The framework

What SMB1001 is

SMB1001 is an Australian cyber security maturity framework developed by Dynamic Standards International (DSI) specifically for small and medium businesses. It defines the security controls a business should have in place, organises them into five maturity levels, and gives businesses a structured and measurable way to assess where they are and improve from there. The standard is continuously updated by the SC1001 Steering Committee, of which SMBiT Professionals (Agile IT's industry association) is a member.

Security maturity is measured against a recognised Australian standard, not a vendor's checklist or a vague assurance that things are "secure."

Most small and medium businesses have some security controls in place. The problem is they often do not know which controls are working, which are missing, and how that compares to a defined standard. SMB1001 solves that. It gives the conversation a shape, and gives your IT partner something specific to be held accountable to.

The business case

Why SMB1001 matters to your business, not just your IT team

Cyber security alignment is increasingly a business requirement, not just a technical one. The reasons it matters are showing up in practical places.

Cyber insurance

Insurers are asking more detailed questions at underwriting. Businesses that can demonstrate a structured, measurable security posture are better placed to obtain coverage, and to support claims when they need to. SMB1001 gives you something concrete to show. Vague assurances do not hold up under scrutiny.

Client and partner trust

If your business holds sensitive client information (financial data, health records, legal files), the expectation that you manage it securely is growing. Professional services clients are increasingly asking about security practices. Being able to reference a recognised framework is a more credible answer than "we have IT support."

Regulatory environment

AFSL holders, healthcare providers, and businesses subject to the Privacy Act face specific obligations around data security. The regulatory expectation is not that you have implemented every possible control, but that you have made a reasonable and documented effort. A framework like SMB1001 provides that documentation structure.

Risk reduction that is real

Most successful attacks against small businesses exploit basic gaps: unpatched systems, weak authentication, unprotected email. SMB1001 Bronze addresses exactly these. A business that has worked through Bronze has closed the most common attack vectors. That is a meaningful reduction in risk, not a theoretical one.

A measurable investment

When security is undefined, every expenditure is a guess. When it is aligned to a framework, you can see what each control achieves and where you sit relative to a defined standard. That makes security an investment with a visible return, not a cost with an unclear outcome.

Incident response readiness

When something goes wrong, and for a meaningful number of businesses it will, the quality of your response depends entirely on what you had in place before. Businesses with a structured security posture recover faster, lose less, and have a defensible position with their clients and insurers.

Why partner alignment matters

An IT partner who is not aligned to a framework is managing security by feel

Most IT providers will tell you they take security seriously. The question is whether that claim has any structure behind it. Without alignment to a recognised framework, there is no reliable way to know which controls are in place, which are absent, and how your environment compares to a defined standard.

An IT partner aligned to SMB1001 brings a specific methodology to your security. They can assess your current posture against the framework, identify gaps clearly, prioritise remediation in a logical order, and maintain your controls as your business and the threat landscape change. That is a fundamentally different proposition to "we handle security."

The practical difference shows up when something goes wrong. A provider with a structured approach has documented what was in place, can identify what failed, and can remediate from a known position. A provider managing by feel cannot tell you any of those things with confidence.

Without framework alignment

Security claims are unverifiable. There is no structured way to know what controls exist, what is missing, or how your environment would hold up.

With SMB1001 alignment

Controls are defined, implemented to a standard, and maintained. Your posture can be assessed, reported on, and improved deliberately over time.

The accountability difference

A framework creates something your IT partner can be held to. It is not subjective. Either the control is in place to the required standard, or it is not.

What to ask your current provider

Ask them which cyber security framework they operate against. Ask them to show you your current maturity level. If they cannot answer clearly, that is the answer.

The maturity model

Five levels, from essentials to independent assurance

SMB1001 organises security maturity into five levels. Most professional services businesses should aim for Bronze as a baseline and Silver as a realistic medium-term target. Gold and above is for businesses with higher regulatory obligations or risk profiles. The right level depends on your risk profile, industry obligations, and the nature of the data you hold.

[Figure: SMB1001 maturity level pyramid. Five levels rising from Bronze at the base (essential foundations) through Silver (managed and documented), Gold (mature, well-governed) and Platinum (continuous improvement) to Diamond at the apex (independently assured). Most professional services SMBs target Bronze first, then Silver; Gold and above is for higher regulatory obligations.]

The SMB1001 maturity pyramid, five levels of progressively stronger cyber security posture.

Level 01

Bronze

The essential foundations every business should be able to demonstrate. Addresses the most common attack vectors: weak authentication, unpatched systems, unprotected email, and inadequate backup. This is the minimum credible baseline.

Level 02

Silver

A more consistent and managed posture. Controls that were in place at Bronze become well managed, documented, tested, and maintained on a regular cadence. Silver is the right target for most professional services businesses that hold sensitive client data.

Level 03

Gold

A mature, well-governed security position. Appropriate for businesses with higher obligations: AFSL holders, healthcare providers, and businesses handling significant volumes of sensitive information. Controls are systematic and independently verifiable.

Level 04

Platinum

A continuously improving security posture, with formal assurance processes and security deeply embedded in business operations. Relevant for businesses with higher risk profiles or regulatory requirements that need ongoing verification beyond Gold.

Level 05

Diamond

The highest assurance level, with independent audit and continuous monitoring of controls. Relevant for businesses with the most demanding regulatory or contractual obligations, such as critical infrastructure, defence supply chain, or regulated financial services.

Control areas

What SMB1001 actually covers

SMB1001 organises security controls across five capability areas. Each area has defined controls at each maturity level. These are not aspirational; they are specific, testable things that are either in place or not.

Identity and access

Multi-factor authentication, conditional access policies, privilege management, and controls on who can access what, and from where. Identity is the most targeted attack surface for small businesses.

Email and collaboration

Advanced email filtering, phishing and impersonation protection, threat detection, and visibility into email activity. Business email compromise is one of the highest-impact attacks on SMBs.

Endpoints and devices

Managed endpoint detection and response across all devices, patching and vulnerability management, and application controls. Every unmanaged device is a potential entry point.

Data and backup

Managed backups for Microsoft 365, servers, and desktops with defined retention, tested recovery, and immutable protection. Backup is the last line of defence, and one of the most neglected.

Governance and assurance

Security policies, baseline management, security awareness training, incident response planning, and regular review cycles. Controls without governance do not stay in place.

The framework as a whole

SMB1001 is not a product. It is a standard your IT environment is measured against. Every control has a defined requirement. Either it is met or it is not, and your IT partner should be able to show you which.

How Agile IT applies SMB1001

Aligned by design, not by claim

SMB1001 was developed by Dynamic Standards International (DSI). Agile IT is a founding member of SMBiT Professionals, which sits on the SC1001 Steering Committee that continuously updates the standard. Our security practice, AgileSECURE, is built around SMB1001 in daily delivery. Alignment is not a marketing position for us; it is how our security work is structured.

How we assess

Every new engagement includes a security posture assessment against SMB1001. We identify where you sit today, which controls are in place, which are partial, and which are absent, and map the gap between your current position and your target maturity level.

This is not a questionnaire. It is a structured technical assessment of your environment against defined framework controls.

How we improve it

Gaps are addressed systematically, prioritised by risk and by the sequence of the framework. We do not try to close everything at once. We work through Bronze controls first, then Silver, building a posture that is sustainable, not a sprint to a certification that falls apart six months later.

Improvement is project work, scoped and quoted separately from the ongoing managed service.

How we maintain it

Controls drift. People leave, configurations change, new threats emerge. AgileSECURE includes ongoing baseline management and a regular review cycle to keep your posture current. A security posture that is not actively maintained is not really a posture; it is a historical record.

How we report on it

Clients receive clear reporting on their security posture as part of the managed service: not a stack of logs, but a readable account of what is in place, what the current maturity level is, and what the next priorities are. Security should be visible to the business, not just the IT provider.


Common questions

SMB1001 questions

What is SMB1001?

SMB1001 is an Australian cyber security maturity framework developed by Dynamic Standards International (DSI) specifically for small and medium businesses. It defines security controls across five capability areas and organises them into Bronze, Silver, Gold, Platinum and Diamond maturity levels, giving businesses a structured and measurable path to improving their security posture. The standard is continuously updated by the SC1001 Steering Committee, of which SMBiT Professionals (Agile IT's industry association) is a member.

How is SMB1001 different from the Essential 8?

The Essential 8 is an Australian Signals Directorate framework that defines eight specific mitigation strategies for cyber threats. SMB1001 is a broader maturity framework that incorporates those strategies alongside additional controls, and organises them into maturity levels suited to SMB environments. The two complement each other: Essential 8 describes what to do, SMB1001 provides the maturity structure for measuring how well you are doing it. Agile IT's security practice is aligned to both.

Why does my IT partner's alignment to SMB1001 matter?

An IT partner who is not aligned to a recognised framework is managing security by feel. Without a structured methodology, there is no reliable way to know which controls are in place, which are missing, and how your posture compares to a defined standard. SMB1001 alignment means your IT partner has a structured approach to assessing, implementing, and maintaining security controls, and you can hold them to it.

Does SMB1001 certification affect our cyber insurance?

Yes, in practice. Cyber insurers are asking more detailed questions at underwriting. Businesses that can demonstrate a structured, measurable security posture, particularly against a recognised Australian framework, are better positioned to obtain coverage and to support claims when they need to. SMB1001 alignment gives you something concrete to show an insurer. Vague assurances do not hold up under scrutiny.

Can Agile IT help us get to SMB1001 Bronze?

Yes. AgileSECURE is aligned to SMB1001 and is a core component of every AgileMANAGED engagement. We assess where you sit today, identify the gaps between your current environment and Bronze, and work through those gaps systematically. The starting point is the discovery conversation.

What level should we be aiming for?

For most professional services businesses, Bronze is the minimum credible baseline and Silver is the right medium-term target. Gold and Platinum are relevant for businesses with higher regulatory obligations: AFSL holders, healthcare providers, and businesses handling large volumes of sensitive data. The right target depends on your risk profile, your industry, and the nature of the data you hold. We work through that in the discovery conversation.

Want to know where your security sits today?

Book a conversation. We will assess your current posture against SMB1001 and talk through what a deliberate path forward looks like.
