SMB 1001:2023 Cyber Security for Small and Medium Business
Security should fit the business, not the other way round
This requirement usually appears when an Australian customer stops accepting 'we take security seriously' and wants tiered, independently recognised evidence before the next contract is signed or renewed.
This page helps when
- An Australian customer, supplier, or parent company is asking for cyber evidence before the next renewal
- You want a credible answer without taking on the full weight of ISO 27001 right now
- The board needs a tiered path to demonstrable security the business can actually sustain
Best next move
Start with Assurance.
Use the scorecard for a fast benchmark, then move into a working session when this requirement is already affecting customers, insurers, procurement, or internal accountability.
Where This Starts To Hurt
The buyer moment that makes this rule urgent
The moment usually arrives when an Australian customer, a trans-Tasman buyer, or a cyber-insurance proposal form asks which SMB 1001 tier the business holds.
SMB 1001 becomes relevant when an Australian buyer moves from general security talk to asking for recognisable evidence. Most NZ businesses selling trans-Tasman come across it the first time a customer's procurement team asks for a certification the business does not yet have.
The framework is tiered by design. That is its biggest advantage for smaller operators — instead of a single all-or-nothing standard, SMB 1001 lets the business land somewhere credible now and move up as customer or commercial pressure grows. That makes it practical for organisations that need a defensible answer quickly without committing to an enterprise-scale programme.
For NZ businesses with Australian revenue, SMB 1001 often becomes the clearest way to show security without over-engineering. The same work supports ISO 27001 later if the business grows into that standard, so the effort is rarely wasted.
What Starts Breaking
What stalls: deals, audits, or insurer renewals
SMB 1001 matters because Australian buyers increasingly treat it as the baseline. Procurement teams, enterprise customers, and prime contractors use it as shorthand for "you have done the basic work and can prove it." Without a recognised answer, deals slow down while the supplier scrambles to assemble the evidence.
It also matters because the tiered model gives leadership a clear runway. The business can be credibly certified at an entry level, use that as buyer-facing evidence, and step up the level as the customer base or risk profile grows. That avoids the common problem of committing to a standard the business cannot sustain.
For NZ exporters, it is often the shortest path from "customer is asking" to "we can give you a clear answer" — especially where ISO 27001 would take longer than the buyer will wait.
What You Will Need To Prove
The first controls, owners, and evidence to put in place
The five tiers, Bronze through Diamond, drive the commercial answer; Bronze to Gold cover the controls most Australian buyers ask to see first.
See the main requirements
Governance and Accountability
Named responsibility for cyber security at leadership level, with a documented security approach the business actually follows rather than a policy written for audit only.
Access and Identity Controls
Multi-factor authentication on the accounts that matter, joiner-mover-leaver discipline, and a clear view of who can reach which systems and data.
Staff Awareness and Behaviour
Regular, practical awareness activity aimed at the behaviours that actually matter — phishing recognition, password hygiene, reporting suspicious activity — not a one-off annual training module.
Data Protection and Backup
Data classification and handling rules, secure backup and recovery, and tested restoration so the business can recover without paying a ransom.
Incident Detection and Response
Monitoring that surfaces problems early, a written response plan the team can actually follow, and evidence that shows the business would know if something went wrong.
Third-Party and Supply-Chain Risk
A view of which suppliers touch customer data or critical systems, with basic controls so vendor issues do not become your incident.
How We Help You Answer It
When the business usually calls us
We usually get called when a trans-Tasman buyer arrives, there is no budget for ISO 27001, and the deal needs a defensible tier inside 90 days.
Stop Guessing When A Buyer Asks How Secure You Are
Our baseline assessment scores the business against SMB 1001 expectations, showing which level fits today, which is worth moving to, and where the quickest gains sit. That becomes the roadmap for a tiered certification path.
See What An Auditor Will Ask For Before They Ask
We prepare the evidence package SMB 1001 auditors or Australian customers actually ask for — controls, documents, and proof points organised into a submission the business can stand behind.
Stop Rebuilding The Same Evidence For Every Standard
SMB 1001 work often maps directly to ISO 27001 Annex A controls and parts of the CIS Controls. We map the overlap so the same effort covers multiple buyer asks, avoiding duplicated work.
Stop Rewriting The Same Questionnaire For Every Deal
Australian customer questionnaires reference SMB 1001 expectations repeatedly. We build a response library that answers SMB 1001-shaped questions consistently across every new deal.
Stop Maintaining Policies Nobody Actually Reads
SMB 1001 expects a working policy set, not a one-off document. We build, maintain, and refresh the policies that actually support the certification level the business is targeting.
See What Information Runs The Business
Every SMB 1001 tier from Bronze upward expects a defensible view of what the business holds, where it lives, and who owns it. We build the asset register so the auditor question has an answer before it gets asked.
Questions Before A Decision
The questions that come up before the contract
What level of SMB 1001 should we target first?
For most NZ businesses selling into Australia, the right starting point is the entry-level tier that shows credible basic hygiene. That creates an immediate buyer-facing answer. Higher tiers require more evidence and independent audit, and are usually worth stepping up to once an Australian customer or enterprise procurement team has specifically asked for them.
How does SMB 1001 compare to ISO 27001?
ISO 27001 is the fuller management-system standard, with a broader audit and more evidence requirements. SMB 1001 is tiered specifically for smaller organisations and lets the business show credible security without the ISO 27001 lift. Many businesses start with SMB 1001 and use the evidence base as the foundation for an ISO 27001 programme later.
Is SMB 1001 recognised by NZ customers?
It is increasingly referenced by NZ buyers whose own customers or parent companies are Australian, especially in professional services, SaaS, and supply-chain sectors. For businesses whose main pressure is NZ-only, ISO 27001 or CIS Controls are often a better fit. We can help work out which gives the strongest commercial answer for the business's actual customer base.
How long does SMB 1001 certification take?
For most businesses with basic hygiene already in place, the entry tier is achievable within a few months. Higher tiers require more evidence, documented practices, and independent audit, so expect six to twelve months from a cold start. The realistic timeline depends on the level targeted and how much of the base work is already underway.
Need a clearer answer on SMB 1001?
A working session scopes the tier that fits today, identifies the gaps that can be closed within six to eight weeks, and leaves the business with an evidence pack ready for an Australian buyer.