You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

There's a new certification making the rounds in UK small business IT conversations, and the sales pitch is depressingly familiar.

Spend the money, get the logo, stick it on the website. Job done. Meanwhile the backups are still dodgy, nobody's actually turned on MFA for the whole team, and the invoice fraud policy that got signed off exists solely as a Word document in a folder nobody opens.

Today on The Small Business Cyber Security Guy, we're launching a new series called Cyber Belts: The SMB1001 Deep Dive. Over the coming weeks, Graham Falkner, Mauven MacLeod, and I are going to pull SMB1001 apart tier by tier, honestly and in plain English.

This is Part 1. It covers what SMB1001 actually is, where it came from, and the single most important thing UK small businesses need to understand before anyone talks them into buying it.

So What Is SMB1001?

SMB1001 is a multi-tiered cybersecurity certification standard built specifically for small and medium-sized businesses. It was created by Dynamic Standards International (DSI), a private standards body headquartered in Washington D.C. with an additional office in Canberra, Australia. DSI was formerly known as Cyber Security Certification Australia, which tells you something about its origins: this is an Australian concept that has been internationalised.

The current edition is SMB1001:2026, which became certifiable in January 2026 and is the second internationally available edition of the standard. It is updated annually by a steering committee, which is why it's described as a "dynamic" standard. Think of it less like an MOT and more like an annual service: you recertify each year against the current controls.

Certification itself is handled through a separate company called CyberCert, which operates the platform where businesses do their self-assessment and receive their certificate.

The standard divides cybersecurity into five domains: Technology Management, Access Management, Backup and Recovery, Policies and Processes, and Education and Training. Within those five domains sit five certification tiers, each building on the one below: Bronze, Silver, Gold, Platinum, and Diamond.

The idea, as DSI describes it, is a ladder. You start where you are, and you climb at your own pace.

The Five Tiers: A 60-Second Overview

Bronze is basic hygiene. Firewalls, antivirus, automatic patching, encrypted off-site backups. The absolute floor. If your IT provider can't get you here, find a different IT provider.

Silver tightens things around people and email. Individual user accounts, a password manager, MFA on email, SPF on your domain, a documented invoice fraud policy, confidentiality agreements for staff. This is where attackers are stopped in their tracks most often.

Gold is where it starts looking like a grown-up security programme. Endpoint Detection and Response (EDR) on all devices, DKIM and DMARC on your email, a written incident response plan, a digital asset register, regular staff training, and a policy on responsible AI use. Gold now requires 27 controls in the 2026 edition, up from 23 in 2025. That's a meaningful increase.

Platinum brings in external verification: someone else checks your work rather than just trusting your word. You also add regular vulnerability scanning of internet-facing systems and formal requirements around data encryption at rest.

Diamond is the full-fat version. Penetration testing, rehearsed incident response drills, a systematic supplier due-diligence programme. It's the closest SMB1001 gets to ISO 27001 in spirit, though it explicitly does not claim equivalence.
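The Silver and Gold descriptions above name three e-mail controls that can be checked from public DNS: SPF at Silver, DKIM and DMARC at Gold. As an added example (not code from DSI, CyberCert, or this post), here is a small Python checker that parses the TXT-record syntax those protocols use and maps the result onto those two tiers for the e-mail controls only; the rest of each tier's checklist is out of scope. The domain names, selector name and DNS records are constructed inputs standing in for what a resolver would return, so it runs offline; a real run would fetch the TXT records with a DNS library.

```python
import re
from typing import Dict, List, Tuple

# Constructed TXT records for hypothetical domains (assumption: these stand in
# for what a DNS resolver would return; they are not real lookups).
GOOD_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
}
WEAK_TXT: Dict[str, List[str]] = {
    "weak.test": ["v=spf1 include:_spf.mailprovider.test +all"],  # +all authorises any sender
    "_dmarc.weak.test": ["v=DMARC1; p=none"],                      # monitoring only, no enforcement
}

Finding = Tuple[bool, List[str]]


def _tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: List[str]) -> Finding:
    """SPF (Silver): exactly one v=spf1 record ending in a restrictive 'all'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, ["no SPF record published"]
    if len(spf) > 1:
        return False, ["more than one SPF record; receivers treat this as a permanent error"]
    match = re.fullmatch(r"([+\-~?]?)all", spf[0].split()[-1].lower())
    if match is None:
        return True, ["SPF does not end with an 'all' mechanism; check for a redirect= modifier"]
    qualifier = match.group(1)
    if qualifier in ("", "+"):
        return False, ["SPF ends with '+all', which authorises every sender on the internet"]
    if qualifier == "?":
        return True, ["SPF ends with '?all' (neutral); '~all' or '-all' is expected"]
    return True, []


def check_dkim(records: List[str]) -> Finding:
    """DKIM (Gold): a public key (p=) published at selector._domainkey.domain."""
    for r in records:
        if _tags(r).get("p"):
            return True, []
    return False, ["no DKIM public key found at the selector"]


def check_dmarc(records: List[str]) -> Finding:
    """DMARC (Gold): a v=DMARC1 record at _dmarc.domain with a valid policy."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return False, ["no DMARC record at _dmarc"]
    tags = _tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, ["DMARC record has no valid p= policy"]
    findings: List[str] = []
    if policy == "none":
        findings.append("DMARC policy is p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports of failures go nowhere")
    return True, findings


def assess_email_controls(txt: Dict[str, List[str]], domain: str, selectors: List[str]) -> dict:
    """Map SPF/DKIM/DMARC results onto the e-mail controls of Silver (SPF) and Gold (DKIM + DMARC)."""
    spf_ok, findings = check_spf(txt.get(domain, []))
    dkim_ok, dkim_findings = False, ["no DKIM selector published for this domain"]
    for selector in selectors:
        dkim_ok, dkim_findings = check_dkim(txt.get(f"{selector}._domainkey.{domain}", []))
        if dkim_ok:
            break
    dmarc_ok, dmarc_findings = check_dmarc(txt.get(f"_dmarc.{domain}", []))
    if spf_ok and dkim_ok and dmarc_ok:
        tier = "Gold"
    elif spf_ok:
        tier = "Silver"
    else:
        tier = "Below Silver"
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": dmarc_ok, "email_tier": tier,
            "findings": findings + dkim_findings + dmarc_findings}


if __name__ == "__main__":
    for txt, domain in ((GOOD_TXT, "example.test"), (WEAK_TXT, "weak.test")):
        result = assess_email_controls(txt, domain, ["sel1"])
        print(domain, result["email_tier"], *result["findings"], sep="\n  ")
```

The checker treats a DMARC record with p=none as present but flags it, because a monitoring-only policy satisfies the letter of "DMARC on your email" while stopping no spoofed mail; the findings list is where the MSP conversation should start.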

I'll cover each tier in forensic detail in Tuesday's deep-dive. For now, here's the one thing you need to know upfront.

The Single Most Important Thing for UK Businesses

There is no NCSC logo on SMB1001. No UK government endorsement. It is not mentioned in any government procurement guidance. It does not appear in NCSC's own framework recommendations for SMBs.

This is a private standard, from a private body, being marketed into the UK.

That doesn't automatically make it bad. There is genuinely useful thinking in this framework, and I'll give credit where it's due across this series. But I get twitchy when I see it described as "the new Cyber Essentials" or as an insurance shortcut for UK businesses. In the UK today, it is neither.

If a public sector tender requires Cyber Essentials, an SMB1001 certificate does not satisfy it. Full stop. If your cyber insurer requires demonstrable security controls in line with NCSC guidance, SMB1001 has not been officially recognised in the UK market in the same way Cyber Essentials has.

One UK-based provider offering SMB1001 to small businesses puts it honestly: "While it isn't a UK Government scheme like Cyber Essentials, it is increasingly used by insurers and larger organisations as evidence of strong cyber hygiene, especially at Silver level and above." That's a fair characterisation. It isn't a government scheme. It is increasingly recognised. Those two things are both true.

The natural UK security pathway remains: start with Cyber Essentials, step up to Cyber Essentials Plus if clients require it, then consider IASME Cyber Assurance for governance depth, and ISO 27001 if enterprise clients demand it.

SMB1001 sits alongside that pathway as optional additional structure. Not instead of it.

So Why Are We Doing a Whole Series on It?

Because the framework has a genuine use that gets buried under the certification marketing.

SMB1001's real value, for most UK SMBs, is as a conversation tool.

Most small business owners who call their IT company and say "can you just make us secure?" get back either an incomprehensible list of technical recommendations or a vague proposal with no defined deliverables. Neither is particularly useful.

SMB1001 gives you a defined ladder. Instead of "make us secure", you can say: "I think we're roughly at Bronze level. Walk me through what Silver actually requires, give me a costed plan to get there, and tell me how long it will take." That's a very different conversation. And it's one that most small businesses have never been able to have.

Graham covers the practical MSP conversation guide in Thursday's post. That one is worth bookmarking.

The Director Accountability Angle

One thing I genuinely respect about SMB1001, and it's not something most certifications build in: a company director has to personally attest that the controls are in place for Bronze, Silver, and Gold certification. Not the IT manager. Not the MSP. A director.

Done properly, that drags real accountability into the boardroom. The director actually reads what they're signing, understands what controls should be in place, and has a personal stake in making sure they are.

Done badly, it's a director shrugging and clicking "agree" because IT said it was fine.

The standard can't force directors to engage genuinely. But it at least puts their name on the record. Given the direction of UK director liability in cyber incidents, that is not a trivial thing.

How to Turn This Into a Competitive Advantage

Use the framework language in your client conversations. If you can say to a prospective client "we operate at SMB1001 Gold level, which means we have EDR on every device, DMARC on our email, a written incident response plan, and regular staff training," that's a more specific and credible statement than "we take security seriously." Specificity wins trust.

Use it to hold your MSP to defined, measurable commitments. If your IT provider is managing your security, SMB1001's tier descriptions give you a precise checklist to verify they've actually implemented what they claim. No more "we've looked after the security side" as a complete answer.

Use it as an international trade signal. If you are working with Australian, US, Canadian, or New Zealand clients or supply chains, SMB1001 is increasingly recognised in those markets. Having Gold certification is a signal that means something in those conversations, even if it doesn't carry the same weight domestically.

Use the gap assessment honestly. Run yourself against the Bronze and Silver controls right now. Where are the gaps? Those gaps are your risk. Knowing them is genuinely useful, entirely separate from whether you ever pursue the certificate.

How to Sell This to Your Board

Most directors hear "new certification" and think "new cost." Here's how to reframe it.

The real conversation is about defined risk. SMB1001 gives you a structured map of where your security posture is and where it isn't. That is information the board should want, regardless of whether you ever pursue formal certification.

The certification fees are genuinely affordable. At the time of recording our episode, Bronze was quoted at £75 per year, Silver at £153, Gold at £310, Platinum at £467, and Diamond at £780, all exclusive of VAT. Verify current GBP pricing at cybercert.ai before budgeting. Those figures are for the certificate and platform access only: the actual cost is the IT uplift work your provider needs to do. But the framework itself is cheap.

Director personal attestation is either an opportunity or a warning. If your director is comfortable personally signing off that your business has proper backups, MFA on email, an invoice fraud policy, and regular staff training, that's reassuring. If the thought of signing that makes someone uncomfortable, that discomfort is the most accurate risk assessment you'll get.

The alternative is reactive security spending. Every business eventually spends money on cybersecurity. The only question is whether it's planned and proportionate, or whether it's emergency incident response after the fact. SMB1001 is a framework for doing it the first way.

What This Means for Your Business This Week

  1. Check whether Cyber Essentials is actually on your radar. If you need to win public sector contracts or deal with larger clients in government supply chains, Cyber Essentials is not optional. SMB1001 does not substitute for it.

  2. Have an honest look at where you sit against Bronze controls. Firewalls on all devices? Automatic patching? Daily encrypted backups stored off-site? If any of those are uncertain, that's your starting point.

  3. Listen to the full episode. Graham, Mauven, and I go deeper on each tier, the cost landscape, and specifically where the standard conflicts with NCSC guidance, which it does in at least one significant area. Worth thirty minutes of your time.

  4. Come back Tuesday. The deep-dive on each tier is where the genuinely useful detail lives. I'll go through Bronze to Diamond with specifics on what each one actually demands of you and your IT provider.

Listen to the Full Discussion

This is Part 1 of Cyber Belts: The SMB1001 Deep Dive. Part 2, the tier-by-tier technical breakdown, publishes Tuesday 17 March. Graham Falkner's practical MSP conversation guide follows on Thursday 19 March.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com