketing doesn’t make this distinction visually clear.
Has anyone in Australia actually agreed SMB1001 counts?
In primary legislation as of April 2026, no.
CSCAU made a substantive submission to the Department of Home Affairs in February 2024 in response to the Cyber Security Legislative Reforms Consultation Paper. The four recommendations in that submission asked Government to add SMB1001 to section 10 of the Security of Critical Infrastructure (CIRMP) Rules, to extend Secure-by-Design standards beyond IoT to multiple supply chains, to adopt SMB-appropriate prescriptive standards over time, and to encourage Government and large organisations to mandate SMB1001 in procurement contracts as a “ticket to trade” mechanism.
Two pieces of legislation flowed from that consultation. The Cyber Security Act 2024 received Royal Assent on 29 November 2024 and does not name SMB1001, CSCAU, DSI or CyberCert anywhere in its text. Its “security standards” provisions cover IoT consumer devices, not SMB management practices. The Security of Critical Infrastructure Amendment (2025 Measures No. 1) Rules 2025 commenced on 4 April 2025 and brought data storage systems and telecommunications assets explicitly into CIRMP scope. No public reporting of those amendments mentions SMB1001 being added to LIN 23/006, and trade-press coverage of the changes from major Australian law firms (Bird & Bird, Pinsent Masons, LK Lawyers, Corrs) describes the amendments without reference to the framework.
Our reading: the lobbying ask was focused, well-argued and well-staffed. It also did not land in either piece of legislation. SMB1001 in 2026 remains a private market certification offering, not an Australian Government recognised standard.
Does SMB1001 get you a cyber insurance discount?
Many MSP marketing pages claim it does. We were unable to find documented evidence that it does.
In researching this article we looked for Australian cyber insurers publishing SMB1001 as a documented premium-discount input or accepting the certificate in lieu of specific renewal-questionnaire sections. The MSP claim of “many cyber insurers now recognise SMB1001” is widespread; the corresponding insurer-side policy document is not. If your broker is telling you SMB1001 will move your premium, the question to ask is which named insurer’s published underwriting guidance recognises the certificate, and what the expected discount is. If they can’t point at the policy, they’re repeating folklore.
This may change. The framework is being aggressively distributed through MSP partner channels (a high-profile Acronis-CyberCert partnership was announced in October 2025), and insurer recognition tends to follow market penetration eventually. As of April 2026, the recognition isn’t there yet at a level we can verify.
Are the controls inside SMB1001 actually any good?
Mostly yes, with three specific concerns we’d want resolved before recommending the certificate as substantive evidence of cyber posture.
The 2026 control set covers the right ground for SMB cyber risk: MFA, patching, backups, EDR/MDR, awareness training, email authentication (SPF, DKIM, DMARC), and an AI acceptable-use policy. The selection of controls is broadly sound and addresses the threat surface a 10-to-30 staff Australian business actually faces.
The first concern is that the published Bronze tier still mandates routine password changes. NIST SP 800-63B Revision 4, which has been the global identity-authentication baseline since August 2025 (and whose predecessor was formally withdrawn the same month), explicitly tells organisations to stop forcing scheduled password rotation. ISO 27001, SOC 2, PCI-DSS and HIPAA all align to NIST 800-63B. For a framework whose marketing differentiator is annual revision pace, shipping the 2026 edition with this control unrevised is hard to defend. The framework also creates an internal contradiction: Bronze requires routine rotation, Silver adds a password manager, and a password manager makes scheduled rotation operationally pointless.
The second concern is that MFA on RDP, MFA on VPN, and MFA on stored data only appear at Level 4 (Platinum). RDP without MFA is one of the most common ransomware initial-access vectors and has been for years. An SMB1001 Gold-certified business may be running RDP with a password and no second factor while still holding the certificate. Gold (22 controls, $395 per year) is the realistic mass-market tier; the controls that most reduce ransomware risk sit a tier above it.
The third concern is that SMB1001’s claim of alignment with the Essential Eight is partial at best. Application control and disabling untrusted Microsoft Office macros (both ML1 strategies in E8) only appear at SMB1001 Level 5. Cybersecurity awareness training only appears at Level 3. An SMB1001 Gold certificate covers a meaningful chunk of E8 ML1, but is not equivalent to it. This matters because the parties most likely to ask for cyber evidence in the Australian market (insurers, sector regulators, larger corporate customers) speak the Essential Eight or ISO 27001 dialect, not SMB1001’s.
So who is SMB1001 actually useful for?
Two distinct cases, and they’re often confused.
As an internal control checklist, the framework is genuinely useful for a 10-to-30 staff business that hasn’t yet structured its cyber posture. Walking through Bronze, Silver and Gold gives an owner-operator a reasonable list of “the things to actually have in place” and creates a forcing function (the director attestation) for treating the list seriously. The same applies to bringing a new MSP relationship up to a documented baseline.
As an external credential to wave at insurers, customers or regulators, the case is much weaker. The framework isn’t named in legislation. Insurer recognition appears to be MSP folklore rather than published underwriting policy. The bottom three tiers are self-attested, which means a recipient who hasn’t read carefully cannot tell whether your certificate represents director attestation or external audit. The parties you most want to convince are usually fluent in Essential Eight and ISO 27001 instead.
A reasonable summary, in our view: SMB1001 is fine as a self-improvement tool, weak as a badge in 2026.
What CCP does about SMB1001
We don’t sell SMB1001 certification. We aren’t a CyberCert partner. We may revisit that position as the market evolves and if the framework picks up the kind of independent recognition we’ve described as missing here. If we do, this article will be updated and the disclosure at the top will change.
What we do for the same client cohort is implement the underlying controls. The cyber baseline our clients sit on (the CSBO that comes with our Managed IT Complete plans) covers MFA, patching, backups, awareness training, EDR, email authentication, password management and admin separation. Those are the same controls SMB1001 lists in its first three tiers. A client on our standard stack who runs the SMB1001 self-attestation checklist will find that most of the work has already been done; the remainder is documentation and policy text rather than technical implementation.
If you’re weighing SMB1001 against pursuing Essential Eight ML1 properly, we’d suggest the Essential Eight self-assessment first. It’s free, it takes ten minutes, it gives you a maturity estimate in the language Australian institutions actually speak, and the answers tell you whether the work to clear an SMB1001 tier is already largely done. If after that you still want a certificate to hand to a specific party, the conversation about which one (SMB1001, ISO 27001, or evidence-based E8 ML1 assertion) is much easier with that picture in hand.
For the longer comparison across all three frameworks, see our framework selection guide.
Primary sources
- CSCAU 2024 submission to the Department of Home Affairs, including Annex A controls table. Department of Home Affairs. Accessed April 2026.
- Cyber Security Act 2024 (Cth). Federal Register of Legislation. Accessed April 2026.
- NIST SP 800-63B Revision 4 (Digital Identity Guidelines). National Institute of Standards and Technology. Published August 2025.
- ACSC Essential Eight Maturity Model. Australian Cyber Security Centre.
- ISO/IEC 27001:2022. International Organization for Standardization.