Australian businesses are being asked more questions about cyber security. Insurers want evidence. Enterprise customers want assurance. Boards want a clearer view of risk. Government and supply chain requirements are becoming harder to ignore.

That usually leads to one question: should we use SMB1001, ISO 27001 or the Essential Eight?

The right answer depends on your size, your customers, your risk profile and why you need the framework in the first place. For many small and medium businesses, SMB1001 is the most practical starting point. For organisations that need a recognised Australian technical baseline, the Essential Eight is often the right first focus. For businesses that need formal information security governance and international recognition, ISO 27001 is usually the stronger long-term target.

The Short Answer

Pick SMB1001 if you are a small or medium business that wants a practical, tiered cyber security certification pathway.

Pick Essential Eight if you need to align with Australian Government guidance, improve core technical controls or show maturity against a recognised Australian baseline.

Pick ISO 27001 if you need a formal information security management system, stronger governance, enterprise customer assurance or international recognition.

Some organisations will eventually use all three. The mistake is trying to start with the most complex option before the basics are working.

What Each Framework Is For

SMB1001

SMB1001 is built for small and medium businesses. It gives organisations a tiered cyber security pathway, rather than forcing them into an enterprise-style compliance program from day one. It is useful when a business wants to improve security, show progress to clients or insurers, and work through achievable control levels.

For many smaller organisations, SMB1001 feels more practical because it is designed around staged uplift. It suits businesses that need structure, but do not yet need a full ISO 27001 information security management system.

Essential Eight

The Essential Eight is an Australian cyber security framework published by the Australian Signals Directorate. It focuses on eight mitigation strategies:

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Regular backups

The Essential Eight is practical and technical. It is less about running a full management system and more about reducing common attack paths. It is useful when an organisation needs to improve baseline cyber resilience, especially around patching, MFA, admin access and backups.

ISO 27001

ISO 27001 is an international standard for information security management systems. It is broader than a technical control framework. It covers governance, risk management, policies, roles, continual improvement, internal audit, management review and control selection.

ISO 27001 is often chosen when customers, regulators, tenders or enterprise contracts require formal assurance. It suits organisations that handle sensitive information, operate across multiple markets, serve enterprise customers or need mature governance around information security.

Simple Comparison

Framework       | Best For                                              | Main Focus                             | Typical Buyer Driver
SMB1001         | Small and medium businesses                           | Practical staged cyber security uplift | Client assurance, insurance, board comfort
Essential Eight | Australian organisations needing a technical baseline | Core technical controls                | Government alignment, risk reduction, maturity uplift
ISO 27001       | Larger, regulated or enterprise-facing organisations  | Information security management system | Certification, tenders, governance, customer assurance

When SMB1001 Makes the Most Sense

SMB1001 is often the best starting point when the organisation needs a cyber security pathway that is achievable. It suits:

  • Professional services firms
  • Local businesses with sensitive client data
  • Small technology providers
  • Accounting, legal and advisory firms
  • Regional businesses with limited internal IT resources
  • Businesses that need to show cyber maturity to customers
  • Organisations that want certification without starting with ISO 27001

A common example is a small professional services firm that has MFA, backups and antivirus in place, but no formal cyber security framework. Jumping straight to ISO 27001 may be too much. Essential Eight may still be useful, but it does not provide the same small-business certification pathway. In that scenario, SMB1001 gives the business a more realistic structure.

When the Essential Eight Makes the Most Sense

The Essential Eight is a strong choice when the main concern is technical control maturity. It suits organisations that need to answer questions like:

  • Are all users protected by MFA?
  • Are privileged accounts restricted properly?
  • Are applications and operating systems patched quickly enough?
  • Are backups protected and tested?
  • Are macros and risky user applications controlled?
  • Can we show evidence of technical security uplift?

The Essential Eight is especially useful for Australian organisations that want to align with ASD guidance. It is also a good fit where the business is not ready for ISO 27001 but needs better control over identity, patching, backups and endpoint hardening.

For example, a mid-sized organisation using Microsoft 365, Entra ID, Intune and Defender may get strong value from an Essential Eight assessment. The work can identify gaps in MFA, Conditional Access, patching, device controls and administrative access.

When ISO 27001 Makes the Most Sense

ISO 27001 is the better option when the organisation needs formal information security governance. It suits:

  • SaaS providers selling to enterprise customers
  • Managed service providers
  • Financial services organisations
  • Health, legal and professional services firms handling sensitive data
  • Businesses responding to tender requirements
  • Organisations operating across Australia and overseas
  • Companies that need formal customer assurance
  • Boards that want structured cyber risk governance

ISO 27001 is more demanding because it is not only about technical controls. It requires an information security management system that is maintained over time. That means defining scope, assets, risks, policies, responsibilities, controls, audits, management reviews and continual improvement.

A business should not choose ISO 27001 only because it sounds more impressive. It should choose ISO 27001 when the business case supports the effort.

The Wrong Way to Choose

Many businesses choose a framework for the wrong reason. They choose ISO 27001 because a competitor has it. They choose Essential Eight because it is Australian, but they do not know which maturity level they need. They choose SMB1001 because it seems simpler, but they do not check whether their customers will accept it.

The better way is to ask:

  • Who is asking for this?
  • What evidence do they need?
  • Is certification required or is alignment enough?
  • What systems and data are in scope?
  • What level of internal effort can we support?
  • What risks are we trying to reduce?
  • What will the business need in 12 to 24 months?

The best framework is the one that fits the actual business driver.

If you are unsure which framework fits, RTCS can help compare SMB1001, Essential Eight and ISO 27001 against your actual business drivers, systems, customer requirements and risk profile.


Decision Guide

Choose SMB1001 if

  • You are an SMB and need a practical certification pathway.
  • You want staged uplift instead of a large compliance program.
  • You need something clearer than informal best practice.
  • You want to show clients, insurers or partners that cyber security controls are being addressed.
  • You have limited internal security resources and need a framework that can be implemented progressively.

Choose Essential Eight if

  • You want a recognised Australian technical baseline.
  • You need to improve patching, MFA, privileged access, backups and endpoint hardening.
  • You are responding to government, board or internal risk expectations.
  • You want to understand current maturity before investing in broader compliance.
  • You need a practical control uplift plan.

Choose ISO 27001 if

  • You need formal information security governance.
  • You are being asked for ISO 27001 by customers or tenders.
  • You handle sensitive information at scale.
  • You need a recognised international certification pathway.
  • You have the internal maturity to maintain policies, risk assessments, audits and management review.
  • You want an ongoing information security management system, not only a control uplift project.

What About Using More Than One?

These frameworks can work together. SMB1001 can be a practical starting point for an SMB. The Essential Eight can strengthen technical controls. ISO 27001 can provide the broader management system once the business needs formal governance and certification.

A sensible pathway may look like this:

  1. Start with SMB1001 if you are a smaller business needing structure and certification.
  2. Use Essential Eight to improve core technical controls.
  3. Move towards ISO 27001 when customer, tender or governance requirements justify it.

Another pathway may be:

  1. Start with an Essential Eight assessment to identify control gaps.
  2. Fix identity, patching, backup and privileged access issues.
  3. Build ISO 27001 readiness once technical foundations are stronger.

For SaaS businesses, professional services firms and growing Australian companies, this staged approach often makes more sense than trying to do everything at once.

Common Mistakes

Starting with ISO 27001 too early

ISO 27001 can be valuable, but it requires commitment. If the business has weak MFA, poor patching, no asset register and untested backups, it may be better to fix those foundations first.

Treating Essential Eight as a paperwork exercise

The Essential Eight is technical. A policy saying MFA is required is not enough. The organisation needs evidence that controls are actually configured and working.
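The point above, that evidence means checking configured state rather than policy text, is easiest to see with a small evidence check. The following is an added example, not code from this page or from RTCS: it runs a handful of Essential Eight checks (MFA, privileged accounts, patch age, Office macros, backup currency and restore testing) over a constructed export of accounts, devices and backup jobs. The account, device and backup records, the patch-age and restore-test thresholds, and the assessment date are all assumed values for illustration; they are not ASD's maturity-level timeframes, and in a real assessment the records would come from the tenant's own identity, device management and backup reports.

```python
"""Evidence check over a constructed Essential Eight export (illustrative only)."""
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)  # constructed assessment date, not a real engagement


@dataclass
class Account:
    upn: str
    mfa_registered: bool   # user has an MFA method registered
    is_admin: bool         # holds a privileged role


@dataclass
class Device:
    name: str
    os_patch_date: date    # last OS security update installed
    app_patch_date: date   # last application update installed
    macros_blocked: bool   # Office macros from the internet blocked by policy


@dataclass
class Backup:
    last_success: date       # last successful backup job
    last_restore_test: date  # last time a restore was actually tested


# Constructed sample export; no real tenant, user or host data.
ACCOUNTS = [
    Account("alice@example.com", mfa_registered=True, is_admin=True),
    Account("bob@example.com", mfa_registered=False, is_admin=False),
    Account("carol@example.com", mfa_registered=False, is_admin=True),
]
DEVICES = [
    Device("ws-01", AS_OF - timedelta(days=5), AS_OF - timedelta(days=3), True),
    Device("ws-02", AS_OF - timedelta(days=40), AS_OF - timedelta(days=60), False),
]
BACKUP = Backup(AS_OF - timedelta(days=1), AS_OF - timedelta(days=200))


def check_mfa(accounts):
    """Every account should have MFA registered, not just a policy saying so."""
    return [f"{a.upn}: MFA not registered" for a in accounts if not a.mfa_registered]


def check_admin_privileges(accounts):
    """Privileged accounts without MFA are the highest-risk gap in the export."""
    return [f"{a.upn}: privileged account without MFA"
            for a in accounts if a.is_admin and not a.mfa_registered]


def check_patching(devices, as_of, max_age_days):
    """Flag devices whose OS or application patches are older than the assumed limit."""
    findings = []
    for d in devices:
        os_age = (as_of - d.os_patch_date).days
        app_age = (as_of - d.app_patch_date).days
        if os_age > max_age_days:
            findings.append(f"{d.name}: OS patches {os_age} days old (limit {max_age_days})")
        if app_age > max_age_days:
            findings.append(f"{d.name}: application patches {app_age} days old (limit {max_age_days})")
    return findings


def check_macros(devices):
    return [f"{d.name}: Office macros not blocked" for d in devices if not d.macros_blocked]


def check_backups(backup, as_of, max_backup_age_days, max_restore_test_age_days):
    """A backup that has never been restored is not evidence that backups work."""
    findings = []
    backup_age = (as_of - backup.last_success).days
    test_age = (as_of - backup.last_restore_test).days
    if backup_age > max_backup_age_days:
        findings.append(f"last successful backup {backup_age} days ago (limit {max_backup_age_days})")
    if test_age > max_restore_test_age_days:
        findings.append(f"last restore test {test_age} days ago (limit {max_restore_test_age_days})")
    return findings


def assess(accounts, devices, backup, as_of=AS_OF,
           patch_limit_days=14, backup_limit_days=1, restore_test_limit_days=90):
    """Map findings to the Essential Eight strategies they provide evidence for.

    The day limits are assumed thresholds for this example, not ASD's own figures.
    """
    return {
        "Multi-factor authentication": check_mfa(accounts),
        "Restrict administrative privileges": check_admin_privileges(accounts),
        "Patch applications / operating systems": check_patching(devices, as_of, patch_limit_days),
        "Configure Microsoft Office macro settings": check_macros(devices),
        "Regular backups": check_backups(backup, as_of, backup_limit_days, restore_test_limit_days),
    }


if __name__ == "__main__":
    for strategy, findings in assess(ACCOUNTS, DEVICES, BACKUP).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{strategy}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Each finding names a specific account, device or backup job, which is the kind of artefact an assessor can attach as evidence; the policy document alone would pass none of these checks.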

Assuming SMB1001 replaces all other requirements

SMB1001 may be suitable for many SMBs, but it may not satisfy every customer, tender, insurer or regulator. The business still needs to confirm what the relying party expects.

Picking a framework without knowing the audience

A framework should match the person asking for assurance. A government-aligned customer may care more about Essential Eight. An enterprise SaaS customer may ask for ISO 27001. A smaller client or insurer may accept SMB1001 evidence.

Ignoring operational effort

Every framework creates ongoing work. Controls need to be maintained. Evidence needs to be updated. Staff need to follow processes. Systems change. Exceptions need review.

What Good Looks Like

A good framework decision should produce a practical roadmap. That roadmap should explain:

  • Current cyber security position
  • Target framework or maturity level
  • Gaps that need remediation
  • Evidence required
  • Systems and business areas in scope
  • Internal owners
  • Priority actions
  • Expected effort
  • Dependencies
  • Next review point

The roadmap should not be vague. It should give the business a clear path from current state to target state.

How RTCS Can Help

RTCS helps Australian organisations choose and implement the right cyber security framework for their size, risk and commercial requirements.

For SMBs, RTCS provides SMB1001 certification support, including gap assessment, uplift, evidence preparation and guidance through the certification process.

For organisations aligning to ASD guidance, RTCS provides Essential Eight assessment and uplift planning.

For businesses preparing for formal assurance, RTCS provides compliance and risk governance services, together with vCISO and security advisory support, including ISO 27001 readiness activities, cyber risk reporting and security roadmap development. Supporting uplift often draws on vulnerability management, identity and access management, cloud security review and incident response readiness.

Practical Recommendation

For most Australian SMBs, the best starting point is usually SMB1001 or an Essential Eight gap assessment.

Choose SMB1001 when the business needs a staged certification pathway. Choose Essential Eight when the business needs to reduce technical risk and align with Australian Government guidance. Choose ISO 27001 when the business needs formal governance, stronger customer assurance or certification for tenders and enterprise sales.

The right choice is not always the most advanced framework. It is the one your organisation can implement, maintain and use to reduce real risk.

Summary

SMB1001, ISO 27001 and the Essential Eight are not interchangeable. SMB1001 is usually the most practical certification pathway for small and medium businesses. The Essential Eight is a strong Australian technical baseline for reducing common cyber risks. ISO 27001 is best when the organisation needs a formal information security management system and recognised assurance.

For many organisations, the answer is staged. Start with the framework that matches your current need, then build towards stronger governance over time.