Australian small businesses now have three cybersecurity frameworks to consider: the Essential Eight, the ACSC Security Principles, and SMB 1001. Each takes a different approach, covers different ground, and suits different situations. The question most business owners ask is simple: do I need all three, or can I pick just one?
This guide compares all three frameworks side by side and gives you a clear recommendation based on your business situation.
The Three Frameworks at a Glance
The Essential Eight is a set of eight technical mitigation strategies from the ACSC. It focuses on preventing the most common cyber attacks through specific, prescriptive controls such as patching, MFA, application control, and backups. It uses three maturity levels (ML1–ML3) and is the Australian Government’s baseline cybersecurity standard. It comprises 152 controls across 8 domains.
The ACSC Security Principles provide strategic guidance on how to protect your systems and data. Published as part of the Information Security Manual (ISM), they cover six functional areas: Govern, Identify, Protect, Detect, Respond, and Recover. They focus on organisational capability rather than specific technical implementations. They comprise 34 controls across 6 domains.
SMB 1001 is a cybersecurity standard developed by Dynamic Standards International specifically for small and medium businesses. It covers both technical controls and broader areas like governance, employee training, and incident response. It offers formal tiered certification from Bronze to Diamond, and is updated annually.
| | Essential Eight | Security Principles | SMB 1001 |
|---|---|---|---|
| Developer | ACSC / ASD | ACSC / ASD (ISM) | Dynamic Standards Intl |
| Focus | 8 technical controls | Strategic governance | Technical + governance + training |
| Controls | 152 across 8 domains | 34 across 6 domains | Varies by tier |
| Maturity model | ML1, ML2, ML3 | Incomplete → Optimising | Bronze → Diamond (5 tiers) |
| Certification | No formal cert | No formal cert | Formal tiered certification |
| Covers governance? | No | Yes | Yes |
| Covers incident response? | Limited (backups) | Yes (Respond/Recover) | Yes (higher tiers) |
| Covers detection? | No | Yes (Detect domain) | Limited |
| Gov. contract recognition | High (often required) | Moderate | Growing |
| Insurer recognition | High | Moderate | Growing |
| Best for | Technical hardening | Strategic planning | Certification + breadth |
| Cost with CS360 | $49/mo | $49/mo (same platform) | Varies by certifier |
So Which Do You Need?
The answer depends on your business situation, but here’s the practical guidance:
Start Here: Essential Eight
✓ Every Australian SMB should start here
✓ Stops 85%+ of common cyber attacks
✓ Required for government contracts
✓ Recognised by cyber insurers
✓ Achievable in weeks, not months
✓ CyberSmart360: $49/mo
Add Next: Security Principles
✓ Fills the gaps E8 doesn’t cover
✓ Governance, detection, response
✓ Shows organisational maturity
✓ Prepares you for ISO 27001 if needed
✓ Both frameworks on CyberSmart360
✓ Same $49/mo — no extra cost
Consider: SMB 1001
✓ When you need formal certification
✓ When clients want proof of compliance
✓ Broader than E8, more accessible than ISO
✓ Good entry point via Bronze tier
✓ Complements E8 + Security Principles
✓ Separate certification cost
The Recommended Path for Most Australian SMBs
For the majority of Australian small businesses, the optimal approach is:
Step 1: Essential Eight ML1. Implement the eight technical controls at Maturity Level 1. This is your immediate defence — it stops the most common attacks, satisfies government and insurer expectations, and gives you a measurable security baseline. Complete your assessment in under 2 hours with CyberSmart360.
Step 2: ACSC Security Principles. Assess your governance, detection, and response capabilities. This ensures you’re not just preventing attacks but can also detect and respond to the ones that get through. Both frameworks are available on CyberSmart360 at no extra cost.
Step 3: SMB 1001 (if needed). If your business needs formal certification to win clients, satisfy supply chain requirements, or demonstrate compliance credentials, pursue SMB 1001 certification. The work you’ve already done on the Essential Eight and Security Principles maps directly to SMB 1001’s requirements.
This layered approach gives you the best coverage at the lowest cost. You start with the most impactful framework (Essential Eight), add strategic depth (Security Principles), and formalise if your business requires it (SMB 1001). Nothing is wasted — each framework builds on the previous one.
Do You Need All Three?
Most small businesses need the Essential Eight and the Security Principles. Together, these two ACSC frameworks give you both the technical controls that stop attacks and the organisational capabilities to detect, respond to, and recover from the ones that get through. Both are available on CyberSmart360 for $49/month — one subscription, two frameworks, complete coverage.
SMB 1001 is valuable but optional for most SMBs. Consider it when you need formal certification for client or supply chain requirements, or when you want a recognised credential to differentiate your business. It’s complementary to the ACSC frameworks, not a replacement.
You don’t need to choose just one. These frameworks aren’t competing — they’re layered. The Essential Eight is your technical foundation. The Security Principles are your strategic governance layer. SMB 1001 adds formal certification and additional breadth. Together, they create genuine defence in depth.
Start with the Essential Eight Today
CyberSmart360 supports both the Essential Eight (152 controls) and the ACSC Security Principles (34 controls) in a single platform. Assess against either or both frameworks, get AI-powered gap analysis, and build a prioritised remediation plan — all in plain language, all from $49/month.
CyberSmart360 — the Australian cybersecurity compliance platform that supports Essential Eight and ACSC Security Principles in one dashboard. Because comprehensive protection needs more than one framework.