SMB1001:2026 Gold Certification – What’s new for MSPs and clients

Developed by Dynamic Standards International (DSI), SMB1001 provides a flexible, tiered framework for small and medium-sized businesses (SMBs) to enhance their cyber resilience.

Any useful standard must evolve to reflect current technology and user behaviours, and cybersecurity is one area where these change rapidly. A new SMB1001 standard will be introduced in 2026, including updates such as responsible AI use, stronger email security controls, and expanded requirements for contractor and third-party agreements.

In this article we focus on the Level 3 – or Gold – standard, which we believe should be the minimum level attained by MSPs to best service SMB clients.

Key changes to the Gold Requirements

SMB1001:2026 tightens the screws at Gold, moving the bar from 23 to 27 required controls and shifting several items earlier in the maturity path. For Australian MSPs this isn’t just paperwork: it changes what you should be deploying, and what you should be advising clients on, right now.

1) Technology Management

  • New mandatory control 1.12.0.0 Implement Endpoint Detection and Response expects continuous telemetry, behavioural detection and automated response (not just antivirus).
  • Server patching (1.6.0.1) is still required for Gold but is now also required for Silver.

GOOD NEWS: The EDR requirements for Gold certification are all covered by Guardz unified cybersecurity platform.

2) Access Management

  • There is a new email control 2.12.1.0 Email Authentication and Anti-Spoofing: SPF + DKIM + DMARC with policy p=reject or p=quarantine. This means you must implement a robust set of technical controls to verify the authenticity of your outgoing emails to prevent email “spoofing” and protect the recipients of your emails.
  • Password control updated to 2.1.0.1 Ensure strong password hygiene (passphrases, change-after-incident).
  • Password manager requirement 2.4.1.1 now requires a centrally managed solution with MFA and auditing.
  • Remote Desktop Protocol control 2.7.0.1 has been tightened to require centrally managed, business-grade VPNs or application proxies.

3) Backup & Recovery

  • Cyber insurance 3.2.0.0 is now mandatory for Gold.
  • Backup strategy 3.1.0.1 now starts at Bronze and explicitly requires at least one offline, isolated backup copy for ransomware protection.

4) Policies, Processes & Plans

  • Reflecting the significant adoption of generative AI in the workplace, there is a new AI policy 4.11.0.0 requiring AI data governance, risk and security rules.
  • Confidentiality agreements (4.1.0.1) have been expanded to contractors and third parties.
  • Invoice-fraud policy (4.2.0.1) adds prescriptive controls including dual verification for bank detail changes and dual sign-off on large payments.

5) Education & Training

  • Basic cybersecurity awareness (5.1.0.0) is now required for Bronze.
  • Gold (5.1.1.0) requires an ongoing, continuous awareness campaign with annual policy reviews.

Impact for MSPs and clients

If it feels like the bar is continually moving, that’s because it is. Bad actors leveraging AI-powered ransomware-as-a-service don’t care about your certification level. They will continue to change their approach to get ahead of cybersecurity measures, and we have to keep up to maintain security for our clients.

  1. EDR becomes a must-sell / must-manage. Clients will need EDR deployed, tuned, and integrated into monitoring/incident playbooks. If you don’t already offer managed EDR, this is the moment to add it — including alert triage and response runbooks mapped to SMB1001 control 1.12.0.0.
  2. Email hygiene is non-negotiable. DMARC enforcement means helping clients through SPF/DKIM alignment and staged DMARC rollout. Expect to handle false positives and supplier-signed email exceptions. The standard explicitly notes that implementing a DMARC enforcement policy of p=reject or p=quarantine is a “complex process” that requires careful monitoring to avoid blocking legitimate email and getting business users offside.
  3. Password posture shifts from cadence to quality. Move clients from routine rotation to passphrase + breach-detection + central password manager (2.4.1.1) with MFA and auditing.
  4. Backups must include offline isolation. Confirm the backup architecture provides an immutable or air-gapped copy, test restores, then document these tests for certification evidence (3.1.0.1).
  5. Insurance needs earlier attention. Bring cyber/business insurance conversations forward. Capture required evidence and discuss policy scope and exclusions (3.2.0.0).
  6. Company policies must cover AI and third parties. Update your templates to include AI governance, expand NDAs to contractors/third parties, and implement invoice fraud controls.
  7. Training is now foundational. Implement basic awareness at onboarding/Bronze and run continuous campaigns for Gold clients. We shouldn’t need a standard to make us do this, it’s basic CYA and it’s good for everyone.
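The email authentication control (2.12.1.0) and the staged DMARC rollout described in point 2 above are the kind of thing an MSP will want to check across a client base rather than eyeball domain by domain. The script below is an added example, not part of this article or of any DSI or Manage Protect tooling: it parses SPF and DMARC TXT records and reports whether the DMARC policy is at the p=reject or p=quarantine enforcement the standard requires, plus the rollout warnings a reviewer would normally raise (pct below 100, no rua= reporting address, sp=none on subdomains, SPF over the 10-lookup limit or without a restrictive terminal mechanism). The records are constructed sample values, not real domains, and the extra warnings beyond the policy check are our own assumptions about what a rollout review should flag, not wording from the standard.

```python
"""Assess SPF and DMARC TXT records against the enforcement requirement of
SMB1001 control 2.12.1.0 (DMARC policy p=reject or p=quarantine).

Added example. The sample records are constructed for this script. Live
records are fetched from the domain's TXT record (SPF) and from the
_dmarc.<domain> TXT record (DMARC) before being passed to these functions.
"""

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208,
# which caps an SPF evaluation at 10 lookups before returning permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, whether it enforces, and any review findings."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    enforcing = policy in ("reject", "quarantine")
    if policy == "none":
        findings.append("p=none only monitors; Gold requires p=reject or p=quarantine")
    elif not enforcing:
        findings.append(f"missing or unrecognised policy tag: {policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if enforcing and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail (staged rollout still in progress)")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are needed to monitor the rollout")
    if enforcing and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    return {"policy": policy, "pct": pct, "enforcing": enforcing,
            "fully_enforced": enforcing and pct == 100, "findings": findings}


def assess_spf(record: str) -> dict:
    """Check an SPF record's terminal qualifier and DNS-lookup budget."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("record must begin with v=spf1")
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier and any argument to get the bare mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("-all", "~all"):
        terminal = last
    elif last in ("+all", "all"):  # bare "all" carries an implicit + qualifier
        terminal = "+all"
        findings.append("+all authorises every sender; SPF provides no protection")
    elif last == "?all":
        terminal = last
        findings.append("?all is neutral; spoofed mail is not penalised")
    else:
        terminal = None
        findings.append("no terminal all mechanism; unlisted senders are treated as neutral")
    return {"lookups": lookups, "terminal": terminal, "findings": findings}


# Constructed sample records for three stages of a DMARC rollout.
SAMPLE_DMARC = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "staged": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
}
SAMPLE_SPF = "v=spf1 include:_spf.example.com include:spf.mailvendor.example mx -all"


if __name__ == "__main__":
    for stage, rec in SAMPLE_DMARC.items():
        result = assess_dmarc(rec)
        status = "meets 2.12.1.0" if result["fully_enforced"] else "NOT yet enforced"
        print(f"{stage:13s} p={result['policy']:<10s} {status}")
        for finding in result["findings"]:
            print(f"    - {finding}")
    spf = assess_spf(SAMPLE_SPF)
    print(f"SPF: {spf['lookups']} lookups, terminal {spf['terminal']}, findings {spf['findings']}")
```

In practice you would pull each client domain's `_dmarc` TXT record with your resolver of choice and feed the string to `assess_dmarc`; the `findings` list is what goes into the certification evidence or the remediation ticket. Treating `pct` below 100 as "not yet fully enforced" is a deliberate choice so that a staged rollout is tracked to completion rather than ticked off at the first p=quarantine.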

Final note

SMB1001:2026 raises technical and governance expectations.

For Australian MSPs this is both an opportunity (new managed services) and a responsibility (helping clients avoid compliance gaps).

Manage Protect can help you create and deliver SMB1001 compliance packages: managed EDR + backups assurance + DMARC + policy templates + training according to your clients’ requirements. Speak to one of our team to get started.
