SMB1001 certification for small business: why the CyberGrape platform is the obvious choice

July 5, 2026

What SMB1001 actually is

SMB1001:2026 is the global cyber security standard built specifically for small and medium businesses. It sets out practical controls across five tiers, so you can start small and build as you grow rather than swallowing an enterprise standard whole.

The tiers run Bronze, Silver, Gold, Platinum and Diamond (Levels 1 to 5). Each one is cumulative, so a higher tier includes everything below it, sometimes in a stronger form.

Bronze (Level 1, 7 controls) covers the essentials: a firewall, antivirus on every device, automatic updates, decent passwords, a backup and basic staff awareness. Silver (Level 2, 17 controls) formalises the basics and adds multi-factor authentication on email, a password manager, TLS on your website and a few core policies. Gold (Level 3, 27 controls) is where real maturity kicks in, with endpoint detection and response, multi-factor authentication across all your apps, full email authentication, cyber insurance, an incident response plan, a digital asset register and an AI use policy. Platinum (Level 4, 32 controls) extends governance and requires independent verification. Diamond (Level 5, 39 controls) adds advanced technical controls such as encryption at rest, penetration testing and 24/7 managed detection.

Most SMBs start at Bronze or Silver. As larger customers push security requirements down their supply chains, more are being asked for Gold. The point is that you choose the tier that fits where your business is now, and you are never certifying against a stale standard, because SMB1001 is refreshed every year.

Knowing the controls is easy. Proving them is the work.

Here is the part nobody warns you about. Reading the SMB1001 control list takes an afternoon. Proving you meet each control is different work entirely: gathering the evidence, keeping it current and pulling it into a form an assessor will accept is where businesses lose weeks and burn money on consultants.

This is exactly the problem the CyberGrape platform was built to solve. Instead of a folder of screenshots and a spreadsheet that is out of date the moment you save it, you get one place where every SMB1001 control, every piece of supporting evidence and every report sits together and stays current.

How the platform maps to every SMB1001 control

SMB1001 groups its controls into five domains. Here is how each one lines up with a capability you get on the platform.

Technology management is the first domain, covering your firewall (control 1.2.0.1), antivirus and endpoint detection (1.3.0.1 and 1.12.0.0), automatic patching (1.4.0.0 and 1.6.0.1), website security (1.5.0.0), vulnerability scanning (1.7.0.1), penetration testing (1.11.0.0) and managed detection at the top tier (1.12.1.0). On the platform, live endpoint protection through CrowdStrike, Microsoft Defender or Bitdefender flows straight in, patch status is read from your remote management tooling, and Blacklock handles CREST-accredited penetration testing when you reach the higher tiers. Your firewall, website and endpoint status show up as evidence, not another job on your list.

Access management is about controlling who can get into your systems. It covers the password manager (controls 2.4.0.1 and 2.4.1.1), multi-factor authentication on email and then on all your apps (2.5.0.0 and 2.6.0.0), and email authentication using SPF, DKIM and DMARC (2.12.0.0 and 2.12.1.0). Bitwarden covers password management, and the platform reads multi-factor coverage from Microsoft Entra ID and Google Workspace so you can see exactly who is protected and who is not. PowerDMARC sets up the email records that stop scammers sending mail that looks like it came from your domain.

Backup and recovery covers your backup strategy (controls 3.1.0.1 and 3.1.1.1) and cyber insurance (3.2.0.0). KeepIt monitors your cloud backups and flags any gap against the tier's recovery rules. Risk quantification puts a real dollar figure on your exposure, which is exactly the evidence an insurer wants to see.

Policies, processes and plans is the governance domain. It covers your cyber security policy (control 4.4.0.0), incident response plan (4.5.0.0 and 4.5.1.0), digital asset register (4.8.0.0 and 4.8.1.0), AI use policy (4.11.0.0), supplier trust programme (4.9.0.1) and police vetting for high-access roles (4.10.0.0). The platform gives you ready-to-use policy templates with a proper approval workflow, an incident response plan builder, and an asset register that discovers your devices for you. For the higher tiers you also get a police vetting and contractor register, and the supplier trust requirement is met with continuous third-party risk monitoring powered by Black Kite.

Education and training is the final domain, covering staff awareness training (controls 5.1.0.0 and 5.1.1.0) and incident response exercises (5.2.0.0). uSecure runs the training and phishing simulations, and keeps completion records as evidence. You can schedule and log your incident response exercises in the same place.

A quick translation of the jargon, because you should not need a security degree to read this. Endpoint detection and response is software that watches your laptops and servers for threats. Multi-factor authentication is the second check when you log in, like a code on your phone. SPF, DKIM and DMARC are DNS records that let receiving mail servers detect messages falsely claiming to come from your domain; they only start blocking spoofed mail once DMARC is set to quarantine or reject rather than the monitoring-only p=none. Managed detection and response is a team watching your systems around the clock. None of it is complicated once someone sets it up properly, but each of these is something you can verify yourself rather than take on trust.
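The email authentication controls mentioned under access management (2.12.0.0 and 2.12.1.0) and in the jargon list above are the easiest ones to check for yourself before accepting a dashboard's green tick. The following is an added Python example, not CyberGrape or PowerDMARC code, that lints SPF, DKIM and DMARC TXT records for the weak settings an assessor would query: `+all` or `?all` in SPF, more than ten lookup mechanisms, the deprecated `ptr`, a DKIM key in testing mode or shorter than 2048 bits, and a DMARC policy of `p=none`, partial `pct` or missing reporting address. The records are constructed samples (example.net, example.com and zero-filled keys are placeholders, not real domains or keys); in practice you would fetch the real ones with DNS TXT lookups of your domain, `<selector>._domainkey.<domain>` and `_dmarc.<domain>`. The key-size test is a length heuristic, labelled as such in the code.

```python
"""Added example (not CyberGrape or PowerDMARC code): offline lint of SPF, DKIM
and DMARC records for weak settings. Records below are constructed samples;
real ones come from DNS TXT lookups of <domain>, <selector>._domainkey.<domain>
and _dmarc.<domain>."""
import base64
import binascii
import re

# SPF mechanisms that each cost a DNS lookup; RFC 7208 caps them at 10 per check.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def parse_tag_list(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qual = alls[-1][0] if alls[-1][0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qual == "+":
            findings.append("SPF: '+all' authorises every sender; use -all (or ~all)")
        elif qual == "?":
            findings.append("SPF: '?all' is neutral and gives no protection")
    lookups = sum(1 for t in terms[1:]
                  if LOOKUP_MECH.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append("SPF: 'ptr' is deprecated and unreliable")
    return findings


def check_dkim(record: str) -> list:
    """Findings for a DKIM key record published at <selector>._domainkey.<domain>."""
    tags = parse_tag_list(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v is optional, but if present must be DKIM1
        findings.append("DKIM: v tag is present but is not DKIM1")
    if "y" in tags.get("t", "").split(":"):  # flags are colon-separated, e.g. t=y:s
        findings.append("DKIM: t=y testing mode, verifiers treat the mail as unsigned")
    pub = tags.get("p")
    if pub is None:
        findings.append("DKIM: no p tag, record is not a valid key")
    elif pub == "":
        findings.append("DKIM: empty p means the key has been revoked")
    elif tags.get("k", "rsa").lower() == "rsa":
        try:
            der_len = len(base64.b64decode(pub, validate=True))
        except binascii.Error:
            return findings + ["DKIM: p is not valid base64"]
        # Heuristic: an RSA-2048 SubjectPublicKeyInfo is 294 DER bytes, RSA-1024 is 162.
        if der_len < 250:
            findings.append(f"DKIM: public key DER is {der_len} bytes, likely under 2048 bits")
    return findings


def check_dmarc(record: str) -> list:
    """Findings for the _dmarc.<domain> record."""
    tags = parse_tag_list(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces the policy on only part of the mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, you will receive no aggregate reports")
    return findings


def assess(spf: str, dkim: str, dmarc: str) -> dict:
    """Findings per record; all three empty is the state you want as evidence."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


# Constructed sample records (placeholder domains, zero-filled keys). The DKIM p
# values are base64 of zero bytes sized like RSA-1024 (162 B) and RSA-2048 (294 B) keys.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ptr +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(b"\x00" * 162).decode(),
    "dmarc": "v=DMARC1; p=none; sp=none",
}
STRONG = {
    "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.10 -all",
    "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode(),
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess(**records))
```

Run it against your own records and keep the empty-findings output with the date as the evidence for the email authentication control; a `p=none` DMARC record is the most common reason a domain that "has DMARC" is still being spoofed.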

The bit that saves you the most time: evidence that collects itself

Most GRC tools give you a checklist and leave you to fill it in. The CyberGrape platform goes further. As your security tools sync, the platform matches what it finds against each SMB1001 control and updates your readiness automatically. Your endpoint protection reports it is running, your backups report they ran, your multi-factor coverage is pulled in live.

That means you are not sitting up the night before an assessment hunting for screenshots. Your evidence is already there, already current, already mapped to the right control. This continuous assurance is the difference between certification being a scramble and certification being a status you simply maintain.

Why it is genuinely cost friendly

Certification gets expensive when you are paying for a pile of disconnected tools and weeks of consultant time just to pull evidence together. This is where one platform changes the maths.

Because the tiers are cumulative, you only take on what your business needs today. Bronze might be a few days of work using tools you already run. You are not buying an enterprise programme to solve a small business problem.

Because so much evidence collects itself, you are not paying anyone to gather it by hand. And because CyberGrape offers senior security leadership as CSO-as-a-Service, you get the guidance of a security executive at a fraction of what a big-four consultant charges, without carrying that cost as a salary.

Compliance done this way pays for itself. SMB1001 certification wins contracts, satisfies insurers and gives clients a reason to trust you, so it becomes a growth lever rather than a grudging cost.

Bronze to Diamond, with the right support at each step

Bronze, Silver and Gold (Levels 1 to 3) are self-assessed, and CyberGrape supports you through the entire process on the platform, from first gap analysis to a certification-ready evidence pack.

Platinum and Diamond (Levels 4 and 5) require independent third-party verification. CyberGrape manages that programme in coordination with an accredited certifier, so the higher tiers are still a guided path rather than a leap into the unknown. In every case the certification itself is issued by the accredited certifier, and the platform keeps your evidence audit-ready year round.

Built for small businesses across Australia and New Zealand

CyberGrape works with small and medium businesses across Australia and New Zealand, backed by an award-winning team and a 4.8-plus Google rating. The platform is purpose-built for SMB1001, not a resold enterprise tool bent into shape, which is why it fits the way smaller businesses actually operate.

If a client, insurer or tender has put SMB1001 certification on your radar, the fastest route is a single platform that maps the controls, gathers the evidence and walks you through the process.

Find out which SMB1001 tier fits your business, and get a clear path to certification. Book a free discovery call with CyberGrape.