ASD Framework

The Essential Eight.

Australia's baseline cyber security mitigation strategies. 8 strategies, 3 maturity levels, 149 controls.

The 8 strategies.

Each targets a specific attack vector or reduces the impact of a security incident.

1. Application Control

Prevent unapproved and malicious applications from executing. Only allow trusted, approved software to run.

2. Patch Applications

Apply security patches to applications within defined timeframes, focusing on internet-facing and untrusted content apps.

3. Configure Office Macro Settings

Block macros from the internet and only allow vetted, trusted macros to execute.

4. User Application Hardening

Block ads, Java, Flash, and unnecessary features that attackers exploit in web browsers and productivity apps.

5. Restrict Administrative Privileges

Limit admin access to those who need it. Use separate accounts for administrative tasks.

6. Patch Operating Systems

Apply OS patches within defined timeframes. Replace end-of-life systems with supported versions.

7. Multi-Factor Authentication

Require MFA for VPNs, remote access, privileged actions, and all internet-facing services.

8. Regular Backups

Perform and test backups of important data. Store backups offline or where compromised accounts cannot reach them.

Essential 8 Maturity Model

Three maturity levels from ML1 (basic, commodity threats) to ML3 (sophisticated adversaries including nation-state actors). Your overall maturity equals the lowest level across all 8 strategies.

Who must comply?
  • Australian Government agencies — Mandatory under the PSPF since July 2022. Agencies must report maturity levels to the ACSC.
  • Defence industry — The DISP references Essential 8 maturity as part of security requirements for contractors and suppliers.
  • Critical infrastructure operators — Encouraged under the SOCI Act 2018 to adopt ASD mitigation strategies.
  • Private sector — Voluntary, but increasingly expected in government tenders, supply chain agreements, and cyber insurance.
  • State and territory agencies — Many have adopted the Essential 8 as their baseline cyber security framework.

E8 vs ISO 27001 vs ASD ISM.

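|                | Essential 8            | ISO 27001               | ASD ISM                            |
|----------------|------------------------|-------------------------|------------------------------------|
| Controls       | 149                    | 93                      | 1,073                              |
| Focus          | 8 priority mitigations | Full ISMS               | Comprehensive technical guidelines |
| Mandatory for  | AU Government          | Voluntary (contractual) | AU Government                      |
| Best for       | Baseline hygiene       | Certification           | Detailed technical                 |
| Maturity model | Yes (ML1–ML3)          | No (pass/fail)          | No                                 |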

Control Stack maps controls across all three frameworks.

Start checking your compliance.

Use Control Stack to review your Essential 8 posture at every maturity level, with plain-English guidance and cross-framework mappings.

The Essential 8 aligns with ISO 27001 controls. Mindset Cyber offers PECB-accredited ISO 27001 training.