The Complete Guide to the Essential Eight for Australian Small Businesses
The ACSC Essential Eight is Australia's most widely recommended cybersecurity framework for businesses of all sizes. This guide explains what it is, why it matters, how the maturity levels work, and how to assess your business against it — for free.
What is the Essential Eight?
The Essential Eight is a set of eight cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). First published in 2017 and regularly updated, it represents the minimum baseline of controls that the ACSC recommends every Australian organisation implement to protect against the most common and damaging cyber threats.
The eight strategies were selected because, if implemented correctly, they mitigate the majority of cyber intrusions. The ACSC's analysis of real-world incidents shows that most successful attacks — from ransomware to business email compromise — could have been prevented if the targeted organisation had implemented even the basic level of the Essential Eight.
Unlike frameworks such as ISO 27001 or SOC 2 (which are primarily aimed at large enterprises and require significant audit overhead), the Essential Eight is designed to be practical and achievable for organisations of any size, including small businesses with no dedicated IT staff.
Why Does the Essential Eight Matter for Small Businesses?
Many small business owners assume they're too small to be targeted by cybercriminals. This is a dangerous misconception. Attackers don't primarily target businesses based on size — they target them based on vulnerability. An unpatched small business is just as easy to compromise as an unpatched large one, and SMBs often have weaker defences.
Cyber insurance: Most cyber insurance policies in Australia now ask about Essential Eight controls. Businesses that can demonstrate compliance typically receive lower premiums and fewer claim disputes.
Government tenders: Australian government agencies and large enterprises increasingly require suppliers to demonstrate Essential Eight compliance before awarding contracts.
Customer and partner trust: Clients in healthcare, legal, finance, and accounting are increasingly asking their suppliers about cybersecurity practices. The Essential Eight provides a recognised, credible standard to point to.
Real risk reduction: The ACSC estimates that implementing Essential Eight Maturity Level 2 prevents the vast majority of cyber intrusions, including most ransomware attacks.
Essential Eight Maturity Levels Explained
Each of the eight controls is assessed at one of four maturity levels (ML0 through ML3). Your overall Essential Eight maturity level is the lowest level at which you've fully implemented all eight controls.
ML0 — Initial
The organisation has not implemented the control, or the implementation has significant gaps. Vulnerable to most attacks.
ML1 — Basic
Foundational controls are in place. Reduces exposure to common opportunistic attacks (mass-distributed malware, credential stuffing, unpatched systems).
ML2 — Intermediate
Controls are applied consistently and comprehensively. Significantly reduces exposure to more targeted attacks. This is the recommended target for most SMBs.
ML3 — Advanced
Hardened implementation designed to protect against sophisticated, targeted attackers. Typically required for high-value targets and government agencies.
Practical target for SMBs: Aim for ML1 across all eight controls as your first milestone, then work towards ML2. Full ML2 compliance significantly reduces your risk and satisfies most insurance and tender requirements.
The Eight Controls — What They Mean in Practice
Here's a plain-English breakdown of each control, why it matters, and what implementation looks like for a typical Australian SMB.
Application Control
Only allow approved applications to run on your systems. Prevents malware and ransomware from executing.
Why it matters
Malware can only run if it can execute. Application control blocks unapproved programs — including malware that slips through email filters.
What it looks like for SMBs
Use Windows Defender Application Control (WDAC) or AppLocker on workstations. Block execution from user profile folders (AppData, Downloads, Temp).
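As an added example (not code from the page or from EssentialScore), here is a minimal AppLocker executable policy that does what the paragraph above describes: allow Program Files and Windows, carve user-writable Windows subfolders out of that allow, deny the whole user-profile tree, and start in audit mode so nothing is blocked until the logs have been reviewed. The rule GUIDs and output path are constructed for this example; it assumes an elevated PowerShell on a test workstation.

```powershell
# Added example, not from the page or from EssentialScore: a minimal AppLocker
# executable policy for an SMB workstation. Allows Program Files and Windows,
# carves user-writable Windows subfolders out of that allow, denies the whole
# user-profile tree, and starts in AuditOnly. Run in an elevated PowerShell on
# a test machine. Rule GUIDs and the output path are constructed placeholders.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- standard users can write here, so these must not inherit the allow
           (non-exhaustive: enumerate writable folders on your own image) -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow local admins anywhere"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny beats Allow in AppLocker: this covers AppData, Downloads, Desktop
         and %TEMP% (which lives under AppData\Local) even for administrators -->
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny user profiles"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'e8-applocker-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker only evaluates rules while the Application Identity service runs
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
# -Merge keeps any rule collections already on the machine; AuditOnly logs only
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Event ID 8003 = "would have been blocked". Review these for a few weeks, add
# publisher rules for legitimate per-user apps, then switch AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message
```

Expect some legitimate per-user software (browsers and collaboration tools that install under AppData) to show up as 8003 events; give those publisher rules rather than loosening the path deny.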
Patch Applications
Keep all software up to date. Apply critical patches within 48 hours.
Why it matters
Most successful cyberattacks exploit known vulnerabilities that already have patches available. Slow patching is one of the most common causes of breaches.
What it looks like for SMBs
Enable auto-updates for browsers, Office, Adobe Reader, and other common applications. Use Microsoft Intune or a similar tool to enforce patching across all devices.
Configure Microsoft Office Macros
Disable Office macros for users who don't need them. Block macros from the internet.
Why it matters
Macros in Word and Excel documents are one of the most common ways malware is delivered via phishing emails. A single click on a malicious document can compromise a network.
What it looks like for SMBs
In Microsoft 365 admin settings, disable macros for most users. Enable them only for staff with a legitimate need, and only from trusted, signed sources.
User Application Hardening
Remove or disable risky software like Flash, Internet Explorer, and Java in browsers.
Why it matters
Legacy software with known vulnerabilities creates easy entry points. Attackers actively target systems running end-of-life software.
What it looks like for SMBs
Remove Flash, disable IE, disable Java in browsers, block unnecessary browser extensions, and configure your PDF reader to block JavaScript.
Restrict Administrative Privileges
Limit admin access to only those who need it. Use separate accounts for admin tasks.
Why it matters
If an attacker compromises an admin account, they have the keys to your entire network. Limiting who has admin access limits the damage of any breach.
What it looks like for SMBs
Audit who has admin rights. Remove them from anyone who doesn't need them day-to-day. Require admins to use a separate account for privileged tasks and enable MFA on all admin accounts.
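The first step above, auditing who holds admin rights, as an added example that is not from the page or from EssentialScore: it lists every member of the local Administrators group, pulls enabled/last-logon detail for local accounts, and flags anything not on an approved list of dedicated admin principals. The approved names are constructed placeholders.

```powershell
# Added example, not from the page or from EssentialScore: audit the local
# Administrators group on this workstation and flag members that are not
# dedicated admin principals. Names in $approvedAdmins are constructed.
$approvedAdmins = @('CORP\IT-Admins', 'CORP\adm-alice')   # groups/accounts used only for admin tasks

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Classify well-known RIDs so the built-in account and domain admin groups are obvious
    $kind = switch -Regex ($m.SID.Value) {
        '-500$' { 'Built-in Administrator' }
        '-512$' { 'Domain Admins' }
        '-519$' { 'Enterprise Admins' }
        default { $m.ObjectClass }
    }
    # For local user accounts, add whether the account is enabled and when it last logged on
    $enabled = $null; $lastLogon = $null
    if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
        $u = Get-LocalUser -SID $m.SID
        $enabled = $u.Enabled; $lastLogon = $u.LastLogon
    }
    [pscustomobject]@{
        Member    = $m.Name
        Source    = $m.PrincipalSource
        Kind      = $kind
        Enabled   = $enabled
        LastLogon = $lastLogon
        Approved  = ($approvedAdmins -contains $m.Name) -or ($kind -eq 'Built-in Administrator')
    }
}
$report | Format-Table -AutoSize

# Anything unapproved is a candidate for removal, or for a separate admin account
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) of Administrators are not on the approved list:"
    $unexpected | ForEach-Object { Write-Warning "  $($_.Member) ($($_.Kind), $($_.Source))" }
}
# Remediation once confirmed, e.g.:
# Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\bob'
```

Run it across the fleet with Invoke-Command or as an Intune script and keep the output as audit evidence; on Microsoft Entra joined devices, older Windows PowerShell builds can fail to resolve cloud SIDs in Get-LocalGroupMember, in which case `net localgroup Administrators` gives the raw membership.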
Patch Operating Systems
Keep Windows, macOS, and other operating systems current. Replace end-of-life systems.
Why it matters
OS vulnerabilities are frequently targeted. Systems running Windows 7 or other unsupported versions cannot receive security patches and are effectively undefendable.
What it looks like for SMBs
Enable Windows Update and don't delay updates. Replace any devices still running Windows 7, 8, or Server 2008/2012. Use Intune or Group Policy to enforce update schedules.
Multi-Factor Authentication
Require MFA for all remote access, cloud services, and admin accounts.
Why it matters
Stolen passwords are the number one cause of account compromise. MFA means a stolen password alone isn't enough to break in.
What it looks like for SMBs
Enable MFA on Microsoft 365, Google Workspace, banking portals, and VPN. Use authenticator apps (not SMS) where possible. Make MFA mandatory — not optional.
Regular Backups
Back up important data daily. Store at least one copy offline. Test your backups.
Why it matters
Ransomware's only leverage is your data. If you have clean, tested, offline backups, a ransomware attack becomes a recovery exercise instead of a catastrophe.
What it looks like for SMBs
Use cloud backup (Microsoft 365 Backup, Backblaze) plus an offline or air-gapped copy. Test restoration at least quarterly — an untested backup is an assumption, not a safety net.
Common Mistakes Australian SMBs Make with the Essential Eight
Treating it as a one-time exercise
The Essential Eight is not a box to tick — it's an ongoing practice. Software changes, new staff join, systems get added. Your maturity level needs regular reassessment, ideally quarterly.
Focusing on the easy controls and ignoring the hard ones
Application control and restricting admin privileges are the hardest to implement but among the most effective. Many businesses score well on backups and patching but leave application control unaddressed — creating a significant gap.
Conflating "we have antivirus" with "we're secure"
Antivirus is not in the Essential Eight for good reason — it's necessary but not sufficient. Modern ransomware regularly evades antivirus. Application control, patching, and backups are more effective defences.
Not having documented policies
Technical controls without policy documentation can't be audited, taught to staff, or enforced consistently. Insurance claims and tender assessments often require written policies — not just technical evidence.
How to Assess Your Essential Eight Maturity
The ACSC provides guidance documents and a self-assessment spreadsheet, but these are designed for security professionals and are difficult for non-technical staff to complete accurately.
EssentialScore provides a free, plain-English self-assessment tool that guides you through 71 questions covering all eight controls. Your answers are scored in your browser — nothing is sent to a server. You'll get an overall maturity score, a radar chart showing your strengths and gaps, and a list of the specific policies your organisation needs.
Frequently Asked Questions
Is the Essential Eight mandatory for small businesses?
Not in most cases. It is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). However, cyber insurers, large enterprise customers, and government procurement increasingly treat it as a de facto requirement even for private sector SMBs.
How long does it take to implement the Essential Eight?
For a typical 10-50 person business using Microsoft 365, achieving ML1 across all controls can be done in 4-8 weeks with focused effort. ML2 typically takes 3-6 months. The biggest time investments are application control configuration and admin privilege remediation.
Do I need a consultant to implement the Essential Eight?
Not necessarily. ML1 implementation is achievable with a capable IT person (internal or MSP) and the right documentation. However, application control and privileged access management can be technically complex, and many businesses engage an IT security specialist for those components.
How often should I reassess my Essential Eight maturity?
The ACSC recommends at least annually for most organisations, but quarterly is better practice. Any significant change to your IT environment (new software, new staff, new systems) should trigger a reassessment of affected controls.
What's the difference between the Essential Eight and ISO 27001?
ISO 27001 is a comprehensive information security management standard that covers governance, risk management, and 93 controls. It requires formal auditing and certification. The Essential Eight is a practical, operational framework focused on 8 specific technical controls. For most Australian SMBs, the Essential Eight is the right starting point; ISO 27001 is appropriate if you need international certification or work with enterprise customers who require it.
Ready to find out where you stand?
Take the free EssentialScore assessment — 71 questions, ~15 minutes, no signup required. Get your score, identify your gaps, and see exactly which policies you need.