
ASD Essential Eight

The Australian Signals Directorate's Essential Eight is a prioritised set of mitigation strategies to help organisations protect against cyber security incidents.

149 controls across 8 strategies.

What is the Essential Eight?

The Essential Eight is a prioritised set of eight mitigation strategies published by the Australian Signals Directorate (ASD). They are drawn from the broader Strategies to Mitigate Cyber Security Incidents and represent the most effective baseline controls ASD recommends for Australian organisations.

The Essential Eight was first published in 2017 and is maintained via the Essential Eight Maturity Model (most recent major update: November 2023). It targets Microsoft Windows–based, internet-connected IT networks — it was not designed for enterprise mobility or operational technology environments.

Implementing the Essential Eight as a baseline is described by ASD as more cost-effective in time, money and effort than responding to a large-scale cybersecurity incident.

The eight mitigation strategies

The eight strategies work together to prevent attacks, limit the extent of incidents when they occur, and support recovery. They must be planned and implemented as a whole, not picked individually.

  1. Patch applications — keep office productivity suites, web browsers, email clients, PDF software and security products up to date; remove unsupported software
  2. Patch operating systems — patch internet-facing servers, workstations and network devices; replace operating systems no longer supported by vendors
  3. Multi-factor authentication (MFA) — require MFA for access to online services, organisational systems and customer-facing services; prefer phishing-resistant methods
  4. Restrict administrative privileges — separate privileged from unprivileged accounts, validate privileged access requests, prevent privileged accounts from browsing the internet or reading email
  5. Application control — only allow an organisation-approved set of executables, scripts, installers, libraries and drivers to run on workstations and servers
  6. Restrict Microsoft Office macros — block macros by default, block macros from the internet, enable antivirus scanning, prevent users from changing macro settings
  7. User application hardening — disable or remove risky features (Internet Explorer 11, Java from the internet, web ads, Office child processes) and lock browser security settings
  8. Regular backups — perform, retain and test backups of data, applications and settings; protect backups from modification or deletion by unprivileged accounts

ASD groups the eight strategies under three goals: prevent attacks (patching, application control, user app hardening, macro restrictions), limit the extent (MFA, admin privileges) and recover (backups).

Maturity Level Zero — the starting point

Maturity Level Zero indicates weaknesses in an organisation's overall cybersecurity posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality, integrity or availability of systems and data.

Many organisations sit at Maturity Level Zero across one or more strategies before beginning a structured Essential Eight program. Reaching Maturity Level One requires implementing every requirement listed in Appendix A of the maturity model for all eight strategies.

Maturity Level One — commodity threats

ML1 focuses on defending against malicious actors who are content simply to leverage commodity tradecraft that is widely available. These actors opportunistically target any victim — typically using publicly available exploits against unpatched internet services, or authenticating with stolen, reused, brute-forced or guessed credentials.

At ML1, attackers commonly use social engineering to trick users into weakening the security of a system or to launch malicious applications. If they land on an account with special privileges, they will exploit it. They may also destroy data (including backups) depending on intent.

  • Suitable baseline for most small-to-mid private sector organisations that are not specifically targeted
  • Prevents the bulk of opportunistic, script-kiddie-grade attacks and ransomware delivered via commodity phishing
  • Relatively achievable with well-managed Microsoft 365 tenants, modern EDR and disciplined patching

Maturity Level Two — capable adversaries

ML2 defends against malicious actors with a modest step-up in capability. They are willing to invest more time and effort in the effectiveness of their tools — for example, actively targeting credentials using phishing and using technical and social engineering techniques to circumvent weak multi-factor authentication.

ML2 attackers are more selective in targeting but still conservative in investment. Phishing is more refined. They will seek accounts with special privileges and, once in, may destroy all data (including backups) accessible to a privileged user account.

  • Typically appropriate for medium and large enterprises, critical service providers and regulated industries
  • Introduces phishing-resistant MFA, centralised logging of authentication events, stricter application control, and hardening of Microsoft Office parent/child process behaviour
  • Significantly reduces risk from targeted ransomware and business email compromise campaigns

Maturity Level Three — adaptive adversaries

ML3 is aimed at adaptive adversaries who are much less reliant on public tools and techniques. They exploit weaknesses in a target's posture — such as older software or inadequate logging and monitoring — to both extend their access and evade detection.

These actors make swift use of exploits when they become publicly available and will social-engineer users not only into opening malicious documents but also into unknowingly bypassing controls. They may circumvent stronger MFA by stealing authentication token values.

Once a foothold is gained, ML3 actors seek privileged credentials or password hashes, pivot laterally, cover their tracks, and may destroy all accessible data (including backups).

  • Appropriate for government agencies handling classified information, defence industry, critical infrastructure and high-value targets
  • Adds requirements such as automated asset discovery, execution event logging, application-layer protocol logging, centralised SIEM, and Microsoft Office being blocked from creating child processes and writing executable content
  • Maturity Level Three will not stop determined, well-resourced adversaries — ASD states organisations must still consider the full Strategies to Mitigate Cyber Security Incidents and the Information Security Manual

There is no 'Maturity Level Four'. ML3 is the highest level in the Essential Eight Maturity Model.

How maturity is measured

Your overall Essential Eight maturity is not an average — it is the lowest maturity level achieved across all eight strategies. If seven strategies are at ML2 and one sits at ML1, the organisation is at ML1 overall.

  • ASD requires organisations to achieve the same maturity level across all eight strategies before moving up to the next level
  • Every requirement listed in the relevant appendix (A for ML1, B for ML2, C for ML3) must be met in full for that strategy to be considered at that level
  • Exceptions must be documented, approved through an appropriate process, and compensated for — but appropriate use of exceptions does not preclude meeting a maturity level
  • There is no ASD-run certification scheme for the Essential Eight; assessments are conducted internally or by independent parties as required by policy, regulation or contract
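The scoring rules in this section (requirements are cumulative across Appendices A, B and C; an approved, compensated exception still counts; overall maturity is the lowest strategy, never the mean) can be written down as a small model. The code below is an added illustration, not ASD's own assessment tooling; the requirement identifiers and the organisation's assessment results are constructed for the example, and the real requirements are the ones listed in the maturity model's appendices.

```python
"""Essential Eight maturity scoring model (added example, not ASD tooling).

Requirement identifiers and assessment results here are constructed; the
authoritative requirements are those in Appendices A, B and C of the
Essential Eight Maturity Model.
"""
from dataclasses import dataclass, field

STRATEGIES = (
    "patch_applications", "patch_operating_systems", "mfa",
    "restrict_admin_privileges", "application_control",
    "restrict_office_macros", "user_application_hardening", "regular_backups",
)

# Appendix for each level. Levels are cumulative: ML2 means every Appendix A
# *and* Appendix B requirement for that strategy is met.
APPENDIX_FOR_LEVEL = {1: "A", 2: "B", 3: "C"}


@dataclass
class Requirement:
    req_id: str       # constructed id, e.g. "B.regular_backups.2"
    strategy: str
    appendix: str     # "A", "B" or "C"


@dataclass
class Assessment:
    met: set = field(default_factory=set)                  # implemented req ids
    approved_exceptions: set = field(default_factory=set)  # documented, approved, compensated


def requirement_satisfied(req: Requirement, a: Assessment) -> bool:
    # An appropriately handled exception does not preclude meeting the level.
    return req.req_id in a.met or req.req_id in a.approved_exceptions


def strategy_level(strategy, catalogue, a):
    """Highest level whose appendix (and every lower appendix) is fully met."""
    level = 0
    for ml, appendix in sorted(APPENDIX_FOR_LEVEL.items()):
        reqs = [r for r in catalogue if r.strategy == strategy and r.appendix == appendix]
        if reqs and all(requirement_satisfied(r, a) for r in reqs):
            level = ml
        else:
            break  # a gap at a lower level blocks every higher level
    return level


def overall_level(catalogue, a):
    """Overall maturity is the minimum across all eight strategies, not the mean."""
    per = {s: strategy_level(s, catalogue, a) for s in STRATEGIES}
    return min(per.values()), per


def gaps(strategy, target_level, catalogue, a):
    """Requirement ids still outstanding for a strategy to reach target_level."""
    wanted = {APPENDIX_FOR_LEVEL[lvl] for lvl in range(1, target_level + 1)}
    return sorted(r.req_id for r in catalogue
                  if r.strategy == strategy and r.appendix in wanted
                  and not requirement_satisfied(r, a))


def build_constructed_catalogue():
    """Two constructed requirements per strategy per appendix."""
    return [Requirement(f"{app}.{s}.{n}", s, app)
            for s in STRATEGIES for app in "ABC" for n in (1, 2)]


def sample_assessment(catalogue):
    """Constructed scenario: seven strategies at ML2, backups at ML1, MFA at ML3."""
    met = {r.req_id for r in catalogue if r.appendix in "AB"}
    met |= {r.req_id for r in catalogue if r.strategy == "mfa"}  # MFA meets all of C too
    met.discard("B.regular_backups.2")         # one ML2 backup requirement not met
    met.discard("B.application_control.1")     # not met, but covered by an approved exception
    return Assessment(met=met, approved_exceptions={"B.application_control.1"})


if __name__ == "__main__":
    cat = build_constructed_catalogue()
    overall, per = overall_level(cat, sample_assessment(cat))
    print("per-strategy:", per)
    print("overall ML:", overall)   # 1, because regular_backups sits at ML1
```

Even though MFA is fully at ML3 in this scenario, the organisation is ML1 overall because backups have an outstanding Appendix B requirement; `gaps()` lists exactly which requirement is holding a strategy back, which is the output an assessor wants rather than a score.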

Who must comply with the Essential Eight?

The Essential Eight is legally or contractually required in some Australian contexts, and voluntarily adopted as best practice in many others.

  • Australian Government non-corporate Commonwealth entities — directed under the Protective Security Policy Framework (PSPF) to implement the Essential Eight at a minimum of ML2 (rising requirements over time)
  • Defence Industry Security Program (DISP) members — align to Essential Eight as part of cyber security membership requirements
  • State and territory government agencies — many jurisdictions require or strongly encourage Essential Eight adoption
  • Critical infrastructure operators — the SOCI Act risk management program expects baseline cyber hygiene; E8 is the most common interpretation
  • Private sector organisations — increasingly adopted voluntarily as a recognised Australian benchmark, often specified by enterprise procurement and cyber insurance questionnaires

Even where the Essential Eight is not mandated, many cyber insurance underwriters now use E8 maturity questions to inform premiums and coverage decisions.

Implementation pathway — how to approach it

ASD's stated approach is to pick a target maturity level suitable for your environment, then progressively implement each maturity level across all eight strategies before moving higher.

  1. Select a target maturity level based on the adversaries and tradecraft you realistically need to defend against
  2. Conduct a gap assessment against Appendix A (ML1) first, regardless of target — you must pass ML1 before ML2
  3. Prioritise the strategy with the largest gaps, but do not skip ahead — all eight must reach the current target level together
  4. Document exceptions with compensating controls and an approval process; review them regularly
  5. Progress through ML1 → ML2 → ML3 in sequence, not in parallel
  6. Treat E8 as a baseline — supplement it with additional mitigation strategies and ISM controls suited to your specific threat model

A common mistake is trying to achieve ML3 on one strategy (e.g. MFA) while other strategies remain at ML0. This provides negligible real-world uplift because attackers pivot to the weakest control.

Patching timelines at a glance

Patching timelines are one of the most prescriptive and most commonly failed areas of the Essential Eight. They differ by maturity level, asset class, and criticality.

  • Online services (internet-facing services you operate) — critical vulnerabilities or working exploits: within 48 hours (all maturity levels)
  • Online services — non-critical, no working exploits: within 2 weeks (all maturity levels)
  • Office productivity, browsers, email, PDF, security products: within 2 weeks (all maturity levels)
  • Other applications: within 1 month at ML2 and ML3
  • Internet-facing servers and network devices — critical / working exploits: within 48 hours
  • Workstations, non-internet-facing servers and network devices — operating system patches: within 1 month
  • Vulnerability scanning frequency rises at higher maturity levels (weekly → daily for some asset classes)

End-of-life operating systems and applications that are no longer supported by vendors must be removed or replaced — patching timelines do not apply because no patches exist.

Relationship to other Australian frameworks

The Essential Eight sits inside a broader family of Australian security guidance. Knowing how it relates helps avoid duplicated work.

  • Strategies to Mitigate Cyber Security Incidents — the full catalogue (37 strategies) from which the Essential Eight is drawn
  • Information Security Manual (ISM) — the comprehensive control catalogue published by ASD; E8 is a prioritised subset addressing a narrow set of domains
  • Protective Security Policy Framework (PSPF) — whole-of-government framework that references E8 as a required cyber baseline for Commonwealth agencies
  • ISO/IEC 27001:2022 — international ISMS standard; Essential Eight strategies align with several Annex A technological controls (patching, malware, authentication, backups)
  • SOCI Act Risk Management Program — critical infrastructure obligation that expects baseline cyber hygiene; E8 is widely used as the reference baseline

Limitations — what the Essential Eight does not cover

The Essential Eight is a minimum set of preventative measures; organisations need controls beyond it.

  • Scope is internet-connected Microsoft Windows IT networks — not purpose-built for mobile devices, macOS, Linux fleets or operational technology (OT / ICS)
  • Does not address governance, risk management, information classification, personnel security or physical security in depth
  • Provides little guidance on cryptography, network segmentation, software supply chain, or cloud-specific controls beyond patching and MFA
  • Does not cover third-party risk management or supplier assurance
  • Does not replace an ISMS — organisations requiring a certifiable information security program need ISO 27001 or equivalent

ASD explicitly states the Essential Eight will not mitigate all cyber threats. Additional mitigation strategies and controls from the ISM should be considered.

Training and certification pathways

There is no ASD-issued certification for individuals or organisations against the Essential Eight. However, formally trained information security professionals are typically responsible for planning and assessing E8 implementations.

Mindset Cyber offers PECB-accredited ISO/IEC 27001 training that directly supports Essential Eight implementation work. The Essential Eight maps cleanly onto ISO 27001 Annex A technological controls (A.8.7 malware, A.8.8 vulnerability management, A.8.23 web filtering, A.8.13 backups), so the skills and terminology transfer directly.

  • ISO 27001 Foundation — introductory course; useful for E8 implementation team members and stakeholders ($399)
  • ISO 27001 Lead Implementer — five-day course for those designing and running ISMS programs, including teams treating E8 as part of a broader ISMS ($849)
  • ISO 27001 Lead Auditor — five-day audit course; valuable for internal auditors assessing E8 maturity claims ($849)

All Mindset Cyber courses are delivered as self-paced eLearning or live weekend training. PECB certification is internationally recognised and includes the official exam.

Common pitfalls to avoid

These are patterns ASD and assessors see repeatedly when Essential Eight programs under-deliver.

  • Claiming ML2 or ML3 without meeting every ML1 requirement first — maturity is cumulative
  • Averaging across strategies — overall maturity is the lowest strategy, not the mean
  • Patching only "important" applications — the strategy covers the full listed categories, with no carve-outs for legacy software
  • Using MFA that is not phishing-resistant at ML2+ — SMS or push-based MFA alone is not sufficient
  • Allowing privileged accounts to browse the internet or receive email — a direct ML1 requirement that is frequently overlooked
  • Treating backups as existing rather than tested — ML1 requires that restoration be tested as part of disaster recovery exercises
  • Letting macro settings be user-changeable — the maturity model explicitly requires this to be locked
  • Forgetting application control on servers at higher maturity levels — ML3 extends application control to servers, not just workstations

Essential Eight assessments performed by independent parties frequently downgrade self-assessed maturity by one or two levels. Plan for external validation before making public claims.

Glossary — key Essential Eight terms

Terminology used in the Essential Eight Maturity Model and related ASD publications.

  • Mitigation strategy — a specific preventative, detective or responsive cyber control recommended by ASD
  • Maturity level — the tier (ML0–ML3) representing depth of implementation for a strategy
  • Tradecraft — the tools, tactics, techniques and procedures used by malicious actors
  • Phishing-resistant MFA — multi-factor authentication that cannot be bypassed by real-time phishing of codes or push approvals (e.g. FIDO2 security keys, passkeys, smartcard-based authentication)
  • Application control — technology that restricts execution to an organisation-approved set of executables, scripts, installers, libraries, HTML applications and control panel applets
  • Privileged account — an account with administrative rights on systems, applications or data repositories; handled under strict isolation requirements
  • Online service — an internet-facing service operated by or used by the organisation (e.g. Microsoft 365, VPN gateways, web applications)
  • Asset discovery — automated identification of IT assets on the network to support vulnerability scanning and management

The Essential Eight aligns with ISO 27001 controls. Get PECB ISO 27001 certified with Mindset Cyber.