Discover more about the SMB1001 framework and how it can be leveraged to strengthen your service offerings geared towards SMBs.
Discover more about the SMB1001 framework and how it can be leveraged to strengthen your service offerings geared towards SMBs.
Speakers: Raul, Director, inforcer ANZ · Ryan Etridge, Co-founder & CEO, Cybersert · Nathan, Head of Cloud Enablement, inforcer ANZ
Raul
Hello everyone. We've got a few people still joining, but for everyone that's here, let's get going. We'll do some intros first, and that will let the stragglers come on in.
Thanks so much for joining. First of all, some intros. Myself — I'm the Director for inforcer ANZ, based out of Melbourne. I first came across SMB 10001 when we ran a Microsoft event earlier this year in Sydney, and a lot of partners were coming up to us asking about this framework. Naturally, the more partners that ask us to build baselines to align their 365 environments to a certain framework, the more likely we are to investigate it.
So we had Nathan, who's our Head of Cloud Enablement, reach out to try and understand what this framework is. Then a person by the name of James Davis, who a lot of you are probably familiar with, introduced us to Ryan from Cybersert. He really helped us along in building out the standards and understanding what SMB 10001 is, and how we can help partners align their 365 environments to that framework.
Then we thought, why don't we run a webinar, because we're getting more and more interest in this space? And that brings us here. So, Ryan, I'll let you do a quick intro to yourself.
Ryan
Thanks, Raul, nice intro. Good to be here, and good to see plenty of people on the call. I'm keen to get the questions and answers happening.
So, Ryan Etridge, Co-founder and CEO of Cybersert. Almost 21 years in cyber security, with the first 18 years of that in enterprise cyber security — contributing to some of the standards that exist in regulation and legislation, as a PwC partner for seven years. Techie background.
I jumped into the SMB space a couple of years ago and noted very quickly that whatever was developed for enterprise actually isn't working for small businesses, because they don't have the desire to be cyber experts. They don't have the resources or the budget. So really the approach has to change, and that's the power of SMB 10001 and the certification that goes along with it, which is 100% community powered. So, pleasure to be here. I'm looking forward to the Q&A. Thanks, Raul.
Raul
Brilliant. And Nathan.
Nathan
Yeah, thanks, Raul. So I'm the Head of Cloud Enablement for Australia and New Zealand for inforcer. My background is very much in the MSP space. I worked for a couple of different MSPs and ended up as a Solutions Architect before moving into inforcer and making the jump into vendor land.
Very much keen on cyber security — I know Essential 8 inside out and back to front, and a lot of the other frameworks. I've enjoyed getting to know SMB 10001, and hopefully I can help make SMB 10001 adoption a lot easier for you.
Raul
Brilliant. There are only three or four slides, so really the agenda is a lot of open Q&A: with Ryan on the fundamentals of the framework — what is it, why should an MSP consider it, and how can you use it to differentiate your services — then we'll bring Nathan in around how to standardize and protect your customers' 365 environments. There's a little live demo in there as well, and then we'll leave time for Q&A.
For everyone, a bit of housekeeping: there's a chat and Q&A in this Teams webinar. It's always better when it's a bit more interactive, so don't be shy — fire questions away as you go and we'll try to get to them as and when they come up. The first question usually is: will there be a recording? Yes, there'll be a post-webinar summary where we'll send the recording through as well.
Okay, let's get into it. So, Ryan, why was SMB 10001 developed, and what makes it different from all the other cyber security standards out there?
Ryan
SMB 10001 is specifically designed for the SMB. And the SMB is not one-size-fits-all. There's an S and there's an M in SMB, and there are lots of different S's and lots of different M's. The definition ranges from the sole trader that has an ABN in Australia, an NZBN, and so on, who turns over revenue — that can be the sole trader, the hairdresser, the very low-risk, low-digital-maturity business — through to 200 seats, 250 seats, a hundred million turnover, medium-sized business.
Across the range of that in Australia, for example, of the two and a half million small businesses that are registered, about a million of them turn over revenue. So there's a million small businesses in the addressable market in Australia alone. And there needs to be a standard and a model that actually allows small businesses to find a fit-for-purpose list of cyber capabilities that suits them, proportionate to their risk profile, their industry, and the sector they work in.
So SMB 10001 has five tiers in it — tier 1, 2, 3, 4, 5 — and they translate at Cybersert, which is the certification body against the standard, to bronze, silver, gold, platinum and diamond.
Now, small businesses are not cyber experts. It's not their job, it's not their intention, it's not their desire to become cyber security experts. It's like operating a washing machine: they are the operators of the washing machine, not the technicians. They have a responsibility to know how to use it, but it's not their responsibility to know how to fix it, or to build it in the first place.
So SMB 10001, requirement number one at all of the levels, is that you must have someone who can spell cyber. You must have a technical support specialist who can help you build, implement, and verify that the cyber controls are doing what they're supposed to be doing to the standard. Only then will Cybersert issue the certification to the small business.
The first three levels are company-director attested — self-attested, but a legal instrument that says, "Yes, hand on heart, as a legal instrument, we have done the six controls in bronze, 14 in silver, 23 in gold," and so on.
If you think about the role of the standard and certification, it's to remove subjectivity. Across the range of SMBs there are thousands of MSPs — depending on who you talk to, 9,000 across Australia and New Zealand — that also have a maturity of readiness and cyber security expertise. If you talk to one expert versus another, there's a little bit of subjectivity: "I prefer this blue one," "I prefer the firewall first," "I prefer the awareness training first."
So the standard, with 20 experts who represent cyber security and SMBs on the steering committee of DSI, the standards body — their job is to set the rules. We know at bronze the six fundamental controls will shut the front door to the most common cyber threats to SMBs. We know at silver it's the 14 controls that are the most common cyber insurance underwriting criteria. At gold, the 23 controls are the most common and effective controls that will help a small business demonstrate compliance to the most common compliance criteria in privacy, reasonable steps, and so on.
So what it does is remove the subjectivity away from the "what do I need to do?" It defines the program of work for the MSPs to help the SMBs, and then certification shows the SMB that the standard has been met. It's a demonstrable way that the SMB can know it's being done, but doesn't need to know how it's being done.
Raul
Okay. I think you've somewhat answered my next question, but just to be clear: so many partners that we speak to might be launching a new compliance service, and then they're trying to decide what to align their customers to. If someone put that question to you — why would you pick SMB 10001 and not something like the Essential 8, for instance — what would you say?
Ryan
Essential 8 was never designed for the small business at the centre. It was designed for government agencies, typically with a Windows-based environment. But it has been the de facto for small businesses because there hasn't been anything else, until SMB 10001.
However, if there is a contractual mandate that still requires an SMB to meet the Essential 8 as part of DISP or some other government agency requirement, then SMB 10001 isn't going to replace that. It is up to the receiving agency — the enterprise, the government, and so on — to actually recognize SMB 10001 certification, and more and more are doing it. But until that happens, Essential 8 is a contractual mandate that SMBs actually need to follow. So rule number one: if there is a contractual mandate for something else, do that until the recipient has actually accepted something else.
The second rule is, when you get a bit larger and more sophisticated and complex than 200, 300, 400 seats, often there are multiple risk profiles — marketing, technology, finance, sales, executive committee. That's what ISO is designed for. It's a risk-based risk-management system. You certify the management system, and you have the skills within that size organization, usually, to assess the risk, accept the risk, treat the risk, and so on.
Below that, however — this is like everything else. If you can imagine those standards, which I love, by the way; I used to do ISO for many years — SMB 10001 is the sand in the jar that surrounds all the other mandates. It fills the gaps. It can act as the bridge towards those for some of the businesses that are moving towards a larger, more complex environment. But for all of those that don't have a contractual mandate and are not enterprises, SMB 10001 often fills the gap, and if they are moving, can provide the pathway to other standards and even alignments.
If you go onto the DSI website, there's a standards mapping section under the menu item now, which shows you how the five different SMB 10001 levels map to Essential 8, the different maturity levels in Essential 8, CIS, CMMC, Singapore, and so on. So that's how I would position it.
Raul
Okay. Let's say you've convinced me — I run an MSP. What's the process? How do I get certified? How do I get my customers certified?
Ryan
SMB 10001 defines the requirements to get to each of the levels, so you can guide your clients to certification readiness — only Cybersert issues them. The MSP doesn't issue the certification; you just guide them to readiness.
You sign up at partners.cybersert.ai/msp. It doesn't cost you anything to sign up. Follow the bouncing ball — all of the resources are inside the dashboard once the MSP signs up. That's the toolkits, the branding resources to help you market, the academy we call Cybersert Learn — eight modules in there to help you explain the difference between Cybersert and DSI, the standards body versus the certification body, and how SMB 10001 differs from the other standards. All of that is provided to our partners at no cost. You join and get started, because our main job is to certify the SMB, powered by the partners.
The only ask is that you certify yourself — the MSP — to at least the level you want to guide your clients to. You don't want to be the weakest link in the supply chain. We recommend strongly that you aim for gold as an MSP, because you've got multiple clients. Gold has incident response and a bunch of other things that show you're ready for a breach. A more hardened and qualified MSP will definitely want to move through to platinum and diamond, because that's an independently verified level — we have BSI and Assurely as our two external auditors that come in and audit environments at platinum and diamond.
So, partners.cybersert.ai to sign up for zero dollars, and inside there there's a bunch of other offers and promos to get you started, including how to structure your service offering and where inforcer fits into that. If there are 23 controls and you've got a 365 environment, how does inforcer help you do that? It gives you the baseline to then have the conversation with the likes of you guys.
Raul
Okay. So let's say you've decided SMB 10001 is the way to go. We share quite a lot of partners — can you give some examples of how MSPs are opening up new revenue streams or using this as a competitive differentiator? What have you seen? What's worked?
Ryan
Yes, we have heaps of examples. We've got just under 400 partners now, something like that, across Australia, New Zealand, the US, UK, and Canada.
Part of the challenge for MSPs and even technology partners to date has been this competition of "why would I pick X vendor over Y? Tell me why I need backups." There is still that question, we know that. So what certification does is remove the subjectivity, not just away from the outcome, but from the conversation. There's an international steering committee, an international standard that says, if you have an internet connection, the six fundamental controls are these. So it really removes this question about why I ought to do this stuff.
The second thing — one of the opportunities that opens up with certification is better cyber insurance premiums, business and liability insurance. We have 20 insurance partners now that recognize certification, and they don't ask any more technical questions. Cybersert even captures the contextual questions; we send those through if you want to connect with the insurer. We make nothing off the insurance policies — the only revenue Cybersert sees is through certification. So it's up to you to engage with any of the collaborations that we make available to you as partners and SMBs, but we facilitate the connection.
Silver and above — silver being the most common underwriting criteria — makes it really easy to get a fit-for-purpose cyber insurance policy. On average, and it's even increased with the last threat report from the federal government, it's at least 50,000 bucks average cost per breach. If you can get that financial risk insured — and it's actually more than that by the time you take into account the lost revenue, the time it takes to rebuild connections and sales processes, and even the psychological harm — then cyber insurance at least covers the financial downside of those breaches. If you can get a fit-for-purpose policy at silver, that becomes a really easy conversation to have with a small business.
There are about 160,000 to 170,000 small businesses of the million in Australia — if I just talk about AU — that turn over 3 million dollars or more. That means they have a ransomware reporting obligation, a notifiable data breach obligation, and a Corporations Act obligation to demonstrate reasonable steps that they've met their obligations as a company director. Cybersert — we have endorsements and recognitions from law societies, law councils, and enterprises for supply chains — demonstrates reasonable steps for some of those companies. It's not the safe harbour, it doesn't get them out of jail, but it shows they haven't been negligent through that process.
So it shortens the sales conversation. You're not talking about widgets and colours and flavours; you're talking about the specific outcomes that certified cyber security actually provides.
The second thing is it removes the subjectivity away from the programs of work. If you've got a silver, it's already predefined for you — just go and do it. Pick your architecture and your stack that's going to suit the SMB most appropriately. It's 23 for gold — get them to gold. You might even use that as the gap analysis that says, "Hey, you're four controls away from getting a gold certification. If we just do the incident response, the fraud policy, and the confidentiality agreement — the tech stack's already there — we can actually give you a gold certification that gives you this cool badge you can put on your website, showing you've taken reasonable steps and given your stakeholders confidence."
So it removes the subjectivity away from the conversation, predefines the program of work, and with the help and alignment of the likes of inforcer, the stacks are pre-mapped for the MSPs. It's like, "Hey, you don't have to use this stuff, but here are some proven stacks that actually help you roll out SMB 10001 certification programs of work."
Raul
Brilliant. And within that, are there any industries or types of businesses that would be more receptive to SMB 10001? When MSPs go to, let's say, a law firm, would they be more aware of this framework? Where have you seen the most success?
Ryan
Of the thousands that are moving through it now, professional services generally have picked this up the most — even health care, so health and professional services. Accountants, law firms for sure.
Why? Because the likes of the Queensland Law Society and some others — I had a session yesterday with the LPLC — have demonstrated that this is a really helpful pathway. People go to lawyers for advice when the proverbial hits the fan, and so the law firms have grabbed this with confidence, which is both humbling but also a powerful show of leadership from that industry.
So, professional services, but we also have golf clubs, shooting associations, schools, councils, kindergartens — who else have we got in that mix? Manufacturing for sure, retail, and a bunch of others.
But here's the thing: it's who they serve that really helps them close the decision about whether or not they do it. The more the enterprises recognize it for their supply chains, the easier it becomes on the SMB. You certify once and show to many. You can look up the certification at verify.cybersert.ai — it's the public registry of certified entities — and that gives them confidence. You don't need to answer the 400-page subjective questionnaires in the supply chain; just show us your certification. So more and more, we get to add the logos that are recognizing this, making it easier for SMBs and giving MSPs a really clear pathway.
Raul
Nice. By the way, we've got our first question — thanks, Chris. Where can he find the mapping documents on the DSI website to the other frameworks you mentioned?
Ryan
Yeah — can I chuck that in the chat?
Raul
Please do. I've seen it, it's pretty good. And then, you showed us the changes for 2026, which look quite extensive. Can you talk us through what, in your mind, are the key changes to the standard coming up? What are you most excited about there? And also, how does that affect partners that are already in the process of obtaining certification?
Ryan
So, what happens with the steering committee? Again, I'm the CEO of Cybersert, the certification body, not the standards body. DSI — Dynamic Standards International — is the standards body. The DSI steering committee's job is to work through the feedback and requests and, essentially, the continuous improvement. The D in DSI is dynamic, which means it updates annually.
Throughout the year, the feedback from the partners, the SMBs, and the steering committee is that, okay, this control — albeit not brand new, 12, 24, 36 months old — is now actually fit for purpose and accessible for small businesses in Vanuatu, noting that this is an international standard based on the most common cyber threats to SMBs worldwide. If it works for the hairdresser, then it's okay to be recommended at a particular level — okay to be recommended at bronze. So that's some of the thinking that goes through the steering committee, for which I don't have a vote, by the way — that would be a conflict of interest.
One of the movements at bronze is that basic, introductory awareness training is now available at bronze. There's a whole bunch of awareness training programs out there for SMBs, but now, for a small business to get a bronze certification, they must have done that as well as the other five or six controls that are in there.
Silver introduces email security specifically now. That wasn't necessarily specifically called out before, but because the feedback was it needs to be explicit, that's now called out at level two. So that's one of the main changes at silver. Silver still needs to be accessible to the majority of SMBs that aren't ready to get to gold.
Gold is gold — it's the gold standard. It is not easy, it's not too difficult, it's the Goldilocks that gets small businesses confident that they've done enough to be compliant, and confident that if the poo hits the fan, they know how to respond and they've got coverage. One of the coverage things I'm talking about is cyber insurance — cyber insurance was one of the requirements at platinum in 2025, and that's now moved down to gold. Endpoint detection and response is now specifically called out in gold — so EDR — and more and more email security is added. One of the last cool things is that there's now an AI policy requirement for small businesses at gold: responsible and secure use of AI. It doesn't get too much more specific than that, because it's still an evolving space for small businesses, but I would expect to see more detail added throughout the 2026–27 updates.
So that's released on the 1st of September every year by DSI. That gives Cybersert and the partner community four months to prepare for the certification changeover, which happens on the 1st of January every year.
But here's the thing: when you hit the "start our certification journey" button in the Cybersert platform, you actually have 12 months to finish that certification. You could claim a bronze certification credit, and you can take 12 months before Cybersert drops the bomb and says, "You've taken too long, the credit's now gone, there's a new standard, you need to get the new one." And when you get that certification, it's valid for 12 months.
The point of emphasizing this is that our partners can actually help certify small businesses in December on the 2025 version. They can take up to 12 months to get them ready to certify, and then the 2025 version is valid for 12 months from the certification issuance date. So does 2026 make 2025 obsolete? No, it doesn't — not during that one-year handover or transition process.
People say, "Okay, should I wait till the 1st of December to get my gold?" That's up to you, I'm not going to tell you what to do. If the client needs a certification now for cyber insurance, a better policy, supply chain, or whatever else, then you get it whenever you need to get it. Is 2026 a more modern and current standard? Of course — it's the latest one. Does it mean you can't do the stuff in 2026 now? No, you should do it. Does it mean you can't mix and match with Essential 8? No, you should do that too if you need to. So the flexibility still rests within the MSP's hand. And when I say MSPs, I'm also talking about consultants — some of our partners are not specifically MSPs, they're technical solution specialists, which are also consultants.
Raul
Okay. Got a question from David on what the breakdown or percentage of companies is that are achieving levels 1 to 5. I think he means what percent have bronze, silver, gold, platinum?
Ryan
Above gold is less than 10%, and we expect that to be consistent across the globe, even as we get to 100,000 or a million certifications over the years, because there are so many SMBs — let's say 1.2 to 1.4 million across Australia and New Zealand — that are really just starting out this journey. Bronze is so accessible, so achievable. Cybersert has even made bronze available for zero dollars on the website for the first 50,000 worldwide to claim, just to show that you've shut the front door. This is the main thing — we need to get people moving on the certification journey, for their benefit, your benefit, everybody's.
So the percentage is about 30 to 40% are going to get to gold, and that's about the reflection we have today. We definitely aim for our technology partners to get to gold themselves, at least, to have that confidence that you've got incident response and readiness. But there's a good 30, 50, 60% that will be below gold. Will they ever get to gold? Maybe. Do they need to? Maybe not. Maybe silver is the destination — they get insurance, and their hairdresser's covered.
Raul
Okay. Look, that's been really interesting, to learn the fundamentals and the whys. Now that we've explored the fundamentals, I think it's good to understand how MSPs can use the framework to align M365, and how M365 helps on the SMB side.
With that in mind, one of our partners recently said, "All I do is delegate." So on that note, Nathan, bringing you in — we were talking about this the other day. So many of our partners have aligned their baseline on the 365 side to the Essential 8. What's your advice there, moving forwards technically, with building out the baseline for SMB?
Nathan
Well, the good news is that because SMB 10001 has been created to be, I suppose, generic in its wording, it doesn't actually tell you "this is how you need to configure it." It's, as long as you meet this overall goal or objective for your 365 security standards. So by that very nature, if you've met the Essential 8 controls, you've met the SMB 10001 controls as well, for the most part. You might need a little bit more for a couple of them, but if you've achieved that goal, with a few little extra best-practice policies — things like EDR, which is not part of Essential 8 but is part of SMB 10001 — then for the most part, SMB 10001 is fairly achievable once you've already got that Essential 8 in place.
Raul
Do you have the visual of the mapping that you've done on what's covered with SMB and in Microsoft 365?
Nathan
I do. I should have had that ready to go, shouldn't I?
Raul
And while you get that up, I think what'll be really interesting is to get your thoughts on what's missing. The same way with the Essential 8, we built the Essential 8 Plus — inforcer best practice — where something like the Essential 8 doesn't have email security in there. Ryan said email security is coming for SMB 10001. Just keen to get your thoughts on what else you would be adding, I guess, for MSPs to build their own secret sauce around this framework.
Nathan
Yeah. So what's missing a little bit from the SMB is things around user application hardening, which you might see in the Essential 8. Some of you would be familiar with aspects around Chrome hardening, Edge hardening — the actual end-user device application management. I think that could do with achieving those, adding those extra policies in there to help supplement what the SMB is trying to achieve.
So here we can see a bit of a breakdown, broken into the Cybersert arrangement of bronze, silver, gold, platinum, and diamond. There's absolutely nothing wrong with, if you're wanting to chase the gold standard and accreditation, I would actually recommend chasing diamond from a security perspective — so deploying your 365 policies in line with what a diamond level is, because that covers more security in your 365 tenant, but you can still achieve that gold certification. It means that if you ever want to chase those platinum or diamond controls, you've already got them in place, which is really helpful from that perspective of the 365, and then you can focus on the other areas in terms of process and business arrangements.
From an inforcer perspective, we have this baseline built. We've got it mapped out according to the different standards. Unfortunately, I don't really have a diamond colour in our platform that we could use, so I went with blue — apologies. But effectively, what we can cover off is things like your multi-factor authentication, patching for your devices, BitLocker encryption for removable devices and operating system drives, Defender policies for your EDR protection. Obviously, some of these things might be covered off by other products you're using — even though you might not be using Microsoft Defender, you might be using something like Sophos or CrowdStrike, or who knows what product — they can still all be achieved outside of that. But in terms of inforcer, anything you're using in that 365 stack to help achieve your SMB certifications, we can help push that out from the 365 side, and more.
Raul
And with regards to Microsoft licensing, how can MSPs use this framework to justify moving their partners that are reluctant to move to the higher tiers of licenses? Which ones would you recommend?
Nathan
If you're wanting to achieve SMB 10001, even just for the bronze standard, from those requirements you really need to have, at a minimum, your Microsoft Business Premium licensing — that would be the recommendation. You could do a Business Standard with some add-ons, but once you're starting to put in an Entra P1 or an Intune add-on, you're pretty much at the price of what a Business Premium license is anyway. So that Business Premium tier is really where you see the value in working towards achieving your bronze, silver, gold, and so on from there.
Raul
Great. Okay, a quick question for you, Ryan, from Joel as well. We're going through the SMB path on our journey to ISO. How many extra controls are there between SMB and ISO? It's quite particular, but I don't know if you know the answer.
Ryan
You can actually have a look on the DSI mapping page as well. It'll show you the coverage across that, and then it shows you the percentage of coverage and how it's calculated on the DSI website.
The quick answer, though: forget about numbers and percentages. ISO certifies the management system, not the controls that are inside them. It doesn't prescriptively say what you need to have in your statement of applicability and risk register. The ISMS's job is to determine the statement of applicability. Now, for a small business, they will generally always accept the risk — the risk appetite will be super high, because their job is to make profit and grow that small business. Which is the point of SMB 10001: to say you can only get to diamond if you've done the 36 controls, and they've been independently verified.
So, to move towards ISO — ISO is not backwards compatible, that's point number one — unless you've got all of the diamond controls in your statement of applicability and you can demonstrate that you're able to attest to the diamond controls. But SMB 10001 has some specific details about what is required for MFA that might not be specifically called out as MFA in 27002. Does it get you ready, mature, and confident to talk about risk-management systems? Absolutely, that's what it's used for. We've got many SMBs moving towards ISO, but because that can be an 18-month or 24-month journey, they've got nothing to show in between. So they get gold now, they get diamond in six months, and all of that is planned as part of the ISMS. Then, of course, in 18 months' time, they're able to show that. So yes, it's a pathway; no, they're not the same. It's like having a karate black belt versus a jiu-jitsu black belt — same idea, different arts.
Raul
Nice, not a car-based analogy, which is nice. Nathan is going to do a quick demo now on how you can bring a new partner's 365 environment in line with SMB 10001. So, over to you, Nathan, and then we'll have a Q&A at the end.
Nathan
Lovely. So basically what we've got here is the tenant alignment section of inforcer. I'm just going to do a quick little demonstration.
Let's say we've brought this customer in. They're a new customer wanting to assess where they are in terms of SMB alignment. So what I can do is come up here to my report and generate a new report. I'm going to call it an SMB 10001 assessment, and I'm going to do an alignment by tag. I'm going to select my SMB 10001 diamond, which I've got here, as well as tenant settings — just looking at overarching themes. I've got all of these different options here that I'm going to report on. This is also brandable, so you can put your own MSP logo here, your own colours, and so on. I'm just going to leave it blank.
So what it's showing here is how closely aligned this tenant is to the SMB 10001 diamond. We can see that overall it's 86%, so that's pretty good. Based on the policies we have available in our baseline, we can see there are eight aligned policies and six that are not currently in alignment. We can see tenant settings mostly aligned, but again, a little bit not quite in place. So we get this nice report, and we can give it to the customer to highlight it.
So now the question is, how do we fix this alignment? This is what we need to look at now. In this tenant, I can filter by my tags — I'm going to find my SMB diamond tag and my tenant settings tag. What you can see in these tags is a number of policies that are suggested. Suggested policies are policies that exist in our SMB policy library that we want to bring into our customer; we want to make sure these are in alignment.
So what inforcer can do here — this particular one is MFA for all admins. It's actually picked up that there are two policies already existing in our customer's tenant. This customer currently has some Essential 8 policies by the look of it, but we're wanting to make sure it's got that naming convention of SMB 10001 — MFA for all admins. I would suggest this policy is the one we're most closely looking at. So I can drop down my little arrow here and it'll show me any deviated data that's different. In this instance, it's purely just the name that is different between these two policies. So I can select that one and rename it. Then I can see there's another one here, MFA for all users. In this instance, I can also reselect that one, because it's trying to achieve the same goal. So I can do these bulk renames. And I know there's a policy here, all macros disabled — again, another rename, very similar. You can see the baseline description is slightly different, and the name is slightly different. So I select them, hit bulk rename, and hit confirm.
What that's going to do now is rename those policies in our customer's tenant to match the baseline. This means we're going to see our little score here jump up a little bit once this refreshes in a sec. Effectively, we'll have now dealt with some policy deviations that we have. So we're just working through this flow to get this customer up to 100% alignment with the SMB 10001 diamond.
We can see now that the ones we've dealt with have jumped into a deviation, and we can see some more settings that are different. We can see there's a difference in included roles, a difference in the groups that are included. So what we can do as a second step is actually deal with any configuration change. We've only dealt with a name change so far, but now for these we'll deal with any differences in terms of configuration. So we hit align, we hit next. It gives me the options on how I want to deploy it — I want these policies enabled, I want to overwrite because there's the same name; we don't want to end up with a conflict of a policy, which is what can happen if you deploy a policy with the same name but you're not overwriting that function. I want the groups deployed, because I want those groups matching, so inforcer will deploy those groups whether they are dynamic or assigned groups. I'm just going to leave the rest of these options as is. Hit next, hit submit. I'll let that refresh for a second or two.
In my other suggested policies here, I'm just going to align these ones — we know these are needed. I'm going to do the same steps for these and have them refresh as well.
And just as that refreshes, guys, of course the diamond alignment does not cover the procedural controls. As an MSP, you still have to make sure there's a supply chain process in place, a policy in place, an incident response, awareness training. This is the coverage of the controls, and it still rests with you as the MSP to check that. You can't delegate that level of responsibility into a technology platform. It's your job to make sure the policy is actually doing what it's supposed to do, not just rely on the platform. That's the little caveat — this is only purely looking at the 365 side of all of the policy sets, making sure they're configured, in place, and protected.
Obviously, as you build out your baseline — and this is what baseline configuration is all about — the main goal is achieving your SMB certification and protection. But this is where you have your own tenant with your policies in there, and you want to build them out. You can start to add extra things in there, especially things coming in for SMB 2026 — things like Defender for Office protections, your anti-spam, anti-phishing. If you're in 2025 certification territory, you'd need to be adding those extra bits in manually; they're now going to be part of 2026. Also things like your Chrome hardening and Edge hardening. This is where you can pick and choose from different frameworks to build it up into being that baseline that you want to see, covering off lots of different areas from that end-to-end security.
Especially things like Mac OS devices — if you have customers who utilize Macs, if you've got customers that need iOS and Android protections. A lot of these same controls that you might think only exclusively apply to Windows, like Essential 8 — Essential 8 only really admits that everyone uses Windows devices, so you're sort of missing out on some of those security controls. A lot of those policies can be converted to look after and cover a lot of those other platforms as well, and they can fully be compliant with the SMB too, which doesn't just look at Windows devices.
So I'll do that same report again. We'll just go SMB 10001 assessment, alignment by tag, pick my same tags again. Obviously I didn't do anything with the tenant settings in this example, but we can see now that our alignment score is 96%. We're now fully aligned with that SMB 10001 diamond.
All in all, those policies — to actually build and configure each one would have taken four or five minutes to build on their own, at least. So to be able to deploy those policies that quickly means that if you're doing an SMB 10001 project to get your customers in alignment, you can charge for your 15 or 20 hours of work to actually develop and build that policy set, but in reality it's only taking you 15 or 20 minutes of configuration to push those policies out and then run those reports. You can give that customer a tangible report to show their before state and then their after state — this is the work we've done, you're now compliant. And then you can talk to Ryan about getting that nice badge.
Raul
Brilliant, thanks a lot, mate. I think now's a good time to open things up to questions. So any questions, I guess, on the framework or Microsoft 365, please fire away in the chat.
We've got — is there a specific company size range that would fit into the SMB 10001 standard? In particular, what is the upper limit, either by user count or turnover?
Ryan
Yeah, it's around 200 to 300. The reason is you cannot descope SMB 10001 controls. It's not a risk-based decision — the risk-based decision is what level you need to get to. You can't "not applicable" it. Of course, if there are no visitors, then you don't need the visitor register policy — that's the only way to get rid of one. So when you have too many seats, it actually becomes quite difficult to do that everywhere and be compliant, at which point you need to have a management system of sorts in place, which is where the NISTs and the ISOs come through.
Is it a turnover? The actual definition of SMB is about 100 million US as well, so that tends to be the upper limit. But could you have a 10-seat, 200-million-dollar organization? Why not. And is ISO fit for them? Maybe not — they don't have a governance committee, they don't have a compliance... maybe they do, they've got enough money to build it in there and hire someone to look after that and get some external auditors. But the revenue per se doesn't always dictate what particular standard is required.
Raul
Okay, one for you, Nathan. How quickly after a new SMB standard is released will inforcer support them?
Nathan
It's pretty much very much straight away. We're planning to have the 2026 standards ready for January 1st. At the moment the compliance is still around 2025, so they'll be ready to go for January when that new standard kicks in — slash a little bit before, just so it'll be ready to go. But as soon as that standard is released, we can reflect those changes.
Raul
Beautiful. I don't have the answer in terms of the Pax8 link, but if someone has the SMB training link, please send it over.
Another question. How does SMB 10001 accommodate organizations with different IT environments, like cloud, hybrid, and on-prem? What challenges or considerations should we be aware of as an MSP when applying the framework? You want to take that, Nathan?
Nathan
I can, yeah, definitely. Effectively, it absolutely can still work with those. Because the framework is not M365-focused or Windows-only focused, it can absolutely work with hybrid, it can work with on-prem. The idea being — and, I suppose, from a management perspective — it's a lot easier when it's in 365. So if they are a hybrid or on-prem type arrangement, it would be ideal if you can offload the end-user management, the device workloads, into Intune, which you can do if you've got that Azure sync and some group policy settings that get changed. You can offload those workloads even though the devices are still joined to an on-prem infrastructure — those workloads can be managed through the cloud, and that will make SMB 10001 management a lot easier than trying to do it through the old on-prem way.
Ryan
Yeah, very good, thank you. And also, it doesn't prescribe what the architecture is — it's designed to have you, as the experts, MSPs and consultants, work out what the appropriate stack is based on the client's architecture. Usually the scale comes when you have clients that are relatively similar, so your ideal client profile will be copy and paste, in a certain sense.
Now, the other thing to mention: any questions that you have that you're not sure of, send them to register@dsi.org. That is to say, "Hey, we believe we've met this requirement here with X, Y, and Z. Can you just confirm that we've actually met the obligation?" DSI will respond to that. That's the evidence you also want to store, so that you can help the client attest, and get ready for the external audit for the two higher levels. Register at DSI.org.
Raul
Beautiful. We can add that in the follow-up email as well, if we remember.
Doug had a question — this is probably for you, Ryan. Does DSI collate any region-specific information to show where Australia generally sits in their SMB maturity model? I.e., do Australian companies generally just scrape in at bronze, or do they sit in the higher maturity levels?
Ryan
Not yet. There are thousands that we have in there at the moment. This is something Cybersert is likely to release, because it's the certification levels — DSI doesn't necessarily correlate that; the job is to develop the standard, not necessarily provide all the certification and maturity levels. But at some point we'll have enough data across each of the regions to show the leaders and the laggards, even by sector, by size, all of that stuff. That's the information that's available through the verification registry as well.
Raul
There's also a question from Chris about the policies. Is there an intention to have a template library set that could be leveraged with some of the key information, that can be expanded or customized for a customer's needs?
Nathan
Certainly within inforcer itself, we will have that policy set and baseline library to be able to pick and choose what you might want to do. But we're also going to have an assessment engine. We've got our own assessment engine which can assess based on a number of controls, and you can actually pick and choose what parts — whether it's your diamond, platinum, gold, silver, bronze — you'll be able to pick those checks that are labelled according to that and run your assessments on your tenants to actually see where they match up against that. It'll be agnostic of any naming conventions or anything like that; it'll just be looking at the pure configuration. So that'll be coming soon, to give you those remediation steps to fix any policy gaps that are identified, but also giving that customer information to say, "You have met this particular control." It'll be a much more granular report to showcase that. So that'll be coming very soon, and the plan is to allow that to be run on prospects as well.
Raul
Absolutely. Nice catch, I missed that question. One from David: do any of the levels require the uploading of evidence, i.e. data relating to the client's setup? Do you have a security or privacy policy that states where this uploaded data sits and is handled?
Ryan
No. If you can imagine, Cybersert is the attestation platform — the legal, non-repudiable platform that says the certification has been met. At platinum and diamond, that's only issued once an external audit is taken over the SMB, with the help of their partner. There's an open text field. Can you type some sensitive stuff in there? Can you type a credit card in there? Can you type your password? Of course you can — so don't do that; don't filter for those sorts of things. The terms and conditions are available on the Cybersert website. Ultimately, the partner's role is to help the SMB get certification ready.
There are GRC and third-party risk-management platforms — inforcer and others — that have been designed to hold that sensitive information, specifically based on configuration information and evidence. We can introduce you to many of our technology partners that have integrated SMB 10001, that would complement the inforcer stack and others, to help you manage compliance journeys over and above just 365. It is not designed to be taken within the Cybersert platform.
Raul
Lovely. A question from Chris — this is quite an interesting one. We would typically expect most customers to have a Google Analytics account or Google My Business alongside a 365 tenant, as an example. For SMB, will the expectation be to cover all third-party apps?
Nathan
Yeah, I would say the idea — all frameworks really do take in everything. So it's really taking in your technology stack, no matter what it is. If you're using 365 for part of it and Google for another part, you really should assess all of those platforms where that data is being held or stored, in line with the SMB controls. So if the requirement is for MFA, there should be MFA on any of those platforms that those users interact with.
Raul
Beautiful. Look, really great questions, guys — I didn't even have to consult my bank of made-up questions to keep the conversation going, so I really appreciate the interaction.
Just finishing up, then. I guess the final thing on the SMB and inforcer side of things: we did have a promotion that Ryan has helped us put forward. If you sign up with inforcer for 30 tenants before the end of 2025, we'll fund the first year's gold certification for 20 of those partners, which would usually be about 8,000 dollars.
We can't see your screen — or is it just me? Can you see the screen?
Nathan
Can you see the screen?
Raul
No, Nathan, we can just see a gray screen. And you've actually gone black.
Nathan
Yeah, my computer did crash in the middle of this, so that could be — that's very likely.
Raul
Well, look, we'll send that in the summary. But if you are interested in that offer, just express your interest in the chat, or reply to the post-event email, or just book a demo online.
I guess, finishing up, Nathan and Ryan — just some key takeaways from each of you. Starting with you, Ryan: what would you hope partners take away from this webinar?
Ryan
Certification removes the subjectivity, and it predefines the list of things that you can do confidently to give to your clients, that gives them an outcome. And inforcer helps you get to gold and beyond yourself, so that you can have confidence that you've met the minimum requirements as a service provider to clients who look to you for expertise. And that last point — it doesn't cost you anything for gold if you claim, of course, the gold sponsored pathway there from inforcer. Roll it out to your tenants if it makes sense for you and you determine it's part of your stack. And then, small businesses — they prefer to spend 95 dollars for a bronze or 395 on a stack instead of on a certification. So now there's no excuse, with the zero-dollar gold pathway, that you can actually give them a demonstrable outcome. So that's my summary. Thanks, Raul.
Raul
Thanks.
Nathan
And I suppose my takeaway summary as well would be that policy deployment — actually getting certified and deploying those policies to be compliant with gold, silver, and bronze — doesn't have to be as scary or as complicated as it might seem, or as hard as it can be, because using a tool like inforcer can achieve that goal nice and quickly and easily for your clients. But then, chasing that certification — everyone knows Essential 8 is great, but there's no easy way to actually showcase the information that you've joined it and that you're part of it. So I think that's where Cybersert is great, to actually have that badge you can show your customers and help them achieve that certification.
So that's great. We've lost Raul, so I might just finish up this one, then. Thank you, Ryan, thank you everyone for joining, and yeah — enjoy. Thank you so much.
Ryan
Yes, all the details will be sent out. Reach out to any one of us for more information on how to get started, get moving, get certifying, and we'll see you inside. Thanks, Nathan, and thanks to you as well for your support in that.
Nathan
Amazing, my pleasure. Thanks very much, guys, we'll see you all later.