
SMB1001 Cyber Security Certification for Aged Care Providers

Aged care providers face growing cyber risks, and under the new Aged Care Act the SMB1001 standard offers a practical certification path to protect sensitive resident data while meeting regulatory demands.

Microsolve is your guide through certification without disrupting care operations.


Microsolve guides you through the SMB1001 certification

Is SMB1001 Right for You?

Aged care organisations handle highly sensitive health records, financial details, and personal information protected by the Privacy Act 1988. The new Aged Care Act 2024 introduces stricter enforcement, substantially higher civil penalties that can run into the millions, and exposure to reputational damage from breaches that disrupt care or expose data. SMB1001 certification proves to regulators, families, insurers, and partners that your cyber defences meet an Australian standard built for SMBs, building trust without overwhelming your team.

The new Aged Care Act has raised the bar on how providers manage cyber risk, evidence, and accountability. SMB1001 certification gives you a practical, staged way to prove your systems, people, and processes are protecting resident data every day – not just at audit time.

Regulatory Risk

The strengthened Aged Care Act brings higher civil penalties, continuous evidence expectations, and tougher ACQSC oversight. SMB1001 helps you put structure around cyber security so you can show regulators exactly how you manage access, backups, and incident response, with certifications to prove it.

Data Protection

Aged care providers hold highly sensitive health and financial information that must be protected under the Privacy Act and Australian Privacy Principles. SMB1001 aligns with the Essential Eight and mandates practical controls like multi-factor authentication, patching, and immutable backups so resident and staff data stays secure.

Family Confidence

Families increasingly ask how their loved one’s information is stored, who can see it, and what happens if something goes wrong. SMB1001 certification gives you a clear, non-technical way to reassure them that cyber security is not an afterthought, but is baked into how your organisation operates.

SMB1001 is EXACTLY what I need - What do I do next?

Great question! Let us guide you through a review of your current situation and set up a personalised engagement.


Why Cyber Security Matters Now

The Aged Care Act strengthens the Quality Standards and expects continuous compliance evidence, including cyber resilience, rather than "audit prep only". Providers unable to show robust controls face ACQSC sanctions, while recent ransomware attacks in the strata sector show how real the disruption risk is to clinical systems. Cyber incidents that expose personal information now trigger obligations under the Notifiable Data Breaches scheme, eroding family trust and inviting scrutiny from supply-chain partners.

Higher Penalties

Civil fines scaled to revenue for non-compliance.

Perpetual Audits

Live evidence required anytime, not just inspections.

Reputational Hit

Breaches damage referrals and funding confidence.


What is SMB1001?


SMB1001 is Australia's tiered cyber security standard for SMBs, covering five pillars: Technology Management, Access Control, Data Protection, Incident Response, and Staff Awareness. Its technical controls overlap substantially with the ACSC Essential Eight.

Tiers range from self-assessed Bronze (basics like firewalls, MFA) to audited Gold/Diamond for advanced governance. Unlike complex ISO 27001, it's practical for non-IT teams, annually updated, and certifiable via CyberCert.

Read More on the SMB1001 Cybersecurity Certification

SMB1001 vs Essential 8 - At a Glance

You’ve seen how SMB1001 works as a practical, tiered standard for aged care – but it sits alongside another key requirement: the ACSC’s Essential Eight. Before you decide where to start, it helps to see how these two frameworks complement and differ from each other.

Focus
  SMB1001: covers technology plus governance, policies, and ongoing staff training.
  Essential 8: focuses on eight core technical controls (patching, MFA, application control, etc.).

Tiers/Levels
  SMB1001: five certifiable tiers (Bronze through to Diamond) designed for staged improvement.
  Essential 8: four maturity levels (0 to 3) indicating how well each control is implemented.

Best Suited For
  SMB1001: purpose-built for Australian small and medium businesses, including aged care providers.
  Essential 8: originally designed with government and larger organisations in mind.

Certification Approach
  SMB1001: a formal certification pathway, including external audit for Gold tier and above.
  Essential 8: typically self-assessed, with no formal external certificate by default.


SMB1001 in Aged Care

Aged care's sensitive data demands "reasonable steps" under Privacy Act APPs; SMB1001 delivers via backups, access controls, and training tailored to high-turnover staff. It aligns with Aged Care Data Strategy for secure digital foundations, proving protection to ACQSC, families, and vendors like clinical software providers. Achieve Gold tier to signal maturity without enterprise costs.

  • Protects resident health information from phishing and ransomware.
  • Supports multi-site ops with consistent policies.
  • Evidence for complaints/incident reviews.

Microsolve's 36-Month program

Microsolve manages your full journey: initial gap analysis, control implementation (MFA, patching, backups), staff training sessions, documentation, and certification audits – all without burdening clinical teams. Phased over 36 months: Year 1 Bronze/Silver, Year 2 Gold, Year 3 maintenance. Integrates with Microsoft 365, AWS, and clinical systems for seamless uplift.

Current State Assessment

We map your existing Microsoft 365 security, backups, access controls, and policies against SMB1001 requirements. In 2 weeks we'll identify quick wins and certification gaps without disrupting care delivery.

Bronze/Silver Implementation

Microsolve configures firewalls, multi-factor authentication, patching, and basic governance tailored to aged care's high staff turnover and highly sensitive data, so you achieve Bronze or Silver self-attestation within 6 months.

Gold Certification Preparation

We add formal policies, staff training programs, and advanced controls like immutable backups plus prepare your evidence portfolio for external Gold audit, typically achieved in 18-24 months.

Ongoing Compliance Management

Annual reassessments, control monitoring, and tier progression support keep you certified and continuously improving without adding IT burden to your leadership team.

Frequently asked questions

Is SMB1001 certification mandatory for aged care providers?

No, SMB1001 is voluntary but aligns directly with Essential Eight Maturity Level 1, which became the regulatory baseline for residential aged care from November 2025 under the Aged Care Act. It provides stronger proof of compliance than self-assessment alone, reducing ACQSC scrutiny during audits or incidents.

How long does it take to achieve Gold certification through Microsolve?

Microsolve's 36-month guided program delivers Bronze in 6 months, Silver by 12 months, and Gold by 24 months – fully managed without burdening care staff. This phased approach builds real capability while fitting around operational cycles like flu season or accreditation visits.

Will SMB1001 burden our clinical or admin teams?

No – Microsolve handles 90% of the work including assessments, configurations, documentation, and audits. Your team only attends short, practical awareness sessions (30-45 mins quarterly) and follows simple daily policies like reporting phishing.

What's the difference between SMB1001 and Essential Eight?

Essential Eight focuses on eight technical controls with four maturity levels; SMB1001 adds governance, training, policies, and tiered certification (Bronze to Diamond) designed for SMBs without dedicated security teams. Microsolve maps both for dual compliance, starting with Bronze and Essential Eight Maturity Level 1 quick wins.

Does SMB1001 meet Privacy Act requirements for resident data?

Yes – controls like access management, backups, and staff training satisfy "reasonable steps" under Australian Privacy Principles for protecting health information. Certification provides verifiable evidence for regulators, families, and Notifiable Data Breach reporting.