The Australian cyber security landscape is about to undergo one of its biggest changes in years.
According to a recent announcement from the Australian Signals Directorate (ASD), the widely used Essential Eight cyber security framework will be retired over the next two years and replaced with a broader “Essentials” series designed to better address modern IT environments, cloud services, operational technology, and emerging technologies such as AI. 12
For many organisations, this announcement raises an important question:
If Essential Eight is changing, what cyber security framework should my business be investing in today?
At Qbit IT Solutions, our answer has been consistent for several years.
For organisations pursuing defence contracts, Essential Eight remains highly relevant and often mandatory.
For everyone else, we’ve been recommending SMB1001.
And the recent ASD announcement reinforces why.
Why Essential Eight Is Being Retired
When Essential Eight was first introduced, it provided valuable guidance for securing traditional on-premises IT environments.
However, according to ASD, the framework was developed before cloud computing became the norm and its controls do not always align cleanly with modern cloud-first architectures and shared responsibility models. The new “Essentials” series aims to provide greater flexibility and broader coverage across different technology environments. 12
This shift reflects what many businesses have already experienced.
Modern organisations rely on:
- Microsoft 365
- Azure and cloud services
- SaaS applications
- Remote workers
- Mobile devices
- AI-powered tools
Cyber security today is about much more than applying eight technical controls.
The Problem With Essential Eight For Many SMBs
The reality is that Essential Eight was never designed specifically for small and medium businesses.
Many SMBs:
- Have limited IT resources
- Outsource IT to a managed service provider
- Do not employ dedicated cyber security teams
- Need practical guidance that balances security, cost and operational realities
As we’ve discussed with clients for years, Essential Eight can become a highly technical compliance exercise that doesn’t always align with how small businesses operate. 3
That doesn’t mean Essential Eight is wrong.
It simply means it was designed for a different audience.
Why SMB1001 Is Better Suited For Most Australian Businesses
SMB1001 was specifically created to address the cyber security needs of small and medium businesses.
Unlike traditional enterprise frameworks, SMB1001 provides a practical, affordable and scalable pathway for organisations to improve cyber maturity over time. 45
The framework:
- Is designed specifically for SMBs
- Provides multiple certification levels
- Covers people, processes and technology
- Supports continuous improvement
- Aligns with modern managed IT service delivery
- Provides recognised certification that can be demonstrated to customers and suppliers 46
Rather than asking businesses to achieve everything at once, SMB1001 provides a structured roadmap that allows organisations to start where they are and progressively increase their cyber maturity. 436
Cyber Security Is Becoming a “Ticket to Trade”
Increasingly, businesses are being asked to demonstrate that they take cyber security seriously.
Customers want assurance.
Partners want assurance.
Insurers want assurance.
Supply chains want assurance.
SMB1001 provides a recognised certification pathway that helps organisations demonstrate their commitment to protecting their systems, data and customers. 35
This is particularly valuable for organisations that are not required to comply with defence-specific frameworks but still need to prove they have implemented robust cyber security controls.
Qbit Doesn’t Just Recommend SMB1001. We Hold Gold Certification Ourselves.
One of the reasons we confidently recommend SMB1001 is because we’ve completed the journey ourselves.
Qbit IT Solutions has achieved SMB1001 Gold certification, demonstrating that we have implemented the controls, governance, policies and operational practices required to meet the Gold standard. 789
Our internal assessment confirmed compliance across all required Gold-level controls and requirements. 8
This means when we advise clients on SMB1001, we’re not speaking from theory.
We’ve lived the process.
We’ve completed the remediation.
We’ve built the documentation.
We’ve implemented the controls.
And we help organisations do exactly the same.
When Should You Still Consider Essential Eight?
There are absolutely situations where Essential Eight remains the right choice.
If your organisation:
- Works directly with Defence
- Supports Defence Industry contracts
- Has contractual requirements referencing Essential Eight
- Needs specific ASD maturity level compliance
Then Essential Eight is still highly relevant and likely mandatory. 3
But for the vast majority of Australian businesses, SMB1001 delivers a more practical and achievable pathway to meaningful cyber resilience.
The Bottom Line
The ASD’s decision to retire Essential Eight over the coming years is a clear recognition that cyber security frameworks must evolve to match modern technology and modern threats. 12
For organisations outside the defence sector, this announcement reinforces what Qbit has been advising for some time:
SMB1001 provides a more practical, scalable and business-friendly cyber security certification pathway for most Australian organisations.
Cyber security is no longer just an IT issue.
It’s a business requirement.
And organisations that can demonstrate certified cyber maturity will continue to have a competitive advantage.
Ready to Achieve SMB1001 Gold?
Qbit IT Solutions has already achieved SMB1001 Gold certification and can help your organisation do the same. 78
Our team can:
✅ Assess your current cyber maturity
✅ Identify gaps against the SMB1001 framework
✅ Develop a remediation roadmap
✅ Implement the required controls
✅ Prepare your organisation for certification
Whether you’re starting from scratch or already have many controls in place, we’ll help you build a practical pathway to SMB1001 Gold Certification.
Book a free cyber security assessment today and discover how close your business is to achieving SMB1001 Gold.
Qbit IT Solutions
Helping Australian businesses build cyber resilience, achieve certification, and win more business through trusted security practices.
