...
Yes, it is straightforward and simple, but that does not mean that it wasn't challenging for me; it required me to make some significant changes before I could hand-on-heart attest that yes, I do do X and I do have a policy on Y.
I chose to use the Assuredly Starter Plan as I needed the platform to guide me through the process. Plus, Assuredly has excellent templates for policies that really helped (again, it's just me, I don't really need policies, but it was a great exercise to do regardless).
Info: Personal vs Business

Being a sole director company, with my main office now at home (I reluctantly had to give up my office after it shut down after the pandemic), there is a vast overlap between personal and business, especially around devices, accounts etc. So I can't separate keeping my personal data safe online from keeping my business data safe. Eg the

But unless you work for a top tier organisation that has a significant security budget and either issues you with a work device or has installed some software on your personal devices, you may want to think beyond just your personal information, and think about how you access your work through your personal devices and home computers.
I have now attained the SMB1001 Gold Certification, and the end result was that I had no increase in the cost of my cyber and business insurance, but with the added bonus of four times the cyber security coverage value I had previously, so I think that is worth it.
For me, out of the 26 controls:
10 controls I was already doing and could just check off; this includes using a password manager and MFA on all accounts.
A few of the controls needed written documentation, which, being only me, was not really necessary (I do have a business addendum to my will to address how my business will be wound down and to give my executor a head start when the situation arises). Thankfully Assuredly had templates to help me write the documents, but I still had to write parts of them and ensure they fit my business.
Three controls I needed to work on:
Admin accounts for all my services. I already had two users for Google and Microsoft from when I had a staff member. I had to sacrifice a user account on each of those services to set myself up with an Admin account, distinct from my user account. I'm not convinced there is much benefit in this given that I have MFA on both of them, but there are some things where I have to just say, yep, I agree this is best practice, and it was not a lot of money.
I was logging into my laptop with an administrator account, and yeah, I don't fully agree with not logging in as Admin every day, but the heightened risk of ransomware installs happening without my knowing makes it worthwhile. It is annoying having to enter the username and password often, but it is just a reminder as to why I'm doing this whole process.
Info: This is where we need to put the pragmatic layer over the top of these standards. I heard of a situation where a company had three staff who were "System Administrators" for their Salesforce org, but their regular accounts were not System Administrators; they would log into one separate Salesforce account as System Administrator to do any admin work. Whilst this may be the "letter of the law", it removes every aspect of the Salesforce feature of having an audit trail of who does what, and it violates the other control that every user must have their own login. So unless you are going to have two full logins for each of your three Admins (valued at around $6k per year), you have to be pragmatic, and say that the control built into Salesforce of having full audit tracking of changes made, and logging in as System Administrator, is the better option.
Backups. I had a backup set up for my regular files, but I purchased a backup plan for Google, Microsoft, and Salesforce. It wasn't that expensive, and is a good reassurance because I think losing my email would be the hardest thing to recover from for business continuity.
Digital Asset Register and secure destruction. It wasn't that I was not doing it; it was that I was overdoing it. I am on the hoarderish side of redundancy. I had three backup Android devices, two backup laptops etc. So it was a case of getting down to one known good backup device for Windows and Android, then wiping and securely disposing of the others.
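The two account-separation changes described above (an admin account distinct from the daily user account, and no longer logging into the laptop as an administrator) are worth verifying rather than assuming. The PowerShell below is an added example, not code from the original post, from SMB1001 or from Assuredly: it checks whether the current session holds an admin token, lists the members of the local Administrators group, and, if the daily account is still an administrator, prints the commands to create a separate admin-only account and demote the daily one. It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module; the account name `localadmin` is a placeholder.

```powershell
# Added example (not from the original post or from SMB1001/Assuredly).
# Audits the "don't use an admin account day to day" control on a Windows
# machine. Assumes Windows 10/11 with Microsoft.PowerShell.LocalAccounts.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only when this shell already runs with a full admin token. Under UAC a
# member of Administrators in a non-elevated shell gets a filtered token, so
# this alone would under-report; group membership is checked separately below.
$isElevated = $principal.IsInRole($adminRole)

# Who can administer this machine? Reading membership needs no elevation.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

Write-Host "Current user                 : $($identity.Name)"
Write-Host "Session holds admin token    : $isElevated"
Write-Host ""
Write-Host "Members of local Administrators:"
$admins | Format-Table -AutoSize

# The condition the control targets: the account used for daily work is itself
# a local administrator, so anything it launches can install system-wide.
# Name comparison is reliable for local accounts (COMPUTER\user); for
# Microsoft/Entra accounts the displayed name may differ, so treat as indicative.
$dailyIsAdmin = $isElevated -or ($admins.Name -contains $identity.Name)

if ($dailyIsAdmin) {
    Write-Warning "'$($identity.Name)' is a local administrator."
    Write-Host "Create a separate admin-only account, then demote this one."
    Write-Host "Run the first two lines elevated; run the removal from the new admin account:"
    Write-Host "  New-LocalUser -Name 'localadmin' -Password (Read-Host -AsSecureString 'Password')   # 'localadmin' is a placeholder name"
    Write-Host "  Add-LocalGroupMember -Group 'Administrators' -Member 'localadmin'"
    Write-Host "  Remove-LocalGroupMember -Group 'Administrators' -Member '$($identity.Name)'"
} else {
    Write-Host "OK: the daily account is a standard user. Installs and admin tasks will prompt (UAC) for the admin account's credentials."
}
```

Run it from the account you actually log in with each morning, not from an elevated shell started for the purpose; the point is to see what that account can do by default. Do not remove the daily account from Administrators until you have confirmed you can log in as the new admin-only account, or you will lock yourself out of administering the machine.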
Our flagship Dynamic Standard SMB1001
Multi-tiered cyber security certification standard for small and medium-sized businesses.
A simpler way to ISO/IEC 27001.
No one starts with a black belt. As the 'coloured belts' before the black belt, SMBs can start at their level of maturity and work towards their black belt.
Abstract
SMB1001 is a multi-tiered cyber security certification standard. This standard comprises five tiers that support an organisation in their journey of developing their cyber security hygiene from Bronze to Gold tier.
SMB1001 provides organisations of any sector with guidance for developing their cyber security hygiene. This standard has a particular awareness of small and medium-sized businesses with their needs and resources being considered in the development of SMB1001.
Meeting the highest tier of SMB1001 indicates that an organisation has implemented good cyber security measures.
Adopting SMB1001 supports organisations in their path towards meeting ISO/IEC 27001 requirements. It also supports organisations in managing the likelihood and impact of potential cyber threats.
Release: 2023, 2025
General Information
Status: Published
Publication Date: 2024-09-01
Edition: 2
Number of pages: 32
Certification Issuer:
Delve deeper into the details of SMB1001
Principles of SMB1001
To ensure SMB1001 remains relevant for SMBs, we have five principles that must be maintained in any future versions of SMB1001.
Backwards compatible
Preservation of 5-level structure
Easy to understand language
Appropriate prescriptions for each level’s SMB profile
Sector agnostic
Specific sectors can provide additional guidance alongside SMB1001 if it's required.
Promoting uptake and adoption of Essential 8 and many other frameworks.
SMB1001 has been mapped to and aligns with existing guidelines, frameworks, and standards (see Working Group), such as the Australian Signals Directorate's Essential Eight.
This means that SMBs who begin working towards complying with SMB1001 will also be starting their journey towards complying with the mapped guidelines, frameworks, and standards.
Steering Committee
Our committee actively participates in the drafting and review process, collaborating with the community and experts from the Standards and Certification Oversight Board (SCOB). Their collective efforts enable the timely publication and regular updates of Dynamic Standards.
Updates on our Steering Committee
September 1, 2023: SMB1001:2023 first published.
October 2023: First revision of the 2023 edition by the Steering Committee / call for feedback.
February 2024: Feedback reviewed by the Steering Committee.
May 2024: Feedback reviewed by the Steering Committee / final call for feedback / approved to progress to Draft.
July 2024: Draft presented to the Steering Committee.
August 2024: Draft approved by the Steering Committee / Draft approved by SCOB for release.
September 1, 2024: SMB1001:2025 published.
Annual Publication Timeline
To keep pace with cyber threats, we update our dynamic standard annually so that businesses can certify or "vaccinate" against the latest threats.
The genesis and process of creating a Dynamic Standard is guided by an Industry Steering Committee.
A draft of a standard will undergo a period of development by the Steering Committee, and several iterations of review by the community and experts from the Standards and Certification Oversight Board (SCOB), before final publication within a year.
CSCAU provides secretariat and publication support.
This process repeats annually with Steering Committees reviewing and updating the respective published Dynamic Standards.
The quicker pace of this process overcomes the relatively slower pace and bureaucracy of traditional standards development processes at national levels (close to 3 years) and at international levels (e.g., ISO) (close to 6 years), empowering certified organisations with the best strategies to prevent cyber attacks relative to the latest threat types.
Understanding SMB1001 Controls
People. Process. Technology.
CSCAU’s cyber security certifications are based on a ‘People, Process, Technology’ approach to managing cyber risk and cover five (5) core areas of focus.
Each of these areas is developed considering the common elements in existing cyber security guidelines and recommendations. These areas and their supporting controls also address common gaps and the "essential" controls recognised in existing industry surveys.
Technology Management
Access Management
Backup & Recovery
Policies, Plans & Procedures
Education & Training
Certification Requirements