ASD Essential Eight

What Is the ASD Essential Eight?

The Essential Eight is a set of eight cyber security mitigation strategies developed by the Australian Signals Directorate (ASD). Designed to protect organisations against the most common cyber threats, the strategies cover application control, patching, macro settings, user application hardening, administrative privileges, operating system patching, multi-factor authentication, and regular backups.

Essential Eight compliance is mandatory for Australian Government agencies under the Protective Security Policy Framework (PSPF) and increasingly adopted by private sector organisations, defence contractors, and critical infrastructure operators. For a comprehensive overview, read the full Essential Eight guide.

Essential Eight Maturity Levels

ASD's Essential Eight Maturity Model defines three levels of implementation maturity for each strategy. Maturity Level 1 (ML1) covers basic implementation targeting commodity threats. Maturity Level 2 (ML2) extends coverage to more capable adversaries with additional logging and verification. Maturity Level 3 (ML3) targets sophisticated adversaries including nation-state actors.

Use the maturity level filter in the sidebar to view controls at your target maturity level. Your overall Essential Eight maturity equals the lowest level across all eight strategies.

How to Use This Page

• Filter by strategy — use the quick filters in the sidebar to narrow controls to a specific Essential Eight strategy (e.g. Application Control, Patch Applications).
• Filter by maturity level — select ML1, ML2, or ML3 to see only the controls required at that maturity level.
• Control detail — click any control for a plain-English explanation, implementation tips, audit evidence requirements, and cross-framework mappings to ISM and ISO 27001.