SMB1001 vs Essential Eight vs ISO 27001: Which Is Right for Your Business?

smb1001vsE8vsISO27001

Australian businesses are increasingly being asked to demonstrate that they take cybersecurity seriously. This may come from customers, insurers, government contracts, supply-chain questionnaires or internal risk-management requirements.

Three frameworks commonly considered by Australian organisations are:

  • SMB1001
  • The Essential Eight
  • ISO/IEC 27001

Although all three are designed to improve cybersecurity, they are not interchangeable.

SMB1001 is a tiered cybersecurity certification standard developed specifically for small and medium-sized businesses. The Essential Eight is a technical cybersecurity framework developed by the Australian Signals Directorate. ISO/IEC 27001 is an internationally recognised information security management system standard.

The right choice depends on your size, industry, contractual obligations, risk exposure and budget.

Quick comparison

AreaSMB1001Essential EightISO/IEC 27001
Primary purposePractical cybersecurity certification for SMBsTechnical protection against common cyber threatsOrganisation-wide information security management
Developed byDynamic Standards InternationalAustralian Signals DirectorateISO and IEC
StructureFive certification levelsMaturity Levels 0 to 3Risk-based Information Security Management System
Formal certificateYesNot issued by ASDYes, through a certification body
Independent audit requiredLevels 4 and 5Optional independent assessmentRequired for accredited certification
Best suited toSmall and medium businessesAustralian organisations needing technical hardeningOrganisations needing internationally recognised assurance
Typical complexityLow to mediumMedium to highHigh
Typical initial costApproximately A$2,000 to A$25,000 for Levels 1 to 3Approximately A$8,000 to A$150,000+, depending on maturityApproximately A$25,000 to A$80,000+ for an SMB
Certification periodOne yearNo official certification periodGenerally a three-year certification cycle with surveillance audits

These figures are indicative estimates for an Australian organisation with approximately 10 to 50 users. Actual costs depend on existing technology, documentation, locations, legacy applications and the amount of remediation required.

What is SMB1001?

SMB1001 is a relatively new cybersecurity certification standard, first released in 2023 and updated annually. Its market recognition is still developing, but it was created specifically to make structured cybersecurity certification more accessible to small and medium-sized businesses.

Instead of requiring every organisation to implement the same large set of controls, SMB1001 provides five progressively stronger certification levels:

  • Level 1, Bronze
  • Level 2, Silver
  • Level 3, Gold
  • Level 4, Platinum
  • Level 5, Diamond

The standard covers five main cybersecurity domains:

  • Technology management
  • Access management
  • Backup and recovery
  • Policies, processes and plans
  • Education and training

The 2026 standard contains seven controls at Level 1, 17 controls at Level 2, 27 controls at Level 3, 32 controls at Level 4 and 39 controls at Level 5. Higher levels include the requirements of the lower levels.

Unlike frameworks that focus mainly on technical settings, SMB1001 includes practical business requirements such as staff awareness training, invoice-fraud procedures, confidentiality agreements, incident response planning, cyber insurance and asset registers.

How is SMB1001 assessed?

Levels 1, 2 and 3 use a self-assessment and attestation process facilitated through a Dynamic Standard Certifier.

Levels 4 and 5 require independent verification and attestation. SMB1001 certification applies to the entire organisation rather than a small selected department or system, and the certificate remains valid for one year.

This distinction is important. A Gold certificate demonstrates that the organisation has attested to meeting the applicable requirements, but it does not provide the same level of independent assurance as a Platinum, Diamond or accredited ISO/IEC 27001 certification audit.

How much does SMB1001 cost?

The published CyberCert annual certification fees at the time of writing are:

SMB1001 levelCertification subscriptionAdditional audit fee
Bronze, Level 1US$95None listed
Silver, Level 2US$195None listed
Gold, Level 3US$395None listed
Platinum, Level 4US$595US$3,000
Diamond, Level 5US$995US$5,000

Taxes, implementation, consulting, software subscriptions and remediation are additional. Current CyberCert pricing should always be checked before commencing a project.

The certificate itself is therefore relatively affordable. The larger cost is normally the work required to meet the standard.

Indicative SMB1001 implementation costs

For an Australian business with 10 to 50 users:

LevelIndicative implementation budget
BronzeA$2,000 to A$5,000
SilverA$4,000 to A$12,000
GoldA$8,000 to A$25,000
PlatinumA$20,000 to A$50,000+
DiamondA$35,000 to A$90,000+

These estimates exclude the subscription, applicable audit fees, GST and major recurring software licences.

A business already receiving properly configured managed IT and cybersecurity services may require substantially less remediation. A business with shared accounts, unmanaged computers, no reliable backups and limited policies may require significantly more.

Who should use SMB1001?

SMB1001 is most appropriate for businesses that want a structured and attainable cybersecurity certification without immediately adopting a complete ISO management system.

It is particularly suitable for:

  • Professional-services businesses
  • Law firms and accounting firms
  • Not-for-profit organisations
  • Trades, construction and manufacturing businesses
  • Small healthcare and allied-health providers
  • Businesses participating in supplier assurance programs
  • Organisations that need a visible cybersecurity certificate
  • Businesses that want a staged pathway towards stronger governance

For many established SMBs, Silver or Gold will provide the most useful balance between cost, technical protection, policies and commercial credibility.

Bronze is a basic starting point. Gold introduces more meaningful measures such as Endpoint Detection and Response, broader MFA, incident response planning, cybersecurity policies, asset management and improved employee training.

What is the Essential Eight?

The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate.

The eight strategies are:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

The Essential Eight Maturity Model uses four maturity ratings:

  • Maturity Level 0
  • Maturity Level 1
  • Maturity Level 2
  • Maturity Level 3

Maturity Level 0 means the organisation does not meet all requirements of Maturity Level 1. Levels 1 to 3 are designed to protect against progressively more capable and targeted threat actors.

Is the Essential Eight a certification?

The Australian Signals Directorate does not issue an official Essential Eight certificate.

An organisation can conduct an internal assessment or engage an independent assessor to produce an assessment report. Some private certification businesses may issue their own certificate or attestation, but this should not be described as an ASD-issued or Australian Government-issued certification.

The official ASD assessment guidance focuses on gathering credible evidence and testing whether controls operate effectively. The assessment result is based on the lowest maturity level achieved across all eight strategies.

For example, an organisation that meets seven strategies at Maturity Level 2 but only meets one strategy at Maturity Level 1 would generally be assessed at Maturity Level 1 overall.

How much does Essential Eight implementation cost?

There is no licence fee for using the Essential Eight framework. The guidance is publicly available.

Costs arise from:

  • Gap assessments
  • Endpoint and server configuration
  • Application control
  • Patch-management systems
  • MFA deployment
  • Privileged-access management
  • Backup protection and testing
  • Vulnerability scanning
  • Centralised logging and monitoring
  • Replacing unsupported applications
  • Evidence collection
  • Independent assessment
  • Ongoing management

Indicative Essential Eight costs

For an Australian business with 10 to 50 users:

TargetIndicative initial budget
Gap assessment onlyA$3,000 to A$10,000
Maturity Level 1A$8,000 to A$25,000
Maturity Level 2A$25,000 to A$75,000
Maturity Level 3A$60,000 to A$150,000+
Independent assessmentCommonly A$5,000 to A$20,000+

The range is wide because Essential Eight implementation is highly dependent on the organisation’s technology.

Application control may be straightforward in a modern, cloud-managed environment but difficult in an organisation that relies on old software, custom applications or users installing their own programs.

Maturity Level 2 can also introduce significant work around phishing-resistant MFA, privileged accounts, centralised event collection, application control and more demanding patching requirements.

At Maturity Level 3, critical vulnerabilities may need to be addressed within 48 hours, with broader coverage of firmware, drivers, operating systems and applications.

Who should use the Essential Eight?

The Essential Eight is most suitable for organisations that:

  • Supply services to Australian government entities
  • Have contracts specifying an Essential Eight maturity level
  • Want a strong technical security baseline
  • Operate Windows-based business environments
  • Need detailed technical evidence of cybersecurity controls
  • Have higher exposure to targeted cyber threats
  • Already have governance policies but need stronger technical controls

Maturity Level 1 is a reasonable technical baseline for many ordinary businesses.

Maturity Level 2 is more appropriate where the organisation stores sensitive information, supports government clients, faces contractual requirements or has a higher risk profile.

Maturity Level 3 is generally reserved for organisations exposed to sophisticated or highly targeted threat actors.

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining and continually improving an Information Security Management System, commonly called an ISMS.

Rather than prescribing one fixed technical configuration, ISO/IEC 27001 requires an organisation to identify its information-security risks, determine appropriate treatments, assign responsibilities, measure performance and continually improve its management system.

ISO describes ISO/IEC 27001 as the world’s best-known standard for information security management systems. It addresses people, processes and technology and can be applied to organisations of different sizes and industries.

ISO/IEC 27001:2022 includes a reference set of 93 Annex A controls grouped into:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

Not every Annex A control is automatically mandatory. The organisation determines which controls are necessary based on its risks, legal requirements and business context, then documents those decisions in its Statement of Applicability.

What does an ISO/IEC 27001 project include?

A typical project involves:

  • Defining the scope of the ISMS
  • Identifying interested parties and legal obligations
  • Creating an information-security risk methodology
  • Completing risk assessments
  • Developing a risk-treatment plan
  • Preparing a Statement of Applicability
  • Creating policies and procedures
  • Assigning security roles and responsibilities
  • Conducting awareness training
  • Managing suppliers
  • Establishing incident-management processes
  • Tracking objectives and performance measures
  • Conducting an internal audit
  • Completing management review
  • Correcting nonconformities
  • Completing Stage 1 and Stage 2 certification audits

ISO itself develops the standard but does not certify businesses. Certification is performed by an independent certification body. ISO recommends checking whether the certification body is appropriately accredited.

How much does ISO/IEC 27001 cost?

ISO/IEC 27001 is normally the most expensive option because it requires an operational management system rather than only a collection of technical controls.

Indicative ISO/IEC 27001 costs for an Australian SMB

Cost areaIndicative budget
Initial gap assessmentA$3,000 to A$10,000
ISMS development and readinessA$15,000 to A$50,000+
Stage 1 and Stage 2 certification auditsA$5,000 to A$15,000+
Typical initial totalA$25,000 to A$80,000+
Annual maintenance and surveillanceA$5,000 to A$20,000+

Published Australian market estimates vary considerably, with complexity, locations, employee numbers, scope and existing maturity having a major effect on the final cost.

A small cloud-based business with good existing policies may sit near the lower end. A multi-site business with physical records, legacy servers, complex suppliers, regulated data and no existing governance system may spend significantly more.

ISO/IEC 27001 certificates normally operate on a three-year certification cycle, subject to ongoing surveillance audits and continued operation of the ISMS.

Who should use ISO/IEC 27001?

ISO/IEC 27001 is usually the strongest choice for:

  • Technology and SaaS companies
  • Managed service providers
  • Businesses selling to large enterprises
  • Government and defence suppliers
  • Financial-services organisations
  • Healthcare organisations
  • Businesses handling sensitive customer information
  • Internationally operating organisations
  • Companies regularly completing enterprise security questionnaires
  • Organisations whose contracts explicitly require accredited certification

ISO/IEC 27001 is particularly valuable when customers need independently audited, internationally recognised evidence that information-security risks are being managed.

It is less suitable when a very small business simply needs an affordable cybersecurity starting point and has no customer or contractual requirement for an ISMS.

Which option should your business choose?

Choose SMB1001 when:

  • You are a small or medium business
  • You want a recognised cybersecurity certificate
  • You need an affordable and staged pathway
  • You do not have a dedicated compliance team
  • ISO/IEC 27001 would currently be disproportionate
  • You want to improve technical controls, policies and staff awareness together

Choose the Essential Eight when:

  • A customer or government contract requires it
  • Your priority is technical security uplift
  • You want detailed guidance for common attack techniques
  • You need to assess your Microsoft and Windows environment
  • Your organisation faces a higher level of technical risk

Choose ISO/IEC 27001 when:

  • An enterprise customer requires accredited certification
  • You sell to international customers
  • You need an independently audited ISMS
  • Information security is central to your service
  • Your business is regularly completing detailed supplier assessments
  • You need formal governance, risk management and continual improvement

Accel IT’s recommendation for most Australian SMBs

For a typical Australian business with 10 to 50 employees, SMB1001 Gold can provide a practical starting point.

It covers core technical security, access management, backups, staff training, policies, incident response, cyber insurance and asset management without immediately imposing the full management-system workload of ISO/IEC 27001. Where a business supports government clients, manages highly sensitive information or faces more capable threats, SMB1001 should be supplemented with an Essential Eight assessment.

ISO/IEC 27001 becomes more appropriate when certification is required by contracts, large customers, regulators or international growth plans.

The correct answer should ultimately be based on the organisation’s risk and commercial requirements, not simply which badge is cheapest.

How long does implementation take?

Estimated timeframes are:

FrameworkTypical timeframe
SMB1001 BronzeTwo to four weeks
SMB1001 SilverFour to eight weeks
SMB1001 GoldSix to twelve weeks
Essential Eight Maturity Level 1Six to twelve weeks
Essential Eight Maturity Level 2Three to nine months
ISO/IEC 27001Four to twelve months

Actual timeframes depend on organisational maturity, availability of evidence, management participation and the number of technical gaps.

How Accel IT can assist

Accel IT helps Australian businesses assess, implement and maintain practical cybersecurity controls.

Our services can include:

Certification or independent assessment is completed through the relevant external certification or assessment provider where required.

Speak with Accel IT to determine which cybersecurity framework is appropriate for your organisation, contracts and risk profile.

Pricing is indicative, excludes GST and does not constitute a formal quotation. Costs depend on organisational size, technology, scope, existing maturity, licensing and remediation requirements.

Frequently asked questions


Is SMB1001 an Australian Government cybersecurity standard?

No. SMB1001 is published by Dynamic Standards International. It is not an Australian Signals Directorate standard and should not be presented as Australian Government certification.

Is the Essential Eight mandatory for every Australian business?

No. It is recommended cybersecurity guidance for Australian organisations, but it may become contractually mandatory where a customer, government entity or industry requirement specifies a maturity level.

Can I obtain an official Essential Eight certificate from the ACSC?

No. The ACSC and ASD provide the framework and assessment guidance but do not issue an official Essential Eight certificate. Independent organisations can provide assessment reports or private attestations.

Is ISO/IEC 27001 only for large businesses?

No. ISO/IEC 27001 can be scaled for smaller organisations. However, operating an ISMS, conducting internal audits, completing management reviews and maintaining evidence still requires meaningful time and resources.

Which framework is cheapest?

SMB1001 Bronze, Silver and Gold normally have the lowest certification fees and lowest implementation barrier.
The Essential Eight itself is free, but technical implementation can be expensive.
ISO/IEC 27001 generally has the highest total cost because it requires management-system implementation and an external certification audit.

Does certification guarantee that a business will not be breached?

No cybersecurity certification can guarantee that an incident will not occur.
Certification demonstrates that defined requirements were assessed or attested at a particular point in time. Security controls must continue to be monitored, maintained, tested and improved after certification.

Can a business use more than one?

Yes.
A practical progression for an Australian SMB may be:
Achieve SMB1001 Silver or Gold to establish broad cyber hygiene.
Implement Essential Eight Maturity Level 1 or 2 to strengthen technical controls.
Adopt ISO/IEC 27001 when customers, growth or risk justify a formal ISMS.
Another organisation may start directly with the Essential Eight because a customer contract specifies it.
A SaaS company selling internationally may move directly to ISO/IEC 27001, while using the Essential Eight as an additional technical benchmark.