SecurSentry
← Essential Eight hub
Essential Eight

Essential Eight vs SMB1001: Where Should You Start?

Two well-known Australian cyber baselines doing two very different jobs. Here's how to tell which one your small business should reach for first.

The short version

If you run a small business in Australia and you’ve started looking into cyber security, you’ve probably bumped into two names: the Essential Eight and SMB1001. They get mentioned in the same breath, so it’s easy to assume they’re rivals and that you have to pick one. You don’t. They’re built to do different jobs, and once you see the difference you can stop spinning your wheels and start making real progress.

This piece lays out, in plain terms, what each one actually is, where each one fits, and a sensible place to begin for a small Australian business weighing up SMB1001 against the Essential Eight. Neither is better than the other. They answer different needs.

What is the Essential Eight?

The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate’s ACSC, designed as a baseline to make it much harder for an attacker to compromise your systems.

It isn’t a certificate. There’s no badge at the end. It’s a list of eight things to get right, plus a way of grading how thoroughly you’ve done them. The eight strategies are:

You measure yourself against these using the Essential Eight Maturity Model, which runs from Maturity Level Zero (little or nothing in place) up to Maturity Level Three (fully and consistently implemented). ML1 is aimed at attackers using basic, widely available techniques; ML2 raises the bar against more capable adversaries; ML3 targets well-resourced, determined attackers. One important detail: the ACSC expects all eight strategies to be implemented to a given level before you can claim that level. Your overall maturity is set by your weakest strategy. For a fuller walk-through, see the eight strategies explained and the maturity levels explained.

It's a baseline, not a certification

The ACSC is clear that the Essential Eight is not something you get "certified" in the way you would ISO/IEC 27001 or SOC 2. You assess your own maturity. That's a strength, because you can start improving today without waiting on anyone, but it also means there's no third-party stamp at the end to wave at a customer.

What is SMB1001?

SMB1001 is a tiered cyber security certification standard built specifically for small and medium businesses, where you progress through five named levels — Bronze, Silver, Gold, Platinum and Diamond.

Where the Essential Eight is a technical checklist you grade yourself against, SMB1001 is a standard you certify against. You achieve a tier, and that tier is something you can point to. It’s a maintained standard (the current edition is SMB1001:2026), deliberately designed around the realities of smaller organisations rather than the heavier enterprise frameworks that can be daunting for a business of a handful of people.

The five tiers build on one another:

A key practical detail: the lower three tiers, Bronze, Silver and Gold, are achieved by self-attestation from a business owner or director, while Platinum and Diamond require independent external verification. That tiered approach is the whole point. A two-person business can sensibly aim for Bronze. A larger or more security-conscious operation can climb toward Diamond as it grows.

The Essential Eight tells you what to harden. SMB1001 gives you a level you can prove. Most small businesses end up wanting both.

How they overlap, and where they differ

The two frameworks cover a lot of the same practical ground, but they differ in their core purpose: one is a self-graded technical baseline, the other is a recognised, tiered credential.

Look at SMB1001’s foundational Bronze tier (firewalls, backups, automatic updates, antivirus, basic password hygiene) and you’ll see a strong family resemblance to the Essential Eight. That’s no accident. SMB1001 is designed around the same everyday fundamentals that the Essential Eight prioritises, so the work rarely competes. Harden your patching and your backups, and you move forward on both at once.

The real difference is in what you get out the other end:

There’s also a difference in who’s checking. With the Essential Eight, you’re the assessor. With SMB1001’s Bronze, Silver and Gold, you’re still self-attesting as a director or owner, but it’s a formal attestation against a published standard. Step up to Platinum or Diamond and an independent assessor is involved, which is where the assurance becomes genuinely external.

So which should you start with?

For most small Australian businesses, the sensible order is to do the practical security work first (much of which the Essential Eight describes), then pursue an SMB1001 tier when you have a concrete reason to prove your posture.

It helps to be honest about why you’re doing this in the first place.

If your goal is to genuinely be harder to attack, start with the hands-on work. The Essential Eight is a brilliant map of what matters: get multi-factor authentication on, get patching under control, sort your backups, restrict who’s an administrator. None of this requires you to buy into a certification scheme, and every step makes you measurably safer. A simple self-assessment checklist is a good way to see where you stand today.

If your goal is to prove your security to someone else (a customer asking awkward questions, a tender requiring evidence, an insurer wanting reassurance) then a certification you can name matters, and that’s SMB1001’s territory. Bronze is an achievable first rung for a small business, and because it overlaps so heavily with Essential Eight fundamentals, the technical work you’ve already done counts toward it.

You don't have to choose forever

Starting with the Essential Eight's practical work doesn't lock you out of SMB1001 later, and aiming for SMB1001 Bronze doesn't mean abandoning the Essential Eight. The lower SMB1001 tiers and the Essential Eight baseline pull in the same direction: better day-to-day security. Pick the entry point that matches your immediate need, and let the overlap carry you.

The trap to avoid is treating this as a fork in the road where one path cancels the other. It isn’t. The Essential Eight is the substance, the actual hardening of your systems. SMB1001 is a way to package and prove that substance at a level that suits your size. A small business that quietly works through the Essential Eight fundamentals is, almost by definition, ready to start climbing the SMB1001 tiers when the need arises.

A practical takeaway

If you’re not sure where to begin, start with the everyday security work that underpins both: multi-factor authentication, reliable updates, locked-down admin accounts and backups you’ve actually tested.

Don’t let the two acronyms paralyse you. That everyday work is the heart of the Essential Eight, and it’s the heart of SMB1001 Bronze too. The certification tier can follow once you know why you need it: a tender, a supplier requirement, an insurer’s question.

Getting these controls in place is rarely as hard as the jargon makes it sound. It’s a sequence of sensible, ordinary steps, taken in a sensible order. For a deeper look at how the pieces fit together, the Essential Eight topic guide breaks each strategy down into plain English, and the eight strategies explained walks through them one at a time so you can get moving today.

Frequently asked questions

Is SMB1001 the same as the Essential Eight?

No. The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate, scored against maturity levels you assess yourself. SMB1001 is a separate tiered certification standard built for small and medium businesses, where you achieve a named level such as Bronze or Gold. They cover overlapping ground but do different jobs.

Is the Essential Eight a certification?

No. The ACSC is explicit that the Essential Eight is a baseline, not a certification you achieve in the way you would ISO/IEC 27001 or SOC 2. You measure your own maturity against it, from Maturity Level Zero to Maturity Level Three. If you need a credential to show a customer, that's where a certification standard such as SMB1001 comes in.

What are the SMB1001 tiers?

SMB1001 has five levels: Bronze, Silver, Gold, Platinum and Diamond, each building on the one before. Bronze, Silver and Gold are achieved by self-attestation from a business owner or director; Platinum and Diamond require independent external verification.

Which should an Australian small business do first?

For most small businesses, the practical answer is to do the hands-on security work first (much of which the Essential Eight describes) and pursue an SMB1001 tier when you have a concrete reason to prove your posture, such as a tender, a supplier requirement or an insurer. The two reinforce each other.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Essential Eight

The Essential Eight Checklist for Australian Small Business

28 Jun 2026 · 7 min
Essential Eight

The Essential Eight Controls, Explained Simply

28 Jun 2026 · 7 min
Essential Eight

Essential Eight Maturity Levels (ML1–ML3), Explained

28 Jun 2026 · 7 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.