Framework guide

The ASD Essential Eight — Australia's Baseline Cyber Security Framework

The Essential Eight (also known as the Essential 8) is a set of eight cyber security mitigation strategies developed by the Australian Signals Directorate (ASD). Originally part of ASD's broader Strategies to Mitigate Cyber Security Incidents, the Essential Eight focuses on the most effective mitigations against common attack vectors. It replaced the earlier "Top 4" mitigations as the recommended baseline for all Australian organisations.

Essential Eight compliance is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). However, private sector organisations, state and territory agencies, critical infrastructure operators, and defence industry participants are increasingly adopting the Essential 8 as their baseline cyber security standard. The framework's practical, technical focus makes it a natural starting point for organisations that need to strengthen their security posture without the overhead of a full management system.

Control Stack provides a free Essential Eight control library covering all 149 controls across Maturity Levels 1 to 3, with plain-English explanations, implementation tips, and cross-framework mappings to the ASD Information Security Manual and ISO/IEC 27001.

The 8 Strategies

Each strategy targets a specific attack vector or reduces the impact of a security incident. Together, they form a layered defence that covers prevention, limitation, and recovery.

  1. Application Control

     Prevent unapproved and malicious applications from executing. Only allow trusted, approved software to run on workstations and servers, reducing the risk of malware and unauthorised tools.

  2. Patch Applications

     Apply security patches to applications within defined timeframes. Focus on internet-facing applications and those that process untrusted content, such as web browsers, email clients, and PDF viewers.

  3. Configure Microsoft Office Macro Settings

     Block macros from the internet and only allow vetted, trusted macros to execute. Macros remain one of the most common delivery mechanisms for malware in Australian organisations.

  4. User Application Hardening

     Configure web browsers and productivity applications to block ads, Java, Flash, and other unnecessary features that attackers exploit. Lock down security settings so users cannot change them.

  5. Restrict Administrative Privileges

     Limit admin access to only those who need it for their role. Use separate privileged accounts for administrative tasks and prevent privileged accounts from browsing the internet or reading email.

  6. Patch Operating Systems

     Apply OS patches and updates within defined timeframes. Replace end-of-life operating systems that no longer receive vendor support with current, supported versions.

  7. Multi-Factor Authentication

     Require MFA for VPNs, remote desktop connections, privileged actions, and all internet-facing services. MFA significantly reduces the risk of compromised credentials being used to access systems.

  8. Regular Backups

     Perform and test backups of important data, software, and configuration settings. Store backups offline or in a way that prevents modification or deletion by compromised accounts, including ransomware.

Essential Eight Maturity Model

ASD publishes an Essential Eight Maturity Model that defines three levels of implementation maturity for each strategy. Maturity Level 1 (ML1) represents basic implementation targeting commodity threats. Maturity Level 2 (ML2) extends coverage to more capable adversaries with additional logging and verification. Maturity Level 3 (ML3) targets sophisticated adversaries including nation-state actors with strict enforcement and automation.

An organisation's overall Essential 8 maturity equals the lowest maturity level across all eight strategies. Maturity is assessed per strategy, so an organisation might be ML2 for application control but only ML1 for multi-factor authentication. Use the Essential Eight control library to browse all 149 controls across maturity levels.
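The aggregation rule above (maturity per strategy, overall maturity equal to the lowest of the eight) as an added worked example in Python; this is not Control Stack's code. It assumes that a strategy reaches a level only when every control at that level and at each lower level is met, that an unassessed level counts as not demonstrated, and it uses constructed control identifiers rather than ASD's own control numbers.

```python
from dataclasses import dataclass

# The eight strategies, in the order the page lists them.
STRATEGIES = [
    "Application Control", "Patch Applications",
    "Configure Microsoft Office Macro Settings", "User Application Hardening",
    "Restrict Administrative Privileges", "Patch Operating Systems",
    "Multi-Factor Authentication", "Regular Backups",
]

@dataclass(frozen=True)
class ControlResult:
    strategy: str
    level: int        # maturity level the control belongs to: 1, 2 or 3
    control_id: str   # constructed identifier, not an ASD control number
    met: bool         # True if the assessment found the control implemented

def strategy_maturity(results, strategy):
    """Highest N such that every control at levels 1..N is met (0 if ML1 is not reached).
    Assumption: levels are cumulative, and a level with no results counts as not met."""
    achieved = 0
    for level in (1, 2, 3):
        at_level = [r for r in results if r.strategy == strategy and r.level == level]
        if not at_level or not all(r.met for r in at_level):
            break
        achieved = level
    return achieved

def overall_maturity(results):
    """Overall maturity is the lowest per-strategy level, as the maturity model requires."""
    per_strategy = {s: strategy_maturity(results, s) for s in STRATEGIES}
    return min(per_strategy.values()), per_strategy

def blocking_controls(results, strategy):
    """Unmet controls at the next level, i.e. the gaps that hold this strategy back."""
    target = strategy_maturity(results, strategy) + 1
    return [r.control_id for r in results
            if r.strategy == strategy and r.level == target and not r.met]

def sample_results():
    """Constructed sample: one control per strategy per level. Everyone meets ML1 and ML2,
    Application Control also meets ML3, and MFA fails its ML2 control."""
    out = []
    for i, s in enumerate(STRATEGIES):
        for level in (1, 2, 3):
            met = level <= 2
            if s == "Multi-Factor Authentication" and level == 2:
                met = False
            if s == "Application Control" and level == 3:
                met = True
            out.append(ControlResult(s, level, f"E8-{i + 1}-ML{level}-01", met))
    return out
```

With the constructed sample, seven strategies sit at ML2 or ML3 but the MFA gap pulls the overall rating down to ML1, which is exactly the "lowest level wins" effect the text describes.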

Who Must Comply with Essential Eight?

Essential 8 compliance requirements vary by organisation type. Mandatory adoption applies to Australian Government agencies, while many other sectors are adopting the framework voluntarily or as a contractual requirement.

  • Australian Government agencies — mandatory under the PSPF since July 2022. Agencies must report their maturity levels to the Australian Cyber Security Centre.
  • Defence industry — the Defence Industry Security Program (DISP) references Essential Eight maturity as part of its security requirements for contractors and suppliers.
  • Critical infrastructure operators — encouraged under the Security of Critical Infrastructure Act 2018 (SOCI Act) to adopt ASD's mitigation strategies.
  • Private sector — voluntary, but increasingly expected in government tenders, supply chain agreements, and cyber insurance underwriting.
  • State and territory agencies — many have adopted the Essential Eight as their baseline cyber security framework, either fully or in part.

How to Assess Your Essential Eight Maturity

Assessing your Essential 8 maturity involves reviewing your implementation of each strategy against the maturity model requirements. There are several approaches depending on your organisation's needs and reporting obligations.

  1. Self-assessment — use ASD's maturity model guidance and a tool like Control Stack to review each control at your target maturity level. Start with ML1 across all eight strategies.
  2. Third-party assessment — engage an IRAP-certified assessor or security consultancy to independently evaluate your maturity. This is often required for government contracts.
  3. Continuous monitoring — use vulnerability scanners, configuration management tools, and event logging to track compliance with each strategy on an ongoing basis.

Refer to ASD's official Essential Eight assessment guidance for the authoritative methodology.

Essential Eight vs ISO 27001 vs ASD ISM

Australian organisations often need to comply with multiple security frameworks. The table below compares the three frameworks available in Control Stack.

                   Essential Eight           ISO 27001                            ASD ISM
  Controls         149                       93 (Annex A)                         1,073
  Focus            8 priority mitigations    Full ISMS                            Comprehensive technical guidelines
  Mandatory for    AU Government             Voluntary (contractually required)   AU Government
  Best for         Baseline cyber hygiene    Certification                        Detailed technical controls
  Maturity model   Yes (ML1-ML3)             No (pass/fail certification)         No

Control Stack maps controls across all three frameworks, so you can see which Essential Eight strategies align with ISO 27001 Annex A requirements and ASD ISM guidelines.

Start Checking Your Compliance

Use Control Stack to review your Essential Eight posture at every maturity level, with plain-English guidance and cross-framework mappings.

Need help? Mindset Cyber offers professional cyber security consulting and training to help Australian organisations improve their Essential Eight maturity.