SMB1001 is an international standard against which businesses, particularly small businesses, can self-assess and self-attest the level of the cybersecurity measures in place within their business.
There are 3 levels of SMB1001 that are based on director self-attestation, and two higher levels that require external audit. This page will focus on the 3 base levels (Bronze, Silver and Gold), and the steps to achieving Gold. Bronze allows the business to start with the basics, like patching, firewalls and anti-virus software, and then move up to the next level once it has the Silver or Gold controls in place. This step-by-step approach lets the business become progressively more focused on cybersecurity.
The Standard covers different aspects of cybersecurity, including training, backup, incidents, policies and procedures, technology, passwords, etc. It is a very well-rounded approach that most small businesses could, and probably should, achieve.
Once the business has determined it has met the requirements for one of the 3 base levels, it can apply for, and pay for, certification from CyberCert. Getting the certification is a way to show that you and your business are committed to good cybersecurity practices, both within the business and in handling the data of your customers, clients and other third parties.
For a complete DIY solution, CyberCert has a workbook that the business can work through. There are also products like Assuredly that provide a platform to guide the business through each of the controls, document them, and supply templates for policies that can be customised specifically for the business. This is what I used. Alternatively, the business may already be working with a trusted advisor (e.g. an MSP or a business solutions company like The Detail Department) who will step it through the process. Whichever approach is taken, the evidence of meeting the controls needs to be saved as part of the certification process.
The Standard: Dynamic Standards International (DSI)
“SMB1001 provides organisations of any sector with guidance for developing their cyber security hygiene. This standard has a particular awareness of small and medium-sized businesses with their needs and resources being considered in the development of SMB1001.
Meeting the highest tier of SMB1001 indicates that an organisation has implemented good cyber security measures.”
The Certifier:
Certification like this should ideally be a confirmation of what your business is already doing to protect it from cybersecurity threats.
I would love to see this certification, at the Gold level, take the place of all the irrelevant questions you are asked in your annual cyber insurance renewal.