For many small businesses, full ISO 27001 certification is out of reach — too costly, too complex for the size of the operation. SMB1001 was designed to fill that gap: a tiered cyber security standard that lets smaller organisations demonstrate real, graded maturity. Here is how it works.

Key takeaways
  • SMB1001 is a tiered cyber security standard aimed at small and medium businesses.
  • It offers progressive levels, so businesses can start small and climb.
  • It is designed to be more accessible than enterprise standards like ISO 27001.
  • Backup and recovery feature among its expected controls at the appropriate tiers.

The gap SMB1001 fills

Enterprise frameworks like ISO 27001 are thorough but demanding. For a small business with a handful of staff, the cost and effort of achieving certification can be out of proportion to the size of the operation, yet those businesses still need to demonstrate that they take security seriously, often to win work or to satisfy a partner's supplier requirements. SMB1001 is built for exactly that situation: a standard scaled to smaller organisations.

How the tiers work

The defining feature of SMB1001 is that it is tiered. Rather than a single pass/fail bar, it defines progressive levels of cyber maturity. A business can certify at an entry tier and climb as its capability grows. This graded approach means security improvement is a journey with recognisable milestones, not an all-or-nothing leap.

Why a graded model helps

  • It gives small businesses an achievable starting point.
  • It creates a roadmap — each tier is a concrete next step.
  • It lets businesses demonstrate progress to customers and partners along the way.
  • It keeps cost and effort proportionate to business size and risk.

Where it sits among other frameworks

Think of SMB1001 as an accessible on-ramp. It complements rather than replaces the Essential Eight, the Australian Signals Directorate's prioritised set of technical mitigations, and it can be a stepping stone toward heavier standards such as ISO 27001 later. The common thread across all of them is fundamentals done consistently.

Backups, naturally, are in scope

As with every credible framework, recovery is part of the picture: maintaining backups and being able to restore from them is expected as businesses progress through the tiers. The two qualifiers that matter are independent and tested. Independent means the backup copy lives somewhere the production systems, and anyone who compromises them, cannot reach or overwrite, so a ransomware incident does not take the backup with it. Tested means you have actually restored from it and checked the restored data, not merely read a "job completed" status from the backup software. Getting such a backup of your critical data in place early means you satisfy this expectation from the outset, and it remains one of the simplest controls to implement well.
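The "tested" part is what most small businesses skip. As an added illustration (example code written for this article, not SMB1001 material and not any vendor's tooling), the Python below backs up a constructed set of files, records a SHA-256 digest of each file at backup time, restores the archive into a separate directory and verifies every restored file against those digests. The directory names, file names and file contents are made up for the example; a real restore test points at the actual backup archive and a scratch location.

```python
"""Restore test for a backup archive (added example, not part of SMB1001).

Flow: write constructed sample data -> back it up to a tar.gz and record a
SHA-256 manifest -> restore the archive somewhere else -> compare every
restored file with the manifest. A clean restore yields no problems; a
corrupted or missing file is reported, which a "job succeeded" status from
backup software would not tell you.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a small business's critical files.
SAMPLE_FILES = {
    "accounts/invoices-2024.csv": b"id,customer,amount\n1,ACME,120.00\n2,Globex,80.50\n",
    "hr/staff.txt": b"Alice\nBob\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX separators) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and return the manifest captured at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into a fresh directory, never over live data."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths and ../ traversal
            # (Python 3.12, backported to maintained 3.8-3.11 releases).
            tar.extractall(target, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(target)


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Return problems found; an empty list means the restore matches."""
    problems: list[str] = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in manifest)
    return problems


def run_restore_test(fault: str | None = None) -> list[str]:
    """End-to-end backup/restore/verify on constructed data.

    fault="corrupt" alters a restored file and fault="delete" removes one,
    to show that the hash comparison catches both failure modes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, archive, dst = base / "live", base / "backup.tar.gz", base / "restore"
        write_sample_data(src)
        manifest = backup(src, archive)
        restore(archive, dst)
        if fault == "corrupt":
            (dst / "hr" / "staff.txt").write_bytes(b"Alice\nMallory\n")
        elif fault == "delete":
            (dst / "config" / "app.ini").unlink()
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("corrupted restore:", run_restore_test("corrupt"))
    print("incomplete restore:", run_restore_test("delete"))
```

Keep the manifest with the backup but also somewhere the backup system cannot modify, so that a compromised backup host cannot rewrite both the archive and the record you check it against. Running this kind of restore test on a schedule, against the real archive and into a scratch directory, is the evidence that a backup is "tested" rather than merely "configured".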