AuditXYZ

Compliance Framework

Essential Eight Maturity Model

The Essential Eight is Australia's set of prioritized cybersecurity mitigation strategies from the ASD. Learn how to implement these eight controls across four maturity levels.

Issuing Body: Australian Signals Directorate (ASD)
First Published: 2017-02-01
Latest Version: 2023
Typical Cost: $10,000–$100,000
Typical Timeline: 2–12 months
Audit Required: No
Audit Frequency: Self-assessment recommended annually. Australian government entities report maturity levels to the ASD. Third-party assessment available but not mandatory for all organizations.
Geography: Australia

Essential Eight: Australian Cybersecurity Maturity Model

The Essential Eight is a set of prioritized mitigation strategies published by the Australian Signals Directorate (ASD) to help organizations protect against cybersecurity incidents. Based on ASD's experience responding to real-world incidents, these eight strategies address the most common attack vectors targeting Australian organizations.

What the Essential Eight Covers

The eight mitigation strategies are:

  1. Application control — Only approved applications can execute, preventing malware and unauthorized software
  2. Patch applications — Security patches for applications applied within prescribed timeframes
  3. Configure Microsoft Office macro settings — Block macros from the internet, only allow vetted macros
  4. User application hardening — Configure web browsers and other applications to block ads, Java, Flash, and unneeded features
  5. Restrict administrative privileges — Limit admin access to those who need it, regularly revalidate
  6. Patch operating systems — Security patches for operating systems applied within prescribed timeframes
  7. Multi-factor authentication — MFA for all users accessing important data and internet-facing services
  8. Regular backups — Perform and test backups of important data, software, and configuration settings

Maturity Model

Each strategy is assessed across four maturity levels:

  • Maturity Level Zero — Weaknesses exist that could be exploited
  • Maturity Level One — Partly aligned with the intent of the strategy
  • Maturity Level Two — Mostly aligned, providing greater protection
  • Maturity Level Three — Fully aligned, providing the highest level of protection

Australian government entities are expected to achieve Maturity Level Two as a baseline, with critical systems targeting Level Three.

Who Needs the Essential Eight

The Essential Eight is mandatory for Australian federal government entities under the Protective Security Policy Framework (PSPF). State and territory governments have adopted similar requirements. Beyond government, organizations in critical infrastructure, finance, healthcare, and education increasingly use the Essential Eight as their cybersecurity baseline.

The framework's strength lies in its simplicity and practicality. Eight clearly defined strategies with measurable maturity levels make it accessible even to organizations with limited cybersecurity expertise.

Implementation Strategy

  1. Baseline assessment — Determine current maturity level for each of the eight strategies
  2. Set target — Choose a target maturity level appropriate for your risk profile
  3. Prioritize gaps — Focus on the strategies where you have the largest gap between current and target
  4. Implement incrementally — Achieve Maturity Level One across all eight before advancing individual strategies
  5. Test and verify — Use ASD's assessment guidance to validate your maturity level claims
  6. Report and iterate — Document maturity levels and continuously improve

The Essential Eight works well as a complement to broader frameworks like ISO 27001 or NIST CSF, providing tactical, measurable cybersecurity controls within a strategic governance structure.
