Introduction to the ASD Essential Eight
The ASD Essential Eight is a prioritised set of eight mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It is designed to help organisations protect their Microsoft Windows-based, internet-connected networks against the most prevalent and damaging cyber threats, including ransomware, business email compromise, credential theft and targeted intrusions by state-sponsored actors. The Essential Eight distils the broader ASD Strategies to Mitigate Cyber Security Incidents into eight foundational controls that, when implemented together and to a defined maturity level, deliver a strong baseline of cyber resilience.
Unlike prescriptive certification schemes such as PCI DSS or ISO/IEC 27001, the Essential Eight is a guidance framework accompanied by the Essential Eight Maturity Model (E8MM). The maturity model expresses each of the eight strategies across four maturity levels (Maturity Level Zero through Maturity Level Three), with each level representing an increasing degree of sophistication in the adversary that the controls are intended to withstand. Organisations self-assess or are independently assessed against a chosen target maturity level based on their threat exposure and risk appetite.
This guide provides an auditor-grade, control-by-control walkthrough of the Essential Eight and its maturity model. It is written for security leaders, GRC teams, internal auditors and assessors who need to plan, implement, evidence and independently verify an Essential Eight programme. Each of the eight mitigation strategies is examined with the specific verification points and typical evidence artefacts an assessor would expect to see at each maturity level.
What is the Essential Eight
The Essential Eight comprises eight mitigation strategies grouped into three overarching cyber security objectives. The strategies were selected by the ASD because, based on its extensive incident response experience, they are the most effective and cost-efficient controls for preventing, limiting and recovering from cyber security incidents affecting Windows environments.
The three objectives and their constituent strategies are:
- Prevent cyber security incidents (malware delivery and execution): Application Control, Patch Applications, Configure Microsoft Office Macro Settings, and User Application Hardening.
- Limit the extent of cyber security incidents: Restrict Administrative Privileges, Patch Operating Systems, and Multi-Factor Authentication.
- Recover data and system availability: Regular Backups.
The Essential Eight is deliberately holistic: the ASD's guidance is that the eight strategies should be implemented as a package rather than piecemeal, because gaps in one strategy can undermine the protection offered by others. For example, restricting administrative privileges provides limited benefit if patching of operating systems is neglected and an attacker can escalate through an unpatched kernel vulnerability. Consequently, the maturity model is assessed holistically: an organisation's overall Essential Eight maturity is generally taken as the lowest maturity level achieved across all eight strategies, discouraging cherry-picking of easy wins.
The Essential Eight primarily targets Microsoft Windows internet-connected corporate networks. While many of the underlying principles apply to other operating systems, cloud services, operational technology and mobile devices, the ACSC provides separate guidance for those environments, and the Essential Eight Maturity Model's specific technical prescriptions are Windows-centric.
Who must comply with the Essential Eight
The Essential Eight is mandatory for many Australian Government entities and is strongly recommended for the wider economy. Applicability varies by sector and by the instruments that reference it.
| Organisation type | Nature of obligation |
|---|---|
| Australian Government non-corporate Commonwealth entities (NCEs) | Mandated under the Protective Security Policy Framework (PSPF) to implement the Essential Eight (historically to Maturity Level Two as a baseline), with reporting obligations. |
| Corporate Commonwealth entities and Government Business Enterprises | Strongly encouraged to apply the Essential Eight; often adopted contractually or by policy alignment with the PSPF. |
| State and territory government agencies | Frequently mandated or recommended through state-level protective security or cyber security policies that reference the Essential Eight. |
| Critical infrastructure operators (SOCI Act sectors) | Not directly named as the Essential Eight in the SOCI Act, but Essential Eight is widely used to demonstrate risk management under Critical Infrastructure Risk Management Program (CIRMP) obligations. |
| Government suppliers and contractors | Commonly required by procurement clauses to attest to a defined Essential Eight maturity level as a condition of contract. |
| Private sector enterprises and SMEs | Voluntary but widely adopted as a recognised baseline for cyber hygiene and for cyber insurance, board assurance and supply-chain attestation. |
Even where not legally mandated, organisations adopt the Essential Eight because it provides a defensible, well-recognised benchmark. Cyber insurers, boards, regulators and large customers increasingly ask suppliers to declare their Essential Eight maturity level, making it a de facto standard of due care in Australia.
Structure of the Essential Eight
The framework is structured around eight mitigation strategies, each mapped to one of three cyber security objectives, and each assessable across four maturity levels. The table below summarises the eight strategies, their objective and the core protective outcome each delivers.
| # | Mitigation strategy | Objective | Core protective outcome |
|---|---|---|---|
| 1 | Application Control | Prevent incidents | Prevents execution of unapproved or malicious executables, libraries, scripts, installers, HTML applications and control panel applets. |
| 2 | Patch Applications | Prevent incidents | Remediates known vulnerabilities in applications (especially internet-facing and productivity software) before they can be exploited. |
| 3 | Configure Microsoft Office Macro Settings | Prevent incidents | Blocks or restricts macros to prevent malicious code delivered through Office documents from executing. |
| 4 | User Application Hardening | Prevent incidents | Reduces attack surface in web browsers and applications (e.g. blocking Flash, ads, Java, and hardening browser and Office configurations). |
| 5 | Restrict Administrative Privileges | Limit incident extent | Minimises the number and scope of privileged accounts and controls their use to limit lateral movement and escalation. |
| 6 | Patch Operating Systems | Limit incident extent | Remediates known operating system vulnerabilities to prevent exploitation and privilege escalation. |
| 7 | Multi-Factor Authentication (MFA) | Limit incident extent | Requires multiple authentication factors to resist credential theft, phishing and reuse. |
| 8 | Regular Backups | Recover data and availability | Ensures important data, software and configurations are backed up, retained, tested and recoverable after an incident such as ransomware. |
Each strategy is expressed at four maturity levels. Maturity Level Zero indicates weaknesses in an organisation's overall cyber security posture; when exploited, these could facilitate compromise. Maturity Level One is oriented to adversaries using widely available, commodity tradecraft. Maturity Level Two targets adversaries willing to invest more time and effort, including in circumventing controls and using targeted phishing. Maturity Level Three addresses more adaptive adversaries who are less reliant on public tools, and who focus effort on specific targets and on evading detection.
Master assessment checklist
This is the core of the guide. Each of the eight mitigation strategies is broken down into the verification points an assessor must confirm and the typical evidence that substantiates them. The verification points are cumulative across maturity levels: Maturity Level Two builds on Level One, and Level Three builds on Level Two. Where a control differs materially by level, the level is noted. Assessors should sample across the estate (workstations, servers, internet-facing hosts, cloud tenancies) and corroborate policy with technical configuration and operational records.
Strategy 1 — Application Control
Application control restricts execution to an approved set of applications. The strategy covers executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, and increasingly Portable Executable rules and driver control at higher levels.
| What to verify | Typical evidence |
|---|---|
| Application control is implemented on workstations (ML1) and on internet-facing servers and other servers at higher levels, covering the defined file types (executables, libraries, scripts, installers, compiled HTML, HTML applications, control panel applets). | Application control solution deployment inventory; policy export from AppLocker/WDAC/third-party tool showing enforced (not audit-only) rules and covered file types. |
| Application control is applied to user profiles and temporary folders used by operating systems, browsers and email clients (ML1+). | Rule set showing enforcement in %TEMP%, download and profile directories; screenshots of blocked-execution attempts from these paths. |
| Allowed and blocked execution events are centrally logged (ML2) and protected from unauthorised modification and deletion; logs are monitored (ML3). | Log forwarding configuration to SIEM/central store; retention policy; sample alerts for blocked or anomalous execution; access controls on log store. |
| Microsoft's recommended application blocklist / vulnerable driver blocklist is implemented (ML2/ML3). | Configuration showing the recommended block rules and Microsoft vulnerable driver blocklist enforced; version/update records. |
| Application control rulesets are validated at least annually (ML3). | Annual review records; change tickets; before/after rule exports. |
Strategy 2 — Patch Applications
This strategy addresses timely patching of applications, prioritising internet-facing services and productivity software, and removal of unsupported applications.
| What to verify | Typical evidence |
|---|---|
| A vulnerability scanner with an up-to-date vulnerability database is used to identify missing patches at defined frequencies (daily for internet-facing services at higher levels). | Scanner configuration; scan schedules; feed/database update logs; scan reports. |
| Patches, updates or mitigations for internet-facing services are applied within 48 hours of release when an exploit exists, and within 2 weeks otherwise. | Patch deployment records with release and deployment timestamps; exception register with risk acceptance and compensating controls. |
| Patches for office productivity suites, web browsers and extensions, email clients, PDF software and security products are applied within 2 weeks (48 hours if exploited at higher levels). | Patch management reports for the specified application categories; SLA/KPI dashboards. |
| Patches for other applications are applied within one month. | Deployment reports for the broader application estate against the one-month SLA. |
| Applications that are no longer supported by vendors are removed. | Software inventory flagging end-of-life products; decommissioning/removal records. |
Strategy 3 — Configure Microsoft Office Macro Settings
This strategy controls the use of Microsoft Office macros, which are a common malware delivery vector, especially for those sourced from the internet.
| What to verify | Typical evidence |
|---|---|
| Microsoft Office macros are disabled for users who do not have a demonstrated business requirement. | Group Policy / configuration baseline showing macros disabled by default; list of users/groups with an approved business need. |
| Microsoft Office macros in files originating from the internet are blocked. | Configuration enforcing 'Block macros from running in Office files from the Internet'; Mark-of-the-Web handling settings. |
| Microsoft Office macro antivirus scanning (AMSI) is enabled (ML2+). | AMSI integration configuration; endpoint protection settings showing macro scanning active. |
| Only macros that are digitally signed by a trusted publisher, or run from a Trusted Location, are permitted where macros are required (ML2/ML3). | Trusted publisher certificate configuration; Trusted Locations list with restricted write access; signing process documentation. |
| Users cannot change Microsoft Office macro security settings, and macro settings are centrally enforced. | Locked-down GPO/Intune policy; verification that end users cannot alter the security level. |
| Allowed and blocked macro execution events are logged and monitored (ML2/ML3). | Log forwarding to SIEM; sample macro block/allow events; monitoring alerts. |
Strategy 4 — User Application Hardening
User application hardening reduces the attack surface of user-facing applications, principally web browsers, Microsoft Office and PDF software.
| What to verify | Typical evidence |
|---|---|
| Web browsers do not process Java from the internet and do not process web advertisements from the internet. | Browser policy configuration blocking Java applets and enforcing ad/content restrictions; deployment via GPO/Intune. |
| Internet Explorer 11 does not process content from the internet, and is disabled or removed where no longer required (ML1+). | Configuration disabling/removing IE11; enterprise mode/legacy browser policy. |
| Web browser security settings cannot be changed by users. | Locked browser policy; verification users cannot override protections. |
| Microsoft Office is blocked from creating child processes, creating executable content and injecting code into other processes (ML2/ML3). | ASR (Attack Surface Reduction) rules configuration in enforce mode; policy export listing enabled rules. |
| Microsoft Office is configured to prevent activation of OLE packages, and PDF software is hardened (blocked from creating child processes) (ML2/ML3). | OLE and PDF hardening configuration; ASR rule status. |
| ASD and vendor hardening guidance (e.g. ACSC hardening guides, Microsoft security baselines) is applied to browsers, Office and PDF readers (ML3). | Baseline compliance reports; configuration-as-code; deviations register. |
| Command-line process creation and PowerShell events are logged, and blocked/hardening events are monitored (ML2/ML3). | PowerShell script block/module logging config; command-line auditing; SIEM ingestion and alerts. |
Strategy 5 — Restrict Administrative Privileges
This strategy minimises privileged access, controls its use, and separates privileged from non-privileged operating environments to limit lateral movement and privilege escalation.
| What to verify | Typical evidence |
|---|---|
| Requests for privileged access are validated when first requested and revalidated on a regular basis (at least annually). | Access request and approval records; privileged access recertification/attestation reports. |
| Privileged accounts (excluding local admin) are prevented from accessing the internet, email and web services. | Configuration/network policy blocking internet and email for privileged accounts; proxy/firewall rules. |
| Privileged users use separate privileged and unprivileged operating environments; privileged accounts are not used for non-privileged tasks. | Privileged Access Workstation (PAW) design; account naming/segregation evidence; policy prohibiting dual-use. |
| Privileged and unprivileged operating environments are separated (e.g. privileged environment not virtualised within an unprivileged one) (ML2/ML3). | Architecture diagrams; tiered administration model documentation. |
| Just-in-time / time-limited privileged access is used, and unnecessary standing privileges are removed (ML2/ML3). | PIM/PAM configuration showing JIT elevation; standing-access review evidence. |
| Privileged access events, and privileged account and group management events, are centrally logged, protected and monitored (ML2/ML3). | Audit logs for privileged logons and group changes; SIEM use cases; alerting on anomalous privileged use. |
| Credentials for break-glass and service accounts are long, unique, unpredictable and managed (vaulted). | PAM vault records; break-glass procedure; secrets rotation evidence. |
Strategy 6 — Patch Operating Systems
This strategy ensures timely remediation of operating system vulnerabilities and removal of unsupported operating systems, paralleling Patch Applications but for OS components.
| What to verify | Typical evidence |
|---|---|
| A vulnerability scanner with an up-to-date database identifies missing OS patches at defined frequencies (daily for internet-facing at higher levels). | Scanner scope and schedule for OS; database update logs; OS vulnerability scan reports. |
| Patches, updates or mitigations for operating systems of internet-facing services are applied within 48 hours when an exploit exists, and within 2 weeks otherwise. | OS patch records with release/deployment timestamps for internet-facing hosts; exception register. |
| Patches for operating systems of workstations, servers and network devices are applied within 2 weeks (48 hours if exploited at higher levels). | Patch compliance dashboards for the workstation/server/network-device fleet. |
| The latest release, or a release no older than the previous release (N-1), of operating systems is used at higher levels. | Version inventory of operating systems; upgrade roadmap evidence. |
| Operating systems that are no longer supported by vendors are replaced. | EOL asset register; decommissioning/replacement records; isolation of any unavoidable legacy systems. |
Strategy 7 — Multi-Factor Authentication
MFA strengthens authentication against credential theft, phishing and reuse. Higher maturity levels require phishing-resistant MFA and broader coverage.
| What to verify | Typical evidence |
|---|---|
| MFA is used to authenticate users to internet-facing services (organisation's own and third-party services that process, store or communicate sensitive data). | MFA policy configuration for external services; enrolment reports; conditional access policies. |
| MFA is used to authenticate users of the organisation's internet-facing services and, at higher levels, to authenticate all users to systems and data. | MFA enforcement scope; coverage reports across privileged and unprivileged users. |
| MFA is used to authenticate privileged users and to authenticate users when accessing important data repositories (ML2+). | Conditional access/PAM MFA enforcement; logs of MFA challenges for privileged sessions. |
| MFA is phishing-resistant (e.g. FIDO2/WebAuthn, smartcards) at higher levels; weaker factors (e.g. SMS) are avoided. | MFA method inventory; policy mandating phishing-resistant factors; deprecation plan for SMS/voice. |
| Successful and unsuccessful MFA events are centrally logged, protected and monitored (ML2/ML3). | Authentication logs in SIEM; alerting on MFA failures, fatigue attacks and bypass attempts. |
Strategy 8 — Regular Backups
Regular backups ensure recovery of important data, software and configurations after an incident, and place strong emphasis on protecting backups from tampering and deletion by attackers.
| What to verify | Typical evidence |
|---|---|
| Backups of important data, software and configuration settings are performed and retained in accordance with business continuity requirements. | Backup policy defining scope, frequency and retention; backup job schedules and success reports; data criticality mapping. |
| Backups are synchronised to enable restoration to a common point in time. | Backup catalogue showing consistent recovery points; documented recovery point objectives (RPOs). |
| Restoration of data, applications and settings is tested as part of disaster recovery exercises. | DR test plans, run records and results; restore-verification evidence; lessons-learned actions. |
| Unprivileged accounts, and privileged accounts other than backup administrators, cannot access, modify or delete backups of other accounts. | Access control matrix for the backup system; segregation-of-duties evidence; immutability/WORM configuration. |
| Unprivileged accounts and backup administrators cannot delete or modify backups during their retention period (immutability) (ML2/ML3). | Immutable/air-gapped backup configuration; retention-lock settings; deletion-attempt monitoring. |
| Backup administration events and backup access are centrally logged and monitored (ML2/ML3). | Audit logs for backup access and deletion; SIEM alerts on anomalous backup activity. |
Scoping the Essential Eight assessment
Scoping defines which systems, users and environments the Essential Eight controls and assessment will cover. Because the Essential Eight is Windows-centric and threat-driven, scoping should be risk-based and clearly documented so that the assessed maturity is meaningful and comparable over time.
- Define the assessment boundary: identify the internet-connected corporate Windows environment(s) in scope, including workstations, servers, internet-facing services and supporting infrastructure.
- Identify systems and data of high value or high exposure (e.g. internet-facing services, important data repositories, privileged administration systems) which drive tighter SLAs at higher maturity levels.
- Determine the target maturity level per the organisation's threat model and any regulatory/contractual requirement (e.g. PSPF baseline of Maturity Level Two for Australian Government entities).
- Document out-of-scope elements and rationale (e.g. non-Windows OT, legacy isolated systems, cloud SaaS covered by separate ACSC guidance), noting compensating controls.
- Confirm sampling approach: identify representative populations of endpoints, servers, accounts and internet-facing hosts to be sampled during assessment.
- Establish the assessment period and freeze scope changes during the evidence-collection window to ensure a coherent point-in-time result.
Implementation approach
A phased approach helps organisations move from an initial baseline to a sustained target maturity level while managing operational risk (particularly for application control and patching, which can disrupt users if rushed). The following four-phase model provides activities and deliverables for each stage.
Phase 1 — Baseline assessment and planning
Establish the current state and design the target state.
- Activities: conduct a gap assessment against each of the eight strategies at each maturity level; define the target maturity level; build an asset and application inventory; identify internet-facing services and important data repositories; secure executive sponsorship and budget.
- Deliverables: current-state maturity heat map (per strategy, per level); target-state definition; prioritised remediation roadmap; RACI and governance charter; risk register.
Phase 2 — Foundational controls (Maturity Level One)
Implement the commodity-threat baseline across the estate.
- Activities: deploy application control in audit then enforce mode on workstations; stand up vulnerability scanning; enforce SLA-driven patching for applications and operating systems; disable/restrict Office macros; harden browsers (block Java/ads, remove IE11); restrict administrative privileges and remove standing admin from users; roll out MFA to internet-facing services; establish and secure backups.
- Deliverables: enforced application control policy; patch management SLAs and reporting; macro and browser hardening baselines; privileged access model v1; MFA enrolment for external services; tested backup regime; Maturity Level One attestation.
Phase 3 — Strengthening and monitoring (Maturity Level Two)
Add centralised logging, tighter SLAs and broader coverage to withstand more capable adversaries.
- Activities: extend application control to servers and enable Microsoft recommended block rules; tighten patch SLAs (48-hour for exploited internet-facing); enable AMSI and macro signing/Trusted Locations; deploy ASR rules for Office/PDF hardening; implement PAM/PIM with JIT elevation and privileged environment separation; extend MFA to privileged users and important data; make backups immutable; forward all control events to a SIEM.
- Deliverables: server-side application control; central logging and monitoring for all eight strategies; PAM deployment; immutable backups; Maturity Level Two attestation and PSPF-aligned reporting.
Phase 4 — Advanced maturity and continuous assurance (Maturity Level Three)
Optimise for adaptive adversaries and embed continuous assurance.
- Activities: enforce vulnerable driver blocklists and annual ruleset validation; sustain daily scanning and 48-hour patching for internet-facing OS/apps; mandate phishing-resistant MFA for all users; apply full ACSC/vendor hardening baselines; enforce N or N-1 OS releases; implement full privileged event monitoring and break-glass management; run regular DR restoration tests; continuously monitor and alert on control events.
- Deliverables: phishing-resistant MFA across the estate; hardening-baseline compliance-as-code; continuous monitoring dashboards; annual independent assessment; Maturity Level Three attestation.
Maturity model and scoring
The Essential Eight Maturity Model expresses each strategy across four maturity levels. Each level corresponds to the sophistication of the adversary the controls are intended to defeat. The table below describes each level, the adversary it targets and the assessment implication.
| Maturity level | Adversary profile | Description and assessment implication |
|---|---|---|
| Maturity Level Zero (ML0) | Not aligned to any tradecraft tier | Indicates significant weaknesses in the organisation's overall posture. Assigned when the requirements of Maturity Level One are not fully met for a strategy. Represents unacceptable residual risk for most organisations. |
| Maturity Level One (ML1) | Adversaries using widely available, commodity tradecraft (opportunistic, unsophisticated) | Baseline hygiene. Controls resist attackers relying on publicly available tools and known exploits. Suitable starting point for most small organisations. |
| Maturity Level Two (ML2) | Adversaries investing more time and effort, using targeted phishing and modest evasion | Adds centralised logging, tighter timeframes and broader control coverage. Historically the PSPF baseline for Australian Government non-corporate entities. |
| Maturity Level Three (ML3) | Adaptive adversaries, less reliant on public tools, focused and evasive | Strongest baseline: phishing-resistant MFA, full hardening baselines, driver blocklists, JIT privilege, immutable backups and continuous monitoring. Appropriate for high-value or high-threat environments. |
Scoring is holistic. The organisation's overall Essential Eight maturity is generally reported as the lowest level achieved across all eight strategies, and each strategy must fully meet all requirements of a level to be rated at that level. A strategy that meets some but not all requirements of Maturity Level One is rated Maturity Level Zero. This all-or-nothing approach within each level is deliberate: it prevents partial implementations from being over-stated and encourages balanced investment across the eight strategies.
Assessment and audit approach
The ACSC publishes an Essential Eight Maturity Model assessment methodology used by internal teams and independent assessors (including under government assessment programmes). A rigorous assessment follows a structured, evidence-driven process.
- Define scope and target level: agree the systems, environments and target maturity level, and confirm the assessment period and sampling approach.
- Understand the environment: review architecture, asset and application inventories, network diagrams and identity design to establish context for each strategy.
- Test control design: examine policies, configuration baselines and standards to confirm each strategy is designed to meet the target level's requirements.
- Test control implementation: inspect live configuration (GPO/Intune exports, application control policies, patch tooling, MFA and PAM settings, backup configuration) to confirm the design is actually deployed.
- Test control effectiveness and operation: sample technical evidence over the assessment period (patch timeliness records, blocked-execution logs, MFA challenge logs, DR restore tests) to confirm controls operate as intended over time.
- Perform corroborating technical validation: where appropriate, conduct hands-on checks or use assessment tooling to independently verify configuration (e.g. attempt to run an unapproved executable, confirm macros from the internet are blocked).
- Rate each strategy: assign a maturity level per strategy based on full satisfaction of that level's requirements, recording any shortfalls that cap the rating.
- Determine overall maturity: report the lowest per-strategy level as the overall maturity, with a per-strategy breakdown.
- Document findings and remediation: capture gaps, risk ratings, recommended remediation and a path to the target level.
- Report and, where required, submit attestation (e.g. PSPF reporting) and agree a re-assessment cadence.
Evidence request list
Assessors typically request the following artefacts, organised by strategy and by cross-cutting theme. Evidence should be current, dated and cover the whole assessment period, not just a point in time.
- Governance and scope: Essential Eight policy; target maturity level decision and rationale; scope statement; asset and application inventories; risk register; exception/waiver register.
- Application Control: application control policy export (enforce mode); covered file types; Microsoft recommended and vulnerable driver blocklists; blocked-execution logs; annual ruleset review records.
- Patch Applications and Patch Operating Systems: vulnerability scanner configuration and schedules; scan reports; patch deployment records with release and deployment timestamps; SLA/KPI dashboards; end-of-life asset register and decommissioning records.
- Office Macros: macro configuration baseline; list of users with business need; internet-macro blocking; AMSI status; Trusted Publisher/Trusted Locations configuration; macro event logs.
- User Application Hardening: browser, Office and PDF hardening baselines; ASR rule configuration; Java/ad blocking; IE11 disablement; PowerShell and command-line logging.
- Restrict Administrative Privileges: privileged access request/approval and recertification records; PAM/PIM configuration; PAW/tiered admin design; privileged event logs; break-glass procedures.
- Multi-Factor Authentication: MFA policy and conditional access configuration; enrolment/coverage reports; phishing-resistant method inventory; authentication logs.
- Regular Backups: backup policy; job schedules and success reports; immutability/retention-lock configuration; access control matrix; DR test plans and restore-verification results.
- Cross-cutting logging and monitoring: SIEM ingestion configuration; log retention and protection settings; monitoring use cases and sample alerts; incident records demonstrating detection.
Roles and responsibilities
Clear ownership across governance, engineering and operations is essential to reaching and sustaining a target maturity level. The following RACI-style allocation is typical.
| Role | Primary responsibilities |
|---|---|
| Board / Executive (Accountable Authority) | Sets risk appetite and target maturity level; approves funding; accepts residual risk; receives PSPF/board assurance reporting. |
| Chief Information Security Officer (CISO) | Owns the Essential Eight programme; defines target level and roadmap; reports maturity to executives; oversees independent assessment. |
| Security Governance / GRC team | Maintains policy, scope and risk register; manages exceptions; coordinates assessments and attestations; tracks remediation. |
| IT Operations / Platform Engineering | Implements and maintains technical controls (application control, patching, hardening, backups, identity/MFA, PAM). |
| Identity and Access Management team | Owns MFA, privileged access management, JIT elevation, recertification and account segregation. |
| Security Operations Centre (SOC) | Centralises logging, monitors control events, detects bypass/failure and manages incidents. |
| Backup / Business Continuity team | Owns backup regime, immutability, retention and disaster recovery restoration testing. |
| Internal Audit / Independent Assessor | Independently verifies design and operating effectiveness; rates maturity; reports findings to the audit committee. |
KPIs to track
Metrics help demonstrate progress towards the target maturity level and sustain it operationally.
- Overall Essential Eight maturity level and per-strategy maturity level (trended over time).
- Percentage of endpoints and servers with application control in enforce mode.
- Patch compliance: percentage of internet-facing services patched within 48 hours / 2 weeks; percentage of applications and operating systems patched within SLA.
- Mean time to patch (MTTP) for critical and exploited vulnerabilities.
- Number of unsupported (end-of-life) applications and operating systems remaining in the environment.
- Percentage of users and privileged users covered by MFA, and percentage using phishing-resistant MFA.
- Number of standing privileged accounts vs just-in-time elevations; privileged access recertification completion rate.
- Macro policy coverage: percentage of endpoints enforcing macro restrictions; number of macro-block events.
- Backup success rate; number of successful DR restoration tests; percentage of backups configured as immutable.
- Percentage of Essential Eight control events forwarded to and monitored in the SIEM; mean time to detect control bypass.
- Number of open exceptions/waivers and their ageing against remediation dates.
Readiness checklist
Use the following checklist to confirm readiness before an internal or independent Essential Eight assessment.
- Target maturity level is defined, approved and documented, with scope and rationale.
- Asset and application inventories are current and cover all in-scope Windows systems and internet-facing services.
- Application control is deployed in enforce mode on workstations (and servers for higher levels) covering all required file types.
- Vulnerability scanning runs at the required frequency and patch SLAs for applications and operating systems are met and evidenced.
- Unsupported applications and operating systems have been identified and are being removed or isolated.
- Office macros are disabled by default, internet macros are blocked, and AMSI/signing controls are in place where required.
- Browsers, Office and PDF software are hardened (Java/ads blocked, IE11 disabled, ASR rules enforced as applicable).
- Administrative privileges are restricted, segregated and, at higher levels, granted just-in-time with full logging.
- MFA is enforced for internet-facing services, privileged users and important data, and is phishing-resistant where required.
- Backups are performed, retained, protected (immutable), and restoration has been successfully tested.
- All eight strategies forward events to a central, protected log store and are monitored with alerting.
- Evidence for each strategy is collected, dated and covers the full assessment period.
- An exception register documents any gaps with risk acceptance and remediation timelines.
Common gaps
The following gaps recur in Essential Eight assessments and frequently cap an organisation's maturity at Level Zero or One despite significant investment.
- Application control deployed in audit-only mode, or only on workstations, so unapproved executables can still run (particularly from user profile and temp directories).
- Patching SLAs met for workstations but not for internet-facing services or for the harder-to-patch application categories, breaching the 48-hour/2-week timeframes.
- Unsupported operating systems and applications lingering in the environment without isolation or a decommissioning plan.
- Office macro settings configurable by end users, or internet-sourced macros not actually blocked despite policy.
- MFA limited to email/VPN, not extended to privileged users or important data repositories, and reliance on phishable factors such as SMS.
- Standing administrative privileges with no just-in-time model, dual-use admin accounts browsing the internet, and no separation of privileged environments.
- Backups that are not immutable or air-gapped, allowing ransomware or a compromised admin to delete them; restoration never actually tested.
- Logging enabled locally but not centralised, protected or monitored, so control bypass goes undetected (a common blocker for Maturity Level Two).
- Treating the eight strategies in isolation and reporting an inflated overall maturity rather than the lowest per-strategy level.
- No annual validation of application control rulesets or hardening baselines, causing configuration drift over time.
Essential Eight mapped to other frameworks
The Essential Eight aligns with the controls of many international frameworks, which is useful for organisations operating multiple compliance obligations. The mapping below is indicative and shows where each strategy conceptually corresponds; it is not a certified crosswalk.
| Essential Eight strategy | ISO/IEC 27001:2022 (Annex A) | NIST CSF 2.0 function | CIS Controls v8 | PCI DSS v4.0 |
|---|---|---|---|---|
| Application Control | A.8.19 Installation of software; A.8.7 Malware protection | Protect (PR.PS) | CIS 2 (Software asset management) | Req 5 (malware) / Req 2 (secure config) |
| Patch Applications | A.8.8 Management of technical vulnerabilities | Identify/Protect (ID.RA, PR.PS) | CIS 7 (Continuous vulnerability management) | Req 6 (Develop and maintain secure systems) |
| Configure Office Macro Settings | A.8.7 Malware protection; A.8.19 | Protect (PR.PS) | CIS 9/10 (Email/web, Malware defenses) | Req 5 (malware protection) |
| User Application Hardening | A.8.9 Configuration management; A.8.7 | Protect (PR.PS) | CIS 4 (Secure configuration) | Req 2 (Apply secure configurations) |
| Restrict Administrative Privileges | A.8.2 Privileged access rights; A.5.15 Access control | Protect (PR.AA) | CIS 5/6 (Account and access management) | Req 7 / Req 8 (Access control) |
| Patch Operating Systems | A.8.8 Management of technical vulnerabilities | Identify/Protect (ID.RA, PR.PS) | CIS 7 (Continuous vulnerability management) | Req 6 (Secure systems and software) |
| Multi-Factor Authentication | A.8.5 Secure authentication; A.5.17 Authentication information | Protect (PR.AA) | CIS 6 (Access control management) | Req 8 (Multi-factor authentication) |
| Regular Backups | A.8.13 Information backup; A.5.29 Continuity | Recover (RC.RP) | CIS 11 (Data recovery) | Req 12 / continuity practices |
Frequently asked questions
Need help with Essential Eight?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
