The Australian Signals Directorate's Essential Eight is, in our experience, the most useful starting point for an Australian organisation that wants to materially reduce cyber risk without ending up in a multi-year transformation programme. Eight mitigation strategies. Four maturity levels (zero through three). Designed for the threat landscape we actually face.

The eight controls

The Essential Eight is published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It groups eight mitigation strategies that, together, address the majority of cyber incidents seen across Australian organisations.

  1. Application control — only approved applications can execute.
  2. Patch applications — security updates for applications applied within defined windows.
  3. Configure Microsoft Office macro settings — macros disabled by default; only signed or trusted macros allowed.
  4. User application hardening — browsers, PDF readers, and email clients configured to reduce attack surface.
  5. Restrict administrative privileges — admin rights granted explicitly, time-bound, and reviewed.
  6. Patch operating systems — security updates for operating systems applied within defined windows.
  7. Multi-factor authentication — MFA for users, particularly for remote access and privileged actions.
  8. Regular backups — backups taken, tested, and protected from compromise of the production environment.

Maturity levels: where to start

The Essential Eight Maturity Model defines four maturity levels (0 through 3). Level 0 is the floor; Levels 1 to 3 are defined by the adversary tradecraft each is intended to mitigate, and each is harder to achieve than the one before:

  • Maturity Level 0 — weaknesses in the organisation's overall posture; the control does not meet the Level 1 requirements.
  • Maturity Level 1 — mitigates malicious actors content to use widely available commodity tradecraft.
  • Maturity Level 2 — mitigates actors with a modest step-up in capability, willing to invest more time in a target and in the effectiveness of their tools.
  • Maturity Level 3 — mitigates more adaptive actors who are much less reliant on public tools and techniques.

Most Australian SMEs realistically need to land at Maturity Level 1 across all eight first, before chasing Level 2 in any single control. This is also ASD's own guidance: reach a consistent maturity level across all eight before raising any of them. Uneven maturity profiles — Level 3 backups beside Level 0 application control — do not provide proportionate protection, because an adversary simply uses the weakest control as the entry point.

Where Essential Eight programmes typically stall

Application control. The control with the largest impact tends to be the hardest to operationalise. Modern application control tooling has improved dramatically, but it still requires discipline to maintain allowlists without breaking the business.

Patching cadence. Patching is not technically hard. It is organisationally hard. The constraint is rarely the tooling; it is the change-management process and the lack of an authoritative inventory.

Privileged access. Many organisations declare success on this control by enabling MFA on Domain Admin accounts, but leave standing local admin everywhere. Just-in-time, just-enough administration with proper logging is the destination.
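The gap described above is easy to measure. The following is an added example, not code from the original article: a PowerShell sweep that inventories standing membership of the local Administrators group on a set of Windows hosts and flags anything outside an expected list. It assumes PowerShell Remoting (WinRM) is enabled, the caller has administrative rights on the targets, and the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 / Server 2016 and later). The host names and the expected-member list are placeholders to be replaced with your own inventory.

```powershell
# Added example (not from the original article): find standing local admin membership,
# so that "MFA on Domain Admins" is not mistaken for meeting Restrict Administrative Privileges.
# Assumptions: WinRM enabled, caller has rights on the targets, LocalAccounts cmdlets present.

$Hosts = @('WKS-001', 'WKS-002', 'SRV-APP-01')   # placeholder host names; replace with your inventory

# Principals expected to hold local admin and therefore not flagged. Adjust for your
# environment (e.g. a LAPS-managed local account, a tiered admin group).
$Expected = @('Administrator', 'Domain Admins')

$Results = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    # Resolve the group by well-known SID so this also works on localised Windows builds.
    $Group = Get-LocalGroup -SID 'S-1-5-32-544'
    Get-LocalGroupMember -Group $Group | ForEach-Object {
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Member      = $_.Name            # e.g. CONTOSO\jsmith or WKS-001\helpdesk
            ObjectClass = $_.ObjectClass     # User or Group
            Source      = $_.PrincipalSource # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        }
    }
}

# Flag anything not on the expected list. Compare the leaf name so that both
# 'CONTOSO\Domain Admins' and a local 'Administrator' match their expected entries.
$Unexpected = $Results | Where-Object {
    $leaf = ($_.Member -split '\\')[-1]
    $Expected -notcontains $leaf
}

$Unexpected | Sort-Object Host, Member | Format-Table Host, Member, ObjectClass, Source -AutoSize

# Summary line: how many hosts carry at least one unexpected standing admin.
$HostsWithStandingAdmin = @($Unexpected | Select-Object -ExpandProperty Host -Unique).Count
"{0} of {1} hosts have unexpected standing local admin membership" -f $HostsWithStandingAdmin, $Hosts.Count
```

Two caveats from running this in practice: Get-LocalGroupMember can fail on a host whose Administrators group contains an orphaned SID (a deleted domain account), so treat a remoting error as a finding rather than noise; and a nested group such as a helpdesk group appears as one ObjectClass = Group row, so expand it in Active Directory before deciding it is acceptable. The output is the baseline you measure against when moving to just-in-time, time-bound elevation.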

How Essential Eight relates to ISO 27001

The Essential Eight is a set of technical mitigations. ISO 27001 is a management system that decides, among other things, which technical mitigations to implement and how their effectiveness is monitored. They are complementary. An organisation pursuing ISO 27001 certification will typically select the Essential Eight as risk treatments during risk assessment, and the evidence an auditor wants for the relevant Annex A controls (privileged access, malware protection, patching, backup, authentication) is largely the same evidence an Essential Eight assessment produces.

A pragmatic 12-month programme

  1. Baseline assessment against all eight controls. Be honest; auditors and adversaries both will be.
  2. Address quick wins (MFA, OS patching cadence, admin privilege review) in the first quarter.
  3. Stand up application control in monitoring mode in the second quarter; cut over once allowlists are stable.
  4. Improve backup verification and test restoration end-to-end in the third quarter — not just the existence of the backup.
  5. Re-assess at month 12. Decide whether to invest in Level 2 maturity in any specific control based on the threats you actually face.
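Step 3 is where the application control stall described earlier usually shows up: monitoring mode produces events, nobody reviews them, and the cut-over date slips. The following is an added example, not code from the original article, showing how that review can be done for AppLocker on Windows. It assumes an AppLocker policy has already been applied in AuditOnly mode, the assessment runs locally on the host being reviewed, and only the EXE and DLL rule collection is examined (scripts, installers and packaged apps log to their own channels and need the same treatment). The 30-day window and the output file name are assumptions.

```powershell
# Added example (not from the original article): triage AppLocker audit-mode telemetry
# before cutting over from monitoring to enforcement. Assumptions: policy already applied
# in AuditOnly mode, run locally on the assessed host, EXE and DLL collection only.

# 1. The Application Identity service must be running, or AppLocker generates no events at all.
$AppId = Get-Service -Name AppIDSvc
if ($AppId.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($AppId.Status); AppLocker audit events will not be generated."
}

# 2. Confirm what the effective policy actually enforces. Expect AuditOnly during monitoring.
$Policy = Get-AppLockerPolicy -Effective
$Policy.RuleCollections | ForEach-Object {
    "{0,-10} {1}" -f $_.RuleCollectionType, $_.EnforcementMode
}

# 3. Event ID 8003 = allowed to run, but would have been blocked if the policy were enforced.
#    (8002 = allowed, 8004 = blocked under enforcement.) Look back over the monitoring window.
$Since  = (Get-Date).AddDays(-30)   # assumed window
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003
    StartTime = $Since
} -ErrorAction SilentlyContinue

$WouldBlock = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d.TargetUser    # SID of the launching user
        FilePath  = $d.FilePath      # AppLocker path variables, e.g. %OSDRIVE%\Users\...
        Publisher = $d.Fqbn          # signer\product\binary\version, or '-' when unsigned
        Hash      = $d.FileHash
    }
}

# 4. Group by publisher, falling back to path for unsigned binaries. Frequent, legitimate
#    signed entries become publisher rules; unsigned one-offs get a hash rule or stay blocked.
$WouldBlock |
    Group-Object { if ($_.Publisher -and $_.Publisher -ne '-') { $_.Publisher } else { $_.FilePath } } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'PublisherOrPath'; e = { $_.Name } } |
    Format-Table -AutoSize

# 5. Draft candidate rules from the audited events for human review. Publisher rules are
#    preferred; hash rules are generated only where no signature is available.
$Draft = Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml
$Draft | Out-File -FilePath '.\applocker-draft-from-audit.xml' -Encoding utf8   # assumed output path
```

The draft in step 5 is a starting point, not a policy: anything that ran during the monitoring window appears in it, including unwanted software and anything an attacker executed, so every generated rule needs a business owner before it is merged. Cut-over is then a matter of changing EnforcementMode from AuditOnly to Enabled in the reviewed XML and applying it with Set-AppLockerPolicy, ideally to a pilot group first. A control declared "implemented" while still in AuditOnly mode is at Maturity Level 0, however good the allowlist looks.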

If you would like an independent Essential Eight assessment that produces a costed remediation plan rather than a rating spreadsheet, we can help.