
Plain-English framework guide

Essential Eight, SMB1001, ISO 27001: which cyber framework fits your business?

Three frameworks dominate cyber conversations in Australian SMBs. They look interchangeable in MSP marketing, and they are not. This page sets out what each one actually is, what it actually costs, what audit (if any) actually means, and how to pick the one that fits your size and your obligations.

Where CCP sits

We are not a CyberCert partner and we don't currently sell SMB1001 certification. Our day-to-day work for clients implements controls drawn from Essential Eight and ISO 27001; we don't run an ASD-accredited E8 audit and we don't run ISO 27001 audits. This guide is an IT operator's read of the three frameworks, not legal advice or a compliance opinion.

The three frameworks at a glance

What each framework actually is, in one paragraph each.

Essential Eight (E8)

Eight technical mitigation strategies published by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). Originally designed for federal-government environments, then adapted into a four-tier maturity model (ML0 to ML3) that the rest of the country can use. Self-assessed against ACSC's published criteria; no certificate, no audit, no annual fee.

SMB1001

Five-tier (Bronze, Silver, Gold, Platinum, Diamond) certification standard published by Dynamic Standards International (formerly CSCAU) and operated through CyberCert. Aimed explicitly at SMBs. Bronze through Gold are self-attested by a company director; Platinum and Diamond require third-party audit. First published 2023, currently on its 2026 edition.

ISO/IEC 27001

International information-security management system (ISMS) standard, published jointly by ISO and IEC. First published in 2005, revised in 2013 and most recently in 2022. No tiers; you either hold the certificate or you don't. Always audited by accredited third-party certification bodies on a three-year cycle, with annual surveillance audits in between.

Headline comparison

The seven dimensions that actually matter when you pick.

If you only have time for one section of this page, read this table.

Essential Eight (E8)

Who runs it: Australian Signals Directorate (ACSC). Sovereign cyber authority.
How you prove it: Self-assessment against ACSC criteria. No certificate. Often used as evidence inside cyber-insurance renewals and supplier-security questionnaires.
Tier or maturity model: Four maturity levels: ML0 (partial or missing), ML1, ML2, ML3. Overall maturity is the lowest of your eight strategy scores, not the average: one strategy still at ML0 makes the organisation ML0.
Direct cost in 2026: Free. ACSC publishes the model. Assessment cost is your own time, plus your IT spend on the controls themselves.
Update cadence: Maturity model revised every few years. Last major revision November 2023; minor updates more often.
Recognised by Australian Government: Yes. ACSC publishes it. Cited in federal cyber strategy, sector regulator guidance, and many procurement panels.
Recognised by cyber insurers: De facto baseline language used in most Australian renewal questionnaires. ML1 typically clears a renewal without raised flags.

SMB1001

Who runs it: Dynamic Standards International (DSI), formerly CSCAU. Private Australian standards body. Sister entity CyberCert operates certification.
How you prove it: Bronze, Silver and Gold: self-attested by a company director. Platinum and Diamond: third-party audit. Annual recertification for all tiers.
Tier or maturity model: Five tiers from Bronze to Diamond. Each tier adds controls on top of the previous: 6 controls at Bronze, 35 at Diamond.
Direct cost in 2026: Annual certification fee per organisation, AU ex GST: $95 (Bronze), $195 (Silver), $395 (Gold), $3,595 (Platinum), $5,995 (Diamond). The standard text itself is paywalled at USD $99 to $1,000 with usage-based pricing.
Update cadence: Annual editions (2023, 2025, 2026). Genuinely faster cadence than the alternatives.
Recognised by Australian Government: Not in primary legislation. As of April 2026, not named in the Cyber Security Act 2024 or the SOCI Act CIRMP Rules. CSCAU made a 2024 submission asking Government to add SMB1001 to LIN 23/006 s10; the ask did not land in the 2025 SOCI amendments.
Recognised by cyber insurers: MSP marketing claims insurer recognition. We were unable to find a single named Australian insurer that publishes SMB1001 as a documented premium-discount input.

ISO/IEC 27001

Who runs it: ISO and IEC, the international standards bodies. Audits are carried out by certification bodies that are themselves accredited by a national accreditation body (JAS-ANZ in Australia and New Zealand).
How you prove it: Third-party audit by an accredited certification body. Three-year certificate cycle, annual surveillance audits. No self-attest pathway.
Tier or maturity model: Single binary state (certified or not), but the certificate covers a defined scope and a Statement of Applicability that records which Annex A controls are in play for your organisation and which are excluded, and why.
Direct cost in 2026: First-audit cost typically AU $15,000 to $50,000 depending on scope and certifier. Standard text sold by ISO at roughly AU $150 fixed.
Update cadence: 5 to 10 year revision cycles. Current edition 2022, predecessor 2013.
Recognised by Australian Government: Yes. Specifically named in CIRMP Rules for some critical-infrastructure sectors. Required by Right Fit For Risk and several other government accreditation regimes.
Recognised by cyber insurers: Universally recognised. Often satisfies entire questionnaire sections in lieu of itemised answers.

Cost figures are direct certification or audit fees only. The actual cost of meeting the controls (technical work, software, staff time) is in every case multiples of the certification fee.
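The floor rule in the table above is the one place the comparison turns on arithmetic, and it is easy to get wrong when a board pack reports an "average" maturity. The following is an added Python example, not code from the page or from ACSC; the eight strategy names are the published Essential Eight strategies, the sample scores are constructed, and the function names are ours.

```python
"""Essential Eight maturity roll-up: overall level is the floor, not the average.

Added example, not from the original page or from ACSC. Strategy names follow
the ACSC Essential Eight; the sample scores below are constructed.
"""

STRATEGIES = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)
MAX_LEVEL = 3  # ML0 .. ML3


def overall_maturity(scores: dict[str, int]) -> int:
    """Return the organisation-wide maturity level (0..3).

    Per the ACSC model, overall maturity is the lowest level reached across all
    eight strategies. A strategy that has not been assessed is an error rather
    than a silent zero, and unknown strategy names are rejected so a typo
    cannot drop a strategy out of the calculation.
    """
    missing = set(STRATEGIES) - scores.keys()
    unknown = scores.keys() - set(STRATEGIES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, level in scores.items():
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level must be an int in 0..{MAX_LEVEL}, got {level!r}")
    return min(scores.values())


def blockers(scores: dict[str, int], target: int) -> list[str]:
    """Strategies scored below `target`, i.e. what stops you claiming that level."""
    overall_maturity(scores)  # reuse the validation
    return [s for s in STRATEGIES if scores[s] < target]


# Constructed sample: seven strategies at ML3, MFA still at ML0.
SAMPLE = dict.fromkeys(STRATEGIES, 3)
SAMPLE["multi-factor authentication"] = 0

if __name__ == "__main__":
    average = sum(SAMPLE.values()) / len(SAMPLE)
    print(f"average score {average:.2f}, but overall maturity is ML{overall_maturity(SAMPLE)}")
    print("blocking ML1:", blockers(SAMPLE, 1))
```

The constructed sample averages 2.63 and still rolls up to ML0; `blockers(scores, target)` is the list you would actually hand to whoever owns the remediation work.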

SMB1001 close look

What SMB1001 actually requires at each tier.

The controls list at the heart of the SMB1001 standard, drawn from CSCAU's own 2024 submission to the Department of Home Affairs. Each tier adds controls on top of the previous; the cost figures are AU per organisation per year, ex GST.

Bronze (Level 1)

$95 per year · 6 controls · Director attested

Engage technical support, install a firewall, install anti-virus, automatically install patches, change passwords routinely, and have a backup strategy. Six controls.

Silver (Level 2)

$195 per year · 14 controls · Director attested

Adds 8 controls including TLS on public sites, no admin rights for normal user accounts, individual logins, a password manager, MFA on email, NDAs, an invoice-fraud policy, and a visitor register.

Gold (Level 3)

$395 per year · 22 controls · Director attested

Adds 8 controls including server patching, MFA on business apps and social, a written cyber security policy, an incident-response plan, secure document and device disposal, an asset register, and awareness training.

Platinum (Level 4)

$3,595 per year · 28 controls · External audit

Adds 6 controls including external vulnerability scanning, MFA on stored data, MFA on VPN, MFA on RDP, remote-access credential management, and a requirement to purchase business insurance.

Diamond (Level 5)

$5,995 per year · 35 controls · External audit

Adds 7 controls including encryption at rest, application control, disabling untrusted Office macros, penetration and social-engineering testing, supplier digital trust, police vetting for admins, and IR-plan tabletop training.

Three things to flag before you pay

  • Routine password changes are still a Bronze control. NIST SP 800-63B has advised against forced periodic rotation since Revision 3 (2017), and Revision 4, in force since August 2025, makes it a hard rule: verifiers shall not require periodic password changes, and shall force a change only when there is evidence of compromise. Scheduled rotation pushes users toward predictable, incrementing passwords and is the single most common modern-day password-policy mistake. SMB1001's published Bronze tier still mandates it. Level 2 then adds a password manager, which generates unique random passwords that gain nothing from rotation, so the Level 1 requirement sits awkwardly beside it.
  • A Gold-certified business is not required to have MFA on RDP. RDP without MFA has been one of the most common ransomware initial-access vectors for years. SMB1001 puts MFA on RDP, VPN and stored data at Level 4 (Platinum, $3,595/year, externally audited). Below that, a certificate holder can run password-only RDP and still hold the badge.
  • The framework's Essential Eight alignment claim is partial. SMB1001 markets itself as aligning with E8. Application control and disabling untrusted Office macros (both required from E8 ML1) only appear at SMB1001 Level 5, and MFA on remote access waits until Level 4. An SMB1001 Gold certificate covers a meaningful chunk of E8 ML1, but it is not equivalent to it. (Awareness training arrives at Level 3; E8 does not cover training at all, so that is a point in SMB1001's favour rather than an alignment gap.)

These criticisms are technical, not commercial. SMB1001's Steering Committee includes credible academic and policy figures (Professor Ryan Ko among them), and the framework's annual revision cadence is genuinely faster than ASD's E8 update pace. The points above are the specific places we'd want fixed before recommending the certificate as substantive evidence of cyber posture.

Which one for which buyer

A buyer's guide by size and obligation.

The right answer almost always falls out of two questions: how big are you, and is anyone external (insurer, customer, regulator) asking you for a specific framework? Find your row.

  • If you are: Microbusiness, under 10 staff
    We'd pick: Essential Eight ML1 self-assessment, no certificate

    At under 10 staff, you almost certainly don't have a regulatory or insurance reason to hold a certificate. The work to get to E8 ML1 (MFA, patching, backups, application control, macro restrictions, basic admin separation) is the work either way. Run our free self-assessment, fix what falls out, and revisit certification if a future client or insurer specifically asks for one.

  • If you are: 10 to 30 staff, no specific compliance driver
    We'd pick: Essential Eight ML1, plus the SMB1001 control list as a useful internal checklist

    Your insurer probably isn't asking for an SMB1001 certificate, your customers probably aren't asking for one, and the certificate doesn't currently get you anything regulatory. The control set inside SMB1001 Bronze and Silver is broadly sound and worth implementing. Treat the framework as a checklist, not a credential. If you want a credential to wave at a customer or broker, pursue E8 ML1 evidence first; it's the language those parties already speak.

  • If you are: 10 to 50 staff, you have an insurer or large customer asking
    We'd pick: Essential Eight ML1 as substance, ISO 27001 if the customer is paying you to hold it

    If a corporate customer's procurement gate, an insurer's questionnaire, or a regulator's accreditation regime names a specific framework, do that one. ISO 27001 is the credential the largest enterprise customers and federal-government procurement actually recognise. SMB1001 is occasionally accepted in supply-chain conversations, but treat any MSP claim of broad insurer or procurement recognition with scepticism and ask for a named published policy before paying for the certificate.

  • If you are: 20 to 50 staff in a regulated industry (legal, finance, health, RTO)
    We'd pick: Essential Eight ML2, with ISO 27001 if your sector regulator or your major clients require it

    Your sector regulator is almost certainly speaking the Essential Eight or ISO 27001 dialect, not SMB1001. Law firms, accountants, allied health, financial services, RTOs and aged-care providers all face frameworks built against E8 or ISO. SMB1001 may help you organise internally, but the audit evidence your regulator will accept is in another framework. Run the E8 self-assessment first; the answer will tell you whether the gap to ML2 is small enough to handle in-house or large enough to make a project.

  • If you are: 50+ staff, formal compliance program, board reporting
    We'd pick: ISO 27001 with Essential Eight controls baked in

    At this size, ISO 27001 is the credential that opens enterprise procurement and clears insurer questionnaires without follow-up. The controls inside an ISO 27001 ISMS will incorporate E8 controls anyway. SMB1001 is not designed for this scale and won't be recognised by the parties you most need recognition from.

Free self-assessment

Start with the framework Australia is already aligned on.

Run our Essential Eight self-assessment first.

Eight questions, one for each ACSC control. You get an estimated maturity level (ML0 to ML3) and a branded PDF you can share with your board, broker or auditor. Whichever framework you eventually pick, the answers tell you where you actually sit today, in the language Australian institutions already speak. No email required.


Common questions

What buyers actually ask when they're choosing between frameworks.

Is SMB1001 a recognised Australian Government standard?
No. As of April 2026, SMB1001 is not named in the Cyber Security Act 2024 and not added to the Security of Critical Infrastructure (CIRMP) Rules. CSCAU made a 2024 submission to Home Affairs asking Government to add SMB1001 to LIN 23/006 s10 of the SOCI Act CIRMP Rules; the SOCI 2025 Measures No. 1 Rules amendments (commenced 4 April 2025) made changes for data storage and telecommunications, but did not add SMB1001. SMB1001 remains a private market certification offering, not an Australian Government standard.
Does SMB1001 actually get you a cyber insurance discount?
We don't have evidence that it does. MSP marketing material commonly claims insurer recognition, but in researching this guide we could not find a single named Australian cyber insurer that publishes SMB1001 as a documented premium-discount input or accepts the certificate in lieu of specific questionnaire sections. If your broker tells you SMB1001 will move your premium, ask them to point at the published policy. Essential Eight ML1 evidence and ISO 27001 certification both have documented insurer recognition; SMB1001's recognition appears to be MSP folklore rather than insurer policy in 2026.
Are the controls inside SMB1001 actually any good?
Mostly yes, with one visible problem. The 2026 control set covers the right ground for SMB cyber risk: MFA, patching, backups, EDR, awareness training, email authentication, an AI-use policy. But the published Bronze tier still mandates routine password changes, which contradicts NIST SP 800-63B Revision 4 (the current global baseline; previous version was formally withdrawn August 2025). For a framework whose main marketing point is annual revision pace, missing this on the visible Bronze tier is hard to defend.
Why does CCP keep recommending Essential Eight first?
Because in 2026 it's the language insurers, regulators, larger customers and incident responders all speak. The Essential Eight isn't perfect (it's narrowly technical and ignores governance, training and policy), but it's the lingua franca our clients are being asked about. If you need a credential, ISO 27001 is the international one; if you need a control framework, the Essential Eight is the one Australia's institutions are already aligned on. SMB1001's controls overlap with both, but neither group has standardised on it.
Can a SMB1001 Gold certificate substitute for Essential Eight ML1?
No. Gold (Level 3) is 22 controls and is self-attested. Essential Eight ML1 includes application control and disabling untrusted Office macros; both of those only appear in SMB1001 at Level 5 (Diamond). Gold also doesn't require MFA on RDP or VPN; those wait until Level 4. Treat SMB1001 Gold and E8 ML1 as overlapping but not equivalent. If you've done the E8 ML1 work, you've done most of SMB1001 Silver and a lot of Gold; the reverse isn't as true.
Where does ISO 27001 fit for a 30-person business?
Usually nowhere, unless a paying customer or regulator is the reason. ISO 27001 is a serious commitment: an ISMS to design, implement and maintain, plus a three-year certification cycle with annual surveillance audits, plus first-audit cost typically in the AU $15,000 to $50,000 range. For a 30-person business with no specific external driver, the same money buys you considerably better cyber posture spent on E8 ML1 controls and an external pen test.

Sources

  • SMB1001 control set and certification pricing: CSCAU 2024 submission to the Department of Home Affairs, Annex A. homeaffairs.gov.au
  • Password rotation and modern password guidance: NIST SP 800-63B Revision 4, August 2025. pages.nist.gov
  • Cyber Security Act 2024 (no. 98 of 2024). legislation.gov.au
  • ACSC Essential Eight Maturity Model. cyber.gov.au
  • ISO/IEC 27001:2022 information security management systems. iso.org
