SMB1001 and Australian Cyber Essentials


SMB1001 and Australian Cyber Essentials: Understanding the Difference

SMB1001 has emerged as one of the most accessible cybersecurity certification frameworks available to Australian small and medium businesses. Developed by Dynamic Standards International (DSI) and certified through CyberCert, it offers a practical, tiered pathway that many organisations have found to be a credible and achievable starting point. Exploring what it covers, how certification works at each level, and how it compares to Australian Cyber Essentials (ACE) helps organisations make informed decisions about which framework fits their goals.


What SMB1001 offers

SMB1001 is structured across five tiers: Bronze, Silver, Gold, Platinum, and Diamond. Each tier builds on the one before it, covering five domains: technology management, access management, backup and recovery, policies and processes, and education and training.

The framework is designed to be agile. It is updated annually by DSI to reflect the current threat environment, which is one of its practical strengths. The current edition, SMB1001:2026, includes 27 controls at Gold level and introduces requirements for email authentication, endpoint detection, and cybersecurity awareness training across multiple tiers.

For organisations starting their security journey, the tiered structure provides a clear ladder. Bronze and Silver establish foundational controls: antivirus, firewalls, patching, multi-factor authentication (MFA) on key accounts, and basic backup disciplines. Gold adds meaningful depth: endpoint detection and response (EDR), email authentication (SPF, DKIM, and DMARC), a written incident response plan, a digital asset register, regular staff training, and defined policies including a responsible AI use policy. Platinum and Diamond extend further into vulnerability scanning, data encryption, penetration testing, rehearsed incident response drills, and formal supplier due-diligence programmes.


How certification works at each level

This is an important distinction that organisations should understand before pursuing SMB1001 certification.

Bronze, Silver, and Gold certifications are self-attested. The business works through the required controls, collects evidence of compliance, and a director attests to meeting the standard before certification is issued through CyberCert. This makes certification at these levels accessible and affordable. It also means the certificate reflects the organisation’s own assessment of its compliance, rather than independent verification by an external party.

Platinum and Diamond are different. At these tiers, an Independent Verification Organisation (IVO) conducts an external audit before certification is issued. Someone outside the organisation reviews the evidence and confirms that the controls are genuinely in place.

Both approaches have value. Self-attested certification at Bronze through Gold is a credible signal that an organisation has thought about its security posture and taken structured steps to address it. External audit certification at Platinum and Diamond provides independent confirmation of that posture, which carries different weight when presenting to boards, regulators, major clients, or supply chain partners who require independently verified assurance.


Where ACE sits in comparison

Australian Cyber Essentials (ACE) is an independently certified, evidence-based assurance framework. Certification is carried out by Bureau Veritas, one of the world’s largest independent testing, inspection, and certification organisations.

The distinction matters. Every ACE certification, at every level, requires independent third-party verification. Bureau Veritas reviews the evidence of controls before any certification is issued. There is no self-attestation pathway in ACE. This positions ACE closer to the Platinum and Diamond end of the SMB1001 spectrum in terms of how the certification is verified, regardless of the tier being assessed.

ACE also covers a broader set of domains than the lower SMB1001 tiers. Where SMB1001 Bronze and Silver focus primarily on technical and process fundamentals, ACE incorporates governance, board accountability, risk management frameworks, incident response, business continuity, third-party and supply chain risk, and regulatory alignment from the outset. These are not optional additions at higher tiers; they are part of the assurance framework across all ACE levels.


The question of what you are trying to demonstrate

Both SMB1001 and ACE are legitimate frameworks, and the right choice depends on what an organisation is trying to demonstrate and to whom.

If the goal is to establish a documented security baseline, begin building internal security disciplines, and provide clients and insurers with evidence of structured cybersecurity effort, SMB1001 provides a clear and accessible pathway. The tiered structure means organisations can progress incrementally, and the annual recertification cycle keeps the programme current.

If the goal is to provide independently verified assurance to a board, a regulator, a major enterprise client, or a supply chain partner who requires certified evidence of security maturity including governance and risk oversight, the independent certification model that ACE delivers becomes important. The Bureau Veritas certification is internationally recognised and carries the weight of a long-established, independent certification body.


If you have already pursued SMB1001

Existing SMB1001 work contributes directly to an ACE pathway. Controls implemented at Gold, Platinum, or Diamond tier across SMB1001’s technology management, access management, and backup and recovery domains align with ACE’s technical control requirements. Documented evidence collected for SMB1001 certification can be assessed against the relevant ACE domains, reducing the gap analysis work required.

The two frameworks are not in competition. Organisations that have invested in SMB1001 certification have already built security disciplines and collected evidence that forms a solid starting point. ACE extends that work by adding the independent verification layer and the broader governance and risk management domains that complete the assurance picture.

For organisations that are newer to structured cybersecurity, both frameworks can be pursued in parallel. The technical controls required by SMB1001 align closely with ACE’s technical domains, and a structured programme addressing both simultaneously is practical for most SMB environments.
