Essential Eight Maturity Model.
Three levels of implementation maturity for each Essential 8 strategy. Your overall maturity equals the lowest level across all eight.
Last updated: March 2026
The four levels.
Requirements by strategy.
Each strategy has specific requirements at each maturity level. For full control-level detail, use the Essential 8 control library.
1 Application Control
| ML1 | ML2 | ML3 |
|---|---|---|
| Block unapproved executables on workstations | Extend to internet-facing servers; implement Microsoft's recommended blocklist | Cover all servers and workstations; restrict drivers; validate rulesets annually |
2 Patch Applications
| ML1 | ML2 | ML3 |
|---|---|---|
| Patch internet-facing apps within two weeks; use vulnerability scanner | Apply critical patches within 48 hours for exploited vulnerabilities | Patch all applications within 48 hours for critical vulnerabilities; remove unsupported software |
3 Configure Office Macro Settings
| ML1 | ML2 | ML3 |
|---|---|---|
| Disable macros for users who do not need them; block macros from the internet | Block macros from making Win32 API calls; enforce AV scanning of macros | Only allow vetted, trusted macros with valid digital signatures from trusted publishers |
4 User Application Hardening
| ML1 | ML2 | ML3 |
|---|---|---|
| Block web ads, Java from the internet, and IE11; lock down browser settings | Harden Office and PDF software using ASD guidance; log PowerShell events | Disable .NET 3.5; constrain PowerShell language mode; remove legacy runtimes |
5 Restrict Administrative Privileges
| ML1 | ML2 | ML3 |
|---|---|---|
| Separate privileged and unprivileged accounts; block privileged accounts from internet access | Use jump servers; enforce strong passphrases; disable inactive accounts after 45 days | Just-in-time administration; secure admin workstations; enable Credential Guard |
6 Patch Operating Systems
| ML1 | ML2 | ML3 |
|---|---|---|
| Patch internet-facing OS within two weeks; replace unsupported operating systems | Apply critical patches within 48 hours for exploited vulnerabilities | Patch all operating systems within 48 hours for critical vulnerabilities; use latest or previous release |
7 Multi-Factor Authentication
| ML1 | ML2 | ML3 |
|---|---|---|
| Require MFA for internet-facing services and third-party providers | MFA for all users including privileged accounts; log MFA events centrally | Phishing-resistant MFA for all users; disable legacy authentication protocols |
8 Regular Backups
| ML1 | ML2 | ML3 |
|---|---|---|
| Backup important data; test restoration; prevent unprivileged modification | Prevent privileged accounts from modifying or deleting backups | Prevent all accounts (including backup admins) from modifying backups during retention period |
How to determine your maturity level
Start by self-assessing against ML1 for all eight strategies. Use the Essential 8 control library to review each control's requirements — filter by ML1, ML2, or ML3.
For formal reporting, engage an IRAP-certified professional. Most organisations should target ML2 minimum. Government agencies handling sensitive data should aim for ML3.
Refer to ASD's official Essential Eight Maturity Model documentation.
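The "lowest level across all eight" rule above is easy to get wrong in a spreadsheet once several people assess different strategies. The following helper is an added example (not ASD or Mindset Cyber code) that validates a complete assessment, derives the overall level, and lists which strategies hold the organisation below a target such as ML2; it assumes a strategy not yet meeting every ML1 requirement is recorded as level 0, and the sample assessment is constructed.

```python
"""Essential Eight self-assessment helper (added example, not ASD tooling).
Overall maturity is the lowest level across all eight strategies."""

# The eight strategies in the order this page lists them.
STRATEGIES: tuple[str, ...] = (
    "Application Control", "Patch Applications",
    "Configure Office Macro Settings", "User Application Hardening",
    "Restrict Administrative Privileges", "Patch Operating Systems",
    "Multi-Factor Authentication", "Regular Backups",
)
# Assumption: a strategy not yet meeting every ML1 requirement is recorded as 0.
MIN_LEVEL, MAX_LEVEL = 0, 3


def validate(levels: dict[str, int]) -> None:
    """Reject partial assessments, unknown strategies and out-of-range levels."""
    missing = [s for s in STRATEGIES if s not in levels]
    if missing:
        raise ValueError(f"unassessed strategies: {missing}")
    for name, level in levels.items():
        if name not in STRATEGIES:
            raise ValueError(f"unknown strategy: {name}")
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level {level} not in {MIN_LEVEL}..{MAX_LEVEL}")


def overall_maturity(levels: dict[str, int]) -> int:
    """Lowest per-strategy level: one strategy at ML1 caps the organisation at ML1."""
    validate(levels)
    return min(levels[s] for s in STRATEGIES)


def gap_report(levels: dict[str, int], target: int) -> list[tuple[str, int, int]]:
    """(strategy, current level, levels short of target) for each strategy below
    target, largest gaps first so remediation can be prioritised."""
    validate(levels)
    gaps = [(s, levels[s], target - levels[s]) for s in STRATEGIES if levels[s] < target]
    return sorted(gaps, key=lambda g: (-g[2], STRATEGIES.index(g[0])))


# Constructed sample assessment (not real data): everything at ML2 or better
# except Regular Backups at ML1, which pulls the overall result down to ML1.
SAMPLE_ASSESSMENT: dict[str, int] = {
    "Application Control": 2, "Patch Applications": 2,
    "Configure Office Macro Settings": 3, "User Application Hardening": 2,
    "Restrict Administrative Privileges": 2, "Patch Operating Systems": 2,
    "Multi-Factor Authentication": 3, "Regular Backups": 1,
}
```

Calling `overall_maturity(SAMPLE_ASSESSMENT)` returns 1 even though seven strategies sit at ML2 or above, and `gap_report(SAMPLE_ASSESSMENT, 2)` names Regular Backups as the single strategy to fix before ML2 can be claimed.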
Maturity model vs certification
Unlike ISO 27001, the Essential 8 Maturity Model is a self-assessment and reporting tool — there is no formal "Essential 8 certification" issued by ASD.
Government agencies report maturity levels through internal assessments. Private sector organisations may have maturity assessed by IRAP assessors as part of broader security reviews.
Mindset Cyber offers PECB-accredited ISO 27001 training.