Essential Eight Guide for Australian Businesses
The Essential Eight is Australia's primary cybersecurity framework. This guide explains the 8 controls, the 3 maturity levels, who needs to comply, and how to assess your organisation — from a standing start.
What is the Essential Eight?
The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and recommended by the Australian Cyber Security Centre (ACSC). First published in 2017 and updated most recently in October 2024, it is the baseline cybersecurity standard for Australian organisations across government and the private sector.
The framework is designed to be prioritised: implementing all eight strategies to at least Maturity Level 1 makes a business significantly harder to compromise than one that has implemented none. The strategies were selected because they address the most common attack vectors used against Australian organisations.
Compliance with the Essential Eight is mandatory for all non-corporate Commonwealth entities. For private sector businesses, it is increasingly required by government clients, enterprise procurement teams, and Australian cyber insurers — and strongly recommended by the ACSC for all organisations regardless of size.
Who developed the Essential Eight?
The Australian Signals Directorate (ASD) — Australia's national cybersecurity and intelligence agency — developed the Essential Eight as part of its Strategies to Mitigate Cyber Security Incidents. The framework is endorsed and promoted by the Australian Cyber Security Centre (ACSC), which is part of the ASD. It is regularly reviewed and updated based on the threat landscape facing Australian organisations.
The Eight Controls Explained
The eight mitigation strategies cover application security, patching, access control, and data protection. Here's what each control covers and why it matters.
Application Control
Prevents unapproved and malicious programs from executing on workstations and servers. Only explicitly permitted applications can run — blocking ransomware, malware, and unapproved software from gaining a foothold.
Patch Applications
Requires that security vulnerabilities in internet-facing services and applications are patched within defined timeframes. At ML1, critical patches must be applied within one month; ML2 tightens this to two weeks for critical internet-facing systems.
Configure Microsoft Office Macro Settings
Office macros are one of the most common delivery mechanisms for malware in Australia. This control requires macros to be disabled or restricted to trusted, digitally signed macros only.
User Application Hardening
Configures web browsers, Office applications, and PDF readers to reduce their attack surface — disabling features like Flash, Java, and web advertisements that are commonly exploited by attackers.
Restrict Administrative Privileges
Limits administrator accounts to those who genuinely need them, with admin accounts used only for admin tasks and not for browsing or email. Privileged access workstations (PAWs) are required at higher maturity levels.
Patch Operating Systems
Requires timely patching of operating systems on workstations, servers, and network devices. Critical vulnerabilities in internet-facing systems must be patched within 48 hours at ML2 and ML3.
Multi-Factor Authentication
Requires MFA for remote access, privileged accounts, and internet-facing services. At ML3, MFA must be phishing-resistant (hardware tokens or passkeys) — not just SMS or authenticator app codes.
Regular Backups
Requires regular, tested backups of important data, software, and configuration settings. Backups must be stored offline or in a way that prevents ransomware from encrypting them — and must be tested to confirm they can actually be restored.
The Three Maturity Levels
Each of the eight controls has three maturity levels. Your overall Essential Eight maturity score is the lowest maturity level you have achieved across all eight controls — you can't claim ML2 if even one control is only at ML1.
Maturity Level 1
Targets adversaries using commodity techniques — scripted attacks, phishing, and publicly available exploit tools. ML1 is the minimum level all Australian organisations should achieve.
Maturity Level 2
Targets adversaries using more advanced techniques — spear phishing, credential theft, and targeted exploitation of known vulnerabilities. Required for organisations handling sensitive client or financial data.
Maturity Level 3
Targets sophisticated adversaries using zero-days, living-off-the-land techniques, and advanced persistent threats. Phishing-resistant MFA is required at this level.
Where do most Australian SMBs sit?
Most Australian SMBs that have never formally assessed their cybersecurity posture are operating at ML0 — below Maturity Level 1 — across at least two or three controls. The most common gaps are application control (rarely implemented in SMBs), privileged access management (admin accounts used for everyday tasks), and backup testing (backups exist but have never been verified). A self-assessment takes 15 minutes and identifies these gaps immediately.
Who Needs to Comply?
The Essential Eight applies to a broader set of Australian organisations than most business owners realise.
Commonwealth agencies
Mandatory. All non-corporate Commonwealth entities must implement the Essential Eight under the Protective Security Policy Framework (PSPF). Agencies must report their compliance level annually.
Government contractors
Increasingly required. Federal and state government procurement processes now commonly require vendors to demonstrate Essential Eight compliance — particularly for contracts involving data access or ICT systems.
Cyber insurance applicants
Effectively required. Australian cyber insurers — Coalition, Chubb, Beazley, and others — assess Essential Eight controls during underwriting. Gaps in MFA, patching, and backups directly affect premiums and coverage.
Private sector SMBs
Strongly recommended. The ACSC recommends all Australian organisations implement the Essential Eight as their cybersecurity baseline. Enterprise clients increasingly require it from their supply chains.
How to Get Started with Essential Eight Compliance
The ACSC recommends a four-step approach for organisations beginning their Essential Eight journey.
Assess your current maturity level
Before you can plan remediation, you need to know where you stand. A structured self-assessment across all eight controls gives you a baseline maturity score and identifies the specific gaps driving your score down. This is the step most organisations skip — and the reason so many cybersecurity projects go in circles.
Set a target maturity level
Choose a realistic target based on your obligations and risk profile. Most SMBs should target ML1 as a first priority, with ML2 as a secondary goal if you handle sensitive data. Don't try to jump to ML3 — the complexity and cost are disproportionate for most businesses.
Prioritise the gaps
Not all gaps are equal. Focus first on controls that are easy to implement and have high impact — MFA is typically the highest ROI fix, followed by patching and backups. Application control and privileged access take more time and planning.
Implement and document
Implement the fixes in priority order and document your progress. For government contract and insurance purposes, you'll need to be able to demonstrate your compliance level — not just assert it. A gap report generated from your assessment provides this evidence.
Start with a free self-assessment
71 questions covering all eight controls. Get your maturity score, identify your top gaps, and generate a remediation roadmap — free, no account required.
Take the free Essential Eight assessment →October 2024 Essential Eight Updates
The ASD updated the Essential Eight Maturity Model in October 2024. The key changes affect organisations targeting ML2 and ML3 and reflect the evolving threat landscape — particularly around phishing-resistant authentication and patch management timelines.
Phishing-resistant MFA now required at ML2
The 2024 update moves phishing-resistant MFA (hardware tokens or passkeys) from ML3 to ML2 for privileged accounts. SMS and authenticator app codes are no longer sufficient at ML2 for admin accounts.
Tightened patch timelines
ML2 now requires critical patches on internet-facing services to be applied within 48 hours (down from two weeks). Organisations with internet-facing infrastructure need automated patch management to meet this requirement.
Clarified backup requirements
The update provides clearer guidance on backup isolation requirements — backups must be demonstrably protected from modification and deletion by ransomware, not just "offline".
Expanded application control scope
ML1 now includes driver-based control requirements to address the growing use of vulnerable signed drivers in ransomware attacks.
Essential Eight FAQs
What is the ACSC Essential Eight?
The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and recommended by the Australian Cyber Security Centre (ACSC). It is the primary cybersecurity baseline framework for Australian organisations, covering application control, patch management, multi-factor authentication, and five other controls.
Is the Essential Eight mandatory for Australian businesses?
The Essential Eight is mandatory for all non-corporate Commonwealth entities under the Protective Security Policy Framework. For private sector businesses it is strongly recommended and is increasingly required by government contractors, enterprise clients, and cyber insurers.
What are the three Essential Eight maturity levels?
Maturity Level 1 targets adversaries using commodity techniques and is the minimum baseline for most organisations. Maturity Level 2 targets adversaries using more advanced techniques and is required for organisations handling sensitive data. Maturity Level 3 targets sophisticated adversaries and represents the highest level of Essential Eight implementation.
How long does it take to implement the Essential Eight?
Timeline varies significantly by starting point and target maturity level. Organisations starting from scratch typically take 3–6 months to reach ML1, and 6–18 months to reach ML2. The first step is always a gap assessment to understand where you stand.
What is the difference between ASD and ACSC?
The Australian Signals Directorate (ASD) is Australia's national cybersecurity and foreign intelligence agency. The Australian Cyber Security Centre (ACSC) is a part of the ASD that focuses on improving cybersecurity across Australia. Both names are used in Essential Eight documentation — they refer to the same organisation for practical purposes.
Know where your business stands
71 questions. Free. No account required. Get your Essential Eight maturity score and top gaps in 15 minutes.
Start free assessmentPaid gap report and policy templates available after assessment