SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

Yesterday I introduced SMB1001 at 30,000 feet. What it is, where it came from, the key UK reality check.

Today we go into the engine room.

This is Part 2 of Cyber Belts: The SMB1001 Deep Dive. I'm going through each tier with specific controls, real-world implications, and the parts the vendor marketing tends to leave out. If you haven't read Part 1 yet, start there.

Bronze: The Floor, Not the Ceiling

Bronze is tier one. Basic hygiene. I'm going to be direct: if your IT provider can't get you to Bronze level, you need a different IT provider.

The controls are not exotic. You need a managed service provider or competent IT contractor handling your tech support. You need a firewall at the edge of your network and software firewalls enabled on every device. Default passwords changed from factory settings. Antivirus or endpoint protection installed on every laptop and PC, set to update automatically. Automatic security updates configured across your machines. And daily backups, encrypted, stored off-site, not on a USB drive permanently plugged into the server.

That's Bronze. Most businesses with any kind of decent IT support should already have most of this in place. If you don't, that gap is your primary risk, and no amount of higher-tier certification will fix it.

The NCSC Password Conflict

Here's where I have to flag something that the SMB1001 documentation gets wrong, and that matters.

Bronze includes a requirement for "routine password changes" — annual at minimum. The NCSC is explicit that this is bad advice. Forcing regular password resets drives users to weaker, predictable passwords. People just add a number on the end. NCSC guidance, which Cyber Essentials also follows, says: use long passphrases, deploy MFA, and don't force periodic rotation.

If your MSP tells you everyone needs to change their password every 90 days because SMB1001 says so, push back. Ask them to reconcile that instruction with the NCSC's own published guidance. This conflict is real and should be on your radar from the start.

Director Attestation: The Accountability Trap

For Bronze, Silver, and Gold, there is no external auditor. A company director has to personally log into the CyberCert portal and attest that all the required controls are in place. Their name goes on the record.

Done properly, this is excellent. The director actually reads the control requirements, understands the risks, and has personal accountability for whether the business meets them.

Done badly, it's a director clicking through a checklist they haven't read, trusting that "IT have sorted it", and signing off controls that aren't actually implemented.

I will come back to this theme in Friday's case study, because the gap between attestation and reality is where a lot of the real damage happens.

Silver: Where Attackers Are Actually Stopped

Silver is where the changes start to affect day-to-day working life, and where the controls genuinely begin to address how UK businesses get compromised most often.

The headline requirements: everyone gets their own unique user account. No more shared logins. No more "info@" mailbox used by half the office as an authentication credential. Each person has their own username and password, and crucially, nobody is doing routine work from an admin account.

A password manager is required: a proper password vault so staff can use long, unique passwords for every system without having to remember them all. This is non-negotiable at Silver, and rightly so.

MFA on email. This one is enormous. Multi-factor authentication on your business email is one of the highest-impact security controls that exists for small businesses. If someone steals a password, they still can't access the inbox without the second factor. The majority of UK business email compromise starts with a stolen password and no MFA. Silver makes this a requirement.

On the email security side, Silver requires SPF: a DNS record that tells receiving mail servers which services are authorised to send email on your behalf. Your website also needs TLS, the padlock in the browser bar.

The human-side controls at Silver are underestimated. Confidentiality agreements for staff before they start. A documented policy specifically for invoice fraud verification: any change of bank details must be verified by a phone call to a known number, not just an email. A visitor register for restricted areas.

The Invoice Fraud Policy Is More Important Than It Sounds

Business email compromise targeting accounts payable is the dominant financial cyber threat to UK small businesses. A criminal spoofs or compromises a supplier's email address, sends updated banking details, and your accounts person pays the wrong account before anyone realises. The NCSC and Action Fraud have documented this pattern repeatedly.

Silver's invoice verification policy directly counters it. The requirement is simple: any request to change payment details must be confirmed by a phone call to a number you already have on record, not a number provided in the email. That one control prevents the overwhelming majority of these attacks.

Silver is where habit change starts. Password managers mean learning a new tool. MFA on email means codes on phones. Those changes create friction. Leadership needs to back them, not roll their eyes.

Gold: The Grown-Up Programme

Gold is where it stops feeling like just IT infrastructure and starts looking like an actual security programme.

Technically, the headline addition at Gold in the 2026 edition is EDR: Endpoint Detection and Response. This is your antivirus with a brain. It watches device behaviour in real time, spots suspicious patterns, and typically has a monitoring service behind it. EDR is now mandatory at Gold in SMB1001:2026, having been promoted from a higher tier. That's the right call.

MFA expands beyond email to cover all key business applications and social media accounts. If you use remote desktop, it must be accessible only through a VPN, not directly exposed to the internet.

Email authentication steps up significantly. DKIM adds a digital signature to outbound email confirming it genuinely came from your systems. DMARC is a DNS policy that tells receiving mail servers what to do if something fails SPF or DKIM checks: quarantine it or reject it. SMB1001:2026 explicitly requires DMARC to be set to quarantine or reject, not the soft "none" setting that provides no protection. This is correct and I'm glad they've made it mandatory.
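As an added illustration (not from this post or from CyberCert), here is how the Silver SPF requirement and the Gold DMARC requirement can be checked against a domain's published TXT records; the domain example.co.uk and its records are constructed, and in practice you would fetch them with a DNS lookup rather than from an inline dict.

```python
# Constructed sample TXT records for a hypothetical domain; not real DNS data.
# WEAK_TXT has SPF in place but a DMARC policy of "none" (reports only, no enforcement).
WEAK_TXT = {
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"],
}
# HARDENED_TXT is the same domain after moving DMARC to an enforcing policy.
HARDENED_TXT = {
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk"],
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt_records):
    """Return findings mirroring the Silver (SPF) and Gold (DMARC) checks; empty means pass."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published (Silver requirement)")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as a permanent error")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} gives no protection; SMB1001:2026 requires quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected and nothing is being monitored")
    pct = tags.get("pct", "100")  # RFC 7489 default applies the policy to 100% of mail
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for label, txt in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        print(label, assess_domain("example.co.uk", txt) or ["no findings"])
```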

On governance, Gold requires a written cyber security policy, a formal incident response plan, a digital asset register (a list of your systems and data, where they live, who has access), secure document destruction procedures, and a policy on responsible AI use. That last one is new in the 2026 edition and reflects a real gap: staff pasting client data into AI tools with no controls is an increasing GDPR exposure.

How Gold Compares to Cyber Essentials

Cyber Essentials and SMB1001 Gold cover similar technical ground. Firewalls, patching, malware protection, access controls: those themes align. But Cyber Essentials is laser-focused on five prescriptive technical controls, whereas SMB1001 Gold adds governance, training, and email authentication that CE doesn't mandate.

The key difference: Cyber Essentials is UK government-backed, audited (at Plus level), and recognised in procurement. SMB1001 Gold is not. If you need CE for contracts, CE is what you pursue. SMB1001 Gold can be a useful companion framework for the governance layer that CE doesn't address. Not a replacement for it.

Platinum: Someone Else Checks

Platinum is where self-attestation ends. At this tier, CyberCert or their authorised auditors verify your controls. External scrutiny replaces trust.

Technically, Platinum adds regular vulnerability scanning of any systems you have exposed to the internet: your website, VPN endpoints, anything public-facing. Automated tools probe for known vulnerabilities on a scheduled basis so you can patch before attackers find them.

Remote access is tightened further. MFA must be properly enforced. Sensitive data at rest, on servers and on laptops, must be encrypted: if a device walks out of the building, your client data doesn't go with it.

There is also a formal requirement to vet third parties who touch your systems or data: supplier due-diligence, tighter contractor agreements, an active cyber insurance policy.

For most UK small businesses under 50 staff operating in domestic supply chains, Platinum is beyond what your risk profile realistically requires. Where it starts making sense is with larger firms, businesses embedded in international supply chains, or organisations where clients are beginning to push for ISO 27001 but the cost and complexity of that certification isn't yet justified.

Diamond: The Full-Fat Version

Diamond requires penetration testing: you pay ethical hackers to attack your systems and report what they find. You also run rehearsed incident response drills so that when something goes wrong, your team knows exactly what to do rather than improvising in a panic.

The supplier due-diligence programme is fully embedded at Diamond. You're systematically managing cyber risk across all key vendors, not just sending them a questionnaire once a year.

Application control, where only approved software can run on company devices, is a Diamond-level expectation. It's genuinely effective and genuinely unpopular with staff.

Diamond is the closest SMB1001 gets to ISO 27001 territory, without claiming equivalence. The standard is explicit about this: different beast, similar intent.

For most UK SMBs under 50 people, Diamond is not your goal. If you're a ten-person accountancy firm in Leeds or a 25-person marketing agency in Bristol, Bronze through Gold is where your money is best spent. Platinum and Diamond are for specific scenarios: international supply chains, firms transitioning toward ISO 27001, or organisations that have had an incident and need demonstrable uplift for clients and insurers.

Do not let anyone make you feel morally obligated to pursue Diamond. It is a tool for specific circumstances.

What It All Costs

The certification fees themselves are, as frameworks go, genuinely affordable. At the time we recorded this week's episode, the quoted GBP figures were: Bronze £75, Silver £153, Gold £310, Platinum £467, and Diamond £780, all exclusive of VAT. Verify current pricing on the CyberCert website (cybercert.ai) before budgeting, as these are from the podcast recording and may have been updated.

Those are the certificate and platform fees only. The real cost is the uplift work.

Bronze is usually cheap and fast if your IT setup is reasonably current. Days to a few weeks, potentially a couple of thousand pounds in gap remediation on top of the cert fee.

Silver is a few weeks of work. Low thousands in licence and implementation costs: password manager rollout, MFA deployment, SPF and TLS configuration, policy drafting.

Gold is a meaningful project. One to three months, several thousand pounds when you add EDR licences, DMARC configuration, incident response plan drafting, and staff training. The 2026 edition's increase from 23 to 27 controls makes this more substantive than previous years.

Platinum and Diamond depend heavily on your specific infrastructure and will require quoted MSP project costs. Budget for external audit fees on top of implementation.

None of this is a ten-pound tick-box exercise, but none of it is a six-figure ISO 27001 engagement either. That is the genuine value of the ladder.

How to Turn This Into a Competitive Advantage

Tier-specific claims are more credible than generic ones. "We're SMB1001 Gold certified, which means we have EDR on every device, DMARC on all outbound email, a written incident response plan, and annual staff training" is a genuinely specific and verifiable security statement. That is more persuasive to a procurement team or an insurer than "we take security seriously."

Use the tier controls as your MSP's performance standard. If your IT provider manages your security, SMB1001's control lists give you a precise checklist to audit their delivery against. Each control is described specifically enough that you can verify it yourself or commission an independent check.

Build tier progression into your contract reviews. Set a defined target tier with your MSP and include it as a measurable outcome in your contract review. "Get us to Silver by end of Q2" is a specific, testable commitment. "Improve our security posture" is not.

How to Sell This to Your Board

Frame it as defined risk reduction, not certification cost. Each tier addresses specific attack vectors. Silver's MFA and invoice fraud policy directly address business email compromise. Gold's EDR directly addresses ransomware. You can map the controls to the threats that your specific business type faces.

The director attestation question is a useful board conversation. Ask: "Would our directors be comfortable personally signing off that we have proper backups, MFA on all email accounts, an invoice fraud policy, and regular staff training?" If the answer is yes with confidence, your security posture is reasonable. If it produces uncertainty, that uncertainty is the most accurate risk assessment you have.

The annual recertification cycle gives the board a recurring review point. Rather than cybersecurity disappearing from the agenda after a one-off audit, annual recertification creates a scheduled accountability moment. Boards respond well to defined review cycles.

What This Means for Your Business This Week

  1. Run yourself against the Silver controls right now. Does everyone have individual accounts? Is MFA on email? Do you have an invoice fraud verification procedure? Those three controls address the three most common paths into a UK small business. If any are missing, that is your immediate priority.

  2. Ask your MSP specifically about DMARC. Not whether they've heard of it. Whether it's configured for your domain, whether it's set to quarantine or reject, and whether they've monitored it since deployment. A DMARC policy set to "none" is not protecting you.

  3. Flag the password rotation conflict. If your IT provider references the SMB1001 Bronze requirement for periodic password changes, push back and ask them to align with NCSC guidance instead.

  4. Come back Thursday. Graham Falkner's practical guide to using SMB1001 as your MSP conversation framework is the most directly actionable post of the week.



Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com