A fixed-fee, independent SMB1001 readiness assessment for Australian businesses. We assess your controls, close the gaps, and prepare you for certification — through CyberCert, the official certification body.
SMB1001 is a five-tier cybersecurity certification standard published by Dynamic Standards International; certification against it is issued by CyberCert. It was designed specifically for small and medium businesses, not repurposed from government or enterprise frameworks.
It covers the controls that matter for your risk profile: patching, MFA, backups, email authentication, staff awareness, incident response, and policy fundamentals. It is updated annually and is endorsed by the Queensland Law Society for member law firms.
Controls are scaled for 5–100 person businesses. No dedicated security team required. No six-figure implementation budget.
Formally endorsed by the Queensland Law Society. Increasingly cited in procurement and insurance conversations across professional services, healthcare, and legal.
Updated every year — faster than the Essential Eight and far faster than ISO 27001. Controls reflect current threats, not a 2018 threat landscape.
SMB1001 certifications run from Bronze (essential hygiene) to Diamond (pen tested, audited, supplier-governed). The tier you pursue depends on what you need to prove, and to whom.
Bronze
Firewall, anti-malware, patching, password hygiene, backup with offline copy, awareness training.
Good for: Getting started. Internal discipline. First step on the ladder.
Silver
Adds: Server patching, MFA on email, SPF email authentication, password manager, individual accounts, confidentiality agreements, invoice fraud policy.
Good for: Small professional services firms, sole traders, businesses under procurement pressure to show basic hygiene.
Gold
Adds: MFA on all business apps, EDR on all devices, DKIM and DMARC, incident response plan, digital asset register, cyber security policy, regular staff training.
Good for: Most SMBs. The practical target for businesses wanting to satisfy insurer and client expectations. QLS-endorsed tier for law firms.
Platinum
Adds: Vulnerability scanning, MFA on RDP and VPN, cloud IAM, cyber insurance requirement, enhanced backup with annual restore test, MSP SLA requirement.
Good for: Businesses with active insurer or procurement requirements. The first tier where an independent auditor has verified the controls, not just a director's word.
Diamond
Adds: Encryption at rest, application control, annual penetration testing, IR tabletop exercises, supplier due diligence programme, police vetting for privileged staff.
Good for: Businesses approaching ISO 27001 maturity. Supply chain requirements. High-value data environments.
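The email-authentication controls named in the Silver and Gold tiers (SPF, then DKIM and DMARC) are among the few on this page that an assessor can verify directly from evidence: the domain's DNS TXT records. The script below is an added example, not Coastal Cyber's, CyberCert's or SMB1001's own material. It parses SPF and DMARC records offline and flags the weaknesses that most often turn a "we have SPF and DMARC" answer into a gap finding: a permissive or missing `all` term, more than ten lookup terms, `p=none`, partial `pct`, no reporting address. The sample records are constructed, and the pass/fail rules (for example treating `p=none` as a fail) are the author's assumptions, not wording from the standard. DKIM is left out because its record lives under a per-selector name that has to be obtained from the mail platform first.

```python
"""Offline SPF/DMARC record checker for readiness evidence review.

Added example: the records are constructed, and the grading rules (for
instance, treating DMARC p=none as a failing result) are the author's
assumptions, not text from SMB1001 or CyberCert.
"""
import re
from dataclasses import dataclass, field

# SPF terms that cost a DNS lookup and count toward the limit of 10 (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SPF_TERM = re.compile(
    r"([+\-~?]?)"                                        # optional qualifier
    r"(all|include:\S+|a(?:[:/]\S+)?|mx(?:[:/]\S+)?"     # mechanisms ...
    r"|ip4:\S+|ip6:\S+|exists:\S+|ptr(?::\S+)?|redirect=\S+|exp=\S+)"
)


@dataclass
class Finding:
    record: str
    ok: bool
    notes: list = field(default_factory=list)


def parse_spf(txt: str) -> Finding:
    """Grade one SPF TXT record: syntax, 'all' qualifier, lookup count."""
    if not txt.startswith("v=spf1"):
        return Finding(txt, False, ["not an SPF record (must start with v=spf1)"])
    notes, ok, all_q, lookups, redirect = [], True, None, 0, False
    for term in txt.split()[1:]:
        m = SPF_TERM.fullmatch(term)
        if not m:
            notes.append(f"unknown term {term!r}")
            ok = False
            continue
        qualifier = m.group(1) or "+"
        name = re.split(r"[:/=]", m.group(2), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_q = qualifier
        elif name == "redirect":
            redirect = True
        elif name == "ptr":
            notes.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    if all_q is None and not redirect:
        notes.append("no 'all' term: senders not listed get a neutral result")
        ok = False
    elif all_q == "+":
        notes.append("'+all' authorises every sender; SPF gives no protection")
        ok = False
    elif all_q == "?":
        notes.append("'?all' is neutral; receivers treat it as no policy")
        ok = False
    if lookups > 10:
        notes.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
        ok = False
    return Finding(txt, ok, notes)


def parse_dmarc(txt: str) -> Finding:
    """Grade one DMARC TXT record: required tags, policy strength, coverage."""
    if not txt.startswith("v=DMARC1"):
        return Finding(txt, False, ["not a DMARC record (must start with v=DMARC1)"])
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            return Finding(txt, False, [f"malformed tag {part!r}"])
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    notes, ok = [], True
    policy = tags.get("p")
    if policy is None:
        notes.append("missing required 'p' tag; receivers ignore the record")
        ok = False
    elif policy == "none":
        notes.append("p=none is monitoring only; spoofed mail is still delivered")
        ok = False
    elif policy not in ("quarantine", "reject"):
        notes.append(f"invalid policy {policy!r}")
        ok = False
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        notes.append(f"invalid pct value {pct!r}")
        ok = False
    elif int(pct) < 100:
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        ok = False
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports to show the policy is tuned")
    return Finding(txt, ok, notes)


# Constructed sample records (not real domains), as an assessor might paste them
# from a DNS lookup into the evidence register.
SAMPLE_RECORDS = {
    "good.example": ("v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"),
    "weak.example": ("v=spf1 a mx include:_spf.example.net ?all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "broken.example": ("v=spf1 +all", "v=DMARC1; sp=reject"),
}


def assess(records: dict) -> dict:
    """Return {domain: {'spf': Finding, 'dmarc': Finding}} for each domain."""
    return {d: {"spf": parse_spf(s), "dmarc": parse_dmarc(m)} for d, (s, m) in records.items()}


if __name__ == "__main__":
    for domain, result in assess(SAMPLE_RECORDS).items():
        for kind, f in result.items():
            status = "PASS" if f.ok else "FAIL"
            print(f"{domain:16} {kind.upper():5} {status}  {'; '.join(f.notes) or 'no issues'}")
```

Run against live records by replacing the constructed dictionary with the output of `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`. A `FAIL` line is a gap-register entry with the reason already written; a `PASS` with an `rua` note is evidence the control exists but is not being monitored, which is worth raising before the attestation is signed.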
Our role is advisory. We assess your controls against the target tier, identify gaps, and prepare you for certification. We do not implement technical controls; that's your IT provider's job. We do not issue the certificate; that's CyberCert's job.
What that independence gives you: an honest, unbiased picture of where you stand. No one at Coastal Cyber benefits from certifying you before you're ready, or from selling you technology to close the gaps.
Independent gap analysis against your target tier. Evidence review. Structured interviews. Plain-English findings.
Prioritised remediation roadmap. We tell you what to fix, in what order, and what good looks like. Your MSP implements.
Certification readiness brief. Pre-attestation review. CyberCert discount link so you can complete certification at 35% off the standard fee.
Book a 20-minute call to discuss scope, target tier, and whether a Readiness Assessment is right for you. Certification subscription fees are charged separately by CyberCert via our partner discount link.
Six steps from introductory call to certificate in hand.
1. We establish your target tier, your timeline, and whether a Readiness Assessment is the right starting point. No obligation.
2. Engagement letter signed. Kick-off call with you (and your IT provider if relevant). We confirm scope, evidence to gather, and interview schedule.
3. Structured review of controls across all five domains: Technology Management, Access Management, Backup & Recovery, Policies & Procedures, Education & Training. Evidence-based, not a tick-box.
4. You receive the gap register and remediation roadmap. We walk you through it. Your IT provider implements the outstanding items.
5. Once your IT provider has closed the gaps, we review the CyberCert workbook with you before you sign. You attest with confidence.
6. You complete the attestation via CyberCert's platform and receive your certificate. We provide the partner discount link (35% off).
SMB1001 is particularly relevant for businesses facing procurement, insurer, or regulatory pressure to demonstrate cyber maturity — or those that simply want a structured path to better security.
The Queensland Law Society formally endorsed SMB1001:2025 as a recommended standard for member law firms. Gold certification provides documented evidence of cybersecurity due diligence — relevant to PII obligations, PI insurance, and client expectations.
Private clinics, allied health practices, and aged care providers handle highly sensitive personal and health information. SMB1001 Gold covers the operational controls most relevant to compliance with the Australian Privacy Principles (APPs) and to OAIC expectations, and gives insurers and referring hospitals something concrete to review.
B2B technology companies are increasingly asked to complete security questionnaires by enterprise customers. SMB1001 Gold is an efficient way to demonstrate baseline cyber maturity without the overhead of ISO 27001 — and creates a clear pathway toward it.
Any business facing supply chain scrutiny, cyber insurance pressure, or a board asking "what are we doing about cybersecurity?" can use SMB1001 as a structured starting point and a defensible answer.
Independent schools handle sensitive student records, health information, and staff data under Privacy Act obligations — and face increasing pressure from school boards, insurers, and parent communities to demonstrate structured cyber governance. SMB1001 Gold provides an achievable certification pathway sized for school budgets, with controls directly relevant to EdTech vendor risk, identity management, and incident response. Government schools typically operate under state-level frameworks; this pathway suits independent and Catholic schools with governance boards accountable for cyber risk.
Start with a free 20-minute call. No obligation. We'll tell you whether a Readiness Assessment is the right fit, which tier makes sense, and what the process looks like.