Achieving SMB1001 Platinum Level: Nearing the Peak of Cybersecurity Excellence

In today’s rapidly evolving threat landscape, small and medium enterprises (SMEs) need a robust and comprehensive cybersecurity strategy to safeguard their assets, data, and reputation. The SMB1001 Platinum level is one of the highest tiers in the framework, designed to provide unparalleled security measures and governance. This article outlines the Platinum level controls, the steps to achieve compliance, and the benefits your organisation can expect.

What is SMB1001 Platinum Level?

The Platinum level represents a benchmark of advanced cybersecurity maturity within the SMB1001 framework. Building on the foundational controls of the Bronze, Silver, and Gold levels, it introduces advanced, highly detailed requirements to ensure maximum protection against cyber threats. Unlike the previous tiers, compliance with the Platinum level requires an external audit by a certified body, ensuring rigorous validation of your cybersecurity practices.

It needs to be highlighted that the technical services organisation supporting a client obtaining Platinum (or Diamond) must also hold certification at that level or higher. This means that if your MSP holds Gold level, it needs to hand off the work to a firm such as Aegis to finalise the requirements. This rule exists to ensure that the technical experts providing advice have a level of knowledge that aligns with the risks, so that client firms receive correct and proper advice.

Platinum Level Requirements

The controls for the Platinum level span across five comprehensive categories:

Category 1: Technology Management

Your organisation must engage a technical support specialist, Managed Service Provider (MSP), or IT specialist to handle day-to-day cybersecurity requirements. Firewalls must be installed and configured for all networks and devices, including personal devices used for business purposes. These firewalls should be reviewed by a qualified individual to ensure secure configurations. Anti-virus software must be installed and automatically updated on all organisational devices. Software updates and patches must be applied automatically to all devices. Critical updates should be managed within 14 days if automatic updates are not possible. TLS certificates must be installed on all public internet-facing websites, ensuring encryption for data transmissions. Servers should follow a strict maintenance routine for updates and patching, addressing critical issues within 14 days. Additionally, all public internet-facing resources must be regularly scanned for vulnerabilities, including web servers, APIs, and VPN authentication sites.
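The TLS requirement above is easy to satisfy once and then quietly fail: a certificate expires, a hostname is added that the certificate does not cover, or an old protocol version is left enabled. The script below is an added example (not part of the SMB1001 framework or this article) that an auditor or MSP could run against the list of public-facing hostnames to produce evidence for this control. It uses only the Python standard library. The 30-day warning threshold, the hostnames in the usage block, and the sample certificate dictionary (constructed to mirror the shape returned by `ssl.SSLSocket.getpeercert()`) are assumptions made for illustration.

```python
"""Check that public-facing hosts present a valid, unexpired TLS certificate
that covers their hostname, negotiated with TLS 1.2 or newer.

Added example for SMB1001 Category 1 evidence gathering; not framework code.
"""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30  # assumed threshold: flag certificates expiring within 30 days


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname.

    A leading '*.' covers exactly one leftmost DNS label (RFC 6125 style),
    so '*.example.com' covers 'www.example.com' but not 'a.b.example.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if the hostname appears in the DNS SANs (or the CN if no SANs exist)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def evaluate_cert(cert: dict, hostname: str, now: Optional[float] = None) -> dict:
    """Pure evaluation of a getpeercert()-style dict; no network access."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now >= not_after:
        findings.append("expired")
    elif days_left < WARN_DAYS:
        findings.append(f"expires in {days_left} days")
    if not hostname_covered(cert, hostname):
        findings.append("hostname not covered by certificate")
    return {"host": hostname, "days_left": days_left,
            "findings": findings, "ok": not findings}


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live host, verify its chain against the system trust store,
    refuse anything below TLS 1.2, then evaluate the presented certificate."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result = evaluate_cert(tls.getpeercert(), hostname)
                result["protocol"] = tls.version()
                return result
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "ok": False,
                "findings": [f"chain verification failed: {exc}"]}
    except (OSError, ssl.SSLError) as exc:
        return {"host": hostname, "ok": False,
                "findings": [f"connection or handshake failed: {exc}"]}


# Constructed sample mirroring the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    # Assumed inventory of public-facing hostnames; replace with your own.
    for host in ["www.example.com", "vpn.example.com"]:
        r = check_host(host)
        status = "OK" if r["ok"] else "FAIL"
        print(f"{status:4} {host}: {r.get('protocol', '-')} {'; '.join(r['findings'])}")
```

Run it on a schedule and keep the output with the other audit evidence; a failing row is a concrete, dated finding rather than a box ticked at certification time. Note that `create_default_context()` already rejects untrusted chains and mismatched hostnames, so the explicit SAN check mainly matters when you evaluate a certificate obtained some other way, such as one exported from a load balancer.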

Category 2: Access Management

Passwords must be changed routinely and align with best practices for complexity and uniqueness. Employees who do not require administrative access must not have it. Each employee should use individual user accounts, ensuring accountability. A password manager system must be implemented to securely store and manage passwords. Multi-factor authentication (MFA) is mandatory for all employee email accounts, business applications, and cloud-hosted services. Access to systems where critical data is stored, as well as VPN and Remote Desktop Protocol (RDP) connections, must also be protected with MFA. Finally, your organisation must adopt robust management practices for remote access cloud credentials to minimise risks.

Category 3: Backup and Recovery

Your organisation must implement a comprehensive backup and recovery strategy for critical digital assets. This includes maintaining a backup schedule with a maximum interval of seven days between backups and retaining sufficient history for at least six months. Annual testing of recovery processes is required to ensure readiness. Additionally, purchasing and maintaining cyber liability insurance or business insurance is mandatory to provide financial coverage in the event of a cyber-related incident.

Category 4: Policies, Processes, and Plans

All employees must sign confidentiality agreements before beginning work. A policy to prevent invoice fraud must be implemented, outlining procedures to verify invoices and prevent payment scams. A visitor register should be maintained to track physical access to restricted areas. A comprehensive cybersecurity policy must be developed, detailing responsibilities, technical controls, and procedures for protecting digital assets. An incident response plan must outline the steps to address and recover from cyber incidents, including key contact information for personnel and external support. Secure methods for physical document destruction and the disposal of digital devices containing sensitive data must also be established. A digital asset register must be maintained to document the locations of all critical and sensitive data, along with access permissions and an annual audit to ensure accuracy.

Category 5: Education and Training

Cybersecurity awareness training must be conducted regularly for all employees, addressing topics such as social engineering, phishing, email safety, invoice fraud, and physical security. This training should include an annual review of cybersecurity policies and equip employees to recognise and respond to cyber threats effectively.

Achieving SMB1001 Platinum Level Compliance

To meet the Platinum level requirements, your organisation must:

  1. Understand the Requirements: Familiarise yourself with the Platinum-level controls and assess your organisation’s current practices.
  2. Conduct a Gap Analysis: Identify areas where your organisation falls short and prioritise improvements.
  3. Implement Advanced Controls: Work with a technical support specialist to ensure all Platinum-level requirements are met, including firewalls, MFA, and secure backup strategies.
  4. Develop Policies and Training: Draft and enforce detailed policies while conducting regular cybersecurity training for employees.
  5. Engage an External Auditor: Arrange for an external audit by a certified body to validate compliance with the Platinum-level requirements.
  6. Maintain Ongoing Compliance: Regularly test and update your controls to ensure they remain effective and meet evolving cybersecurity threats.

The Benefits of SMB1001 Platinum Level Compliance

Achieving Platinum-level compliance positions your organisation as a leader in cybersecurity, offering unparalleled protection and resilience. Key benefits include:

  1. Maximum Security: Advanced controls minimise the risk of breaches and ensure comprehensive protection for critical assets.
  2. Enhanced Trust: Demonstrating a commitment to the highest cybersecurity standards builds trust with clients, partners, and stakeholders.
  3. Operational Continuity: Detailed recovery plans and robust controls ensure your organisation can recover quickly from incidents.
  4. Regulatory Readiness: Platinum-level compliance aligns with stringent legal and industry requirements, preparing your organisation for future challenges.

Secure Your Future with SMB1001 Platinum

The SMB1001 Platinum level represents a significant milestone in cybersecurity readiness. By achieving compliance, your organisation will not only protect itself against advanced cyber threats but also demonstrate its commitment to excellence and trustworthiness.

Start your journey to SMB1001 Platinum level compliance today. Review your current practices, address gaps, and engage an external auditor to validate your efforts. If you need guidance, reach out to us at info@aegiscyber.com.au; as experienced cybersecurity professionals, we can tailor solutions to your organisation’s needs.

In an increasingly digital world, achieving the Platinum level isn’t just about security—it’s about securing your organisation’s future.
