Essential Eight vs SMB1001: Where Should You Start?
Two well-known Australian cyber baselines doing two very different jobs. Here's how to tell which one your small business should reach for first.
The short version
- Different jobs: The Essential Eight is a technical baseline you measure yourself against (maturity levels ML0–ML3). SMB1001 is a tiered certification standard (Bronze through Diamond) built specifically for small and medium business.
- Not a contest: Neither is 'better'. The Essential Eight tells you what to harden; SMB1001 gives you a recognised tier you can show a customer or insurer.
- A sensible start: Most small Australian businesses begin with the practical security work the Essential Eight describes, then pursue an SMB1001 tier if they need something to prove.
- They overlap: SMB1001's lower tiers cover much of the same ground as the Essential Eight, so progress on one is rarely wasted on the other.
If you run a small business in Australia and you’ve started looking into cyber security, you’ve probably bumped into two names: the Essential Eight and SMB1001. They get mentioned in the same breath, so it’s easy to assume they’re rivals and that you have to pick one. You don’t. They’re built to do different jobs, and once you see the difference you can stop spinning your wheels and start making real progress.
This piece lays out, in plain terms, what each one actually is, where each one fits, and a sensible place to begin for a small Australian business weighing up SMB1001 against the Essential Eight. Neither is better than the other. They answer different needs.
What is the Essential Eight?
The Essential Eight is a set of eight technical mitigation strategies published by the Australian Signals Directorate’s ACSC, designed as a baseline to make it much harder for an attacker to compromise your systems.
It isn’t a certificate. There’s no badge at the end. It’s a list of eight things to get right, plus a way of grading how thoroughly you’ve done them. The eight strategies are:
- Application control — only approved software can run
- Patch applications — keep your apps up to date
- Patch operating systems — keep Windows, macOS and the like current
- Configure Microsoft Office macro settings — block the macros attackers abuse
- User application hardening — turn off risky features in browsers and apps
- Restrict administrative privileges — limit who has the keys to everything
- Multi-factor authentication — a second step beyond a password
- Regular backups — so you can recover if the worst happens
You measure yourself against these using the Essential Eight Maturity Model, which runs from Maturity Level Zero (little or nothing in place) up to Maturity Level Three (fully and consistently implemented). ML1 is aimed at attackers using basic, widely available techniques; ML2 raises the bar against more capable adversaries; ML3 targets well-resourced, determined attackers. One important detail: the ACSC expects all eight strategies to be implemented to a given level before you can claim that level. Your overall maturity is set by your weakest strategy. For a fuller walk-through, see the eight strategies explained and the maturity levels explained.
It's a baseline, not a certification
The ACSC is clear that the Essential Eight is not something you get "certified" in the way you would ISO/IEC 27001 or SOC 2. You assess your own maturity. That's a strength, because you can start improving today without waiting on anyone, but it also means there's no third-party stamp at the end to wave at a customer.
What is SMB1001?
SMB1001 is a tiered cyber security certification standard built specifically for small and medium businesses, where you progress through five named levels — Bronze, Silver, Gold, Platinum and Diamond.
Where the Essential Eight is a technical checklist you grade yourself against, SMB1001 is a standard you certify against. You achieve a tier, and that tier is something you can point to. It’s a maintained standard (the current edition is SMB1001:2026), deliberately designed around the realities of smaller organisations rather than the heavier enterprise frameworks that can be daunting for a business of a handful of people.
The five tiers build on one another:
- Bronze — foundational defences such as firewalls, backups, automatic updates, antivirus and basic password practices
- Silver — broader, more consistent security policies across the business
- Gold — stronger measures such as endpoint protection, email authentication, an incident response plan, an asset register and staff training
- Platinum — independent external verification begins, for higher assurance
- Diamond — the highest tier, with the most rigorous testing and ongoing external verification
A key practical detail: the lower three tiers, Bronze, Silver and Gold, are achieved by self-attestation from a business owner or director, while Platinum and Diamond require independent external verification. That tiered approach is the whole point. A two-person business can sensibly aim for Bronze. A larger or more security-conscious operation can climb toward Diamond as it grows.
The Essential Eight tells you what to harden. SMB1001 gives you a level you can prove. Most small businesses end up wanting both.
How they overlap, and where they differ
The two frameworks cover a lot of the same practical ground, but they differ in their core purpose: one is a self-graded technical baseline, the other is a recognised, tiered credential.
Look at SMB1001’s foundational Bronze tier (firewalls, backups, automatic updates, antivirus, basic password hygiene) and you’ll see a strong family resemblance to the Essential Eight. That’s no accident. SMB1001 is designed around the same everyday fundamentals that the Essential Eight prioritises, so the work rarely competes. Harden your patching and your backups, and you move forward on both at once.
The real difference is in what you get out the other end:
- The Essential Eight gives you a clear-eyed, self-assessed picture of your technical posture, scored ML0–ML3. No certificate, but no waiting and no audit fee to begin improving.
- SMB1001 gives you a recognised tier: a named, defensible credential you can put in front of a customer, a tender panel or an insurer.
There’s also a difference in who’s checking. With the Essential Eight, you’re the assessor. With SMB1001’s Bronze, Silver and Gold, you’re still self-attesting as a director or owner, but it’s a formal attestation against a published standard. Step up to Platinum or Diamond and an independent assessor is involved, which is where the assurance becomes genuinely external.
So which should you start with?
For most small Australian businesses, the sensible order is to do the practical security work first (much of which the Essential Eight describes), then pursue an SMB1001 tier when you have a concrete reason to prove your posture.
It helps to be honest about why you’re doing this in the first place.
If your goal is to genuinely be harder to attack, start with the hands-on work. The Essential Eight is a brilliant map of what matters: get multi-factor authentication on, get patching under control, sort your backups, restrict who’s an administrator. None of this requires you to buy into a certification scheme, and every step makes you measurably safer. A simple self-assessment checklist is a good way to see where you stand today.
If your goal is to prove your security to someone else (a customer asking awkward questions, a tender requiring evidence, an insurer wanting reassurance) then a certification you can name matters, and that’s SMB1001’s territory. Bronze is an achievable first rung for a small business, and because it overlaps so heavily with Essential Eight fundamentals, the technical work you’ve already done counts toward it.
You don't have to choose forever
Starting with the Essential Eight's practical work doesn't lock you out of SMB1001 later, and aiming for SMB1001 Bronze doesn't mean abandoning the Essential Eight. The lower SMB1001 tiers and the Essential Eight baseline pull in the same direction: better day-to-day security. Pick the entry point that matches your immediate need, and let the overlap carry you.
The trap to avoid is treating this as a fork in the road where one path cancels the other. It isn’t. The Essential Eight is the substance, the actual hardening of your systems. SMB1001 is a way to package and prove that substance at a level that suits your size. A small business that quietly works through the Essential Eight fundamentals is, almost by definition, ready to start climbing the SMB1001 tiers when the need arises.
A practical takeaway
If you’re not sure where to begin, start with the everyday security work that underpins both: multi-factor authentication, reliable updates, locked-down admin accounts and backups you’ve actually tested.
Don’t let the two acronyms paralyse you. That everyday work is the heart of the Essential Eight, and it’s the heart of SMB1001 Bronze too. The certification tier can follow once you know why you need it: a tender, a supplier requirement, an insurer’s question.
Getting these controls in place is rarely as hard as the jargon makes it sound. It’s a sequence of sensible, ordinary steps, taken in a sensible order. For a deeper look at how the pieces fit together, the Essential Eight topic guide breaks each strategy down into plain English, and the eight strategies explained walks through them one at a time so you can get moving today.