

IN PROGRESS

I run a small business where I am the sole director and sole employee. I work in the technology space and help my clients with their software, business systems, and information security needs.

My business is 100% cloud, and currently earns 100% of its income via working within the cloud. There are no servers, routers, switches, or anything beyond a few computers, phones, and a few internet connections (yes, technically there is a modem/router to connect to the NBN).

So whilst the cybersecurity industry and the Australian Government maintain that Essential Eight is the base level of cybersecurity maturity, there are still parts of the Essential Eight that I cannot meet, or that just do not apply, or that are way overkill for my business. Eg:

  • Automated asset discovery (as I said, a few laptops, phones, and internet connections, plus some internet connected devices like my TV). This is not something I need automated.

  • Requests for privileged access to systems are validated - well, it’s just me. I suppose I do validate when I enter my Admin password.

  • Application Control - I run Windows 11; it is not a built-in feature, apart from UAC, and they are not talking about that.

  • Web browser security settings cannot be changed by users - again, just me, yes, I can change any setting.

  • Macros - well, you know what, I am an Excel expert from way back to Excel version 4, and yes, I may still want to create or use an occasional macro (but there are other, better ways to do things now also).

But of course I am fully all over the MFA and Backup requirements.

Sure, if you are a small business that needs to be PCI-DSS compliant, or you are legislated by APRA, then yes, you will need to start with Essential Eight, but for the rest of us, we need something simple and straightforward, and that is SMB1001.

Yes it is straightforward, and simple, but that does not mean that it wasn’t challenging for me, and required me to make some significant changes before I could hand-on-heart attest that yes I do do X and I do have a policy on Y.

I chose to use the Assuredly Starter Plan as I needed to have the platform guide me through the process. Assuredly has excellent templates for policies that really helped (again, it’s just me, I don’t really need policies, but it was a great exercise to do, regardless).

Personal vs Business

Being a sole director company, with my main office now at home (I reluctantly had to give up my office after it shut down after the pandemic), there is a vast overlap between personal and business, especially around devices, accounts etc. So I can’t separate out keeping my personal data safe online vs keeping my business data safe.


The Australian Government’s new basic message to individuals to “Act Now. Stay Secure” is good advice if you are just thinking about your personal devices (but when they tell you to “change your password” after your data has been breached and every bit of your personal information is “out there”, it’s then not so good).

But unless you work for a top tier organisation that has a significant security budget and either issues you with a work device or has installed some software on your personal devices, then you may want to think beyond just your personal information, and think about how you access your work through your personal devices and home computers.

I have now attained the SMB1001 Gold Certification, and the end result was that I had no increase in the cost of my cyber and business insurance, but with the added bonus of 4 times the cybersecurity coverage value as previously, so I think that is worth it.

For me out of the 26 controls:

  • 10 controls I was already doing and could just check off; this includes using a password manager and MFA on all accounts.

  • A few of the controls needed written documentation, which being only me was not really necessary (I do have a business addendum to my will, to address how my business will be wound down, and to give my executor a head start when the situation arises). Thankfully Assuredly had templates to help me write the documents, but I still did have to write parts of them and ensure they fit with my business.

  • Three controls I needed to work on:

Admin accounts for all my services. I already had two users for Google and Microsoft from when I had a staff member. I had to sacrifice a user account on each of those services to set myself up with an Admin account, distinct from my user account. I'm not convinced there is much benefit in this given that I have MFA on both of them, but there are some things where I have to just say, yep, I agree this is best practice, and it was not a lot of money.

I was logging into my laptop as an administrator account, and yeah, I don't fully agree with not logging in as Admin every day, but the heightened risk of ransomware installs happening without knowing makes it worthwhile. It is annoying having to enter the username and password often, but it is just a reminder as to why I'm doing this whole process.
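As an added example (not from this page, nor from SMB1001, Assuredly or CyberCert), here is a PowerShell check for the "don't work as Admin every day" control described above. It reports whether the current session is running elevated, whether the signed-in account is a direct member of the local Administrators group (the thing UAC's filtered token hides from a plain elevation check), and who else is in that group. It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module; the function names are my own.

```powershell
# Added example, not part of the original page.
# Assumes Windows 10/11 and the built-in Microsoft.PowerShell.LocalAccounts module.

function Test-SessionIsElevated {
    # True only when this PowerShell process holds the Administrators role,
    # i.e. an elevated (UAC-approved) prompt. A member of Administrators who
    # opened a normal prompt gets a filtered token and returns False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CurrentUserIsLocalAdminMember {
    # Direct group-membership check that does not depend on elevation.
    # Compares SIDs rather than names, because Microsoft-account members show up
    # under a different display name than WindowsIdentity reports.
    # Note: membership inherited through a nested domain group is not detected.
    $currentSid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $memberSids = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.SID.Value }
    return $memberSids -contains $currentSid
}

function Get-LocalAdminReport {
    # Everyone in the local Administrators group, so the owner can confirm that
    # only the dedicated admin account (plus the built-in one) is listed.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Signed in as: $currentUser"

if (Test-CurrentUserIsLocalAdminMember) {
    Write-Warning "The day-to-day account is a member of local Administrators. Anything that runs as you can be elevated with one UAC click."
} else {
    Write-Host "The day-to-day account is a standard user; admin actions will prompt for the separate admin account's credentials."
}

if (Test-SessionIsElevated) {
    Write-Warning "This PowerShell session is elevated; close it when the admin task is done."
}

Write-Host "`nMembers of the local Administrators group:"
Get-LocalAdminReport | Format-Table -AutoSize
```

Run it from a normal (non-elevated) prompt under the account you use every day: the expected outcome for this control is that the membership warning does not fire and the Administrators list contains only the dedicated admin account and the built-in Administrator (which should stay disabled).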

This is where we need to put the pragmatic layer over the top of these standards. I heard of a situation where a company had three staff who were "System Administrators" for their Salesforce org, but their regular accounts were not System Administrators; they would log into one separate Salesforce account as System Administrator to do any Admin work. Whilst this may be the "letter of the law", it removes every aspect of the Salesforce feature of having an audit trail of who does what, and it violates the other control that every user must have their own login. So unless you are going to have two full logins for each of your three Admins (valued at around $6k per year), you have to be pragmatic, and say that the control built into Salesforce of having full audit tracking of changes made, and logging in as System Administrator, is the better option.

Backups. I had a backup set up for my regular files, but I purchased a backup plan for Google, Microsoft, and Salesforce. It wasn't that expensive, and is a good reassurance because I think losing my email would be the hardest thing to recover from for business continuity.

Digital Asset Register and secure destruction: it wasn't that I was not doing it, it was that I was overdoing it. I am on the hoarderish side of redundancy. I had three backup Android devices, two backup laptops, etc. So it was a case of getting down to one known-good backup device for Windows and Android, then wiping and securely disposing of the others.


Our flagship Dynamic Standard SMB1001

Multi-tiered cyber security certification standard for small and medium-sized businesses.


A simpler way to ISO/IEC 27001.

No one starts with a black belt. As the 'coloured belts' before the black belt, SMBs can start at their level of maturity and work towards their black belt.

Abstract

SMB1001 is a multi-tiered cyber security certification standard. This standard comprises five tiers that support an organisation in their journey of developing their cyber security hygiene from Bronze to Gold tier.

SMB1001 provides organisations of any sector with guidance for developing their cyber security hygiene. This standard has a particular awareness of small and medium-sized businesses with their needs and resources being considered in the development of SMB1001.

Meeting the highest tier of SMB1001 indicates that an organisation has implemented good cyber security measures.

Adopting SMB1001 supports organisations in their path towards meeting ISO/IEC 27001 requirements. It also supports organisations in managing the likelihood and impact of potential cyber threats.

Release

2023, 2025

General Information

  • Status: Published

  • Publication Date: 2024-09-01

  • Edition: 2

  • Number of pages: 32

  • Steering Committee: SMB1001 Steering Committee

  • Certification Issuer: CyberCert

Delve deeper into the details of SMB1001

Principles of SMB1001

To ensure SMB1001 remains relevant for SMBs, we have five principles that must be maintained in any future versions of SMB1001.

  • Backwards compatible

  • Preservation of 5-level structure

  • Easy to understand language

  • Appropriate prescriptions for each level’s SMB profile

  • Sector agnostic

Specific sectors can provide additional guidance alongside SMB1001 if it's required.

Other Frameworks


Promoting uptake and adoption of Essential 8 and many other frameworks.

SMB1001 has been mapped to and aligns with existing guidelines, frameworks, and standards (see Working Group), such as the Australian Signals Directorate’s Essential Eight.

This means that SMBs who begin working towards complying with SMB1001 will also be starting their journey towards complying with the mapped-to guidelines, frameworks, and standards.

Steering Committee

Our committee actively participates in the drafting and review process, collaborating with the community and experts from the Standards and Certification Oversight Board (SCOB). Their collective efforts enable the timely publication and regular updates of Dynamic Standards.


Updates on our Steering Committee

  1. Sep 1, 2023

    SMB1001:2023 has been published.

  2. Sep 1, 2024

    SMB1001:2025 has been published.


  1. September 1, 2023

    SMB1001:2023 has been first published.

  2. October, 2023

    First revision of 2023 edition by Steering Committee / Call for feedback.

  3. February, 2024

    Feedback reviewed by Steering Committee.

  4. May, 2024

    Feedback reviewed by Steering Committee / Final call for feedback / Approved to progress to Draft.

  5. July, 2024

    Draft presented to Steering Committee.

  6. August, 2024

    Draft approved by Steering Committee / Draft approved by SCOB for release.

  7. September 2024

    SMB1001:2025 Released.


Annual Publication Timeline

To keep pace with cyber threats, we update our dynamic standard annually so that businesses can certify or "vaccinate" against the latest threats.

The genesis and process of creating a Dynamic Standard is guided by an Industry Steering Committee.

A draft of a standard will undergo a period of development by the Steering Committee, and several iterations of review by the community and experts from the Standards and Certification Oversight Board (SCOB), before final publication within a year.

CSCAU provides secretariat and publication support.

This process repeats annually with Steering Committees reviewing and updating the respective published Dynamic Standards.

The quicker pace of this process overcomes the relatively slower pace and bureaucracy of traditional standards development processes at national levels (close to 3 years) and at international levels (e.g., ISO) (close to 6 years) – empowering certified organisations with the best strategies to prevent cyber attacks relative to the latest threat types.

Understanding SMB1001 Controls

People. Process. Technology.

CSCAU’s cyber security certifications are based on a ‘People, Process, Technology’ approach to managing cyber risk and cover five (5) core areas of focus.

Each of these areas is developed considering the common elements in existing cyber security guidelines and recommendations. These areas and their supporting controls also address common gaps and the “essential” controls recognised in existing industry surveys.

  • Technology Management

  • Access Management

  • Backup & Recovery

  • Policies, Plans & Procedures

  • Education & Training


