The Australian Essential Eight Explained: A Practical Guide

February 26, 2026, Editorial Team

The Essential Eight is a set of baseline mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect themselves against cyber threats. Originally designed for Commonwealth government entities, the framework has become the de facto cybersecurity standard for Australian businesses of all sizes. This guide explains each of the eight strategies, the maturity levels you can aim for, and practical steps to improve your organisation's security posture.

What Is the Essential Eight?

The Essential Eight is a prioritised list of mitigation strategies published by the Australian Signals Directorate (ASD) as part of its broader Strategies to Mitigate Cyber Security Incidents. The ASD originally identified 37 mitigation strategies; the Essential Eight represent the most effective subset for preventing malware delivery and execution, limiting the extent of cyber incidents, and recovering data and system availability.

While Australian Government agencies covered by the Protective Security Policy Framework (PSPF) are required to implement the Essential Eight, the framework is strongly recommended for all Australian organisations, including state and local government bodies, critical infrastructure operators, and private enterprises. Many cyber insurance providers and government procurement processes now reference Essential Eight maturity as a baseline requirement.

The Essential Eight Maturity Model is revised periodically; the November 2023 revision made significant changes to the patching, MFA and application control requirements, and the level descriptions below follow that revision. Always refer to the official cyber.gov.au page for the most current guidance.

The Eight Strategies Explained

1. Application Control

Application control (sometimes called application whitelisting or allow-listing) restricts which software can execute on a system. Rather than relying on antivirus to recognise known-bad code, application control ensures that only approved code can run at all, which makes it one of the most effective strategies for preventing malware execution. In practice it means maintaining a list of authorised executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, and blocking everything else. At Maturity Level 1 this applies to workstations; Maturity Level 2 adds internet-facing servers and Microsoft's recommended application blocklist (which stops the signed Windows utilities attackers abuse, such as script hosts and installers); Maturity Level 3 covers all servers, restricts drivers, and adds Microsoft's recommended driver block rules. Tools such as Microsoft AppLocker or Windows Defender Application Control (WDAC) enforce these policies on Windows endpoints; roll a new policy out in audit mode first, because a list built from a reference image will miss software that only some users need.
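As an added example (not from the ASD guidance or this article), the PowerShell below builds a starter AppLocker allow-list from a clean reference workstation, switches every rule collection to audit-only, and dry-runs the policy against sample paths before anything is enforced. The reference directories and output path are placeholders, and it assumes an elevated session on a Windows edition that ships the AppLocker module.

```powershell
# Added example: generate, audit and test an AppLocker baseline.
# Run elevated on a clean reference workstation (Windows 10/11 Enterprise or
# Windows Server). $PolicyPath and $RefDirs are placeholders for your environment.
#Requires -RunAsAdministrator
$PolicyPath = 'C:\Policies\AppLocker-baseline.xml'
$RefDirs    = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyPath) | Out-Null

# 1. Inventory everything that legitimately executes on the reference image.
#    The file types mirror what Maturity Level 1 must control: executables,
#    libraries, scripts and installers. (Recursing C:\Windows takes a while.)
$fileInfo = foreach ($dir in $RefDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Turn the inventory into rules. Publisher rules survive patching; hash rules
#    are generated only for unsigned files. -User Everyone because application
#    control must apply to administrators too, not only standard users.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly: blocked executions are written to the
#    Microsoft-Windows-AppLocker event logs without breaking anyone.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $xml -Encoding Unicode

# 4. Dry-run against paths that should and should not be allowed. A signed
#    binary copied into a user-writable folder is the classic test: a publisher
#    rule allows it wherever it sits, a hash rule for the original would too,
#    but an unsigned script dropped by a user has no matching rule.
$signedCopy = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $signedCopy -Force
$untrusted = Join-Path $env:TEMP 'untrusted.ps1'     # constructed probe file
Set-Content $untrusted 'Write-Host "unsigned script from a user-writable path"'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:SystemRoot\System32\notepad.exe", $signedCopy, $untrusted |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (merging with any existing rules). The Application Identity
#    service must be running or the policy is never evaluated at all; it is a
#    protected service on current Windows, so configure it with sc.exe.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue
```

Two things to review in the generated XML before leaving audit mode: the publisher rule produced for C:\Windows allows every Microsoft-signed binary, including the living-off-the-land utilities that Microsoft's recommended block rules (Maturity Level 2) exist to deny, so merge those block rules in; and check that no allowed path is writable by standard users, otherwise a path rule is an invitation to drop a payload there.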

2. Patch Applications

Vulnerabilities in applications that handle untrusted content, such as web browsers and their extensions, email clients, PDF readers and Microsoft Office, are frequently exploited by attackers. The maturity model sets patching timeframes by exposure rather than a single deadline: vulnerabilities in internet-facing (online) services must be patched within two weeks, or within 48 hours when a working exploit exists, at every maturity level; the windows for other software tighten as maturity increases, down to 48 hours for critical or actively exploited vulnerabilities in the high-risk application categories at Maturity Level 3. Even Maturity Level 1 requires a vulnerability scanner with an up-to-date vulnerability database, run on a regular schedule, to identify missing patches, and requires that applications no longer supported by their vendor are removed rather than left unpatched.

3. Configure Microsoft Office Macro Settings

Office macros remain a common malware delivery mechanism. At Maturity Level 1, macros are disabled for users without a demonstrated business requirement, macros in files from the internet (files carrying the Mark of the Web) are blocked, macro antivirus scanning is enabled, and users cannot change their macro security settings. Maturity Level 2 adds blocking macros from making Win32 API calls and logging allowed and blocked macro executions. At Maturity Level 3, only macros that run from within a sandboxed environment, from a Trusted Location, or that are digitally signed by a trusted publisher are allowed; Trusted Locations must be writable only by approved accounts, and the list of trusted publishers is validated at least annually. Note that the internet-file block is a Level 1 requirement, not something deferred to Level 3.
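As an added example (not from the ASD guidance or this article), the PowerShell below sets and audits the Office macro controls using the same Policies registry values that a Group Policy or Intune deployment writes. It targets the 16.0 version key (Office 2016 onwards and Microsoft 365), writes to HKCU for a local test, and treats the Trusted Location path as an assumption you supply; Outlook uses a different value name and is not covered.

```powershell
# Added example: enforce and check Essential Eight macro settings per Office app.
# Written to HKCU for a local test; in production deploy the identical values by
# GPO or Intune so users cannot change them from the Trust Center.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet(1, 2, 3)] [int] $MaturityLevel,
        # Optional Trusted Location for Level 3. It must be writable only by
        # approved accounts; a user-writable path here defeats the control.
        [string] $TrustedLocation
    )
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $sec -Force | Out-Null

        # Level 1: block macros in files that came from the internet (Mark of the Web)
        Set-ItemProperty $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

        # VBAWarnings: 4 = disable all macros without notification (users with no
        # business need); 3 = disable all except digitally signed (Level 3 posture)
        $vba = if ($MaturityLevel -ge 3) { 3 } else { 4 }
        Set-ItemProperty $sec -Name VBAWarnings -Value $vba -Type DWord

        $tl = "$sec\Trusted Locations"
        New-Item -Path $tl -Force | Out-Null
        if ($MaturityLevel -ge 3 -and $TrustedLocation) {
            Set-ItemProperty $tl -Name AllLocationsDisabled -Value 0 -Type DWord
            New-Item -Path "$tl\Location0" -Force | Out-Null
            Set-ItemProperty "$tl\Location0" -Name Path -Value $TrustedLocation
            Set-ItemProperty "$tl\Location0" -Name AllowSubfolders -Value 0 -Type DWord
            Set-ItemProperty "$tl\Location0" -Name Description -Value 'Approved macros (write-restricted)'
        } else {
            # No Trusted Locations at all, so nothing bypasses VBAWarnings
            Set-ItemProperty $tl -Name AllLocationsDisabled -Value 1 -Type DWord
        }
    }
    # Level 1 macro antivirus scanning: AMSI runtime scan of every document (2 = all)
    $common = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common\Security"
    New-Item -Path $common -Force | Out-Null
    Set-ItemProperty $common -Name MacroRuntimeScanScope -Value 2 -Type DWord
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p  = Get-ItemProperty $sec -ErrorAction SilentlyContinue
        $tl = Get-ItemProperty "$sec\Trusted Locations" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            BlockInternetMacros = $p.blockcontentexecutionfrominternet -eq 1
            VBAWarnings         = $p.VBAWarnings
            TrustedLocationsOff = $tl.AllLocationsDisabled -eq 1
            # A missing policy value means the user can still change it themselves
            Enforced            = $null -ne $p.VBAWarnings
        }
    }
}

Set-OfficeMacroPolicy -MaturityLevel 1
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run Get-OfficeMacroPolicy on a sample of endpoints after the GPO has applied: an Enforced value of False on any row means the setting lives only in the user's own Trust Center preferences and will not survive a user clicking "Enable Content".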

4. User Application Hardening

This strategy reduces the attack surface of user-facing applications. At Maturity Level 1, Internet Explorer 11 is disabled or removed, web browsers are configured not to process Java from the internet or to display web advertisements, and users cannot change those settings (Flash, which earlier versions of the model addressed, is end-of-life and should simply be removed). Maturity Level 2 adds blocking Microsoft Office and PDF software from creating child processes, creating executable content, and injecting code into other processes, together with PowerShell module, script block and transcription logging and command-line process creation events, so that a macro or script-based intrusion leaves evidence. At Maturity Level 3, .NET Framework 3.5 (and below) and Windows PowerShell 2.0 are disabled or removed, and PowerShell is configured to use Constrained Language Mode.
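As an added example (not from the ASD guidance or this article), the PowerShell below applies the hardening items that can be set on a single Windows endpoint and then reports their state. It assumes an elevated session, Microsoft Defender Antivirus as the active antivirus (Attack Surface Reduction rules depend on it), and a transcript directory path that is a placeholder; the ASR rule GUIDs are Microsoft's published identifiers, which you should confirm against the current ASR reference before deploying.

```powershell
# Added example: apply and verify Essential Eight user application hardening on
# one endpoint. Run elevated. Browser ad and Java settings are browser policy
# (GPO/Intune) and are not covered here.
#Requires -RunAsAdministrator

# Level 1: Internet Explorer 11 removed (Edge IE mode covers legacy sites).
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName Internet-Explorer-Optional-amd64 -ErrorAction SilentlyContinue | Out-Null

# Level 2: Office and PDF readers must not spawn child processes, write executable
# content or inject into other processes. Defender ASR rules enforce all three.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
# AuditMode first; review the Defender operational log for false positives, then
# switch the action to Enabled.
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Level 2: PowerShell module, script block and transcription logging, plus the
# command line in process-creation events (4688). Without these a macro or
# LOLBin chain leaves almost nothing for the SOC to find.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item "$ps\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$ps\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item "$ps\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$ps\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Force | Out-Null
New-Item "$ps\Transcription" -Force | Out-Null
Set-ItemProperty "$ps\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$ps\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'   # assumed path; make it write-only for users and forward to the SIEM
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item $audit -Force | Out-Null
Set-ItemProperty $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# Level 3: legacy runtimes gone. PowerShell 2.0 has no script block logging or AMSI
# and is the standard downgrade target; .NET 3.5 carries the same problem.
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue | Out-Null
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName NetFx3 -ErrorAction SilentlyContinue | Out-Null

# Verify. Constrained Language Mode is not a registry switch: it follows from the
# AppLocker/WDAC policy applied to the machine, so it is reported, not set, here.
function Get-HardeningStatus {
    [pscustomobject]@{
        IE11Removed        = (Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64).State -ne 'Enabled'
        PowerShellV2Off    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled'
        NetFx35Off         = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State -ne 'Enabled'
        ScriptBlockLogging = (Get-ItemProperty "$ps\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        AsrRulesConfigured = @((Get-MpPreference).AttackSurfaceReductionRules_Ids | Where-Object { $AsrRules.ContainsKey("$_".ToUpper()) }).Count
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}
Get-HardeningStatus
```

A LanguageMode of FullLanguage in the verification output is expected until an AppLocker or WDAC policy that covers scripts is enforced; that is the dependency between this strategy and application control, and it is why the two are usually rolled out together.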

5. Restrict Administrative Privileges

Administrative accounts are high-value targets for attackers. The Essential Eight requires organisations to validate every request for privileged access, grant only the privileges a role needs, and keep privileged accounts away from everyday risk. At Maturity Level 1, privileged accounts (other than those explicitly approved for it) cannot access the internet, email or web services, and administrators work in separate privileged and unprivileged operating environments rather than reading email and administering servers from the same login. Credentials for break-glass, local administrator and service accounts must be long, unique, unpredictable and managed (a vault, not a spreadsheet). At Maturity Level 2, privileged access is revalidated (disabled after 12 months unless re-approved, and after 45 days of inactivity), administration is carried out through jump servers, and privileged access events are centrally logged. At Maturity Level 3, just-in-time administration and Secure Admin Workstations (the ASD's term for privileged access workstations, or PAWs) are required, along with credential protections such as Credential Guard and LSA protection.

6. Patch Operating Systems

Operating system vulnerabilities are just as dangerous as application flaws, and the same exposure-based timeframes apply. Internet-facing servers and network devices must be patched within two weeks, or within 48 hours when a working exploit exists, at every maturity level. Workstations and non-internet-facing servers and devices must be patched within one month at Maturity Level 1, tightening at Maturity Level 3 to 48 hours for critical or actively exploited vulnerabilities and two weeks otherwise. Operating systems that are no longer supported by their vendor must be replaced; this is a Maturity Level 1 requirement, not something deferred to higher levels, because an unsupported system can never be brought inside the patching window.
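As an added example covering both the application and operating system patching strategies (not from the ASD model or this article), the PowerShell below turns the patching timeframes into a check you can run over a vulnerability scanner export. The windows are the simplified ones summarised here, so confirm them against the current maturity model before relying on the output for compliance reporting; the findings are constructed, not real scan results.

```powershell
# Added example: compute Essential Eight patch deadlines and flag overdue items.
# Windows PowerShell 5.1 or later. The timeframes are a simplification of the
# maturity model; check them against the current cyber.gov.au text.

function Get-PatchWindowDays {
    param(
        [Parameter(Mandatory)] [ValidateSet(1, 2, 3)] [int] $MaturityLevel,
        [bool] $InternetFacing,
        # HighRiskApp = office suites, browsers and extensions, email clients,
        # PDF software, security products. OtherApp = everything else.
        [Parameter(Mandatory)] [ValidateSet('HighRiskApp', 'OtherApp', 'OperatingSystem')] [string] $Category,
        [bool] $ExploitKnown    # working exploit public, or rated critical by the vendor
    )
    # Internet-facing services, servers and devices: the same clock at every level.
    if ($InternetFacing) { if ($ExploitKnown) { return 2 } else { return 14 } }
    switch ($MaturityLevel) {
        1 { return 30 }
        2 { if ($Category -eq 'HighRiskApp') { return 14 } else { return 30 } }
        3 {
            if ($Category -eq 'OtherApp') { return 30 }
            if ($ExploitKnown) { return 2 } else { return 14 }
        }
    }
}

function Test-PatchCompliance {
    param([int] $MaturityLevel, [object[]] $Findings, [datetime] $AsOf = (Get-Date))
    foreach ($f in $Findings) {
        $days = Get-PatchWindowDays -MaturityLevel $MaturityLevel -InternetFacing $f.InternetFacing `
                    -Category $f.Category -ExploitKnown $f.ExploitKnown
        $deadline = $f.PatchReleased.AddDays($days)
        # Unpatched findings are measured against the reporting date
        $closed = if ($f.PatchedOn) { $f.PatchedOn } else { $AsOf }
        $status = if ($closed -le $deadline) { 'OK' } elseif ($f.PatchedOn) { 'Late' } else { 'Overdue' }
        [pscustomobject]@{
            Asset      = $f.Asset
            Vuln       = $f.Vuln
            WindowDays = $days
            Deadline   = $deadline.ToString('yyyy-MM-dd')
            Status     = $status
            DaysOver   = [math]::Max(0, [int]($closed - $deadline).TotalDays)
        }
    }
}

# Constructed sample export, evaluated against a fixed reporting date.
$asOf = Get-Date '2026-03-01'
$findings = @(
    [pscustomobject]@{ Asset='web-01';  Vuln='Reverse proxy RCE';              InternetFacing=$true;  Category='OtherApp';        ExploitKnown=$true;  PatchReleased=(Get-Date '2026-02-20'); PatchedOn=$null }
    [pscustomobject]@{ Asset='ws-0042'; Vuln='Browser sandbox escape';         InternetFacing=$false; Category='HighRiskApp';     ExploitKnown=$true;  PatchReleased=(Get-Date '2026-02-10'); PatchedOn=(Get-Date '2026-02-18') }
    [pscustomobject]@{ Asset='fs-02';   Vuln='Server OS privilege escalation'; InternetFacing=$false; Category='OperatingSystem'; ExploitKnown=$false; PatchReleased=(Get-Date '2026-01-15'); PatchedOn=$null }
    [pscustomobject]@{ Asset='ws-0042'; Vuln='PDF reader memory corruption';   InternetFacing=$false; Category='HighRiskApp';     ExploitKnown=$false; PatchReleased=(Get-Date '2026-02-20'); PatchedOn=$null }
)

# Same data against two targets: what is 'OK' at Level 1 can be 'Late' at Level 3.
foreach ($ml in 1, 3) {
    "--- Maturity Level $ml ---"
    Test-PatchCompliance -MaturityLevel $ml -Findings $findings -AsOf $asOf | Format-Table -AutoSize
}
```

On this sample the internet-facing proxy is overdue at every level (a 48-hour clock started on 20 February), the browser fix applied after eight days passes Level 1 but is six days late at Level 3, and the server operating system is overdue at both levels because the one-month window has already expired; the unexploited PDF vulnerability is still inside its window at both. Feeding a real scanner export into the same function is a matter of mapping its columns onto the five fields used here.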

7. Multi-Factor Authentication (MFA)

MFA requires users to present two or more authentication factors before gaining access: something they know (a password or PIN), something they have (a security key, smart card or enrolled device), or something they are (biometrics). At Maturity Level 1, MFA is required for users of the organisation's online services, for third-party online services that hold the organisation's data, and for customers of online services that process sensitive data; the factors must be something users have plus something they know, or something users have that is unlocked by something they know or are. Maturity Level 2 extends MFA to privileged and unprivileged users of the organisation's systems and requires the MFA used for online services to be phishing-resistant, which rules out SMS and app-generated one-time codes (an attacker who proxies the login page can relay those) in favour of FIDO2 security keys, smart cards, certificate-based authentication or Windows Hello for Business. Maturity Level 3 extends phishing-resistant MFA to online customer services and to users of systems, and requires MFA for access to important data repositories.

8. Regular Backups

Backups are your last line of defence when all other controls fail. The Essential Eight requires that backups of important data, software and configuration settings are performed and retained in a secure and resilient manner, in accordance with business continuity requirements, and that restoration is tested as part of disaster recovery exercises rather than assumed. "Secure and resilient" in practice means at least one copy that an attacker who has compromised the network cannot modify or delete: offline, immutable or held under credentials that never touch the production domain. The account restrictions start at Maturity Level 1, where unprivileged accounts cannot access other accounts' backups or modify or delete any backups; Maturity Level 2 prevents privileged accounts (other than backup administrators) from accessing other accounts' backups; Maturity Level 3 prevents those privileged accounts from modifying or deleting backups and prevents unprivileged accounts from accessing backups at all, including their own.
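As an added example (not from the ASD guidance or this article), the PowerShell below shows a restore test that can be automated: hash every file at backup time into a manifest, then verify the restored copy against it. It builds constructed sample data in a temporary folder, so it runs anywhere; the directory layout and file names are assumptions for the demonstration.

```powershell
# Added example: restore verification with a SHA-256 manifest. A backup that
# has never been restored and compared is an assumption, not a control.

function New-BackupManifest {
    param([string] $SourceRoot, [string] $ManifestPath)
    $root = (Resolve-Path $SourceRoot).Path
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param([string] $RestoreRoot, [string] $ManifestPath)
    $root    = (Resolve-Path $RestoreRoot).Path
    $entries = @(Import-Csv $ManifestPath)
    $problems = foreach ($entry in $entries) {
        $path = Join-Path $root $entry.RelativePath
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'Missing' }
            continue
        }
        if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $entry.Sha256) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'Hash mismatch' }
        }
    }
    [pscustomobject]@{
        FilesExpected = $entries.Count
        Problems      = @($problems)
        RestoreOk     = @($problems).Count -eq 0
    }
}

# --- demonstration with constructed data in a temp folder ---
$lab      = Join-Path ([IO.Path]::GetTempPath()) ('e8-backup-' + [guid]::NewGuid())
$source   = Join-Path $lab 'source'
$backup   = Join-Path $lab 'backup'
$restore  = Join-Path $lab 'restore'
$manifest = Join-Path $lab 'manifest.csv'   # kept apart from the backup set itself
New-Item -ItemType Directory -Path "$source\finance", $backup, $restore -Force | Out-Null
Set-Content "$source\finance\ledger.csv" "date,amount`n2026-02-01,100"
Set-Content "$source\config.json" '{"retention_days": 90}'

# Back up, and record the manifest from the source at the same moment
New-BackupManifest -SourceRoot $source -ManifestPath $manifest
Copy-Item "$source\*" $backup -Recurse -Force

# Restore, then simulate the two failure modes a test must catch: silent
# corruption of one file and a file the restore job dropped.
Copy-Item "$backup\*" $restore -Recurse -Force
Add-Content "$restore\finance\ledger.csv" "2026-02-02,999999"
Remove-Item "$restore\config.json"

$result = Test-BackupRestore -RestoreRoot $restore -ManifestPath $manifest
$result.Problems | Format-Table -AutoSize
"Restore OK: $($result.RestoreOk)"   # False here: one hash mismatch, one missing file

Remove-Item $lab -Recurse -Force
```

Store the manifest somewhere the backup service account cannot write, and sign or hash-chain it if the backups themselves are the asset you are protecting from tampering: an attacker who can rewrite the backup set and the manifest together will pass this check, which is the same reason the model separates backup administration from ordinary privileged access.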

Understanding the Maturity Levels

The Essential Eight Maturity Model defines four maturity levels (0 through 3) for each strategy. Each level builds upon the previous one, increasing the rigour and scope of implementation. The table below summarises what each maturity level represents.

Essential Eight Maturity Levels

| Feature | Maturity Level 0 | Maturity Level 1 | Maturity Level 2 | Maturity Level 3 |
| --- | --- | --- | --- | --- |
| Overall posture | Significant weaknesses | Partly aligned with the intent of the strategies | Mostly aligned | Fully aligned |
| Threat actor target | Exploitable by opportunistic attackers | Opportunistic attackers using commodity tools and tradecraft | Moderately capable attackers willing to invest in a specific target | Highly capable, adaptive attackers (including state-sponsored actors) |
| Patching timeframe | No defined timeframe | Internet-facing services within two weeks (48 hours if an exploit exists); other applications and operating systems within one month | As Level 1, plus office suites, browsers, email clients, PDF software and security products within two weeks | As Level 2, plus 48 hours for critical or exploited vulnerabilities in those applications and in operating systems, otherwise two weeks |
| MFA requirement | Not implemented | MFA for the organisation's online services and third-party online services holding its data | MFA for privileged and unprivileged users of systems; phishing-resistant MFA for online services | Phishing-resistant MFA for systems and online customer services; MFA for important data repositories |
| Backup protection | No regular testing | Backups performed, retained securely and restore-tested in disaster recovery exercises; unprivileged accounts cannot modify or delete backups | Privileged accounts (other than backup administrators) cannot access other accounts' backups | Privileged accounts (other than backup administrators) cannot modify or delete backups; unprivileged accounts cannot access any backups |
| Application control | Not implemented | Workstations | Workstations and internet-facing servers, plus Microsoft's recommended application blocklist | All workstations and servers, plus driver control and Microsoft's recommended driver block rules |

How to Assess Your Current Level

The ASD provides a detailed self-assessment guide that maps specific controls to each maturity level for every strategy. To assess your organisation, work through each strategy and determine whether your current implementations meet the requirements for Level 1, then Level 2, and so on. Your overall maturity level is determined by the lowest maturity level across all eight strategies. For example, if seven strategies are at Level 2 but one is at Level 1, your overall maturity is Level 1.

Many managed service providers (MSPs) and cybersecurity consultancies offer Essential Eight assessments as a service. If your organisation lacks internal security expertise, engaging a third party can provide an objective baseline and a prioritised remediation roadmap.

Frequently Asked Questions

Is the Essential Eight mandatory?

The Essential Eight is mandatory for Australian Government entities covered by the PSPF. For private businesses it is not legally required in most cases, but it is increasingly referenced in government procurement, cyber insurance assessments, and industry best-practice frameworks. Adopting it voluntarily demonstrates due diligence and significantly improves your security posture.

Do we need to reach Maturity Level 3?

Not necessarily. Level 3 is designed to protect against highly capable adversaries, including nation-state actors. Most small and medium businesses should aim for Maturity Level 1 as a starting point and work towards Level 2 over time. The appropriate target depends on your risk profile, industry, and the sensitivity of the data you handle.

How long does it take to reach Maturity Level 1?

The timeline varies widely depending on your starting point. Organisations with modern infrastructure and existing security tooling may achieve Level 1 within three to six months. Those with legacy systems, limited IT staff, or no prior security framework may need 12 months or more. Prioritise the strategies that address your greatest risks first.

Does the Essential Eight apply to cloud services?

Yes. The Essential Eight applies to all systems that process, store, or communicate an organisation's data, including cloud services. For cloud-hosted environments, you must ensure that your cloud provider supports the required controls (such as MFA and patching), that you configure them appropriately within your tenancy, and that the controls you cannot operate yourself (such as patching a SaaS platform) are covered by the provider's own assurance evidence.

How does the Essential Eight relate to ISO 27001 and NIST?

The Essential Eight is complementary to frameworks like ISO 27001 and the NIST Cybersecurity Framework. ISO 27001 provides a broad information security management system, while the Essential Eight focuses on specific technical controls. Many organisations use the Essential Eight as a practical starting point and later pursue ISO 27001 certification for a more comprehensive governance structure.
