Essential Eight Maturity Model
The Essential Eight Maturity Model helps Australian organisations measure how effectively they have implemented the ASD Essential Eight cyber security mitigation strategies. Published alongside the Essential Eight by the Australian Signals Directorate (ASD), the maturity model defines three levels of implementation maturity for each of the eight strategies. It gives security teams a structured way to benchmark their current posture, identify gaps, and plan targeted uplift work.
Maturity is assessed per strategy, not as a single global score. An organisation might achieve Maturity Level 2 for patching applications but only Maturity Level 1 for multi-factor authentication. Your overall Essential Eight maturity level equals the lowest maturity across all eight strategies, which encourages organisations to lift weaker areas rather than focus only on strengths.
Maturity Levels Explained
The ASD defines three formal maturity levels. Maturity Level Zero (ML0) is sometimes referenced informally to describe organisations that have not yet started implementing a strategy, but it is not an official ASD level.
| Level | Name | Description |
|---|---|---|
| ML0 | Not aligned | The strategy is not implemented or only partially in place. Not a formal ASD level but commonly referenced in assessments. |
| ML1 | Partly aligned | Basic implementation targeting commodity threats and opportunistic adversaries. Covers the fundamentals of each strategy. |
| ML2 | Mostly aligned | Standard implementation that extends coverage to more capable adversaries. Adds logging, verification, and broader scope. |
| ML3 | Fully aligned | Advanced implementation targeting sophisticated adversaries including nation-state actors. Includes automation, strict enforcement, and comprehensive logging. |
Maturity Requirements by Strategy
Each of the eight strategies has specific requirements at each maturity level. The tables below summarise what changes as you progress from Maturity Level 1 through to Maturity Level 3. For full control-level detail, use the Essential Eight control library and filter by maturity level.
Application Control
| ML1 | ML2 | ML3 |
|---|---|---|
| Block unapproved executables on workstations | Extend to internet-facing servers; implement Microsoft's recommended blocklist | Cover all servers and workstations; restrict drivers; validate rulesets annually |
Patch Applications
| ML1 | ML2 | ML3 |
|---|---|---|
| Patch internet-facing apps within two weeks; use vulnerability scanner | Apply critical patches within 48 hours for exploited vulnerabilities | Patch all applications within 48 hours for critical vulnerabilities; remove unsupported software |
Configure Microsoft Office Macro Settings
| ML1 | ML2 | ML3 |
|---|---|---|
| Disable macros for users who do not need them; block macros from the internet | Block macros from making Win32 API calls; enforce AV scanning of macros | Only allow vetted, trusted macros with valid digital signatures from trusted publishers |
User Application Hardening
| ML1 | ML2 | ML3 |
|---|---|---|
| Block web ads, Java from the internet, and IE11; lock down browser settings | Harden Office and PDF software using ASD guidance; log PowerShell events | Disable .NET 3.5; constrain PowerShell language mode; remove legacy runtimes |
Restrict Administrative Privileges
| ML1 | ML2 | ML3 |
|---|---|---|
| Separate privileged and unprivileged accounts; block privileged accounts from internet access | Use jump servers; enforce strong passphrases; disable inactive accounts after 45 days | Just-in-time administration; secure admin workstations; enable Credential Guard |
Patch Operating Systems
| ML1 | ML2 | ML3 |
|---|---|---|
| Patch internet-facing OS within two weeks; replace unsupported operating systems | Apply critical patches within 48 hours for exploited vulnerabilities | Patch all operating systems within 48 hours for critical vulnerabilities; use latest or previous release |
Multi-Factor Authentication
| ML1 | ML2 | ML3 |
|---|---|---|
| Require MFA for internet-facing services and third-party providers | MFA for all users including privileged accounts; log MFA events centrally | Phishing-resistant MFA for all users; disable legacy authentication protocols |
Regular Backups
| ML1 | ML2 | ML3 |
|---|---|---|
| Backup important data; test restoration; prevent unprivileged modification | Prevent privileged accounts from modifying or deleting backups | Prevent all accounts (including backup admins) from modifying backups during retention period |
How to Determine Your Maturity Level
Start by self-assessing your organisation against Maturity Level 1 for all eight strategies. Use the Essential Eight control library to review each control's requirements — filter by ML1, ML2, or ML3 to see the exact obligations at each level.
For formal reporting, consider engaging a third-party assessor. IRAP-certified professionals can evaluate your Essential Eight maturity as part of a broader security assessment. Most organisations should target Maturity Level 2 as a minimum. Government agencies handling sensitive data and critical infrastructure operators should aim for Maturity Level 3.
ASD publishes detailed guidance on assessing each strategy at each maturity level. Refer to the official Essential Eight Maturity Model documentation for the authoritative reference.
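The self-assessment described in this section and the "lowest level across all eight strategies" rule stated earlier can be turned into a small scoring tool. The following is an added example, not code from ASD, Control Stack or Mindset Cyber. It assumes (an assumption, not something the page states) that maturity levels are cumulative: a strategy is at ML2 only when every ML1 and ML2 requirement is met, and at ML3 only when ML1 through ML3 are all met. The requirement strings are constructed one-line summaries of the tables above, not ASD's official control wording or identifiers, and the sample evidence describes a fictional organisation.

```python
"""Essential Eight maturity self-assessment helper (added example, see lead-in).

Assumption: levels are cumulative, so a strategy with ML2 controls in place
but an ML1 control missing scores the informal ML0, not ML2.
"""

# Constructed requirement summaries per strategy and level (not ASD's wording).
REQUIREMENTS = {
    "Application Control": {
        1: ["block unapproved executables on workstations"],
        2: ["extend to internet-facing servers", "apply Microsoft recommended blocklist"],
        3: ["cover all servers and workstations", "restrict drivers", "validate rulesets annually"]},
    "Patch Applications": {
        1: ["patch internet-facing apps within two weeks", "use vulnerability scanner"],
        2: ["critical patches within 48 hours for exploited vulnerabilities"],
        3: ["patch all apps within 48 hours for critical vulnerabilities", "remove unsupported software"]},
    "Office Macro Settings": {
        1: ["disable macros for users who do not need them", "block macros from the internet"],
        2: ["block macros making Win32 API calls", "AV scan macros"],
        3: ["allow only signed macros from trusted publishers"]},
    "User Application Hardening": {
        1: ["block web ads, internet Java and IE11", "lock down browser settings"],
        2: ["harden Office and PDF software per ASD guidance", "log PowerShell events"],
        3: ["disable .NET 3.5", "constrain PowerShell language mode", "remove legacy runtimes"]},
    "Restrict Administrative Privileges": {
        1: ["separate privileged and unprivileged accounts", "block privileged accounts from internet"],
        2: ["use jump servers", "enforce strong passphrases", "disable inactive accounts after 45 days"],
        3: ["just-in-time administration", "secure admin workstations", "enable Credential Guard"]},
    "Patch Operating Systems": {
        1: ["patch internet-facing OS within two weeks", "replace unsupported operating systems"],
        2: ["critical OS patches within 48 hours for exploited vulnerabilities"],
        3: ["patch all OS within 48 hours for critical vulnerabilities", "run latest or previous release"]},
    "Multi-Factor Authentication": {
        1: ["MFA for internet-facing services", "MFA for third-party providers"],
        2: ["MFA for all users including privileged accounts", "log MFA events centrally"],
        3: ["phishing-resistant MFA for all users", "disable legacy authentication protocols"]},
    "Regular Backups": {
        1: ["back up important data", "test restoration", "prevent unprivileged modification"],
        2: ["prevent privileged accounts from modifying backups"],
        3: ["prevent all accounts modifying backups during retention"]},
}

LEVELS = (1, 2, 3)


def strategy_level(levels, met):
    """Highest level L such that every requirement at levels 1..L is in `met`.

    Stops at the first level with a missing requirement, which is what makes
    the assessment cumulative: an ML1 gap caps the strategy at ML0.
    """
    achieved = 0
    for lvl in LEVELS:
        if not all(req in met for req in levels[lvl]):
            break
        achieved = lvl
    return achieved


def assess(evidence, requirements=REQUIREMENTS):
    """Per-strategy levels plus the overall level, the minimum across all eight."""
    per_strategy = {name: strategy_level(levels, evidence.get(name, set()))
                    for name, levels in requirements.items()}
    return per_strategy, min(per_strategy.values())


def gaps(evidence, target, requirements=REQUIREMENTS):
    """Requirements at levels 1..target that are not yet evidenced, per strategy."""
    report = {}
    for name, levels in requirements.items():
        met = evidence.get(name, set())
        missing = [req for lvl in LEVELS if lvl <= target
                   for req in levels[lvl] if req not in met]
        if missing:
            report[name] = missing
    return report


def met_through(name, upto):
    """Constructed evidence: every requirement for `name` at levels 1..upto."""
    return {req for lvl in LEVELS if lvl <= upto for req in REQUIREMENTS[name][lvl]}


# Constructed sample evidence for a fictional organisation.
SAMPLE_EVIDENCE = {
    "Application Control": met_through("Application Control", 2),
    "Patch Applications": met_through("Patch Applications", 3),
    "Office Macro Settings": met_through("Office Macro Settings", 1),
    "User Application Hardening": met_through("User Application Hardening", 2),
    "Restrict Administrative Privileges": met_through("Restrict Administrative Privileges", 2),
    "Patch Operating Systems": met_through("Patch Operating Systems", 3),
    # ML2 controls done but one ML1 control skipped: the cumulative rule yields ML0.
    "Multi-Factor Authentication": set(REQUIREMENTS["Multi-Factor Authentication"][2])
                                   | {"MFA for internet-facing services"},
    "Regular Backups": met_through("Regular Backups", 1),
}

if __name__ == "__main__":
    per, overall = assess(SAMPLE_EVIDENCE)
    for name, lvl in per.items():
        print(f"{name:36} ML{lvl}")
    print(f"Overall maturity: ML{overall}")
    for name, missing in gaps(SAMPLE_EVIDENCE, target=2).items():
        print(f"Gap to ML2 in {name}: {missing}")
```

In the sample evidence the fictional organisation has several strategies at ML2 or ML3, yet its overall maturity is ML0, because a single missing ML1 control under Multi-Factor Authentication caps that strategy at zero. The gap report against a target of ML2 then lists exactly the controls to prioritise, which is the uplift-planning use the page describes.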
Essential Eight Maturity Model vs Certification
A common point of confusion is whether Essential Eight maturity is a certification. It is not. Unlike ISO 27001, where organisations undergo a formal certification audit and receive a certificate, the Essential Eight Maturity Model is a self-assessment and reporting tool. There is no formal "Essential Eight certification" issued by ASD or any accredited body.
Australian Government agencies report their maturity levels through internal assessments aligned with ASD guidance. Private sector organisations may have their maturity assessed by IRAP assessors as part of broader security reviews, particularly when working with government clients. The maturity model remains a practical benchmark rather than a pass-or-fail accreditation.
Check Your Essential Eight Controls
Use Control Stack's free control library to review every Essential Eight control at your target maturity level.
Need help? Mindset Cyber offers professional cyber security consulting and training to help Australian organisations improve their Essential Eight maturity.