SecurityPolicy.com.au
Home/ Australia/ Frameworks Explained/ Essential Eight
Australia Frameworks Explained Framework Reviewed 2026-07-12

Essential Eight: A Plain-English Guide for Australian Businesses

8
prioritised mitigation strategies
4
maturity levels from zero to three
22%
Commonwealth entities at overall Maturity Level Two in 2025
Why this guide exists

Australians most often ask which maturity level they need, whether every control must be met, and how to prove compliance without excessive cost or disruption. A high-demand question missing from the fixed 10 is how to handle macOS, Linux, cloud-only, mobile, operational technology and legacy systems where the model's Windows-oriented examples do not fit neatly.

What is the Essential Eight, and who's asking me for it?

The Essential Eight is ASD's set of eight prioritised cyber security mitigation strategies, organised into maturity levels zero to three for internet-connected information technology networks. It is not a general law that automatically binds every private Australian business, and ASD describes it as a baseline rather than a complete security program. It is mandatory at Maturity Level Two for non-corporate Commonwealth entities under the current PSPF, while contractors and other providers can inherit requirements through tenders, deeds, agreements or customer contracts. Private businesses also encounter it in supplier questionnaires, board risk programs, insurance discussions and partner requirements, so the first question is always who is asking, for which maturity level, over what scope, against which model version and by what deadline.

How this differs by situation
  • non-corporate Commonwealth entity — PSPF Release 2026 requires all eight strategies to be implemented to Maturity Level Two.
  • Australian Government contractor or service provider — A deed, agreement, tender or contract may flow down selected PSPF or Essential Eight requirements even though the provider is not itself a Commonwealth entity.
  • private SME — There is no universal turnover threshold; adoption is normally risk-based unless a contract, customer, regulator or sector rule makes a target mandatory.
  • operational technology or enterprise mobility — ASD says the principles may help, but the model was not designed for these environments and alternative mitigations may be more appropriate.
ASK YOUR PROVIDER THIS, EXACTLY

Who is requiring us to implement the Essential Eight, what exact maturity level and model version are they requiring, what systems and users are in scope, what evidence or independent assessment will they accept, and what contractual deadline applies?

Does it apply to a business my size or type?

Business size alone does not decide whether the Essential Eight applies or which level is suitable. ASD's October 2024 FAQ says Maturity Level One may generally suit SMEs, Maturity Level Two may suit large enterprises, and Maturity Level Three may suit critical infrastructure and other high-threat organisations, but the target must still be chosen for the actual risks and obligations. A small supplier can be contractually required to reach Maturity Level Two or Three, while a larger private business may choose a lower target for a limited system after a documented risk decision. Legacy systems are not automatically excluded: ASD recommends prioritising upgrades and using equivalent compensating controls while uplift is underway.

How this differs by situation
  • small or medium enterprise — ASD says Maturity Level One may generally be suitable, but customer, threat and contractual requirements can justify a higher target.
  • large enterprise — ASD says Maturity Level Two may generally be suitable, subject to the organisation's environment and threat exposure.
  • critical infrastructure or high-threat organisation — ASD says Maturity Level Three may generally be suitable, but sector-specific obligations must be checked separately.
  • legacy environment — Legacy technology remains relevant; upgrades should be prioritised and compensating controls must provide equivalent protection where a requirement cannot yet be implemented.
ASK YOUR PROVIDER THIS, EXACTLY

Show us the risk, contract or tender requirement that supports the proposed target maturity level, identify every system and user in scope, list any legacy or non-standard platforms, and explain the compensating controls proposed for each gap.

What are the actual controls and maturity levels?

The eight strategies are patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups. Maturity Level Zero means the requirements of Level One are not met; Levels One, Two and Three address progressively more capable and targeted malicious actors, and each level is cumulative. The organisation's overall maturity is limited by its least mature strategy, so seven strategies at Level Two and one at Level One does not produce an overall Level Two result. Current Level One examples include patching critical vulnerabilities or vulnerabilities with working exploits in internet-facing services and operating systems within 48 hours, patching high-risk applications within two weeks, and patching workstation and non-internet-facing operating systems within one month. Level Two adds broader application patching, phishing-resistant MFA, stronger application control and centralised logging, while Level Three extends coverage and assurance further, including drivers and firmware, non-internet-facing servers and tighter privileged administration.

How this differs by situation
  • Maturity Level Zero — One or more Level One requirements are not met, or a whole strategy is risk-accepted without suitable compensating controls.
  • Maturity Level One — Targets common opportunistic tradecraft and establishes the first complete baseline across all eight strategies.
  • Maturity Level Two — Addresses more capable actors through stronger authentication, broader control coverage, logging and incident-response integration.
  • Maturity Level Three — Targets sophisticated and adaptive actors with the broadest coverage, stronger administrative separation and deeper monitoring.
ASK YOUR PROVIDER THIS, EXACTLY

Give us a control-by-control matrix for the current November 2023 model showing our result for every requirement at Levels One, Two and Three, the evidence tested, each exception or alternate control, and the single lowest strategy that determines our overall maturity.

Which policies does it require me to have in writing?

The Essential Eight does not prescribe a universal bundle of documents with fixed policy titles; it specifies technical and operational outcomes that must be implemented and evidenced. In practice, an organisation needs controlled written material for scope and target maturity, patching and vulnerability management, access and privileged administration, MFA, application control rules, macro exceptions, hardening baselines, backups and restoration, incident response, and formal exceptions or compensating controls. The current model explicitly connects incident identification to enacting a cyber security incident response plan at higher maturity levels, and the assessment guide requires exceptions to be documented, approved and risk-owned. Written policy is necessary for repeatability and governance, but ASD rates policy or verbal intent as poor evidence unless the operating control can also be demonstrated.

How this differs by situation
  • small business — Several topics can be combined into a concise security policy set, provided ownership, procedures, exceptions and evidence remain clear.
  • large or regulated organisation — Separate standards and procedures are usually needed for patching, identity, application control, logging, backup, incident response and exception management.
  • Maturity Level Two or Three — The incident response plan, logging response pathways, formal exception records and recurring validation activities become especially important.
ASK YOUR PROVIDER THIS, EXACTLY

Map every document you say we need to the exact current Essential Eight requirement it supports, identify the document owner and review trigger, and show the live configuration or test evidence that proves the written rule is operating.

What changed in the latest revision?

As checked on 12 July 2026, the current Essential Eight maturity model remains the November 2023 release; the 2025 Commonwealth Cyber Security Posture report states that no model updates occurred during 2024–25. The November 2023 revision broadened the 48-hour patch trigger to cover vendor-rated critical vulnerabilities or vulnerabilities with working exploits and reduced the Level One patch window for high-risk applications from one month to two weeks. It also rebalanced some workstation and non-internet-facing operating-system requirements at Levels Two and Three from two weeks to one month, added Level Three driver and firmware patching, and strengthened MFA factors and phishing resistance. Cloud-service coverage, central logging, application-control validation, administrative safeguards and backup requirements were also refined, so older 2022 checklists can produce the wrong result. Organisations should assess against the latest model named in their obligation or contract and record any version-specific interpretation.

How this differs by situation
  • using a pre-November 2023 checklist — Replace or remap it before claiming a maturity result because patching, MFA, application control, cloud and logging requirements changed.
  • Maturity Level One — High-risk application patching tightened to two weeks and qualifying critical or exploited internet-facing vulnerabilities require action within 48 hours.
  • Maturity Level Two or Three — Phishing-resistant MFA, cloud coverage, logging and incident response were strengthened, while some operating-system patch windows were rebalanced.
ASK YOUR PROVIDER THIS, EXACTLY

Confirm in writing that your gap assessment, scripts, templates and evidence matrix use the November 2023 Essential Eight Maturity Model and the October 2024 Assessment Process Guide, then list every older interpretation you have replaced.

How is it assessed or certified — and by whom?

ASD publishes a maturity model, assessment guide, test plans and report template, but it does not operate a general public Essential Eight certification register for businesses. An organisation can self-assess, engage a consultant or obtain an independent assessment, unless a tender, contract, regulator or internal policy specifies who must assess it and what independence is required. The October 2024 guide uses four stages: planning, defining scope and approach, assessing the controls, and producing the security assessment report. Every control in a strategy must be rated Effective or Alternate control to claim that strategy at the target level; one Ineffective control prevents the target result. ASD and TAFEcyber offer a three-day face-to-face assessment course, but completing training should not be treated as an ACSC-issued certification of the assessed organisation.

How this differs by situation
  • internal assurance — A competent internal assessor can use ASD's guide, test plans and tools where independence is not contractually required.
  • customer or tender assurance — The requesting party should specify the acceptable assessor, scope, report format, evidence depth and recency.
  • Commonwealth system requiring broader assurance — Essential Eight assessment may sit within a wider ISM or IRAP assurance process; the two should not be treated as interchangeable.
ASK YOUR PROVIDER THIS, EXACTLY

Are you assessing us against the November 2023 model and October 2024 Assessment Process Guide, who will perform the work, what qualifications and independence do they have, what sample and tests will they use, and will the final report show every control outcome, exception and evidence item?

What evidence do I need to show?

The strongest evidence proves that a control works, not merely that somebody intended to implement it. ASD ranks a simulated control test as Excellent, inspection of a live configuration as Good, reports or screenshots as Fair, and a policy or verbal statement as Poor. A defensible evidence set usually includes dated asset and vulnerability scans, patch records, live identity and MFA settings, privileged-access approvals and reviews, application-control tests and rulesets, macro and hardening configurations, central logs, backup jobs and successful restoration tests. Evidence should cover an accurate representative sample of workstations, laptops, servers and network devices and be traceable to the assessment scope and control result. Exceptions need a named risk owner, justification, equivalent compensating controls, residual-risk acceptance and a review date no more than one year away.

How this differs by situation
  • technical control evidence — Prefer scripts, tests and live configuration over screenshots, interviews or policy statements.
  • governance evidence — Maintain scope decisions, approvals, access-review records, change tickets, exception records and management acceptance.
  • outsourced IT or MSP — The customer still needs access to provider-generated logs, configurations, test results and exception evidence for the systems in scope.
ASK YOUR PROVIDER THIS, EXACTLY

Build an evidence register that maps every current Essential Eight requirement to its system owner, evidence source, collection method, sample, date, retention location, assessment outcome and any approved exception, then demonstrate the highest-quality test available.

How does it compare to SMB1001 and ISO 27001?

The Essential Eight is a focused Australian technical mitigation maturity model: it goes deeply into eight high-value areas but does not by itself create a complete information security management system or an inherent certification scheme. SMB1001 is a five-level, certifiable cyber security standard designed specifically for small and medium businesses, covering technology, access, backup, policies and processes, and education and training. ISO/IEC 27001:2022 is a broad international, risk-based information security management-system standard spanning people, policies, processes and technology, with optional certification by an accredited conformity assessment body. The three can complement one another, but there is no automatic one-for-one equivalence: an organisation should map controls and evidence rather than claim that one achievement proves the others. For Commonwealth use, PSPF Release 2026 explicitly says standards such as ISO/IEC 27001 can be useful resources but are not an alternative authorisation-to-operate pathway in place of ASD's ISM and mitigation strategies.

How this differs by situation
  • Essential Eight — Best suited to a targeted uplift and technical maturity assessment against eight prioritised Australian mitigations.
  • SMB1001 — Provides a staged, certifiable pathway designed for SMBs and includes organisational topics beyond the eight technical strategies.
  • ISO/IEC 27001 — Provides a broad, risk-based ISMS and internationally recognised accredited certification option.
  • Commonwealth authorisation — Alternative standards may support assurance but do not automatically replace the ISM, Essential Eight or PSPF requirements.
ASK YOUR PROVIDER THIS, EXACTLY

Show us a control-by-control crosswalk between the Essential Eight, SMB1001 and ISO/IEC 27001 for our chosen scope, identify genuine shared evidence, and clearly mark every requirement that remains unique rather than claiming blanket equivalence.

What does it cost and how long does it take?

ASD does not publish a universal implementation price or duration because cost depends on target maturity, assessment scope, starting gaps, licences, device estate, legacy systems, staffing and the quality of evidence already available. Separate the work into discovery and assessment, remediation and implementation, independent reassessment, and recurring operation; a quote that combines these without assumptions is hard to compare. As one public enterprise-market example checked on 12 July 2026, Telstra lists an Essential Eight assessment at A$20,000 excluding GST, but that price covers assessment and reporting rather than the full cost of remediation or ongoing control operation. ASD's assessment course runs for three face-to-face days, but that is training duration, not an implementation estimate. A credible timetable should be set only after the scope and current maturity are established, then staged through implementation, testing, user adjustment and reassessment.

How this differs by situation
  • small cloud-first business — Existing managed-device and identity licences may reduce tooling cost, but implementation labour, user change and evidence collection still need to be budgeted.
  • legacy or mixed-platform organisation — Replacement projects, compensating controls, specialist testing and exceptions can dominate both cost and duration.
  • Maturity Level Three target — Broader coverage, phishing-resistant MFA, tighter administration, deeper logging and additional endpoint controls generally increase project and recurring costs.
  • assessment only — A fixed assessment fee does not include software licences, remediation projects, internal labour or ongoing managed services unless expressly stated.
ASK YOUR PROVIDER THIS, EXACTLY

Break the proposal into discovery, assessment, licences, implementation labour, remediation, user rollout, evidence collection, reassessment and recurring operation; state all scope assumptions, exclusions, internal effort, dependencies, milestones and the maturity result you are committing to deliver.

What's my next step?

Common misconceptions

  • The Essential Eight is a complete cyber security program that removes the need for broader governance, risk, people, supplier and incident-management controls. INFERRED
  • Every Australian business is legally required to reach Maturity Level Two. INFERRED
  • An organisation can claim overall Maturity Level Two when seven strategies are at Level Two and one remains at Level One. VERIFIED
  • A written policy, interview answer or screenshot is enough to prove a control is effective. VERIFIED
  • ASD issues a universal Essential Eight certificate and maintains a public register of every compliant Australian business. INFERRED
  • Legacy systems can simply be excluded from scope because the controls are difficult to implement. VERIFIED
  • ISO/IEC 27001 certification automatically substitutes for Essential Eight and ISM requirements in a Commonwealth authorisation process. VERIFIED
  • A 2024 or 2025 Essential Eight maturity model has replaced the November 2023 model. VERIFIED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
PSPF Essential Eight Maturity Level Two Department of Home Affairs / Australian Signals Directorate A non-corporate Commonwealth entity is required to apply the PSPF under section 21 of the Public Governance, Performance and Accountability Act 2013. Ongoing implementation of all eight strategies to Maturity Level Two; accountable authorities report PSPF compliance each financial year.
Contractual PSPF or Essential Eight requirements Contracting Australian Government entity A non-government organisation, contractor or third-party service provider is required by a tender, deed, agreement or contract to implement specified PSPF or Essential Eight controls. As stated in the applicable procurement, deed, agreement or contract.
PSPF for state and territory access to Commonwealth classified information Australian Government and relevant state or territory authority A state or territory agency holds or accesses Australian Government security classified information under agreed arrangements. Ongoing under the applicable intergovernmental or information-sharing arrangements.

Sources

  1. Essential Eight maturity model primary
  2. Essential Eight assessment process guide primary
  3. Essential Eight maturity model changes primary
  4. Essential Eight maturity model FAQ primary
  5. The Commonwealth Cyber Security Posture in 2025 primary
  6. PSPF Annual Release 2026 primary
  7. Protective Security Policy Framework Release 2026 primary
  8. SMB1001 Cyber Security Standard primary
  9. Dynamic Standards International FAQs primary
  10. ISO/IEC 27001:2022 Information security management systems — Requirements primary
  11. Essential Eight Assessment primary
  12. SQL injection: mysqli->real_escape_string enough? forum
  13. Can MSPs offer any value for Small Businesses? forum
  14. Application whitelisting for MSPs forum
  15. Essential 8 Security Standards forum
  16. Essential 8 forum
  17. Mandatory ACSC Essential Eight forum
  18. GRC Tool for mapping compliance levels forum
  19. ACSC Essential Eight forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.