What Is SMB1001?
SMB1001 is a tiered cyber security standard designed specifically for small and medium businesses. Instead of asking a 20-person company to interpret a framework written for enterprises, it sets out clear, achievable controls and lets you certify at a tier that matches your size, risk, and obligations.
Controls are grouped across five domains - technology, access and identity, backups and recovery, policies and governance, and people and training - so the certification reflects how a business is actually attacked, not just its technology.
It is also designed to align with the frameworks you may already be measured against, including the ACSC Essential Eight, so the work you do toward one rarely goes to waste.
- Technology controls - patching, configuration, and endpoint protection
- Access & identity - multi-factor authentication and account management
- Backups & recovery - regular, restore-tested, and kept where ransomware cannot reach them
- Policies & governance - documented, owned, and reviewed
- People & training - security awareness across the whole team
The Five Tiers
Each tier adds assurance. Bronze, Silver, and Gold are self-attested and quick to reach; Platinum and Diamond are independently audited and carry more weight with insurers and large customers. You start where you can and step up over time.
- Bronze - The core controls every business should have in place. The fastest way to demonstrate you take security seriously.
- Silver - Builds on Bronze with documented, repeatable security practices rather than ad-hoc effort.
- Gold - Risk-based controls and governance, formally signed off at director level. A credible posture for organisations handling sensitive data.
- Platinum - Your controls are verified by an independent third-party audit - the level larger clients and insurers increasingly ask to see.
- Diamond - The highest tier: a mature, continuously improving security program, independently audited. Built for businesses where trust is the product.
Why Get Certified
Insurers increasingly want evidence of real controls before they cover you - or before they pay out. A recognised certification is a clear, defensible answer to that question.
Larger clients, government, and primes are pushing security requirements down their supply chain. A tier you can point to shortens vendor questionnaires and unlocks work you would otherwise be screened out of.
SMB1001 is scoped for small and medium business from the ground up. You get a credible standard without the cost and overhead of an enterprise certification you do not need.
The standard is refreshed annually, and certification is renewed on the same cycle, so what you hold reflects current threats rather than a snapshot from years ago. Maintaining it keeps your security honest.
SMB1001 and the Essential Eight
These two are complementary, not competing. The Essential Eight is the ACSC's set of technical mitigation strategies - a strong baseline for hardening your systems. SMB1001 is a certifiable, tiered standard that wraps those technical controls together with governance and people, and gives you something you can formally certify against.
In practice, the Essential Eight work you do maps directly into SMB1001. We routinely run them together: harden the technology against the Essential Eight, then evidence the broader controls SMB1001 asks for, and certify at the right tier.
How RTCS Gets You Certified
Gap Assessment
We measure you against your target tier across all five domains and show you exactly what is missing, in plain language.
Remediation & Uplift
We close the gaps - hands-on where you need us, advisory where you have the capability - so the controls are real, not just on paper.
Evidence & Documentation
We prepare the policies, records, and evidence the standard requires and get your attestation pack ready to submit.
Certification Support
We guide you through self-attestation, or prepare and support you through the independent audit for Platinum and Diamond.
Maintain & Progress
We keep you certified through the annual refresh and, when you are ready, help you step up to the next tier.
What It Costs
We do not publish a price list, because the honest answer depends on your size, your target tier, and how much is already in place. What we do commit to is a fixed-scope quote up front - you know the cost before we start, with no creeping invoices.
Bronze through Gold is usually a focused engagement. Platinum and Diamond are larger, because of the independent audit involved. Every engagement starts with a gap assessment so we are both working from facts, not guesses.
- Fixed-scope, quoted up front - no surprise invoices
- Starts with a gap assessment against your target tier
- Delivered in-house and onshore - no offshore data transfer
- Retainer available to maintain certification year on year
SMB1001 Straight Answers
What is SMB1001?
SMB1001 is a tiered cyber security certification standard built specifically for small and medium businesses. It sets out clear controls across five domains - technology, access and identity, backups and recovery, policies and governance, and people and training - and lets you certify at one of five tiers (Bronze, Silver, Gold, Platinum, Diamond) that matches your size and risk.
How is SMB1001 different from the Essential Eight?
The Essential Eight is a set of technical mitigation strategies from the ACSC - a hardening baseline. SMB1001 is a certifiable, tiered standard that combines technical controls with governance and people, and gives you a formal certification to show insurers and clients. They are complementary: the Essential Eight work you do feeds directly into SMB1001, and we often run them together.
Which tier does my business need?
It depends on what you are trying to achieve. Many businesses start at Bronze or Silver to demonstrate baseline security quickly, move to Gold when handling sensitive data or chasing larger contracts, and pursue Platinum or Diamond when a client, insurer, or regulator requires independently audited assurance. We will recommend a target tier in the gap assessment.
Can RTCS certify us directly?
We get you certification-ready and support you through the process. For the self-attested tiers we prepare your evidence and guide the attestation; for the independently audited tiers (Platinum and Diamond), an accredited third party performs the audit and issues the certification - we prepare you for it and support you through it. We are upfront about that split so there is no conflict of interest.
How long does certification take?
Bronze can be a matter of weeks if your fundamentals are in reasonable shape. Silver and Gold typically take one to three months depending on the gaps we find. Platinum and Diamond take longer - usually three to six months or more - because of the independent audit and the depth of evidence required.
Does SMB1001 help with cyber insurance?
It can. Insurers increasingly ask for evidence of specific controls before offering cover or settling a claim, and a recognised certification is a clear way to demonstrate them. It is not a substitute for a policy, but it strengthens your position and can simplify the application.