Skip to content

Compliance + certification

SMB1001:2026 — the Australian SMB cyber standard, delivered.

A fixed-fee certification path from Bronze to Diamond, built around how SMB1001 actually works — annual cadence, not monthly retainer. Bundled at our Premium tier; available as a paid project at every other tier.

What it is

A practical cyber standard written for Australian SMBs.

SMB1001 is the Australian standard for small business cyber security, maintained by Digital Security Institute (DSI). Five tiers — Bronze, Silver, Gold, Platinum, Diamond — covering 27 mandatory controls at the Gold level for SMB1001:2026. Bronze is self-attestation against DSI's published control framework — you formally declare your control coverage to DSI's register, which buyers, insurers, and tender processes can verify. Silver adds independent attestation by a qualified assessor; Gold requires a third-party audit. Each tier is a recognised certification.

Federal procurement

Australian government tenders increasingly require SMB1001 certification — particularly defence, health, and critical-infrastructure-adjacent contracts. Bronze is often the floor; Silver and above for sensitive work.

Cyber insurance

Underwriters now ask whether your business holds SMB1001 or equivalent. Premiums drop. Coverage exclusions narrow. Post-incident disputes about “reasonable steps” become much harder to lose.

Supply chain compliance

If you sell to enterprise clients, expect them to ask for evidence of cyber maturity within the next 12-24 months. SMB1001 is the published answer. RFPs increasingly ask for it directly.

Start here

$880 gap assessment. Credited back when you sign on.

A 4-hour structured discovery + written gap report covering where you sit against SMB1001 controls. We tell you the cleanest tier to aim for, what the remediation work looks like, and how much it will cost. The $880 fee is credited back in full when you sign an engagement letter for any Bronze, Silver, or Gold certification within 30 days — the actual remediation timeline can run longer; only the sign-on needs to land in 30 days.

Book an $880 gap assessment →

What you get

  • Control-by-control assessment against SMB1001 Bronze baseline
  • Written gap report — what you have, what's missing, what's needed
  • Recommended tier (Bronze / Silver / Gold) based on your buyer requirements
  • Fixed-fee quote for the remediation + certification work
  • $880 credited back when you sign an engagement letter within 30 days

When this fits

  • An enterprise client has asked you about cyber maturity in an RFP
  • Your cyber insurance renewal is coming up
  • You're chasing federal procurement and need to know what tier applies
  • You're considering Premium-tier managed services and want to confirm Bronze certification is included

At a glance

Tier comparison + indicative timelines.

Pricing is fixed-fee inc-GST. Timelines assume you start from a reasonable baseline (M365 in place, MFA on, backup running). If you're starting cold, the gap assessment will tell you what additional remediation time is needed.

Tier Verification Initial fee Annual renewal Typical timeline Best for
Bronze Self-attestation to DSI $3,300 $660/yr 2–4 weeks Insurance, most SMB-to-enterprise RFPs
Silver Independent attestation by qualified assessor $5,500 $1,100/yr 6–10 weeks Buyers asking for assured controls
Gold Independent third-party audit $11,000 $2,200/yr 3–6 months Sensitive federal, critical-infrastructure-adjacent
Platinum / Diamond Enterprise-scope third-party audit Pricing on enquiry Pricing on enquiry 6+ months Larger SMBs / mid-market

Timelines are from engagement-letter signing through to certification issued — not from your first enquiry. Remediation can run inside or alongside this window depending on how much control work you need.

The certification path

Five tiers. Pick the one that fits your buyers.

Most Outlaw IT clients land on Bronze. It's the right entry point — sufficient for cyber insurance underwriting, most federal procurement, and most enterprise supply-chain RFPs. Silver and Gold are the upgrade paths when your buyers ask for them. Platinum and Diamond are enterprise scope.

Bronze · self-attestation · most clients land here

SMB1001 Bronze

The entry tier. Self-attestation against the Bronze control framework. Sufficient for cyber insurance underwriting and most SMB-to-enterprise RFPs. Bundled at our Premium tier as ongoing certification + maintenance.

Initial certification

$3,300 one-off inc-GST

Annual renewal + standards-watch

$660 / year inc-GST

Bundled at Premium tier — included in your monthly fee, no separate certification or renewal charge. Worth $3,960 in your first year (initial $3,300 + renewal $660).

Silver · independent attestation

SMB1001 Silver

Adds independent attestation by a qualified assessor. Vendor management review, incident response capability assessment, business continuity review. Recommended when buyers specifically ask for assured controls.

Initial certification

$5,500 one-off inc-GST

Annual renewal + standards-watch

$1,100 / year inc-GST

Gold · third-party audit

SMB1001 Gold

27 mandatory controls under SMB1001:2026. Independent third-party audit. Required for sensitive federal procurement, critical-infrastructure-adjacent work, and high-trust enterprise relationships. Includes auditor pass-through cost.

Initial certification + audit

$11,000 one-off inc-GST

Annual renewal + audit + standards-watch

$2,200 / year inc-GST

Gold delivery is currently run in partnership with a qualified third-party auditor while Outlaw IT's own Gold certification is in progress. Your audit is conducted to full Gold standard regardless.

Platinum + Diamond · enterprise scope

SMB1001 Platinum / Diamond

Enterprise-scope certifications targeting larger SMBs and mid-market organisations with elevated regulatory or supply-chain obligations. Beyond Outlaw IT's standard scope — but we can scope individually or refer to a specialist partner.

Pricing

Pricing on enquiry

Talk to us about Platinum / Diamond →

Honest pricing

Annual renewal. Not a monthly retainer.

The real maintenance work for SMB1001 Bronze is ~5-8 hours a year — re-attestation, evidence refresh, standards-change watch when DSI updates the framework, annual training and policy review. Some MSPs charge $440-$880/month as a “compliance retainer” for what's actually an annual rhythm. We don't. The annual renewal fee matches the actual work.

For Premium tier clients we go further — the renewal + standards-watch work fits inside the existing tier labour estimate. You keep the certification, your insurance underwriter and your enterprise clients stay satisfied, and there's no extra line on your monthly invoice.

Can you self-maintain Bronze? Technically yes — Bronze is self-attestation. In practice most SMBs forget about it for 11 months and scramble at renewal. The value of working with us is removing that mental load. If you'd rather DIY, we'll tell you straight.

30 minutes. Plain English. No sales script.

Tell us where you are. We'll tell you whether we're a good match and what it would cost. If we're not the right fit, we'll point you to someone who is.

Book a 30-min discovery call