⭐100K+ Monthly Downloads

⭐Top 20 Apple Management

The Small Business Cyber Security Guy

Welcome to the blog and podcast, where we share brutally honest views, sharp opinions, and lived experience from four decades in the technology trenches. Whether you're here to read or tune in, expect no corporate fluff and no pulled punches.

Everything here is personal. These are my and the team's thoughts and opinions, forged in the heat of battle, and not those of our employers, clients, or any other professional with whom we are associated.

If you’re offended, take it up with us, not them.

What you’ll get here (and on the podcast):

  • Straight-talking advice for small businesses that want to stay secure

  • Honest takes on cybersecurity trends, IT malpractice, and vendor nonsense

  • The occasional rant — and yes, the occasional expletive

  • War stories from the front lines (names changed to protect the spectacularly guilty)

I've been doing this for over 40 years. I’ve seen genius, idiocy, and everything in between. Some of it makes headlines, and most of it should.

This blog and the podcast are where we break it all down.

Grab a coffee and pull up a chair. You need to see this!

Small Business Security | Graham Falkner

How to Use SMB1001 as a Practical Roadmap (Not Just Another Badge): A Step-by-Step Guide for UK Small Businesses

Most small businesses that call their IT company and say "can you just make us secure?" get back either an incomprehensible technical list or a vague proposal with no defined deliverables.

What they rarely get is a structured conversation about where they actually are, where they need to be, and what that journey will cost.

SMB1001's five tiers give you the framework for exactly that conversation. In this practical guide, I'll walk you through how to assess your current position honestly, choose the right target tier, build a costed plan with your IT provider, and know exactly what you're signing when attestation time comes.

Compliance &amp; Risk Management | Noel Bradford

SMB1001: What Each Tier Actually Demands of Your Business (And Where It Gets Complicated)

Bronze means firewalls and backups.

Silver means individual accounts and MFA on email.

Gold means EDR, DMARC, and a proper incident response plan.

Platinum means someone actually checks your work.

Diamond means you pay ethical hackers to break in and find the holes before real criminals do.

That's the SMB1001 ladder in five sentences.

The marketing version stops there. The version I'm giving you today includes the bit where the standard contradicts NCSC guidance on passwords, the director accountability trap most businesses walk straight into, and exactly how much this all costs.

Part 2 of Cyber Belts: The SMB1001 Deep Dive.

Compliance &amp; Risk Management | Noel Bradford

You Probably Don't Need Diamond: A Brutally Honest Introduction to SMB1001

There's a new certification in town. Five tiers, Bronze through to Diamond, annual renewal, and a price that starts at £75 a year.

It's called SMB1001, and depending on who's selling it to you, it's either the structured security roadmap your business has been waiting for, or the latest badge to stick on the website while Brenda in accounts is still using the same password she's used since 2009.

In this first episode of our Cyber Belts deep-dive series, Graham Falkner, Mauven MacLeod, and I cut through the marketing and tell you exactly what SMB1001 is, and what it isn't.

Small Business Security | Graham Falkner

From Cyber Essentials to SMB1001 — Is One Badge Ever Enough?

A week of Cyber Essentials v3.3 done. Scope reviews, cloud scoping rules, MFA for everyone, the 14-day patching window.

You now know more about CE than most IT managers I've spoken to this year.

Next Monday we zoom out. SMB1001 runs from Bronze to Diamond and was built specifically for small businesses that want a structured security roadmap beyond the CE baseline. It is not a UK government scheme, it does not carry the same procurement weight, and the two frameworks do not map neatly.

So the question is: complement or distraction? Monday's episode works through exactly that for UK SMBs with limited time and budget.

Compliance &amp; Risk Management | Noel Bradford

That Cyber Essentials Badge on Your Website: Credential or Creative Writing?

Your Cyber Essentials badge is either a credential or creative writing. There is no third option. If you certified properly, maintained your scope, kept your controls current, and can explain v3.3 to a customer without reaching for Google, it's a credential.

If your cert expired six months ago, your scope hasn't been reviewed since the original certification, your cloud services were never in scope, and you couldn't name the five controls under pressure, you're not certified. You're exposed. And post-breach, the badge on your website won't protect you. It'll be the first thing a lawyer points at.

Industry Analysis | Lucy Harper

The Certificate That Made Things Worse: A Cyber Essentials Scope Drift Case Study

By the time anyone at Meridian Advisory noticed the problem, their Cyber Essentials certificate had been renewed four times.

Each renewal had covered the same carefully defined scope: two office servers, the on-premises file share, and about fifteen managed laptops.

By 2025, the actual business ran on Microsoft 365, a cloud-based CRM, a remote project management platform, and a VoIP system. None of those were in scope.

When a credential-based breach exposed client financial data held in the CRM, the certificate did not protect them. It gave the ICO a very interesting set of questions to start with.

Small Business Security | Graham Falkner

Your 30-60 Day Cyber Essentials v3.3 Readiness Plan: A Step-by-Step Guide

Right. Noel and Mauven have told you what's changing in Cyber Essentials v3.3 and why scope failures become legal problems.

My job is the bit that comes after: what do you actually do, in what order, with realistic timelines? I have broken this into a 30-60 day plan that works for most UK SMBs, whether you're renewing before 26th April under Willow or preparing for Danzell afterwards. No tools to buy, no consultants to hire for the basics. Mostly time, a spreadsheet, and an honest look at what your IT estate actually looks like. Let's get into it.

Compliance &amp; Risk Management | Mauven MacLeod

Why SMBs Draw Their Cyber Essentials Scope Around the Comfortable Parts

After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse.

I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. And post-breach, the scope document is not filed quietly away. It becomes the first thing lawyers and insurers read.

Compliance &amp; Risk Management | Noel Bradford

Cyber Essentials v3.3: Every Change That Matters for UK Small Businesses in 2026

Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what you actually need to do before 26th April 2026. No jargon. No softening. Just the bits that matter.

Compliance &amp; Risk Management | News Desk

Cyber Essentials v3.3: Your Badge Might Already Be Lying for You

If you're flashing a Cyber Essentials badge on your website but couldn't explain the difference between Willow and Danzell without Googling it, you're not certified. You're exposed. One awkward question from a big customer, an insurer, or a regulator and that logo goes from asset to evidence.

In Season 2 Episode 10 of The Small Business Cyber Security Guy, Noel Bradford, Graham Falkner, and Lucy Harper walk through every material change in CE v3.3: scope rules, cloud scoping, FIDO2, the 14-day patching rule, and exactly what you need to sort before 26 April 2026.


The Three-Tier Cybersecurity Liability Framework: What It Means for Your Business

Yesterday's podcast proposed criminal liability for cybersecurity negligence. Today, we're dismantling the three-tier framework piece by piece so you know exactly where your business stands. Tier One protects small businesses with explicit gross negligence thresholds and Cyber Essentials safe harbour. Tier Two raises the bar for medium organisations whilst maintaining proportionate standards. Tier Three brings genuine consequences for large enterprises and public sector bodies that still can't implement MFA. This isn't fear-mongering. It's showing you precisely what reasonable care looks like at every business size so you can demonstrate compliance before anyone asks.

Podcast, Authentication Security, Industry Analysis | Mauven MacLeod

Another UK SME Wastes £20k on 'Comprehensive CyberSec': Still Gets Breached

Security vendors are playing you for fools, and they're getting rich doing it. Every week I watch UK business owners waste £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 of basic IT security.

The industry deliberately muddies the difference between InfoSec, CyberSec, and IT Security because confused customers pay premium prices for inappropriate solutions. Meanwhile, 50% of small businesses were breached in 2025, proving that expensive confusion doesn't equal protection.

Time to understand what these terms actually mean, what they really cost, and which approach keeps your business alive instead of just enriching consultants.

Stop getting fleeced.

Podcast, Authentication Security | Graham Falkner

InfoSec, CyberSec, IT Security: Vendors Are Selling You the Wrong One on Purpose


InfoSec vs CyberSec vs IT Security - Stop Wasting Money on the Wrong Protection

Every week I talk to UK business owners who've just spent £20,000 on "comprehensive cybersecurity platforms" when they needed £5,000 worth of basic IT security. Or they've paid consultants to develop "enterprise information security frameworks" for 15-person companies that can't keep Windows updated. The security industry profits from keeping you confused about InfoSec versus CyberSec versus IT Security. This week's episode cuts through the bollocks to explain what each term actually means, what they really cost, and which one will keep your business alive instead of just making consultants rich. Listen now.

Compliance &amp; Certification | Noel Bradford

Compliance Alone Is Digital Security Theatre

After decades of watching government departments wave certificates while getting breached, I'm done pretending compliance equals security. Yes, you need SOC 2 for some contracts. Yes, ISO27001 impresses procurement teams. But if you think those certificates will stop ransomware, you're living in a dangerous fantasy.

I've seen FTSE 100 companies with pristine audit reports get absolutely destroyed by basic phishing attacks.

It's time for some brutal honesty about what compliance actually protects (your contracts) versus what it doesn't (your business). Pull up a chair, this is going to sting.

Compliance &amp; Certification | Noel Bradford

ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real

Too many UK businesses trust ISO27001 and SOC 2 to keep them safe. They shouldn’t. These frameworks focus on governance, not enforcement. When ransomware hits or supply chains collapse, it’s always the same gaps: patching failures, lack of segmentation, poor endpoint hygiene.

Cyber Essentials, especially CE+, isn’t a tick-box. It’s the defensive baseline that would have saved countless organisations from disaster.

This article lays out the real problem and preaches the blunt truth: no ISO, no SOC 2, no procurement badge means a thing unless Cyber Essentials or equivalent is tested, verified, and enforced.


⚠️ Full Disclaimer

This is my personal blog. The views, opinions, and content shared here are mine and those of any contributors, and ours alone. They do not reflect or represent the views, beliefs, or policies of:

  • Our day-job employers

  • Any current or past clients, suppliers, or partners

  • Any other organisation we are affiliated with in any capacity

Nothing here should be taken as formal advice — legal, technical, financial, or otherwise. If you’re making decisions for your business, always seek professional advice tailored to your situation.

Where we mention products, services, or companies, that's based purely on our own experiences and opinions; we are not being paid to promote anything. If that ever changes, we'll make it clear.

In short: This is my personal space to share my personal views. No one else is responsible for what’s written here — so if you have a problem with something, take it up with me, not my employer.