COMPLIANCE, SMB1001
A graduated cyber framework, built for SMBs.
SMB1001 is the Australian standard for cybersecurity in small and mid-sized businesses. Five tiers, graduated from a free self-assessment to a fully audited posture. BaseHost builds and runs the technical controls each tier needs. You decide which tier to commit to, and your assessor signs you off.
THE AUSTRALIAN SMB STANDARD
A five-tier path that scales with the business
SMB1001 is the Australian standard for cybersecurity in small and mid-sized businesses. It exists because Essential 8 ML2 and ISO 27001 are often too heavy for an organisation of five to fifty staff. SMB1001 provides a five-tier path that scales with the business, with verifiable certification at every level.
TIER 1
Basics
No-cost self-assessment baseline covering the essential hygiene controls every SMB should have in place. Recommended starting point for every business.
TIER 2
Bronze
Documented foundation of essential controls with self-attestation. Suitable for businesses that need a recognised cyber posture to satisfy basic supplier or insurance requirements.
TIER 3
Silver
Measurable security operations, documented incident response, and active monitoring. The realistic minimum for businesses handling sensitive client data.
TIER 4
Gold
Independently verified controls suitable for businesses with regulated customers, government contracts, or strict supply-chain obligations.
TIER 5
Platinum
Mature, audited cyber posture with continuous improvement, threat intelligence integration, and full evidence pipelines. Comparable to Essential 8 ML3 in technical depth.
Who SMB1001 is for
SMB1001 is designed for organisations of roughly five to two hundred staff that need a credible cyber posture but cannot justify the overhead of ISO 27001 or Essential 8 Maturity Level 2.
- Suppliers to government or listed corporations that have started requiring evidence of cyber controls.
- Professional services firms (legal, accounting, advisory) whose clients are asking about cyber posture.
- SaaS businesses below SOC 2 readiness but needing some form of customer-facing assurance.
- Any SMB that wants a graduated path to maturity rather than a binary pass-or-fail audit.
How it relates to Essential 8 and ISO 27001
Many SMB1001 controls overlap directly with Essential 8 Maturity Level 1, so work done for one frequently counts toward the other. Tier 5 (Platinum) maps reasonably well to Essential 8 ML3 in technical scope.
SMB1001 is intentionally lighter on documentation than ISO 27001, but the same engineering controls underpin both. If ISO 27001 is on a 12-to-18-month horizon, SMB1001 Silver or Gold is a sensible interim posture that produces real evidence rather than a holding pattern.
HOW WE DELIVER SMB1001
Engineered evidence, not paperwork.
We help clients self-attest at Tier 1 (often as part of the free Essential 8 readiness conversation), then build progressively toward Bronze and Silver as part of the managed service. The work generates real evidence (configuration records, logs, training completion data) as the controls are implemented, so certification later becomes a verification step rather than a scramble.
Many SMB1001 controls overlap directly with Essential 8 ML1 and ISO 27001 Annex A, so once we have built the technical foundation, the same evidence base supports multiple frameworks. You do not pay twice to satisfy two standards.
SCOPE OF SERVICE
What BaseHost owns. What we don’t.
SMB1001 is the framework you’re certifying against. The technical posture it measures is what we build and operate.
What BaseHost owns
- Configure the M365, Defender, MFA, backup and endpoint controls that each tier requires.
- Run the awareness training (via KnowBe4) and the phishing-simulation cycle that several tiers mandate.
- Produce the evidence and screenshots that the SMB1001 audit pack asks for.
- Step the technical posture up tier by tier as your business needs it.
What we don’t
- Issue your SMB1001 self-assessment or audit certificate.
- Act as the SMB1001 auditor for Bronze, Silver, Gold or Platinum certification.
- Decide which tier you commit to. That’s a business and customer-driven decision.
- Own your written policies, employee handbook or vendor register.
Where does SMB1001 fit for your business?
30 minutes with a compliance lead. We will look at your current posture, your customer-driven requirements, and the realistic step that gives you most value first.