Why Australian Businesses Need Essential Eight Compliance

If you work with government agencies, are renewing your cyber insurance, or are pursuing contracts with larger organisations, you may have come across the Essential Eight framework.

While it is not a legal requirement for most businesses, it has become a recognised benchmark that certain clients, insurers, and partners reference when assessing who they work with.

Developed by the Australian Signals Directorate (ASD), the Essential Eight is a set of eight baseline mitigation strategies, drawn from ASD's broader Strategies to Mitigate Cyber Security Incidents, chosen because together they block or blunt the most common intrusion techniques used against Australian organisations.

Originally written for federal government agencies, the framework has been adopted well beyond them because it is specific and measurable: each strategy has concrete requirements at each maturity level, so an assessor can say whether a control is in place rather than argue about intent.
For businesses that do need to meet it, the challenge is usually the same.

Most do not have a clear picture of where they currently sit or what is needed to reach the maturity level required. That gap can slow down insurance renewals, create friction in tender processes, or raise questions from enterprise clients who want confidence in their partners.

Understanding the Eight Controls and What They Actually Do

Application Control: Stopping Malware Before It Runs

Most ransomware and commodity malware infections depend on an attacker's executable, script or installer being allowed to run on an endpoint that will run anything. Application Control inverts that default: only an approved set of software can execute, and everything else is blocked regardless of how it arrived.

When an employee opens an attachment from a phishing email or downloads a file from a compromised website, the payload is not on the approved set and does not run. At Maturity Level 1 the control applies to workstations and must restrict executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets, with the rules applied at least to user profiles and the temporary folders used by the operating system, web browsers and email clients. Level 2 extends enforcement to internet-facing servers, applies it to all locations rather than only user-writable ones, adds Microsoft's recommended application blocklist, and centrally logs allowed and blocked execution events. Level 3 covers all servers, extends the control to drivers (including Microsoft's vulnerable driver blocklist), and requires the ruleset to be validated at least annually.
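The following PowerShell is an added example, not code from the original article, showing how to check a workstation's effective AppLocker policy against the Level 1 requirement: every rule collection in enforce mode, and nothing under the user-writable locations the level calls out actually allowed to run. The probe directories (the user's temp folder and Downloads) are assumptions; change them to match the profile and temporary folders your users actually write to.

```powershell
# Added example (not from the original article): audit the effective AppLocker policy
# against the Maturity Level 1 application control requirement. Run in an elevated
# session on the workstation being assessed. The probe directories are assumptions.

function Test-E8ApplicationControl {
    [CmdletBinding()]
    param(
        # User-writable locations ML1 specifically requires to be covered.
        [string[]] $ProbeDirectory = @($env:TEMP, "$env:USERPROFILE\Downloads")
    )

    # Effective policy = local policy merged with Group Policy or Intune delivered policy.
    $policy = Get-AppLockerPolicy -Effective
    [xml] $xml = Get-AppLockerPolicy -Effective -Xml

    # .chm, .hta and .cpl are handled by the Exe and Script collections, so these five
    # built-in collections cover the whole ML1 file-type list.
    $required = 'Exe', 'Dll', 'Script', 'Msi', 'Appx'
    $modes = @{}
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $modes[$rc.Type] = $rc.EnforcementMode }

    foreach ($type in $required) {
        $mode = if ($modes.ContainsKey($type)) { $modes[$type] } else { 'Missing' }
        [pscustomobject]@{
            Check  = "RuleCollection $type enforced"
            Detail = $mode
            Pass   = ($mode -eq 'Enabled')   # 'AuditOnly' only logs; 'NotConfigured' allows everything
        }
    }

    # Simulate the policy decision for every runnable file already sitting in the
    # user-writable locations. Anything reported as allowed is a gap: a dropped payload
    # in the same folder would be allowed by the same rule.
    foreach ($dir in $ProbeDirectory) {
        $files = Get-AppLockerFileInformation -Directory $dir -Recurse `
                     -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
        $allowed = @()
        if ($files) {
            $allowed = @($files | Test-AppLockerPolicy -PolicyObject $policy |
                         Where-Object { $_.PolicyDecision -like 'Allowed*' })
        }
        [pscustomobject]@{
            Check  = "Nothing runnable from $dir"
            Detail = if ($allowed.Count) { $allowed.FilePath -join '; ' } else { 'no allowed files found' }
            Pass   = ($allowed.Count -eq 0)
        }
    }
}

Test-E8ApplicationControl | Format-Table -AutoSize
```

If the second check lists files, read the matching rule before deciding it is a false positive: per-user installs such as Teams or OneDrive under LocalAppData are legitimately allowed by a publisher rule, whereas a broad path rule covering the whole profile is the weakness the control is meant to remove. Where the fleet uses App Control for Business (WDAC) instead of AppLocker, the equivalent enforcement check is the UsermodeCodeIntegrityPolicyEnforcementStatus property of Win32_DeviceGuard (Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard), where 2 means enforced and 1 means audit only.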

Patch Applications: Closing Vulnerabilities Attackers Exploit

Attackers don't need to break through your defences if they can exploit known vulnerabilities in unpatched software. Web browsers, PDF readers and office applications are common targets because they handle content from outside the organisation.

The required timeframe depends on the type of software and the maturity level. At every level, vulnerabilities in online services must be patched within 48 hours of a patch being released when the vendor rates the vulnerability critical or a working exploit exists, and otherwise within two weeks. At Level 1, office productivity suites, web browsers and their extensions, email clients, PDF software and security products must be patched within two weeks; from Level 2, critical or exploited vulnerabilities in those products also fall under the 48-hour window. Other applications have no timeframe at Level 1, one month at Level 2, and at Level 3 48 hours when critical or exploited and otherwise one month. Every level also requires an automated asset discovery process, a vulnerability scanner run at defined intervals (daily for online services, at least fortnightly for the commonly targeted applications), and the removal of software the vendor no longer supports. Note that the clock starts at the vendor's release, not at the moment you notice the patch.

Configure Microsoft Office Macro Settings: Neutralising a Common Attack Vector

Macros in Microsoft Office documents remain one of the most common ways attackers deliver malware. A seemingly legitimate Excel spreadsheet arrives by email, the user clicks Enable Content, and the macro runs with that user's privileges and access to everything they can reach.

At Maturity Level 1, macros are disabled for users without a demonstrated business requirement, macros in files that originated from the internet are blocked, macro antivirus scanning is enabled, and users cannot change the macro security settings. Level 2 additionally blocks macros from making Win32 API calls and centrally logs allowed and blocked macro execution events. At Maturity Level 3, only macros running from within a sandboxed environment, from a Trusted Location, or digitally signed by a trusted publisher are allowed to execute; only the privileged users responsible for vetting macros can write to Trusted Locations; macros signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View; and the list of trusted publishers is validated at least annually.

User Application Hardening: Reducing Attack Surface in Everyday Tools

Web browsers, PDF readers and email clients constantly handle external, potentially malicious content. User Application Hardening reduces risk by removing or disabling the features attackers commonly exploit. At Maturity Level 1 this means Internet Explorer 11 is disabled or removed, web browsers do not process Java or web advertisements from the internet, and users cannot change browser security settings. Level 2 hardens Microsoft Office and PDF software (Office is blocked from creating child processes, creating executable content, injecting code into other processes and activating OLE packages; PDF software is blocked from creating child processes), locks those settings against user change, and centrally logs PowerShell module, script block and transcription events along with command line process creation events. Level 3 goes further by disabling or removing .NET Framework 3.5 and Windows PowerShell 2.0 and running PowerShell in Constrained Language Mode, closing off the older scripting surfaces attackers fall back to when the current ones are locked down.
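Both the macro section and the hardening section above come down to a handful of Office policy values and Microsoft Defender Attack Surface Reduction (ASR) rules. The PowerShell below is an added example, not from the original article, that reads those settings on one workstation and reports pass or fail per item. It assumes Office 2016 or later (the 16.0 policy hive) and the Microsoft Defender antivirus engine; the ASR rule GUIDs are Microsoft's published identifiers for those rules. Get-WindowsOptionalFeature needs an elevated session.

```powershell
# Added example (not from the original article): audit Office macro policy and the
# ASR rules behind the macro and user application hardening controls on this workstation.

function Get-PolicyValue {
    param([string] $Path, [string] $Name)
    # Returns $null when the key or value does not exist, i.e. nothing is enforced by policy.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-E8OfficeHardening {
    [CmdletBinding()]
    param([string] $OfficeVersion = '16.0')   # assumption: Office 2016/2019/365 policy hive

    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
    $vbaMeaning = @{ 1 = 'enable all'; 2 = 'disable with notification (user can enable)';
                     3 = 'disable except digitally signed'; 4 = 'disable all without notification' }

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "$base\$app\Security"
        # ML1: macros disabled for users with no business need (4). A user who legitimately
        # runs signed macros is configured with 3, which is also where ML3 lands.
        $vba = Get-PolicyValue $sec 'VBAWarnings'
        [pscustomobject]@{
            Check  = "$app VBAWarnings"
            Detail = if ($null -eq $vba) { 'not set by policy (user can change it)' } else { "$vba = $($vbaMeaning[[int]$vba])" }
            Pass   = ($vba -in 3, 4)
        }
        # ML1: macros in files carrying the mark-of-the-web are blocked outright.
        $motw = Get-PolicyValue $sec 'blockcontentexecutionfromInternet'
        [pscustomobject]@{
            Check  = "$app blocks macros in files from the internet"
            Detail = if ($null -eq $motw) { 'not set' } else { $motw }
            Pass   = ($motw -eq 1)
        }
    }

    # ML1: macro antivirus scanning via AMSI. 0 = off, 1 = low-trust macros only, 2 = all macros.
    $scan = Get-PolicyValue "$base\Common\Security" 'MacroRuntimeScanScope'
    [pscustomobject]@{
        Check  = 'Macro antivirus (AMSI) scanning'
        Detail = if ($null -eq $scan) { 'not set' } else { $scan }
        Pass   = ($scan -in 1, 2)
    }

    # Defender ASR rules. Actions: 0 = off, 1 = block, 2 = audit, 6 = warn. Only block counts.
    $rules = [ordered]@{
        '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros (ML2 macro control)'
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes (ML2 hardening)'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content (ML2 hardening)'
        '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes (ML2 hardening)'
        '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes (ML2 hardening)'
    }
    $mp = Get-MpPreference
    foreach ($guid in $rules.Keys) {
        $action = 0
        for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
            if ($mp.AttackSurfaceReductionRules_Ids[$i] -ieq $guid) { $action = $mp.AttackSurfaceReductionRules_Actions[$i] }
        }
        [pscustomobject]@{ Check = $rules[$guid]; Detail = "action $action"; Pass = ($action -eq 1) }
    }

    # ML1 user application hardening: Internet Explorer 11 disabled or removed.
    $ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Internet Explorer 11 disabled or removed'
        Detail = if ($ie) { $ie.State } else { 'feature not present' }
        Pass   = ($null -eq $ie -or $ie.State -ne 'Enabled')
    }
}

Test-E8OfficeHardening | Format-Table -AutoSize
```

The registry checks deliberately read the Policies hive rather than the user's own settings: a value the user set in the Trust Center satisfies the behaviour today but fails the "cannot be changed by users" requirement, because the user can set it back. Run the same function on a sample of machines through your RMM or Intune scripts to find drift rather than trusting the Group Policy report.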

Restrict Administrative Privileges: Limiting Damage When Accounts Are Compromised

If an attacker compromises an account with administrative privileges, they inherit the ability to change configuration, disable security tooling and move across the environment. Restricting administrative privileges applies the principle of least privilege so that a compromised account has as little reach as possible.

At Maturity Level 1, requests for privileged access are validated when first requested, privileged accounts (other than service accounts) are prevented from accessing the internet, email and web services, and privileged users work in separate privileged and unprivileged operating environments: a standard account for email, browsing and office productivity, and an administrative account used only for administrative tasks, with neither account able to log on to the other's environment. Level 2 disables privileged access after 12 months unless it is revalidated and after 45 days of inactivity, forbids running the privileged environment as a virtual machine inside the unprivileged one, routes administrative activity through jump servers, requires long, unique and managed credentials for break glass, local administrator and service accounts, and centrally logs privileged access and account management events. Level 3 moves to just-in-time administration and Secure Admin Workstations, and hardens credential storage on Windows with memory integrity, LSA protection, Credential Guard and Remote Credential Guard.
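As an added example (not part of the original article), the PowerShell below lists the members of the usual Active Directory privileged groups and flags the three failures most often found against the requirements just described: a privileged account that is mail-enabled, an everyday account that is also an administrator, and an enabled privileged account nobody has used for 45 days. It assumes the ActiveDirectory module from RSAT; the adm- prefix used to recognise dedicated admin accounts is a placeholder for whatever naming convention the organisation actually uses.

```powershell
# Added example (not from the original article): find privileged AD accounts that
# break the Level 1 and Level 2 "Restrict administrative privileges" requirements.
# Requires the ActiveDirectory module. The 'adm-' prefix is an assumed convention.

function Get-E8PrivilegedAccountFindings {
    [CmdletBinding()]
    param(
        [string[]] $PrivilegedGroup = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Server Operators',
                                        'Backup Operators'),
        [string] $AdminPrefix  = 'adm-',   # assumption: dedicated admin accounts are named adm-<user>
        [int]    $InactiveDays = 45        # ML2: privileged access disabled after 45 days of inactivity
    )

    $seen = @{}
    foreach ($group in $PrivilegedGroup) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            # A user nested in several privileged groups is reported once, against the first group.
            if ($seen.ContainsKey($m.distinguishedName)) { continue }
            $seen[$m.distinguishedName] = $true

            $u = Get-ADUser -Identity $m.distinguishedName -Properties mail, proxyAddresses, LastLogonDate
            $findings = @()

            # ML1: privileged accounts are prevented from accessing the internet, email and web
            # services. A mailbox on an admin account is the usual way that is broken.
            if ($u.mail -or $u.proxyAddresses) { $findings += 'mail-enabled privileged account' }

            # ML1: separate privileged and unprivileged operating environments. The naming check
            # catches "my everyday account is also in Domain Admins".
            if ($u.SamAccountName -notlike "$AdminPrefix*") {
                $findings += "not a dedicated admin account (no '$AdminPrefix' prefix)"
            }

            # ML2: unused privileged access is disabled after 45 days of inactivity.
            if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$InactiveDays)) {
                $findings += "enabled but inactive since $($u.LastLogonDate.ToShortDateString())"
            }

            if ($findings.Count) {
                [pscustomobject]@{
                    Account  = $u.SamAccountName
                    Group    = $group
                    Findings = ($findings -join '; ')
                }
            }
        }
    }
}

Get-E8PrivilegedAccountFindings | Sort-Object Account | Format-Table -AutoSize
```

LastLogonDate is replicated only roughly (it derives from lastLogonTimestamp, which is updated at most every 14 days by default), so treat the inactivity finding as a prompt to check the account's logon events rather than as an exact count. Entra ID roles need a separate pass through the directory roles or PIM assignments; this function only sees on-premises AD.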

Patch Operating Systems: Protecting the Foundation

Unpatched operating systems are a primary target for attackers. Vulnerabilities in Windows, macOS or Linux, and in the firmware of network devices, give attackers a foothold to install malware, escalate privileges and compromise the wider environment.

At every maturity level, vulnerabilities in the operating systems of internet-facing servers and internet-facing network devices must be patched within 48 hours of a patch being released when the vendor rates them critical or a working exploit exists, and otherwise within two weeks. Operating systems of workstations, non-internet-facing servers and non-internet-facing network devices must be patched within one month at Level 1; from Level 2, critical or exploited vulnerabilities in those systems also fall under the 48-hour window, and drivers and firmware come into scope with a one-month timeframe. Level 3 additionally requires that only the latest or the immediately previous release of an operating system is in use. As with applications, each level requires automated asset discovery, scheduled vulnerability scanning, and replacement of operating systems the vendor no longer supports.
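The patching timeframes for applications and for operating systems are the same decision table applied to different asset classes, so they are easiest to get right in code. The PowerShell below is an added example, not from the original article: it computes the deadline the Maturity Model sets for a finding given its asset class, whether the vendor rates it critical or an exploit exists, and the target maturity level, then reports which findings are overdue. The findings list is constructed sample data, and the host and product names in it are invented.

```powershell
# Added example (not from the original article): Essential Eight patch deadlines for
# applications and operating systems, applied to a constructed list of scanner findings.

function Get-E8PatchDeadline {
    param(
        [ValidateSet('OnlineService', 'TargetedApplication', 'OtherApplication', 'InternetFacingOS', 'InternalOS')]
        [string] $AssetClass,
        [bool] $CriticalOrExploited,                  # vendor rates it critical, or a working exploit exists
        [ValidateRange(1, 3)] [int] $MaturityLevel,
        [datetime] $ReleaseDate                       # the clock starts at the vendor's release
    )
    $fast     = $ReleaseDate.AddHours(48)
    $twoWeeks = $ReleaseDate.AddDays(14)
    $oneMonth = $ReleaseDate.AddMonths(1)

    switch ($AssetClass) {
        # Internet-exposed assets get the tightest window at every level.
        'OnlineService'       { if ($CriticalOrExploited) { $fast } else { $twoWeeks } }
        'InternetFacingOS'    { if ($CriticalOrExploited) { $fast } else { $twoWeeks } }
        # Office suites, browsers and extensions, email clients, PDF software, security products:
        # two weeks at ML1; from ML2 critical or exploited ones drop to 48 hours.
        'TargetedApplication' { if ($CriticalOrExploited -and $MaturityLevel -ge 2) { $fast } else { $twoWeeks } }
        # Workstations and non-internet-facing servers and network devices.
        'InternalOS'          { if ($CriticalOrExploited -and $MaturityLevel -ge 2) { $fast } else { $oneMonth } }
        # "Other applications": no timeframe at ML1, one month at ML2, 48 hours when critical at ML3.
        'OtherApplication'    {
            if ($MaturityLevel -eq 1) { $null }
            elseif ($CriticalOrExploited -and $MaturityLevel -eq 3) { $fast }
            else { $oneMonth }
        }
    }
}

function Get-E8OverduePatches {
    param([object[]] $Finding, [int] $MaturityLevel, [datetime] $AsOf = (Get-Date))
    foreach ($f in $Finding) {
        $deadline = Get-E8PatchDeadline -AssetClass $f.AssetClass -CriticalOrExploited $f.Critical `
                                        -MaturityLevel $MaturityLevel -ReleaseDate $f.Released
        [pscustomobject]@{
            Host       = $f.Host
            Item       = $f.Item
            AssetClass = $f.AssetClass
            Deadline   = $deadline
            Status     = if ($null -eq $deadline) { "no ML$MaturityLevel timeframe" }
                         elseif ($f.Patched)     { 'patched' }
                         elseif ($AsOf -gt $deadline) { "OVERDUE by $([int]($AsOf - $deadline).TotalDays) days" }
                         else { "due in $([int]($deadline - $AsOf).TotalDays) days" }
        }
    }
}

# Constructed sample findings (not real scanner output); hosts and products are invented.
$sample = @(
    [pscustomobject]@{ Host = 'mail01';  Item = 'Webmail platform'; AssetClass = 'OnlineService';       Critical = $true;  Released = [datetime]'2024-03-01'; Patched = $false }
    [pscustomobject]@{ Host = 'ws-042';  Item = 'Web browser';      AssetClass = 'TargetedApplication'; Critical = $true;  Released = [datetime]'2024-03-01'; Patched = $false }
    [pscustomobject]@{ Host = 'ws-042';  Item = 'Workstation OS';   AssetClass = 'InternalOS';          Critical = $false; Released = [datetime]'2024-02-13'; Patched = $false }
    [pscustomobject]@{ Host = 'fs01';    Item = 'Archive utility';  AssetClass = 'OtherApplication';    Critical = $false; Released = [datetime]'2024-01-20'; Patched = $false }
    [pscustomobject]@{ Host = 'fw-edge'; Item = 'Firewall OS';      AssetClass = 'InternetFacingOS';    Critical = $false; Released = [datetime]'2024-03-05'; Patched = $true  }
)

Get-E8OverduePatches -Finding $sample -MaturityLevel 2 -AsOf ([datetime]'2024-03-08') | Format-Table -AutoSize
```

Running the sample at Level 2 as of 8 March 2024 reports the webmail platform and the browser overdue by five days (both critical, so 48 hours), the workstation OS due in five days (one month from 13 February), the archive utility overdue by 17 days (one month from 20 January), and the firewall as patched. Re-run it with -MaturityLevel 1 and the browser's deadline moves to 15 March and the archive utility shows no timeframe, which is the practical difference between the two levels for a workstation fleet.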

Multi-Factor Authentication: Defending Against Credential Theft

Passwords alone no longer provide adequate protection. Phishing and credential stuffing compromise passwords routinely, and once attackers hold valid credentials they look like legitimate users.

Multi-factor authentication adds a verification step that a stolen password does not satisfy. At Maturity Level 1, MFA is required for users of the organisation's online services that process, store or communicate its sensitive data, for third-party online services handling that data, and for customers of its online customer services, and it must combine something users have with something they know, or something users have that is unlocked by something they know or are. Level 2 extends MFA to privileged and unprivileged users authenticating to the organisation's systems, requires the MFA used for authentication to be phishing-resistant, and requires successful and unsuccessful MFA events to be centrally logged, protected from tampering and analysed. Phishing-resistant methods, such as FIDO2 security keys or device-bound passkeys, smart cards and Windows Hello for Business, cryptographically bind the authentication to the genuine service's origin, so a proxy phishing page that relays the login in real time cannot capture or replay a usable credential; a push notification or six-digit code can be relayed and therefore does not qualify. Level 3 extends MFA to users of data repositories, requires a phishing-resistant option for customers, and brings MFA event logs from workstations and non-internet-facing servers into the analysis.
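In a Microsoft 365 tenant the Level 2 requirement is enforced with a Conditional Access policy that demands the built-in "Phishing-resistant MFA" authentication strength. The PowerShell below is an added example, not code from the original article or from Microsoft, that creates such a policy with the Microsoft Graph PowerShell SDK. It assumes that module is installed, that the tenant is licensed for Conditional Access, and that a break-glass group already exists (its object ID is a placeholder); the policy is created in report-only mode by default so sign-in logs can show who would be blocked before it is enforced.

```powershell
# Added example (not from the original article): create a Conditional Access policy
# requiring the built-in "Phishing-resistant MFA" authentication strength for all users.
# Assumes the Microsoft.Graph PowerShell module; the break-glass group ID is a placeholder.

function New-E8PhishingResistantMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,   # emergency-access accounts excluded from every CA policy
        [switch] $Enforce                                     # default is report-only; switch to enforce after review
    )
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

    $body = @{
        displayName = 'E8 ML2 - Require phishing-resistant MFA'
        state       = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
        conditions  = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator = 'OR'
            # Built-in authentication strength IDs: ...0002 = Multifactor authentication,
            # ...0003 = Passwordless MFA, ...0004 = Phishing-resistant MFA (FIDO2 security keys,
            # Windows Hello for Business, certificate-based authentication).
            authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage: New-E8PhishingResistantMfaPolicy -BreakGlassGroupId '<break-glass-group-object-id>'
```

Two caveats a practitioner will hit. First, users must already have registered a phishing-resistant method before the policy is enforced, so pair it with a temporary access pass or a Windows Hello for Business enrolment campaign and watch the report-only results. Second, Conditional Access only governs Entra-integrated sign-ins; the Level 2 requirement also covers authentication to on-premises systems such as RDP and VPN, which needs its own MFA integration and its own logging.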

Regular Backups: Ensuring Recovery When Everything Else Fails

Backups are your last line of defence when prevention fails. Ransomware, hardware failures and accidental deletions happen despite best efforts, and reliable backups let you recover without catastrophic data loss or paying a ransom.

At Maturity Level 1, backups of data, applications and settings are performed and retained in line with business criticality and business continuity requirements, stored in a secure and resilient manner, and synchronised so that everything can be restored to a common point in time. Restoration to that point in time must be tested as part of disaster recovery exercises, and unprivileged accounts must be unable to access other accounts' backups or to modify or delete any backups. Level 2 applies those restrictions to privileged accounts other than backup administrators as well. Level 3 also stops privileged accounts from accessing their own backups and prevents backup administrators from modifying or deleting backups during the retention period. The point of the account restrictions is that ransomware running as a compromised user, or even as a compromised administrator, cannot destroy the backups before it encrypts the data, which is exactly what modern ransomware operators attempt first.

Understanding Maturity Levels

The Essential Eight Maturity Model defines four levels, from Maturity Level 0 to Maturity Level 3. Level 0 is the starting point; Levels 1 to 3 are the targets an organisation chooses according to the adversary tradecraft it needs to withstand, and a level is only achieved once every one of the eight strategies meets its requirements, so the weakest control sets the overall result:

Maturity Level 0

Means the controls haven't been implemented, or are implemented so poorly that they provide no meaningful protection. Systems remain unpatched, administrative privileges are excessive, multi-factor authentication isn't enforced, and backups are incomplete or untested. This level leaves businesses exposed to even basic, untargeted attacks, and insurers increasingly decline cover or attach conditions when an applicant cannot show at least Level 1. Most businesses start here before implementing structured security controls.

Maturity Level 1

Establishes foundational security through consistent application of essential controls. Application control is enforced on workstations, vulnerability scanning and patching happen on defined schedules, privileged users have separate accounts for standard tasks and multi-factor authentication is required for users accessing sensitive online services. Backups are performed and retained according to business criticality and tested as part of disaster recovery exercises.

Maturity Level 2

Represents comprehensive, consistently applied controls across all systems. Application control extends to internet-facing servers, critical or exploited vulnerabilities in commonly targeted applications and internal operating systems are patched within 48 hours, Microsoft Office and PDF software are hardened and locked against user changes, multi-factor authentication is phishing-resistant and covers users of the organisation's systems, and application control, macro, privileged access and MFA events are centrally logged, protected and analysed. Backups are protected from privileged accounts other than backup administrators. Security events are analysed, and incidents trigger an established response plan and are reported to the CISO and to ASD. Level 2 is the baseline the Protective Security Policy Framework sets for non-corporate Commonwealth entities, and it is the level most often asked for in government and regulated-industry contracts.

Maturity Level 3

Delivers protection against more capable and persistent adversaries through fully integrated, centrally managed controls. Application control extends across all servers including non-internet-facing servers and to drivers, critical or exploited vulnerabilities in every class of software are patched within 48 hours, only current operating system releases are in use, legacy components such as .NET Framework 3.5 and Windows PowerShell 2.0 are removed and PowerShell runs in Constrained Language Mode, administration uses just-in-time access from Secure Admin Workstations, and multi-factor authentication covers data repositories as well as systems. Backups are protected even from privileged accounts, with backup administrators unable to modify or delete them during the retention period, and restores are exercised. Event logs from every system, including workstations, are analysed in a timely manner with incidents handled under the response plan. This level is generally expected of organisations handling highly sensitive information.

How Long Does Essential Eight Implementation Actually Take?

Implementation timelines vary based on your target maturity level and starting point.

Reaching Maturity Level 1 from Level 0 typically takes one to two months. This involves configuring application control policies on workstations, establishing patch management processes, implementing multi-factor authentication for users accessing sensitive online services, hardening user applications, restricting administrative privileges, and setting up tested backup procedures.

Progressing from Level 1 to Level 2 requires two to four months of systematic improvement. This includes extending controls more comprehensively, tightening patching timelines, implementing more sophisticated monitoring and logging, and establishing documented incident response procedures.

Achieving Level 3 represents a six to twelve month commitment requiring comprehensive security program maturity. This level demands just-in-time administration from Secure Admin Workstations, 48-hour patching of critical vulnerabilities in every class of software, multi-factor authentication for data repositories, analysis of event logs from every system including workstations, and annual validation of application control rulesets and trusted macro publishers.

At I.T With You, we help Australian businesses reach Essential Eight compliance using the Microsoft security tools they may already have.

Assessment and Planning – We identify exactly where you sit across all eight controls and create a clear roadmap to your target maturity level with realistic timelines and effort estimates.
Hands-On Implementation – We configure policies, deploy controls, and establish processes rather than just providing documentation and leaving you to figure out the technical details.
Ongoing Monitoring and Improvement – Essential Eight isn’t a one-time project. We monitor compliance continuously, address drift, and help you maintain or progress maturity levels as requirements change.
Business-Focused Reporting – You get clear visibility into your security posture through reports that explain compliance status, gaps, and improvements in plain language your leadership and insurers actually understand.

From initial assessment through ongoing monitoring and improvement, we help Australian businesses reach appropriate maturity levels for their insurance, regulatory, and security requirements.

Ready to get started or need more information? Contact us today

Get A Free Health Check Today