
SMB1001 vs the Essential Eight: which does your Australian business need?

The Essential Eight is the baseline everyone cites. SMB1001 is the one you can actually get certified against. We hold SMB1001 Silver, so here is how the two compare and which your business needs.

Josh · Founder · 4 min read · 15 June 2026

Two names come up whenever an Australian small business starts taking cyber security seriously: the Essential Eight and SMB1001. A client asks for proof you take security seriously. An insurer sends a questionnaire. A tender lists a requirement. Suddenly you are trying to work out whether you need one, the other, or both.

We get asked this a lot, so here is the plain version. We are a CyberCert partner and we hold SMB1001 Silver certification ourselves, so this comes from going through it, not reading about it.

The short version

The Essential Eight is a set of technical controls. It is a baseline, not a certificate. You can follow it, and you can be assessed against it, but there is no badge at the end that says "Essential Eight certified".

SMB1001 is a certification. It is a tiered standard built for small and medium businesses, and when you meet a tier you get a certificate and a badge you can show clients, insurers and tender panels.

They are not rivals. Most businesses end up doing both: the Essential Eight as the technical backbone, SMB1001 to prove it.

What the Essential Eight is

The Essential Eight comes from the Australian Cyber Security Centre. It is a set of eight mitigation strategies that, implemented properly, stop the large majority of common attacks. Multi-factor authentication, patching, restricting admin rights, application control and regular backups all sit in the list.

It is measured in maturity levels rather than a simple pass or fail. You work up from a basic level toward a stronger one as your risk demands. It is used widely across government and is a sensible technical target for any business.

What it is not is a certification scheme. There is no central body issuing Essential Eight certificates, so on its own it cannot answer a client who wants documented proof.

What SMB1001 is

SMB1001 is a tiered cyber security standard built for small and medium businesses, as a practical alternative to heavyweight frameworks like ISO 27001. It is maintained by Dynamic Standards International and certified through CyberCert.

It has five tiers: Bronze, Silver, Gold, Platinum and Diamond. The lower tiers are met by director attestation, and the top tiers require an independent audit. You pick the tier that matches where you are, meet its requirements, and receive a certificate and badge that is easy to share.

Because it was designed for smaller businesses, the requirements are practical rather than academic. They also cover the human side, policies and staff training, not just technical controls.

Side by side

| | Essential Eight | SMB1001 |
|---|---|---|
| What it is | Technical baseline | Certifiable standard |
| Maintained by | Australian Cyber Security Centre | Dynamic Standards International |
| Certificate or badge | No | Yes, per tier |
| Built for | All organisations, government-leaning | Small and medium businesses |
| Measured by | Maturity levels | Tiers, Bronze to Diamond |
| Covers | Technical controls | Technical controls plus governance and training |
| Proof for clients and tenders | Not on its own | Yes |

They overlap more than they compete

Here is the part that saves you money. The two cover a lot of the same ground. Multi-factor authentication, patching and backups appear in both. So the work you do for one counts toward the other.

If you have already started on the Essential Eight, you are part of the way to an SMB1001 tier. And if you certify with SMB1001, you have effectively documented a chunk of the Essential Eight along the way. We line the two up so you are not paying to do the same thing twice.

The real difference is what sits around the controls. The Essential Eight is technical. SMB1001 adds the governance layer: a written policy, defined responsibilities, and staff who understand the rules. That governance layer is usually what a client, board or insurer is actually asking for.

So which do you need?

  • A client, insurer or tender wants proof. You need SMB1001. It is the one that certifies, and Silver or Gold is the usual target.
  • You want a solid technical baseline, or you work with government. Aim at the Essential Eight; most businesses should regardless.
  • You are a typical small business. Use the Essential Eight as your technical backbone and certify with SMB1001 to prove it. That is the combination we recommend most often.

What you should not do is treat this as a choice between security and a certificate. Good security comes first. SMB1001 is how you show it.

How we approach it

We went through SMB1001 Silver ourselves before we offered it as a service, so we know where small businesses get stuck. We run a short readiness check against your target tier, help close the gaps (which usually moves your Essential Eight maturity along at the same time), and get you cleanly through certification with CyberCert.

If certification is on your radar because a client or tender asked for it, that is the moment to start. Have a look at our SMB1001 certification service, or our broader AI security work if you are securing AI-built apps as well. While you are at it, our free AI policy template covers the policy side that both frameworks expect.