SMB1001: Practical Cybersecurity Maturity Framework Built for New Zealand Businesses
SMB1001 is the international cybersecurity maturity framework designed specifically for small and medium-sized businesses. It gives you a clear, achievable pathway to strengthen your controls and prove your security posture – without the complexity or cost of enterprise frameworks.
What is SMB1001?
Developed by Dynamic Standards International (DSI) and certified through CyberCert, SMB1001 is a tiered, certifiable framework that helps Kiwi businesses:
-
Protect against common cyber threats
-
Meet insurer and regulator expectations
-
Build confidence with clients and supply chain partners
-
Demonstrate real resilience
​
In short, it provides a practical, achievable pathway to stronger governance without the complexity or cost of traditional enterprise frameworks.
Why SMB1001 Matters to Your Business
Cyber threats are a daily reality for New Zealand businesses. Recent research shows that nearly half (44%) of mid-to-large Kiwi businesses were subjected to an attack in the past 12 months, even as overall incidents have fluctuated.
At the same time, AI-driven cyber threats have more than doubled year-on-year, fuelling smarter phishing, automated attacks and new vulnerabilities that traditional defences often miss. When an incident hits, the cost can quickly run into hundreds of thousands or even millions in downtime, recovery, legal fees, and lost revenue. Add the stress, damaged client trust, and potential reputation harm, and it’s clear why “it won’t happen to us” is a risky mindset.
​
Most businesses operate on hope and basic checklists. SMB1001 changes that by giving you something most companies never achieve:
-
Proof that your controls actually work backed by structured evidence, not just good intentions.
-
A clear, recognised way to meet insurer and regulator expectations helping with smoother renewals and stronger positioning.
-
Real confidence from clients, partners, and your own team because you can demonstrate a recognised standard of care.
-
Protection for what you’ve built so one incident doesn’t threaten your business, your livelihood, or your peace of mind.
SMB1001 turns good intentions into measurable, certifiable resilience - the kind that grows with your business and gives you a genuine edge in today’s environment.
The 3 Certification Levels (most relevant for NZ SMBs)
The essential starting point – Basic security controls and compliance fundamentals that any business can achieve quickly.
​
Focus: Basic security controls and compliance fundamentals, including reliable technical support, firewalls, antivirus, patching, strong passwords, and data backups.
Who it’s for: Businesses taking their first structured step in cybersecurity or needing a quick, achievable baseline.
Key Benefits: Improved protection against common threats, a structured baseline assessment output, and alignment with common insurer and regulatory expectations.
Building on Bronze with stronger operational practices for better day-to-day resilience.
​
Focus: Enhanced controls such as multi-factor authentication, access management, employee training, incident response readiness, supplier risk oversight, and ongoing risk tracking.
Who it’s for: Growing businesses with moderate risk exposure that want more than the basics and improved visibility.
Key Benefits: Stronger security posture, improved risk visibility, better incident readiness, and clearer engagement with clients, suppliers, and insurers.
Advanced maturity with proven governance and strategic oversight – the highest self-attested level.
​
Focus: Comprehensive security practices including evidence-based control validation, continuous monitoring, formal policies, executive attestation, and alignment with global standards.
Who it’s for: Organisations in higher-risk sectors or those seeking to demonstrate advanced cyber maturity and structured governance practices.
Key Benefits: Enhanced stakeholder confidence, stronger positioning with cyber insurance providers, executive-level visibility into control maturity, and a structured pathway toward frameworks such as ISO 27001 readiness.
Why Choose Infoways as Your SMB1001 Partner?
When it comes to cybersecurity, organisations need more than checklists - they need structured governance, clear visibility of controls, and confidence in how those controls are managed and evidenced.
​
We have achieved SMB1001 Gold level certification, the 3rd highest maturity level within the SMB1001 framework below that of Diamond and Platinum. This experience underpins how we support clients in building structured, evidence-led governance and control environments.
​
Our approach supports organisations from Bronze through to Silver and Gold maturity levels, with ongoing guidance to help maintain and evolve their SMB1001 alignment over time. Our Governance & Control Platform integrates SMB1001 with broader governance, risk, and compliance activities, helping connect policies, controls, and evidence into a structured operational model.​
