The framework

What the Essential Eight is

The Essential Eight is a set of eight specific cyber security mitigation strategies developed by the Australian Signals Directorate (ASD) and published through its Australian Cyber Security Centre (ACSC). The eight were chosen because, applied together, they prevent or sharply limit the impact of the large majority of common cyber attacks against Australian organisations.

Eight controls, three maturity levels. A measurable, government-derived position you can hold any IT provider accountable to.

The framework was first published in 2017 and the accompanying maturity model has been revised several times since to reflect changes in the threat landscape, most recently in November 2023. The current guidance is maintained at cyber.gov.au/essential-eight. This page summarises the framework in plain English from a business owner’s perspective; the official source is always the authoritative reference.

The eight

The eight mitigation strategies

The first four prevent malware from being delivered and executed. The next three limit the extent of an incident when something gets through. The eighth supports recovery of data and system availability. All eight together are the framework.

01

Application control

Only approved applications are allowed to run. Stops users (and attackers) launching arbitrary executables, scripts and installers on managed devices. Removes a large category of malware from the equation entirely.

02

Patch applications

Internet-facing services, office suites, web browsers, email clients, PDF software and security products are patched against known vulnerabilities promptly. Under the current maturity model, internet-facing services must be patched within 48 hours for critical or actively exploited vulnerabilities even at ML1, and within two weeks otherwise; the other applications get two weeks at ML1, tightening to 48 hours for critical or exploited vulnerabilities at ML2. Applications the vendor no longer supports are removed. Closes the windows attackers actively exploit.

03

Configure Microsoft Office macros

Office macros are disabled for users without a demonstrated business need, and macros in files that originated from the internet are blocked even for the sanctioned exceptions who do need them. Macro antivirus scanning is turned on and users cannot change the macro settings themselves. Macros are a long-standing entry point for malware delivered via Word and Excel attachments.

04

User application hardening

Web browsers are configured so they do not process Java or web advertisements from the internet, legacy browsers such as Internet Explorer 11 are disabled or removed, and users cannot change the browser security settings. Higher levels extend the hardening to Office and PDF software (for example, stopping them from spawning child processes). Reduces the attack surface that has nothing to do with what the user actually does at work.

05

Restrict administrative privileges

Administrative accounts are separated from day-to-day user accounts and only used when administrative tasks are required; requests for privileged access are validated when first made, and privileged accounts are blocked from browsing the internet and reading email. An attacker who compromises a normal account cannot escalate to admin without crossing additional barriers, and a phished admin cannot hand over a privileged session directly.

06

Patch operating systems

Operating systems are patched on a similar cadence to applications. Internet-facing servers and network devices: within 48 hours for critical or actively exploited vulnerabilities and within two weeks otherwise, from ML1. Workstations and internal servers: within one month at ML1, tightening to 48 hours and two weeks respectively at ML2. Operating system versions the vendor no longer supports are replaced.

07

Multi-factor authentication

MFA is required for users of the organisation’s own and third-party online services that handle its sensitive data (remote access and cloud email included), for customers of its online services, and, from ML2, for all users logging on to systems, privileged or not. A second factor the user possesses, such as an authenticator app, satisfies ML1; ML2 and above require phishing-resistant MFA such as FIDO2 security keys, passkeys or smart cards. Authenticator-app and SMS codes are not phishing-resistant, because a real-time phishing page can relay them.

08

Regular backups

Backups of important data, software and configuration settings are performed and retained on a defined schedule, synchronised so that everything can be restored to a common point in time. The backups are held securely and separately from the systems they protect, ordinary user accounts cannot modify or delete them (at higher levels, neither can administrators), and restoration is tested as part of disaster recovery exercises.
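The check a practitioner wants for strategy 03 is whether the macro settings are actually enforced by policy rather than merely present on the device. The script below is an added example, not ASD guidance and not Agile IT code. It assumes Office 2016 or later (registry version 16.0) and that macro policy is delivered by Group Policy or Intune into HKCU\Software\Policies, the hive users cannot edit; it reads the standard Office policy values VBAWarnings, blockcontentexecutionfrominternet and MacroRuntimeScanScope, which map onto the four ML1 macro requirements (macros disabled for users without a business need, macros in internet-sourced files blocked, macro antivirus scanning on, settings not user-changeable).

```powershell
<#
  Added example (not ASD guidance or Agile IT code): audits the Office macro policy
  values on a Windows device against the Essential Eight ML1 macro requirements.
  Assumptions: Office 2016 or later / M365 Apps (registry version 16.0), and policy
  delivered via Group Policy or Intune into HKCU\Software\Policies. Run as the user
  whose effective policy you want to assess.
#>
param(
    # Sanctioned exceptions (users with a demonstrated business need) may run
    # digitally signed macros only, which is VBAWarnings = 3 rather than 4.
    [switch]$AllowSignedMacros
)

$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'Word', 'Excel', 'PowerPoint'   # apps whose Security key carries both values below

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not enforced by policy.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Scope, [string]$Requirement, $Actual, [string]$Expected, [bool]$Pass)
    [pscustomobject]@{
        Scope       = $Scope
        Requirement = $Requirement
        Actual      = if ($null -eq $Actual) { 'not set by policy' } else { $Actual }
        Expected    = $Expected
        Status      = if ($Pass) { 'PASS' } else { 'FAIL' }
    }
}

$findings = @(foreach ($app in $apps) {
    $sec = "$policyRoot\$app\Security"

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $vba = Get-PolicyValue $sec 'VBAWarnings'
    $okVba = if ($AllowSignedMacros) { $vba -in @(3, 4) } else { $vba -eq 4 }
    $expectedVba = if ($AllowSignedMacros) { '3 or 4' } else { '4' }
    New-Finding $app 'Macros disabled for users without a business requirement' $vba $expectedVba $okVba

    # Mark-of-the-Web check: macros in files downloaded from the internet are blocked outright.
    $blk = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
    New-Finding $app 'Macros in files from the internet are blocked' $blk '1' ($blk -eq 1)
})

# AMSI runtime scanning of macro behaviour: 0 = off, 1 = low-trust documents only, 2 = all documents.
$scan = Get-PolicyValue "$policyRoot\Common\Security" 'MacroRuntimeScanScope'
$findings += New-Finding 'Office (common)' 'Macro antivirus scanning enabled' $scan '2' ($scan -eq 2)

$findings | Format-Table -AutoSize

# A value found only under HKCU\Software\Microsoft\Office (outside \Policies) is user-editable
# and does not satisfy "settings cannot be changed by users", which is why only the
# Policies hive is consulted above.
$failed = @($findings | Where-Object Status -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed macro setting(s) are not enforced to ML1."; exit 1 }
```

Run it in the context of the user being assessed, and pass -AllowSignedMacros for the sanctioned exceptions, who at ML2 may run only macros from trusted publishers or trusted locations. A setting that a user can still flip back in the Trust Center is a finding, regardless of what it currently reads.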

The three levels

Choose the maturity level that fits your risk profile

The Essential Eight is implemented at one of three maturity levels. The right level for your business is the one that matches the threats you realistically face and the obligations you carry.

Maturity Level 1

Opportunistic attackers

Defends against unsophisticated, opportunistic actors using widely available tools and known vulnerabilities. The realistic threat for most Australian small and medium businesses, every week.

Maturity Level 2

Moderately skilled attackers

Defends against attackers willing to invest time and effort, target a specific organisation, and adapt their tactics. Typical for businesses with valuable data, supplier-chain obligations, or regulated industries.

Maturity Level 3

Well-resourced, persistent attackers

Defends against well-resourced adversaries who adapt their tradecraft to the target and rely far less on public tooling, including state-sponsored and other persistent threat groups. Typically pursued by entities holding classified or critical-infrastructure information. Significant operational investment.

For most SMBs

Aim for Maturity Level 1 first

ML1 across all eight strategies closes the most common attack paths and is achievable as part of a standard managed service. ML2 follows when there is a specific obligation that demands it.

Essential Eight or SMB1001?

The frameworks complement each other

People sometimes ask which framework their business should follow. The honest answer is both, where appropriate. They were designed for different jobs and they fit together rather than compete.

SMB1001 is broader. It covers identity, email, endpoints, data and governance for Australian small and medium business, with a tiered maturity progression that starts at Bronze and rises through Silver and Gold. It is the framework that defines a complete SMB security posture.

The Essential Eight is deeper on the technical controls. It specifies eight specific strategies, three maturity levels, and explicit requirements for what each level demands. It is the framework cyber insurers and government supply chains reference most often.

A business pursuing SMB1001 Silver will typically be at or close to Essential Eight ML1 across most of the strategies. A business specifically required to demonstrate Essential Eight compliance will benefit from the broader policy and process structure SMB1001 provides.

SMB1001 defines the security posture.
The Essential Eight defines the technical controls.
Together they describe a business that takes security seriously.

How Agile IT aligns

AgileSECURE implements both frameworks as a managed service

Reading about the Essential Eight is one thing. Having eight technical controls deployed, configured to the right maturity level, and maintained week after week as the threat landscape evolves is a different exercise.

Technical implementation

Application control, OS and application patching, macro lockdown, user application hardening, restricted admin privileges, MFA enforcement and managed backups are deployed as part of AgileSECURE within a typical AgileMANAGED engagement.

Ongoing maintenance

Patches applied on the cadence the maturity level requires. Backup restorations tested quarterly. MFA enrolment monitored across the user base. The configuration does not drift over time because someone is responsible for keeping it current.

Reporting and review

Posture against the Essential Eight is reviewed as part of the quarterly business management review on AgileCOMPLETE. Movements between maturity levels are deliberate, documented, and tied to the business reasons that drove the change.

Questions

Common questions about the Essential Eight

Is the Essential Eight mandatory for my business?
It is mandatory for non-corporate Commonwealth entities, which the Protective Security Policy Framework requires to implement the Essential Eight to Maturity Level 2. For state/territory governments, private business and not-for-profits it is recommended but not required. In practice, however, cyber insurance underwriters and large client/supplier contracts increasingly reference the Essential Eight, making it a de-facto requirement for many businesses.
What maturity level should we aim for?
Most small and medium businesses should aim for Maturity Level 1 across all eight strategies as a practical, proportionate starting point. ML1 addresses the most common attack types and is achievable within a standard managed service. ML2 is appropriate for businesses with sensitive client data, regulated industries, or supplier-chain attestation requirements. ML3 is typically only required for entities facing state-level threats.
How long does it take to reach ML1?
It varies with the starting position. A business already on Microsoft 365 with managed devices may be at or close to ML1 across most strategies, with specific gaps that take 2 to 6 weeks to close. A business with unmanaged devices, no MFA, no backup discipline and unpatched systems may need 8 to 16 weeks of remediation before ML1 is realistic. The first step is always an honest assessment of the current posture.
Does Microsoft 365 give us the Essential Eight by default?
Microsoft 365 ships most of the tooling an ML1 posture needs: Entra ID MFA and Conditional Access, Defender for Endpoint and Defender for Office 365, Intune to drive patching and to deploy application control policies (AppLocker or Windows Defender Application Control), and Office policy settings for the macro lockdown. Two caveats. Having the controls available is not the same as having them configured, enforced, and maintained; the most common gap we find in audits is an M365 environment with the right tooling but the wrong configuration. And OneDrive and SharePoint versioning and retention are not, on their own, the separately held, restore-tested backup the framework expects.
How is this different from SMB1001?
SMB1001 is a broader Australian framework built for SMBs, covering identity, email, endpoints, data, and governance with a tiered maturity progression that starts at Bronze and rises through Silver and Gold. The Essential Eight focuses on eight specific technical mitigation strategies with three maturity levels, derived from government practice. The two complement each other: SMB1001 gives the broader posture and process structure; the Essential Eight gives the technical control depth.
Where can I read the official guidance?
The authoritative source is the ACSC at cyber.gov.au/essential-eight. The Essential Eight Maturity Model is published as a PDF that defines exactly what each maturity level requires for each of the eight strategies. Anyone implementing the framework should reference the official guidance directly.

Want to know where your business sits against the Essential Eight?

The free 30-minute Security Review assesses your current position and identifies which of the eight strategies are in place and which need work. No tools, no system access, no jargon.

Book a Security Review
1300 859 910 Book a Conversation