How to Use SMB1001 as a Practical Roadmap (Not Just Another Badge): A Step-by-Step Guide for UK Small Businesses
I want to start with a question.
When your IT company last told you they'd improved your security, did you have any concrete way of checking? Any defined list of controls? Any baseline to measure against?
If the answer is no, that's the problem SMB1001 can actually solve. Not because the certificate matters, necessarily. But because the framework gives you something to point at.
This is Part 3 of Cyber Belts: The SMB1001 Deep Dive. Noel introduced the standard on Monday. Tuesday covered what each tier specifically demands. Today's post is the practical guide: how to use SMB1001 as a working roadmap for your IT conversations, your MSP project plan, and your own security programme. No vendor pitch, just method.
Link: Part 1 — A Brutally Honest Introduction to SMB1001
Link: Part 2 — What Each Tier Actually Demands
Step 1: Be Honest About Where You Actually Are
Before you can plan a journey, you need to know your starting point. This is harder than it sounds.
Most small businesses have a rough sense that their IT is "fine" or "could be better." Very few have a clear picture of which specific controls are in place and which are missing.
Run yourself against the Bronze tier controls first. These are binary questions, not subjective ones:
Does every device on your network have a firewall enabled? Not just the router: every laptop, every desktop?
Is antivirus or endpoint protection installed on every device and set to update automatically?
Are security patches applied automatically, across every machine, including ones that rarely come into the office?
Do you have daily backups, encrypted, stored somewhere that is not physically in your building?
Has anyone changed the default passwords on your router and any other network equipment from the factory settings?
If you are uncertain about any of those, that uncertainty is your answer. A gap at Bronze level is your first priority, regardless of what tier you're aiming for.
Then move to Silver:
Does every member of staff have their own individual account? No shared logins?
Is anyone using an admin account for their day-to-day work?
Does every member of staff use a password manager?
Is MFA enabled on your business email for every user, without exception?
Is SPF configured for your domain?
Do you have a documented procedure for verifying any change of supplier bank details?
Honest answers to those questions give you your actual starting position. Not your preferred starting position: your actual one.
Step 2: Choose the Right Target Tier for Your Situation
Not every business should aim for the same tier. Here is a practical framework for matching your target to your actual circumstances.
Bronze is your minimum if: You are a very small business, sole trader, or start-up. You have limited IT budget. You do not handle significant client data. You are not in a regulated sector. Your clients have not asked for any specific security certification.
Bronze is not a goal to be proud of. It is the floor. But it is a defined floor, which is better than an undefined one.
Silver is appropriate for most businesses in the 5-20 person range if: You handle any client data at all. You have staff accessing business systems from home. You have been targeted by phishing emails. Your cyber insurer has asked about your security controls. You process invoices and make payments on behalf of clients.
Silver addresses the attack patterns that hit UK small businesses most often. MFA on email and an invoice verification policy between them cut off the two routes behind most financially damaging incidents: mailbox takeover and redirected supplier payments.
Gold is the right target if: You have 20 or more staff. You handle sensitive data: financial information, health information, legal information, or personal data in volume. You are tendering for contracts with larger businesses that ask security questions. You operate internationally. You want to demonstrate structured security maturity to clients or insurers.
Gold in the 2026 edition is a meaningful programme. EDR on all devices, DMARC enforcement, a written incident response plan, regular staff training. This is not a weekend project; budget for a one-to-three-month implementation.
Platinum or Diamond are worth considering only if: You are in an international supply chain where overseas partners are asking for ISO 27001 or equivalent. You have 50 or more staff. You have recently had an incident and need demonstrable uplift. Your sector has specific audit requirements that Platinum's external verification satisfies.
Do not let anyone push you towards Platinum or Diamond unless your circumstances genuinely warrant it.
Step 3: Have a Structured Conversation With Your IT Provider
This is where SMB1001 delivers its real value. The framework gives you a vocabulary for a conversation that most small businesses have never been able to have.
Instead of: "Can you make us more secure?"
You say: "We've assessed ourselves against SMB1001 Bronze and Silver. We have these gaps: [list]. We want to be at Silver level by the end of Q2. Can you give us a project plan and cost estimate for closing those specific gaps?"
That is a completely different conversation. It has a defined scope. It has a measurable outcome. It has a timeline. And because both you and your IT provider are working from the same control list, there is no ambiguity about what "done" means.
Here are the specific questions to put to your MSP, referencing SMB1001 tiers:
For each device on our network, can you confirm that the firewall, antivirus, and automatic patching are all enabled and current? Please show me the evidence.
For our email domain, is SPF configured? Is DKIM enabled? Is DMARC set to quarantine or reject, not "none"? If any of those are missing, what is the plan and timeline to implement them?
Is MFA enabled for every user on our email platform, without any exceptions? If there are exceptions, who authorised them and why?
What password manager do you recommend for our size and budget? What would the rollout plan look like?
What EDR solution do you recommend at Gold level, what does it cost per device per month, and what does the monitoring service cover?
Do you have a template incident response plan we can adapt, or will you draft one for us? What does that cost?
These are not unreasonable questions. Any competent MSP should be able to answer all of them specifically and promptly. If the response is vague, evasive, or relies on "trust us, we've got it covered," that is important information about your MSP.
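The email questions in Step 1 (is SPF configured?) and in the MSP list above (SPF, DKIM, DMARC at quarantine or reject rather than none) can be checked without taking anyone's word for it. The following is an added example, not code from this post or from DSI or CyberCert: it parses SPF and DMARC TXT records and grades them the way those questions do. The records in SAMPLE_TXT are constructed for illustration; for a real domain, paste in the output of `dig +short TXT yourdomain.co.uk` and `dig +short TXT _dmarc.yourdomain.co.uk`. DKIM is left out because its record lives under a selector name chosen by your mail provider (Microsoft 365, for example, uses selector1._domainkey.yourdomain.co.uk), so ask the MSP for the selector and query that name the same way.

```python
"""Grade SPF and DMARC TXT records against the SMB1001 email questions.

Added example, not part of the original post. Parsing follows RFC 7208 (SPF)
and RFC 7489 (DMARC). SAMPLE_TXT holds constructed records, not live data.
"""
import re

# Constructed sample records, keyed by the DNS name you would query.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "good.example": ["v=spf1 mx ~all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.google.com +all"],
    "nospf.example": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def find_record(txt_records, prefix):
    """Return the one TXT record starting with prefix, None if absent, or
    'MULTIPLE' if there is more than one (itself a misconfiguration)."""
    matches = [r for r in txt_records if r.lower().startswith(prefix.lower())]
    if len(matches) > 1:
        return "MULTIPLE"
    return matches[0] if matches else None


def _mechanism_name(term):
    """'include:spf.example' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def assess_spf(txt_records):
    """Return (grade, reason) for the domain's SPF record."""
    record = find_record(txt_records, "v=spf1")
    if record is None:
        return ("FAIL", "no SPF record")
    if record == "MULTIPLE":
        return ("FAIL", "more than one SPF record; receivers treat this as a permanent error")
    terms = record.split()[1:]
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)]
    if not all_terms:
        return ("WARN", "no 'all' mechanism, so unlisted senders get a neutral result")
    # The qualifier in front of 'all' decides what happens to senders you did not list.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ("FAIL", "'+all' lets any host on the internet send as this domain")
    if qualifier == "?":
        return ("WARN", "'?all' treats unlisted senders as neutral rather than failing them")
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        return ("FAIL", f"{lookups} DNS-lookup terms exceed the limit of 10 in RFC 7208")
    return ("PASS", f"SPF ends with '{all_terms[-1]}'")


def assess_dmarc(txt_records):
    """Return (grade, reason) for the _dmarc.<domain> record."""
    record = find_record(txt_records, "v=DMARC1")
    if record is None:
        return ("FAIL", "no DMARC record at _dmarc.<domain>")
    if record == "MULTIPLE":
        return ("FAIL", "more than one DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("FAIL", f"missing or invalid p= tag: {policy!r}")
    if policy == "none":
        return ("WARN", "p=none only monitors; spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        return ("FAIL", f"invalid pct={pct_raw!r}")
    if int(pct_raw) < 100:
        return ("WARN", f"p={policy} applies to only {pct_raw}% of failing mail")
    if "rua" not in tags:
        return ("WARN", f"p={policy} is enforced but without rua= you get no aggregate reports")
    return ("PASS", f"p={policy} enforced on all failing mail")


def assess_domain(domain, txt=SAMPLE_TXT):
    """Grade both records for a domain using the supplied TXT lookup table."""
    return {
        "spf": assess_spf(txt.get(domain, [])),
        "dmarc": assess_dmarc(txt.get("_dmarc." + domain, [])),
    }


if __name__ == "__main__":
    for name in ("example.com", "good.example", "weak.example", "nospf.example"):
        r = assess_domain(name)
        print(f"{name}: SPF {r['spf'][0]} ({r['spf'][1]}); DMARC {r['dmarc'][0]} ({r['dmarc'][1]})")
```

Run it as-is to see the sample grading, or replace the SAMPLE_TXT entries with your own records. A PASS on SPF and DMARC here says nothing about whether outbound mail is actually DKIM-signed, so keep that as a separate question to the MSP.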
Step 4: Build a Costed, Time-Phased Plan
Vague security commitments are worthless. A costed project plan is what you actually need.
Here is a practical template for structuring the conversation with your MSP:
Phase 1 (Weeks 1-4): Bronze Gap Close
Audit all devices for firewall, AV, patching status
Identify and remediate any machines that have fallen off automatic updates
Confirm backup status: encrypted, off-site, daily, tested
Change all default network equipment passwords
Estimated cost: £500-£2,000 in remediation work, depending on number of devices and current state, plus the £75 certification fee if pursuing formal certification
Phase 2 (Weeks 4-8): Silver Gap Close
Deploy password manager to all staff (typical licence cost: £3-£6 per user per month)
Enable MFA on business email for all accounts, no exceptions
Configure SPF and review TLS status for your domain
Draft invoice fraud verification policy and communicate to all staff
Establish individual user accounts: eliminate any shared logins
Estimated cost: £1,500-£4,000 in implementation work plus ongoing licence costs, plus £153 certification fee
Phase 3 (Month 2-4): Gold Gap Close
Deploy EDR to all devices (managed EDR typically £5-£15 per device per month)
Configure DKIM and DMARC to quarantine/reject
Draft written cyber security policy and incident response plan
Create digital asset register
Implement regular staff security training programme
Draft responsible AI use policy
Estimated cost: £3,000-£8,000 in implementation work plus ongoing licence costs, plus £310 certification fee
All figures are indicative and exclude VAT. Get specific quotes from your MSP for your actual environment.
Step 5: Understand What You Are Signing
If you pursue formal certification at Bronze, Silver, or Gold, a company director has to personally attest that the controls are in place. This is not a box-ticking formality. That director's name is on the record.
Before any director signs off on the CyberCert portal, they should be able to answer the following questions themselves, not just rely on the MSP's assurance:
Have we tested our backups recently? Has anyone actually tried to restore from them?
Is MFA genuinely enabled for every user on email, including any accounts that senior staff asked to exempt for convenience?
Does every member of staff know the invoice verification procedure?
Is there a written incident response plan, and do the key people know what it says?
If the director cannot confidently answer yes to those questions, the attestation should not be signed. Not because of the certification: because those gaps represent real business risk.
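The backup line in the Phase 1 plan ("encrypted, off-site, daily, tested") and the first director question above only get a truthful yes if someone restores the backup and checks what came out. This is an added example, not code from the post or from any vendor, showing the shape of that test: it backs a constructed data set up into a tar.gz with a SHA-256 manifest, restores it into a fresh directory, verifies every file against the manifest, flags an archive older than the daily window, and refuses an archive containing a path that would write outside the restore directory. The manifest name and the 24-hour threshold are assumptions for the example; encryption and the off-site copy are outside its scope.

```python
"""Restore-test a backup archive: extract it somewhere fresh and verify every file.

Added example, not code from the original post. The data set, manifest name
and 24-hour freshness window are assumptions made for illustration.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed name of the embedded checksum list


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir plus a sha256sum-style manifest."""
    source_dir = Path(source_dir)
    lines = []
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                tar.add(str(p), arcname=rel)
                lines.append(f"{sha256_file(p)}  {rel}\n")
        data = "".join(lines).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(data))
    return len(lines)


def restore_and_verify(archive_path, max_age_hours=24):
    """Restore into a throwaway directory and compare each file with the manifest.
    Returns a dict so a scheduled job can alert on it rather than just print."""
    archive_path = str(archive_path)
    result = {"files": 0, "missing": [], "corrupt": [], "stale": False, "ok": False}
    age_hours = (time.time() - os.path.getmtime(archive_path)) / 3600
    result["stale"] = age_hours > max_age_hours  # older than the daily window
    # Use the stdlib's safe extraction filter where this Python version has it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # A tampered archive could try to write outside the restore directory.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(restore_dir, **extract_opts)
        manifest_path = Path(restore_dir, MANIFEST)
        if not manifest_path.is_file():
            result["missing"].append(MANIFEST)
            return result
        for line in manifest_path.read_text().splitlines():
            digest, rel = line.split("  ", 1)
            target = Path(restore_dir, rel)
            result["files"] += 1
            if not target.is_file():
                result["missing"].append(rel)
            elif sha256_file(target) != digest:
                result["corrupt"].append(rel)
    result["ok"] = not (result["missing"] or result["corrupt"] or result["stale"])
    return result


def demo(stale=False):
    """End-to-end run on constructed data; stale=True backdates the archive three days."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "docs").mkdir(parents=True)
        (src / "invoices.csv").write_text("supplier,amount\nAcme Ltd,1200.00\n")
        (src / "docs" / "ir-plan.md").write_text("# Incident response plan\n")
        archive = Path(work, "backup.tar.gz")
        create_backup(src, archive)
        if stale:
            three_days_ago = time.time() - 72 * 3600
            os.utime(str(archive), (three_days_ago, three_days_ago))
        return restore_and_verify(archive)


def traversal_rejected():
    """Build an archive with a '../' member and confirm the restore refuses it."""
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work, "bad.tar.gz")
        with tarfile.open(str(archive), "w:gz") as tar:
            payload = b"not yours\n"
            info = tarfile.TarInfo("../escape.txt")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        try:
            restore_and_verify(archive)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print(demo(stale=True))
    print("traversal rejected:", traversal_rejected())
```

The point of returning a result dictionary rather than printing is that the same check can run on a schedule against last night's archive and page someone when `ok` is false; a restore test that only ran once, by hand, the week before the director signed is not what the attestation is asking about.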
Attestation is not a legal shield. A director who signs off controls that were never actually implemented has put their name to a document that is likely to be examined if an incident occurs and an insurance claim or legal proceedings follow.
Step 6: Plan for Annual Recertification
SMB1001 is not a one-time exercise. You recertify every year against the current edition of the standard. The controls update annually, which means what was required at Gold in 2025 is not identical to Gold in 2026.
Build recertification into your annual business cycle. Some practical suggestions:
Put the recertification review in your calendar at least six weeks before your certificate renewal date
Include a question about the updated standard in your annual MSP contract review
Treat the annual control check as a board agenda item, not just an IT task
Budget for the recertification fee and any remediation work in your annual IT budget
The annual cycle is genuinely useful. It prevents security from disappearing from the agenda after an initial push, and it creates a natural moment to verify that controls are still in place and working, not just theoretically deployed.
Red Flags to Watch For
When working with an MSP on SMB1001 implementation, watch out for the following:
"We'll get you Gold by the end of the month." Gold is a substantive programme. If an MSP is promising rapid Gold certification without a detailed gap assessment and project plan, ask them to explain exactly how that timeline is achievable. Fast certifications often mean self-attestation to controls that are not genuinely in place.
"You don't need to worry about the password rotation requirement." Actually, you do need to worry about it, but in the opposite direction: if your MSP is implementing routine password changes because Bronze mentions them, they are out of step with NCSC guidance, which advises against forced regular expiry because it pushes people towards predictable variations of the same password; change a password when there is reason to think it has been compromised. This is a flag that they are following the SMB1001 document uncritically rather than applying professional judgement.
"SMB1001 covers your Cyber Essentials requirement." It does not. If a tender or contract specifies Cyber Essentials, you need Cyber Essentials. Any MSP suggesting otherwise is either misinformed or being misleading.
"The director just needs to sign here." If attestation is presented as a formality to be completed quickly, that's a process failure. The director needs to understand what they are attesting to.
How to Turn This Into a Competitive Advantage
Publish your tier publicly. Once you reach Silver or above, put it on your website: "We operate at SMB1001 Silver level, which means every member of our team uses MFA on email and a password manager, and we have verified procedures for handling payment instructions." That specificity builds client trust in a way that vague security claims do not.
Use your tier as a supplier questionnaire response. When large clients send security questionnaires asking about your controls, SMB1001's control descriptions give you precise, auditable answers. This reduces the time you spend on supplier questionnaires and increases confidence in your responses.
Offer it as a supply chain signal. If you have suppliers or subcontractors who handle your data, use your own SMB1001 journey to start conversations with them about their controls. Asking your suppliers to at least reach Bronze level is a reasonable supply chain due-diligence step that most small businesses have never taken.
How to Sell This to Your Board
"Can you just make us secure?" costs more than a defined programme. Reactive security spending, incident response after an attack, emergency IT support, regulatory notifications, insurance claim disputes: the unplanned costs of poor security are almost always higher than planned investment. A tiered programme with defined costs and timelines is a much easier budget conversation than an open-ended security commitment.
The MSP accountability question is valuable regardless of certification. Even if you never pursue formal certification, running your IT provider against SMB1001's control list gives you a structured basis for holding them accountable. That alone is worth the exercise.
Board members who sign personal attestations need to be informed. If your directors are going to attest to controls under their name, they need to understand what those controls are. SMB1001's requirement for director-level sign-off is an opportunity to run a board-level security review that would otherwise never happen.
What This Means for Your Business This Week
Run the Bronze and Silver gap assessment this week. Use the control questions in Step 1 as your checklist. Write down the honest answers. That document is your starting point.
Book a structured conversation with your MSP using the questions in Step 3. Tell them you are working through SMB1001 tiers as a framework for your security programme. Ask for a written response with specific evidence and timelines.
Identify your realistic target tier using the framework in Step 2. Write it down, include it in your next board meeting agenda, and treat it as a defined business objective rather than a vague aspiration.
Read Friday's case study. Lucy Harper has documented what happens when the certification process is treated as a box-ticking exercise rather than a genuine security programme. Worth reading before you start.
Sources
| Source | Article / Resource |
|---|---|
| Dynamic Standards International (DSI) | SMB1001 Standard Overview |
| CyberCert | SMB1001 Certification Tiers and Pricing |
| NCSC | Cyber Essentials: Overview |
| NCSC | Password Administration Guidance for System Owners |
| NCSC | Business Email Compromise Guidance |
| Black Swan Cyber (UK) | SMB1001 Certification for UK Small Businesses |
| DSIT | Cyber Security Breaches Survey 2025 |
| IASME | IASME Cyber Assurance |