Cyber Ethos

ASD Framework · Updated 2026

Essential Eight Framework: The Complete Guide for Australian Organisations (2026)

Everything you need to understand Australia's most important cybersecurity framework — all 8 controls, maturity levels, compliance obligations, and how to implement it effectively in your organisation.

Dr. Kiran Kewalramani
PhD · CISSP · CISA · GAICD · Founder, Cyber Ethos

What Is the Essential Eight? (Definition and Origin)

The Essential Eight is a cybersecurity framework developed by the Australian Signals Directorate (ASD) comprising eight prioritised mitigation strategies designed to help Australian organisations protect their IT systems against the most common and damaging cyber threats. First published in June 2017 and updated regularly, the framework is built on the ASD's direct experience in threat intelligence, incident response, and penetration testing across Australia's most critical systems.

In simple terms: the Essential Eight tells you the eight most important things you can do right now to significantly reduce your organisation's exposure to a cyber attack.

Key fact

The Australian Signals Directorate (ASD) received more than 84,700 cybercrime reports in FY2024–25 — an average of one report every six minutes. The average self-reported cost per incident was $80,850 for small businesses and $97,200 for medium businesses. The Essential Eight is the primary framework Australia uses to close that gap.

Unlike broad international standards that cover hundreds of controls, the Essential Eight is deliberately focused and practical. It does not aim to eliminate all cyber risk — it aims to make your organisation a significantly harder target than the majority, which is where most attackers will move on to easier prey.

According to Dr. Kiran Kewalramani, PhD, CISSP, and Founder of Cyber Ethos: "The power of the Essential Eight is its specificity. Australian organisations don't need a 200-control framework to start — they need to do eight things well. That's the ASD's message, and in our experience working across Queensland and nationally, it's the right place to begin."

The 8 Controls Explained: What Each Mitigation Strategy Does

The Essential Eight comprises eight interconnected security strategies that collectively address the most exploited attack vectors in Australian cyber incidents. Each control is designed to be implemented in combination with the others — partial implementation still reduces risk, but the full set is where the protective effect compounds.

Control 1
Application Control
Prevents unauthorised software from executing on your systems by maintaining a whitelist of approved applications. This is a fundamental shift from blacklisting — instead of trying to block all malware, you define what is allowed and block everything else.
Why it matters: Malware and ransomware rely on executing unauthorised code. Application control stops this at the source.
Control 2
Patch Applications
Regularly updating applications (browsers, Office, PDF readers, etc.) to fix known vulnerabilities. The ASD recommends patching internet-facing applications within 48 hours of a critical patch release, and all others within two weeks.
Why it matters: Unpatched applications are the most commonly exploited attack vector in Australian incidents.
Control 3
Configure Microsoft Office Macro Settings
Restricts the execution of Microsoft Office macros, which are frequently used to deliver malware via malicious email attachments. At higher maturity levels, only digitally signed macros from trusted publishers are permitted to run.
Why it matters: Macro-enabled documents remain one of the most effective phishing payloads targeting Australian businesses.
Control 4
User Application Hardening
Configures browsers and other user-facing applications to block untrusted content, disable Java, Flash, and unnecessary browser plugins, and prevent exploitation through web-based attack vectors.
Why it matters: Web browsers are the primary entry point for drive-by downloads and credential theft attacks.
Control 5
Restrict Administrative Privileges
Limits administrator-level access to only those users and accounts that specifically require it, and only for the tasks that require elevated access. Admin accounts should not be used for everyday browsing or email.
Why it matters: Attackers who compromise an admin account gain far greater damage capability than a standard user account.
Control 6
Patch Operating Systems
Keeps operating systems (Windows, macOS, Linux) updated with current security patches. Like application patching, internet-facing OS patches should be applied within 48 hours of release for critical vulnerabilities. End-of-life operating systems should be replaced.
Why it matters: OS vulnerabilities, particularly in Windows, are routinely exploited by ransomware operators targeting Australian organisations.
Control 7
Multi-Factor Authentication (MFA)
Requires more than just a password to access systems — a second factor such as an authenticator app, hardware token, or phishing-resistant passkey. MFA must be applied to internet-facing services, privileged accounts, and cloud services.
Why it matters: Password theft and phishing are the leading causes of initial access in Australian cyber incidents. MFA stops most of these attacks.
Control 8
Regular Backups
Ensures that critical data, systems, and configuration settings are backed up regularly, that backups are stored securely (including offline or air-gapped copies), and that backup restoration is tested regularly to confirm it actually works when needed.
Why it matters: Verified backups are the last line of defence against ransomware — they allow recovery without paying a ransom.
Important — MFA and session hijacking

MFA alone is no longer sufficient against sophisticated adversaries. The CyberCX 2025 DFIR Threat Report found that 75% of Business Email Compromise (BEC) incidents involved session hijacking — a technique that bypasses MFA by stealing authenticated session tokens rather than credentials. At higher maturity levels, phishing-resistant MFA (hardware tokens, passkeys) is required. Cyber Ethos can assess whether your current MFA implementation is vulnerable to bypass techniques.

Summary: Essential Eight Controls at a Glance

# | Control | Primary threat addressed | Complexity to implement
1 | Application Control | Malware execution, ransomware | Medium–High
2 | Patch Applications | Known vulnerability exploitation | Low–Medium
3 | Office Macro Settings | Phishing payloads, malicious docs | Low
4 | User Application Hardening | Browser-based attacks, drive-by downloads | Low–Medium
5 | Restrict Admin Privileges | Privilege escalation, lateral movement | Medium
6 | Patch Operating Systems | OS vulnerability exploitation | Low–Medium
7 | Multi-Factor Authentication | Credential theft, phishing, BEC | Low–Medium
8 | Regular Backups | Ransomware, data loss, extortion | Low–Medium

Essential Eight Maturity Levels: ML0 to ML3 Explained

The Essential Eight Maturity Model has four levels — ML0 through ML3 — each representing an increasingly rigorous implementation of all eight controls. To achieve a specific maturity level, an organisation must effectively implement all eight controls at that level and at every lower level. Partial compliance at a higher level does not constitute that maturity level; the organisation's overall level is the lowest level reached by any single control.

ML0
Significant weaknesses
Controls are not implemented, or implementation has significant gaps that leave the organisation highly vulnerable.
ML1
Commodity threat protection
Controls provide resilience against opportunistic attackers using widely available tools and techniques (e.g. commodity malware, broad phishing).
ML2
Targeted adversary protection
Controls provide resilience against adversaries who invest time in targeting, reconnaissance, and customising their tools for your organisation.
ML3
Sophisticated threat resilience
Controls provide resilience against sophisticated, persistent threat actors with significant resources — including state-sponsored adversaries.
2025 ASD Statistic

According to the ASD's 2025 Commonwealth Cyber Security Posture report, only 22% of Commonwealth entities achieved Maturity Level 2 or higher across all eight strategies. Additionally, 59% reported that legacy technology was a significant barrier to implementation. If government departments find ML2 challenging, most private sector organisations without a dedicated security function will find it equally demanding — which is why a guided assessment is the recommended starting point.

What maturity level should your organisation target?

The ASD is explicit that maturity selection should be a risk-based decision, not a compliance badge exercise. The correct target maturity level is the one that is proportionate to your organisation's threat profile, the sensitivity of your data, your regulatory obligations, and the resources available to you.

As a general guide:

  • ML1 is the minimum acceptable baseline for any Australian organisation with an internet presence or customer data.
  • ML2 is appropriate for most private sector businesses handling sensitive data, and is increasingly expected by cyber insurers and enterprise customers.
  • ML3 is required for organisations handling classified information, critical infrastructure, or those subject to elevated threat targeting.

Not sure which maturity level applies to you?

Book a consultation with Dr. Kiran Kewalramani. We'll review your current environment and give you a clear, honest answer — no sales pitch, no obligation.

Book your consultation →

Who Must Comply with the Essential Eight in Australia?

The Essential Eight was originally designed for Australian government agencies, but its application has expanded significantly. Understanding your specific compliance obligation — mandatory, strongly recommended, or commercially expected — is the first step in determining your implementation priority.

Organisation type | Obligation | Relevant authority
Non-Corporate Commonwealth Entities (NCCEs) | Mandatory | Australian Government policy (PSPF)
Critical infrastructure operators (SOCI Act) | Strongly expected | Security of Critical Infrastructure Act 2018
State and territory government agencies | Strongly recommended | ASD guidance + state-level cyber policy
Government contractors and suppliers | Increasingly required | Procurement conditions and security clauses
Private sector businesses | Strongly recommended | ASD, cyber insurers, enterprise procurement
Not-for-profit organisations | Recommended | ACSC, sector-specific funding requirements

Critical infrastructure and the SOCI Act

Australia's Security of Critical Infrastructure (SOCI) Act 2018, as amended in 2022, requires operators of critical infrastructure assets — spanning 11 sectors including energy, water, communications, health, education, financial services, food, defence industry, space technology, transport, and data storage — to implement and maintain a Risk Management Program. While the SOCI Act does not mandate the Essential Eight by name, the ASD strongly recommends Essential Eight as the baseline control set for organisations with SOCI obligations, and assessors routinely use it as the reference framework.

  • Energy: electricity generation, transmission, distribution, gas, liquid fuels
  • Water: water service providers, sewerage, stormwater management
  • Health: hospitals, pathology, medical imaging, pharmaceutical supply
  • Communications: carriage service providers, broadcast media infrastructure
  • Financial services: banking, insurance, superannuation, financial markets
  • Transport: aviation, freight, maritime, rail, road infrastructure

If your organisation operates in any of these sectors, Cyber Ethos recommends treating Essential Eight compliance as a priority obligation — not merely a best-practice recommendation. We have delivered SOCI-aligned cybersecurity programs for critical infrastructure operators across Queensland and Australia.

How to Assess Your Essential Eight Maturity: Step-by-Step

An Essential Eight assessment is a structured evaluation of your current IT environment against all eight controls at each maturity level. The outcome is a maturity scorecard — showing your current level for each control — together with a gap report and a prioritised remediation roadmap.

Here is the standard assessment process that Cyber Ethos follows, aligned with ASD methodology:

  1. Document your current state
    Inventory your systems, applications, and existing security controls. Document current patching processes, backup procedures, authentication methods, and administrative access policies. This establishes the baseline from which gaps are measured.
  2. Determine your target maturity level
    Based on your industry, regulatory obligations, threat profile, and risk appetite, determine which maturity level you are working toward. This is not one-size-fits-all — an NFP at ML1 may be entirely appropriate where a government contractor must achieve ML2.
  3. Assess each control against maturity criteria
    For each of the eight controls, evaluate your current implementation against the specific ASD criteria for your target maturity level. Identify gaps — controls that are absent, partially implemented, or implemented inconsistently across your environment.
  4. Produce the gap report and remediation roadmap
    Consolidate findings into a gap report that prioritises remediation actions by risk impact and implementation complexity. Quick wins (e.g., enabling MFA on Office 365, configuring macro settings) should be actioned first to achieve early risk reduction.
  5. Implement, monitor, and re-assess quarterly
    Essential Eight compliance is not a one-time project. The ASD recommends quarterly reviews of administrative privileges and MFA coverage, monthly backup restoration testing, and an annual comprehensive assessment including penetration testing focused on the Essential Eight controls.

"Kiran Kewalramani has provided a comprehensive ISO 27001 and Essential Eight based Right Fit for Risk (RFFR) baseline assessment for Roseberry Queensland. Based on the findings and guidance from Kiran, we have improved our Essential Eight maturity to protect our environment."
Michelle Coats — General Manager, Roseberry Queensland

Ongoing monitoring metrics to track

  • Percentage of systems with application control enabled
  • Average time to patch critical applications and OS updates
  • Percentage of user accounts with MFA enrolled
  • Number of admin accounts vs total user accounts (privilege ratio)
  • Backup restoration success rate and recovery time objective (RTO)
  • Number of macro execution attempts blocked per month
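As an added illustration (not part of this guide or of any Cyber Ethos tooling), the Python below computes the monitoring metrics listed above from a constructed asset, account and restore-test inventory, checks critical patches against the 48-hour and two-week timeframes quoted earlier in this guide, and derives the overall maturity level as the minimum across the eight controls, since a level only counts when every control meets it. All names, dates and the 180-minute RTO are hypothetical sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA_INTERNET_FACING = timedelta(hours=48)  # timeframe quoted in this guide for internet-facing systems
SLA_OTHER = timedelta(weeks=2)             # timeframe quoted in this guide for everything else
ESSENTIAL_EIGHT = ("application_control", "patch_applications", "office_macros",
                   "user_app_hardening", "restrict_admin", "patch_os", "mfa", "backups")

@dataclass
class Asset:
    name: str
    internet_facing: bool
    app_control_enabled: bool
    patch_released: datetime        # release time of the most recent critical patch
    patched_at: Optional[datetime]  # None means still unpatched

@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enrolled: bool

@dataclass
class RestoreTest:
    system: str
    succeeded: bool
    minutes_to_restore: int

def patch_sla_breaches(assets, now):
    """Assets patched after their deadline, or still unpatched once the deadline has passed."""
    breaches = []
    for a in assets:
        deadline = a.patch_released + (SLA_INTERNET_FACING if a.internet_facing else SLA_OTHER)
        applied = a.patched_at if a.patched_at is not None else now
        if applied > deadline:
            breaches.append(a.name)
    return breaches

def average_patch_hours(assets):
    """Mean hours from release to deployment over assets that have been patched (None if none)."""
    done = [a for a in assets if a.patched_at is not None]
    if not done:
        return None
    return sum((a.patched_at - a.patch_released).total_seconds() for a in done) / len(done) / 3600

def coverage_pct(items, attr):
    """Percentage of items for which the boolean attribute is set (e.g. MFA enrolled)."""
    return 100.0 * sum(getattr(i, attr) for i in items) / len(items)

def privilege_ratio(accounts):
    return sum(a.is_admin for a in accounts) / len(accounts)

def backup_restore_summary(tests, rto_minutes):
    """(success rate %, slowest successful restore in minutes, whether that stayed within the RTO)."""
    ok = [t for t in tests if t.succeeded]
    slowest = max((t.minutes_to_restore for t in ok), default=0)
    return 100.0 * len(ok) / len(tests), slowest, slowest <= rto_minutes

def overall_maturity(levels):
    """A level is only achieved when every control meets it, so the overall level is the minimum."""
    missing = [c for c in ESSENTIAL_EIGHT if c not in levels]
    if missing:
        raise ValueError(f"no assessment recorded for: {missing}")
    return min(levels[c] for c in ESSENTIAL_EIGHT)

# Constructed sample data for a hypothetical organisation, assessed as at NOW.
NOW = datetime(2026, 3, 10, 9, 0)
ASSETS = [
    Asset("web-proxy", True, True, datetime(2026, 3, 1, 9), datetime(2026, 3, 2, 12)),   # 27 h: on time
    Asset("mail-gateway", True, True, datetime(2026, 3, 1, 9), datetime(2026, 3, 4, 9)),  # 72 h: late
    Asset("finance-ws01", False, False, datetime(2026, 2, 20, 9), None),                  # 18 days unpatched
    Asset("hr-ws02", False, True, datetime(2026, 3, 5, 9), None),                         # 5 days: still in SLA
]
ACCOUNTS = [Account("alice", True, True), Account("bob", False, True), Account("carol", False, False),
            Account("svc-backup", True, True), Account("dave", False, True)]
RESTORE_TESTS = [RestoreTest("fileserver", True, 95), RestoreTest("erp", True, 240), RestoreTest("crm", False, 0)]
LEVELS = {"application_control": 1, "patch_applications": 1, "office_macros": 2, "user_app_hardening": 2,
          "restrict_admin": 1, "patch_os": 1, "mfa": 2, "backups": 2}

def scorecard():
    """Collect the guide's monitoring metrics for the sample environment into one dict."""
    rate, slowest, rto_met = backup_restore_summary(RESTORE_TESTS, rto_minutes=180)
    return {"patch_sla_breaches": patch_sla_breaches(ASSETS, NOW),
            "average_patch_hours": average_patch_hours(ASSETS),
            "app_control_pct": coverage_pct(ASSETS, "app_control_enabled"),
            "mfa_pct": coverage_pct(ACCOUNTS, "mfa_enrolled"), "privilege_ratio": privilege_ratio(ACCOUNTS),
            "restore_success_pct": rate, "slowest_restore_min": slowest, "rto_met": rto_met,
            "overall_maturity": overall_maturity(LEVELS)}
```

Calling scorecard() on the sample data flags the mail gateway (patched at 72 hours) and the workstation unpatched for 18 days, and reports ML1 overall even though four controls sit at ML2.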

Essential Eight Implementation: Common Challenges and How to Solve Them

Despite its focused nature, implementing the Essential Eight is not without difficulty. In the ASD's 2025 Commonwealth Cyber Security Posture report, 59% of entities cited legacy technology as a barrier to implementation — and private sector organisations often face the same constraints with fewer dedicated security resources. Here are the most common challenges and practical solutions.

Challenge
Legacy systems incompatible with modern controls. Older applications may break with application control enabled, or cannot support current OS patches because they depend on outdated dependencies.
Solution
Use virtualisation or isolated environments to contain legacy applications. Implement compensating controls — enhanced monitoring, network segmentation — where the primary control cannot be applied. Document exceptions formally.
Challenge
Fear of patch-related outages. Teams delay patching because a previous patch caused a system outage, creating a culture of avoidance that leaves vulnerabilities open for months.
Solution
Implement a staged patch deployment process: test in a non-production environment first, then deploy to a subset of systems, then roll out broadly. Automate patch management where possible. The risk of not patching outweighs the risk of a managed outage.
Challenge
MFA bypass via session hijacking. Even with MFA deployed, Business Email Compromise (BEC) continues to be the most common incident type. The CyberCX 2025 DFIR Threat Report found 75% of BEC incidents involved session hijacking — up from 38.5% in 2023.
Solution
Move toward phishing-resistant MFA: FIDO2 hardware security keys or passkeys rather than SMS or app-based OTP codes. Implement token binding and conditional access policies that detect anomalous session behaviour.
Challenge
User resistance to privilege restrictions. Staff who are accustomed to local admin rights push back when those privileges are removed, and IT teams lack the bandwidth to manage exceptions effectively.
Solution
Phase the rollout: identify which roles genuinely require admin privileges and implement a just-in-time (JIT) privilege escalation process for legitimate needs. Communicate the security rationale to staff — engagement reduces resistance significantly.
Challenge
Backups that have never been tested. Many organisations run regular backups but have never attempted a restoration test. When ransomware strikes, they discover their backups are incomplete, corrupted, or infected.
Solution
Schedule quarterly restoration tests for critical systems. Maintain at least one offline or immutable backup copy that cannot be encrypted by ransomware affecting your online systems. Document the recovery time and use it to validate your RTO.
Expert perspective
"In our experience delivering Essential Eight assessments across Queensland and nationally, the most common gap isn't technical — it's the absence of a structured program. Organisations have some controls in place, but they're inconsistently applied, undocumented, or not tested. The good news is that most organisations are closer to ML1 than they think. The gap analysis typically reveals 3–4 high-priority actions that have an outsized risk reduction impact."
— Dr. Kiran Kewalramani, PhD, CISSP, GAICD · Founder, Cyber Ethos · Author, Cyber Insecurity: The Silent Risk in Your Boardroom

Essential Eight vs Other Frameworks: ISO 27001, NIST, and Cyber Essentials

The Essential Eight is one of several cybersecurity frameworks available to Australian organisations. Understanding how it relates to other standards helps you make informed decisions about which frameworks to prioritise — and how they can work together.

Framework | Origin | Focus | Mandatory in AU? | Best for
Essential Eight | Australia (ASD) | Operational controls — specific, prioritised technical actions | Yes (NCCEs) | All Australian organisations as a starting baseline
ISO 27001 | International (ISO/IEC) | Information Security Management System (ISMS) — governance and risk | No | Governance framework, enterprise risk, international certification
NIST CSF | United States (NIST) | Risk management framework across 5 functions: Identify, Protect, Detect, Respond, Recover | No | Organisations with US regulatory obligations or multinational operations
Cyber Essentials | United Kingdom (NCSC) | 5 basic technical controls, similar scope to Essential Eight | No | Organisations with UK government contracts or UK-aligned clients
SOCI Risk Management Program | Australia (ASD/Home Affairs) | Risk-based program for critical infrastructure operators | Yes (SOCI entities) | Critical infrastructure operators across 11 sectors

Essential Eight and ISO 27001: complementary, not competing

The most important point about the Essential Eight vs ISO 27001 comparison: they are complementary frameworks designed to work together, not competing alternatives. The Essential Eight provides specific operational controls — the "what to do technically." ISO 27001 provides the governance structure — the "how to manage it organisationally." Many Australian organisations use Essential Eight as the operational baseline and pursue ISO 27001 certification as the governance overlay. Cyber Ethos delivers both, and our Right Fit for Risk (RFFR) assessment framework evaluates organisations against both simultaneously.

Essential Eight for SMEs and Not-for-Profits in Australia

One of the most common misconceptions about the Essential Eight is that it is only relevant to large government agencies or enterprise-scale organisations. This is incorrect. The ASD explicitly recommends that all Australian organisations, regardless of size or sector, implement the Essential Eight proportional to their risk profile.

For small-to-medium businesses and not-for-profit organisations, the framework remains the right starting point — but the implementation approach needs to be calibrated to your resources and actual risk exposure. This is where the Right Fit for Risk (RFFR) methodology becomes particularly valuable.

What is Right Fit for Risk (RFFR)?

Right Fit for Risk (RFFR) is an assessment methodology that evaluates an organisation's cybersecurity posture against both Essential Eight and ISO 27001 frameworks, scaled to the organisation's size, industry, and realistic threat profile. Rather than applying a one-size-fits-all compliance framework, RFFR produces a gap report and remediation roadmap that prioritises the actions with the highest risk reduction impact for your specific context.

For an NFP with limited IT resources, an RFFR assessment might determine that achieving ML1 across all eight controls and ML2 specifically on MFA and backups is the appropriate target — rather than pursuing ML3 across the board, which would be disproportionate to the organisation's threat profile and budget.

SME starting point

If you are a small business or NFP and do not know where to start: MFA on all internet-facing accounts (especially email), current OS and application patching, and tested backups stored offline are the three controls that provide the highest risk reduction per dollar invested. Start there, then work toward full ML1 compliance with support from Cyber Ethos.

Cyber Ethos has delivered RFFR assessments for a range of Queensland-based NFPs, government-funded service organisations, and SMEs. Our approach is designed to be practical, affordable, and proportionate — not to sell you compliance overhead you don't need.

How Cyber Ethos Helps You Achieve Essential Eight Compliance

Cyber Ethos delivers end-to-end Essential Eight assessment and implementation support for Australian organisations across government, healthcare, critical infrastructure, NFP, and private sector. Our approach is led by Dr. Kiran Kewalramani, PhD, CISSP, CISA, GAICD, and two-time international cybersecurity award winner — one of Australia's most credentialled independent cybersecurity practitioners.

Our Essential Eight service includes:

  • Baseline assessment — a structured evaluation of your current environment against all eight controls at your target maturity level, delivered remotely or on-site across Australia
  • Gap report — a clear, plain-language report identifying which controls are implemented, partially implemented, or absent, with risk ratings for each gap
  • Remediation roadmap — a prioritised action plan with timelines, resource requirements, and quick wins identified for early risk reduction
  • Implementation support — hands-on guidance for your IT team during remediation, including configuration review, policy development, and staff awareness training
  • Annual reassessment and ongoing monitoring — to ensure your maturity level is maintained as your environment evolves and threat landscapes change

Book your Essential Eight assessment

Contact Cyber Ethos today for an initial consultation. We'll assess your current environment, identify your compliance obligations, and give you a clear roadmap — no jargon, no inflated scope.

Book an Essential Eight consultation →
1800 CETHOS (1800-238-467)  ·  cyberethos.com.au

Frequently Asked Questions about the Essential Eight

What is the Essential Eight?
The Essential Eight is a cybersecurity framework developed by the Australian Signals Directorate (ASD) comprising eight prioritised mitigation strategies designed to help Australian organisations protect their IT systems against the most common cyber threats, including ransomware, phishing, and system compromise. It was first published in June 2017 and is updated regularly to reflect evolving threat landscapes.
Is the Essential Eight mandatory in Australia?
Yes, for Non-Corporate Commonwealth Entities (NCCEs), Essential Eight compliance is mandatory under the Australian Government's Protective Security Policy Framework (PSPF). For private sector organisations, it is strongly recommended by the ASD and increasingly required as a condition of cyber insurance, government contracts, and enterprise procurement processes. Organisations operating critical infrastructure under the SOCI Act face additional obligations that align with Essential Eight.
What are the 8 controls of the Essential Eight?
The eight controls are: (1) Application Control — restricts unauthorised software execution; (2) Patch Applications — keeps applications updated against known vulnerabilities; (3) Configure Microsoft Office Macro Settings — blocks malicious macro execution; (4) User Application Hardening — secures browsers and user-facing applications; (5) Restrict Administrative Privileges — limits elevated access to those who require it; (6) Patch Operating Systems — keeps OS software current; (7) Multi-Factor Authentication — adds a second authentication factor beyond passwords; (8) Regular Backups — ensures secure, tested backups of critical data.
What are the Essential Eight maturity levels?
The Essential Eight Maturity Model has four levels: ML0 (significant weaknesses present — the organisation is highly vulnerable), ML1 (protection against opportunistic, commodity-level threats), ML2 (protection against adversaries who invest time targeting your organisation specifically), and ML3 (resilience against sophisticated, persistent threat actors including state-sponsored adversaries). To achieve any given level, all controls at that level and below must be fully implemented.
How long does Essential Eight implementation take?
Implementation timelines vary significantly depending on your organisation's size, existing controls, and IT complexity. Most small-to-medium businesses can achieve ML1 within 3–6 months with dedicated effort. Reaching ML2 typically takes 6–18 months. Many organisations are closer to a target maturity level than they expect — a baseline assessment often reveals that several controls are partially in place already. Cyber Ethos recommends beginning with a gap assessment to get an accurate picture before committing to a timeline.
What is the difference between Essential Eight and ISO 27001?
The Essential Eight is an Australia-specific, operationally focused set of eight prioritised technical controls developed by the ASD. ISO 27001 is a globally recognised information security management standard that covers governance, risk management, and over 90 controls across an Information Security Management System (ISMS). The two frameworks are complementary: Essential Eight provides the operational technical baseline while ISO 27001 provides the governance structure. Many Australian organisations implement both — using Essential Eight to address the most critical technical controls and ISO 27001 for organisational governance and international certification.
Does the Essential Eight apply to small businesses and NFPs?
Yes. The ASD explicitly recommends that all Australian organisations implement the Essential Eight proportional to their risk profile. Small businesses and not-for-profits can adopt a Right Fit for Risk (RFFR) approach — prioritising the controls that address their most likely threat scenarios rather than targeting the highest maturity level from the outset. For most SMEs, achieving ML1 across all controls and ML2 on MFA and backups is a highly effective and achievable starting target.
What is a Right Fit for Risk (RFFR) assessment?
A Right Fit for Risk (RFFR) assessment evaluates an organisation's cybersecurity controls against both ISO 27001 and Essential Eight frameworks, scaled to the organisation's specific size, industry, and risk appetite. It produces a gap report identifying which controls are in place and which require attention, and a prioritised remediation roadmap. The RFFR methodology is particularly suited to SMEs, NFPs, and government-funded organisations that need practical cybersecurity guidance proportionate to their resources. Cyber Ethos has delivered RFFR assessments for organisations across Queensland and nationally.
How does the Essential Eight relate to the SOCI Act?
Australia's Security of Critical Infrastructure (SOCI) Act 2018, as amended in 2022, requires operators of critical infrastructure assets across 11 sectors to implement and maintain a Risk Management Program. While the SOCI Act does not mandate the Essential Eight by name, the ASD strongly recommends Essential Eight as the baseline control set for critical infrastructure organisations to meet their SOCI obligations. In practice, SOCI assessors routinely use the Essential Eight as a reference framework when evaluating an organisation's security posture. Cyber Ethos helps critical infrastructure operators align their security programs with both SOCI Act requirements and Essential Eight controls.
How do I get an Essential Eight assessment in Australia?
An Essential Eight assessment involves a structured review of your current IT environment against all eight controls at each maturity level. Cyber Ethos delivers both remote and on-site assessments across Australia, producing a maturity scorecard, gap report, and prioritised remediation roadmap. Our assessments are led by Dr. Kiran Kewalramani (PhD, CISSP, CISA, GAICD) and are delivered in plain language without unnecessary technical complexity. Contact Cyber Ethos at 1800 CETHOS (1800-238-467) or visit cyberethos.com.au/contact to book an initial consultation.