Overview
The Essential Eight is a set of baseline cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) to help organizations protect against common cyber threats. Originally part of the broader "Strategies to Mitigate Cyber Security Incidents" list, the Essential Eight were identified as the most effective controls against the majority of targeted cyber intrusions. Since July 2022, compliance with the Essential Eight at Maturity Level 2 is mandatory for all Commonwealth (federal government) entities, with Maturity Level 3 increasingly expected for high-risk environments.
The Essential Eight Strategies
| Strategy | Category | Purpose |
|---|---|---|
| Application Control | Prevent Malware | Only approved applications can execute on systems |
| Patch Applications | Prevent Malware | Apply security patches to applications within defined timeframes |
| Configure Microsoft Office Macros | Prevent Malware | Block or restrict macros from untrusted sources |
| Application Hardening | Prevent Malware | Disable unnecessary features in web browsers and other applications |
| Restrict Administrative Privileges | Limit Extent | Minimize the number and scope of privileged accounts |
| Patch Operating Systems | Limit Extent | Apply OS security patches within defined timeframes |
| Multi-factor Authentication | Limit Extent | Require MFA for privileged access and internet-facing services |
| Regular Backups | Recover Data | Maintain and test backups to enable recovery from incidents |
Maturity Level Progression
The Essential Eight Maturity Model defines four maturity levels (0 through 3). Maturity Level 0 means there are weaknesses that an adversary could exploit. Maturity Level 1 is partly aligned with the intent of the strategy and focuses on defense against commodity threats using publicly available tradecraft. Maturity Level 2 is mostly aligned and defends against adversaries with modest investment in targeting and tradecraft. Maturity Level 3 is fully aligned and defends against adversaries with significant capability targeting the organization. Organizations should assess their current maturity across all eight strategies and develop a roadmap to reach the target level consistently across all controls, since addressing only some strategies while ignoring others leaves gaps that sophisticated attackers will find.
Implementation Priorities
- Conduct a baseline assessment across all eight strategies to determine your current maturity level
- Deploy application control on all workstations and servers, starting with user-facing systems
- Implement automated patch management for both applications and operating systems with 48-hour SLAs for critical patches
- Disable Microsoft Office macros for users who do not have a demonstrated business need
- Harden web browsers by disabling Flash, Java, and unnecessary add-ons
- Audit and restrict administrative privileges to only personnel who require them for their role
- Deploy multi-factor authentication across all privileged accounts, remote access, and internet-facing services
- Implement a 3-2-1 backup strategy with regular testing of backup restoration procedures
- Automate compliance monitoring to track maturity level across all strategies continuously
Patching Timeframes by Maturity Level
| Maturity Level | Internet-facing Applications | Non-internet Applications | OS Patches |
|---|---|---|---|
| Level 1 | Within 1 month | Within 1 month | Within 1 month |
| Level 2 | Within 2 weeks | Within 1 month | Within 2 weeks |
| Level 3 | Within 48 hours | Within 2 weeks | Within 48 hours |
Assessment and Reporting
Commonwealth entities must undergo independent assessment against the Essential Eight Maturity Model as part of their annual cyber security posture reporting. The assessment results feed into the Australian Government's overall cyber resilience reporting. Organizations using the Essential Eight voluntarily should still conduct regular self-assessments using ASD's published assessment guide. Track maturity across each strategy individually rather than averaging scores, because a single strategy at Maturity Level 0 can undermine the effectiveness of the others.
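As an added illustration (not part of this page or of ASD's assessment guide), the script below scores constructed patch records against the patching timeframe table above and then combines per-strategy results by minimum rather than average, which is why a single late OS patch drags the overall result to Level 0. It assumes "1 month" means 30 days, "2 weeks" 14 days and "48 hours" 2 days; all patch records are made up.

```python
"""Score patch timeliness and combine Essential Eight maturity per strategy.

Constructed example: deadlines follow the page's patching table; the patch
records are sample data, not real assessment output.
"""
from datetime import date, timedelta

# Maximum allowed delay per maturity level, per patch class (assumption:
# "1 month" = 30 days, "2 weeks" = 14 days, "48 hours" = 2 days).
DEADLINES = {
    "internet_facing_app": {1: timedelta(days=30), 2: timedelta(days=14), 3: timedelta(days=2)},
    "non_internet_app":    {1: timedelta(days=30), 2: timedelta(days=30), 3: timedelta(days=14)},
    "os":                  {1: timedelta(days=30), 2: timedelta(days=14), 3: timedelta(days=2)},
}

def patch_level(patch_class, released, applied):
    """Highest level whose deadline this patch met; 0 if unapplied or past Level 1."""
    if applied is None:
        return 0
    delay = applied - released
    met = [lvl for lvl, limit in DEADLINES[patch_class].items() if delay <= limit]
    return max(met, default=0)

def strategy_level(records, classes):
    """A patching strategy scores as its worst single patch: the timeframe must
    be met consistently, so one late patch caps the level. No records -> 0."""
    levels = [patch_level(c, r, a) for c, r, a in records if c in classes]
    return min(levels, default=0)

def overall_maturity(per_strategy):
    """Organisation level is the minimum across strategies, never the average:
    one strategy at Level 0 leaves a gap whatever the others score."""
    return min(per_strategy.values())

# Constructed sample: (patch class, vendor release date, date applied).
SAMPLE = [
    ("internet_facing_app", date(2024, 3, 1), date(2024, 3, 2)),   # 1 day   -> Level 3
    ("internet_facing_app", date(2024, 3, 5), date(2024, 3, 15)),  # 10 days -> Level 2
    ("non_internet_app",    date(2024, 3, 1), date(2024, 3, 20)),  # 19 days -> Level 2
    ("os",                  date(2024, 3, 1), date(2024, 4, 10)),  # 40 days -> Level 0
]

def assess(records=SAMPLE):
    """Return (per-strategy levels, overall level) for the two patching strategies."""
    per_strategy = {
        "Patch Applications": strategy_level(records, {"internet_facing_app", "non_internet_app"}),
        "Patch Operating Systems": strategy_level(records, {"os"}),
    }
    return per_strategy, overall_maturity(per_strategy)

if __name__ == "__main__":
    print(assess())
```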
Frequently Asked Questions
Is the Essential Eight mandatory for private sector organizations?
The Essential Eight is mandatory for non-corporate Commonwealth entities at Maturity Level 2. For private sector organizations, it is a recommended framework rather than a regulatory requirement. However, some industry regulations (such as APRA CPS 234) reference ASD guidance, making it effectively expected for regulated financial institutions.
Should we aim for Maturity Level 3 across all strategies?
Not necessarily. The target maturity level should be based on your organization's threat profile and risk appetite. Maturity Level 2 is appropriate for most organizations. Level 3 is designed for organizations facing sophisticated, targeted attacks, such as government agencies, critical infrastructure, and defense contractors.
How does Essential Eight relate to NIST CSF?
The Essential Eight focuses on eight specific technical controls, while NIST CSF is a broader governance and risk management framework. They complement each other well. Many Australian organizations use NIST CSF for overall cybersecurity governance and the Essential Eight as the core technical control set.
What is the biggest challenge in implementing application control?
Application control (whitelisting) is consistently rated as the hardest strategy to implement because it requires a thorough inventory of all approved applications, ongoing maintenance of the whitelist, and change management processes. Starting with user workstations rather than servers helps build experience before tackling more complex environments.
How often should we reassess our maturity level?
Conduct a formal assessment at least annually. Additionally, reassess whenever there are significant changes to your IT environment, new threat intelligence indicating changes in the threat landscape, or after a security incident that reveals control gaps.