What the Essential Eight Is — and Why It Matters for Your Business
The Australian Cyber Security Centre (ACSC) developed the Essential Eight as a prioritised set of mitigation strategies designed to protect organisations against the most common and damaging cyber threats. Originally developed for federal government agencies, it has become the de facto security baseline for Australian businesses of all sizes.
The reason it matters is straightforward: most successful cyberattacks against Australian SMBs exploit gaps that the Essential Eight directly addresses. Ransomware, credential theft, malicious macros, and supply chain compromises are all addressed by these eight controls. A business that is compliant with the Essential Eight at Maturity Level 2 has eliminated the vast majority of exploitable attack surface available to opportunistic attackers.
Why now? Cyber insurance underwriters are increasingly using Essential Eight compliance as a factor in premium calculation and coverage approval. Businesses seeking government contracts — including state and federal procurement — may face formal Essential Eight requirements. And the ACSC has made clear that compliance expectations for the private sector will only increase over the coming years.
The Three Maturity Levels Explained
The Essential Eight uses a maturity model with three levels, each building on the previous.
Maturity Level 1 (ML1) represents partial alignment with the intent of each strategy. Controls exist but may be incomplete, inconsistently applied, or not actively monitored. An organisation at ML1 has reduced risk but has significant exploitable gaps remaining.
Maturity Level 2 (ML2) represents complete alignment with the intent of each strategy. Controls are fully implemented, consistently applied, and actively monitored. For most businesses under 200 staff, ML2 is the practical target. It addresses the vast majority of opportunistic attack vectors.
Maturity Level 3 (ML3) represents alignment that specifically addresses advanced threats, including targeted attacks from sophisticated adversaries. It is typically relevant for organisations handling sensitive government data, critical infrastructure, or operating in high-risk sectors (defence, intelligence, critical utilities).
For most Melbourne SMBs, achieving and maintaining ML2 is the goal. This guide focuses on ML1 and ML2 controls.
Strategy 1: Application Control
What it is: Only approved applications can run on your systems. Instead of trying to block every malicious program (impossible), application control creates a whitelist of permitted software.
Why it matters: Application control prevents malware, ransomware, and unauthorised software from executing — even if it somehow reaches a device. It is one of the most powerful preventive controls available.
ML1 Checklist
- Application control is implemented on workstations
- Control covers executable files, scripts, and libraries in user-writable locations
- A defined list of approved applications exists and is documented
ML2 Checklist
- Application control is applied to all user workstations and servers
- Control covers all file types including scripts (PowerShell, VBScript, JavaScript) and installers
- Microsoft-recommended block rules are implemented
- Application control events are logged
- The approved application list is reviewed quarterly and when new software is requested
Implementation note for Microsoft environments: Windows Defender Application Control (WDAC) and AppLocker are the native Microsoft tools for application control. WDAC is the recommended approach for modern Windows 10/11 environments. It is configured via Group Policy or Microsoft Intune.
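The ML2 items "application control events are logged" and "the approved application list is reviewed quarterly" are only meaningful if someone actually reads the block events. The PowerShell below is an added example, not code from the original article or from CX IT Services: it pulls WDAC and AppLocker block and audit-mode events from the standard Windows event channels and groups them by file, which is the raw input to a quarterly allow-list review. It assumes the documented event IDs (3076/3077 for WDAC, 8003/8004 and 8006/8007 for AppLocker), that the WDAC message text contains "attempted to load <path>", and an elevated session on a device where one of these engines is deployed.

```powershell
# Added example (not the article's or CX IT Services' code): summarise application-control
# block events so the "events are logged" / "list is reviewed" checklist items can be evidenced.
# Assumptions: standard channel names and event IDs below; WDAC message text includes
# "attempted to load <path>"; run elevated on a device with WDAC and/or AppLocker deployed.

function Get-ApplicationControlBlocks {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # look-back window for the review
    )
    $since   = (Get-Date).AddDays(-$Days)
    $results = @()

    # WDAC writes to the Code Integrity operational channel.
    # 3076 = would have been blocked (audit mode), 3077 = blocked (enforced mode).
    $wdac = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $since
    }
    foreach ($e in $wdac) {
        # Path extraction from the message text is an assumption about the event wording.
        $path = if ($e.Message -match 'attempted to load (.+?) that did not meet') { $Matches[1] } else { '(unparsed)' }
        $results += [pscustomobject]@{
            Time   = $e.TimeCreated
            Engine = 'WDAC'
            Mode   = if ($e.Id -eq 3077) { 'Enforced' } else { 'Audit' }
            File   = $path
        }
    }

    # AppLocker writes one channel per rule collection.
    # EXE/DLL: 8003 = audit "would have been blocked", 8004 = blocked.
    # MSI/Script: 8006 = audit, 8007 = blocked.
    $appLockerLogs = @(
        'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
    )
    foreach ($log in $appLockerLogs) {
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = $log
            Id        = 8003, 8004, 8006, 8007
            StartTime = $since
        }
        foreach ($e in $events) {
            # AppLocker events carry the file path as a named element in the XML payload.
            $xml  = [xml]$e.ToXml()
            $path = $xml.Event.UserData.RuleAndFileData.FilePath
            $results += [pscustomobject]@{
                Time   = $e.TimeCreated
                Engine = 'AppLocker'
                Mode   = if ($e.Id -in 8004, 8007) { 'Enforced' } else { 'Audit' }
                File   = $path
            }
        }
    }
    return $results
}

# Group by engine, mode and file so the reviewer sees what is being blocked most often.
# Audit-mode hits for software the business actually uses are the allow-list gaps to close;
# enforced blocks for unknown binaries are the events worth investigating.
Get-ApplicationControlBlocks -Days 7 |
    Group-Object Engine, Mode, File |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run this in audit mode for a few weeks before switching a WDAC or AppLocker policy to enforced; the grouped output is the evidence that the allow-list covers legitimate business software, and the same output after enforcement is the log review an ML2 assessor will ask to see.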
Strategy 2: Patch Applications
What it is: Software vulnerabilities are patched promptly before attackers can exploit them.
Why it matters: The majority of successful cyberattacks exploit known vulnerabilities that have already been patched. The attacker is not finding new vulnerabilities — they are finding organisations that have not applied fixes Microsoft, Adobe, and others have already released.
ML1 Checklist
- A process exists for identifying and applying security patches
- Patches for critical vulnerabilities are applied within 30 days of release
- End-of-life applications with no available patches have been identified
ML2 Checklist
- Patches for vulnerabilities with a CVSS score of 7.5 or higher are applied within 48 hours of release for internet-facing services
- All other critical patches are applied within 14 days of release
- Patch compliance is actively monitored and reported
- End-of-life applications are removed or isolated with compensating controls
- Applications that cannot be patched have been assessed for risk and documented
Scope — what needs to be patched:
- Windows operating system
- Microsoft 365 applications (Word, Excel, Outlook, Teams)
- Browsers (Chrome, Edge, Firefox)
- Adobe products (Acrobat, Reader)
- Java runtime
- Third-party applications
- Firewall and network device firmware
Strategy 3: Configure Microsoft Office Macro Settings
What it is: Macros — automated scripts embedded in Office documents — are restricted so that malicious macros cannot execute.
Why it matters: Macro-enabled Office documents delivered via email are one of the most common malware delivery mechanisms. A legitimate-looking invoice or form arrives with a macro that, when enabled, downloads and executes malware. Restricting macros eliminates this attack vector almost entirely.
ML1 Checklist
- Macros from the internet are blocked
- Staff are not prompted to enable macros on documents received via email
ML2 Checklist
- Only macros signed by a trusted publisher are permitted
- Staff without a business need to use macros cannot enable them
- The approved macro publisher list is documented and reviewed
- Microsoft 365 macro blocking policy is configured and enforced via Group Policy or Intune
- Macro execution events are logged
Microsoft 365 configuration: The relevant settings are found in Microsoft 365 Apps admin centre under Security policies. For most organisations, the appropriate setting is “Block all macros except digitally signed macros” combined with “Trust access to the VBA project object model” disabled.
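Whether the policy above is actually landing on a workstation can be checked locally. The PowerShell below is an added example, not code from the original article or from CX IT Services: it reads the Office security policy values for Word, Excel and PowerPoint and compares them with the setting the article recommends. It assumes the Office 2016+ policy registry paths (Group Policy under HKCU\Software\Policies\Microsoft\Office\16.0, Cloud Policy under HKCU\Software\Policies\Microsoft\Cloud\Office\16.0) and the documented value meanings: VBAWarnings 3 = disable all except digitally signed macros, BlockContentExecutionFromInternet 1 = block macros in files from the internet, AccessVBOM 0 = VBA project object model access disabled.

```powershell
# Added example (not the article's or CX IT Services' code): audit the effective Office macro
# policy on this user's profile against the recommended configuration.
# Assumptions: Office 16.0 policy paths; value meanings as documented by Microsoft.

function Test-OfficeMacroPolicy {
    [CmdletBinding()]
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))

    # Desired state matching the article: signed macros only, internet macros blocked,
    # VBA object model locked down so a macro cannot write more macros.
    $desired = @{
        VBAWarnings                       = 3   # 3 = disable all macros except digitally signed
        BlockContentExecutionFromInternet = 1   # 1 = block macros in files with Mark of the Web
        AccessVBOM                        = 0   # 0 = "Trust access to the VBA project object model" off
    }

    foreach ($app in $Apps) {
        # Group Policy path first; the Intune Cloud Policy path is checked as a fallback (assumed).
        $paths = @(
            "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security",
            "HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\$app\Security"
        )
        foreach ($name in $desired.Keys) {
            $actual = $null
            foreach ($p in $paths) {
                $v = Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $v) { $actual = $v.$name; break }
            }
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Expected    = $desired[$name]
                Actual      = if ($null -eq $actual) { 'not set' } else { $actual }
                Compliant   = ($actual -eq $desired[$name])
            }
        }
    }
}

# A "not set" result means no policy is enforcing the value, so the user's own Trust
# Center choice applies, which is exactly the gap the ML2 checklist is looking for.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it under a standard user's account (policy values live in HKCU), and treat any row with Actual = "not set" as a finding even if the user happens to have chosen the safe option themselves, because a user-chosen setting can be changed back by the user.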
Strategy 4: User Application Hardening
What it is: Disable or restrict browser and application features that are commonly exploited but rarely needed in a business context.
Why it matters: Attackers exploit browser vulnerabilities, plug-ins, and unnecessary features to gain initial access. Removing or disabling these features shrinks the attack surface.
ML1 Checklist
- Web browsers are configured to block or disable Flash (end-of-life content)
- Web browser advertisements are blocked via policy or filtering
- Internet Explorer is disabled or removed (end-of-life)
ML2 Checklist
- Browsers are configured to disable Java from the web
- Web content filtering blocks ads and known malicious domains
- Microsoft Office is configured to disable ActiveX controls
- Office applications are configured to prevent automatic execution of web content
- Browser hardening settings are enforced via Group Policy or Intune
- PDF readers are configured to disable JavaScript execution
Strategy 5: Restrict Administrative Privileges
What it is: Only staff with a genuine need for administrative access have it, and only for as long as it is needed.
Why it matters: Most malware needs elevated privileges to spread across a network, disable security tools, or cause significant damage. Restricting admin access limits the blast radius of any successful infection.
ML1 Checklist
- A formal process exists for requesting and approving administrative access
- Standard user accounts are used for day-to-day work (not admin accounts)
- A documented list of who has admin access and why exists
ML2 Checklist
- Administrator accounts are separate from standard user accounts (no dual-use)
- Privileged accounts are not used for email or web browsing
- Domain Administrator accounts are only used on domain controllers
- Local administrator accounts on workstations use Windows LAPS or equivalent
- Administrative access is reviewed quarterly; access for departed staff is confirmed removed
- Microsoft 365 Global Admin accounts are reviewed; Privileged Identity Management (PIM) is enabled for just-in-time admin access where possible
Common gap: Many Melbourne businesses have given multiple staff Global Admin rights in Microsoft 365 because it was easier than managing individual permissions. Most businesses need only 2–3 Global Admins for redundancy. Every additional Global Admin account is additional attack surface: one more mailbox to phish and one more credential whose compromise hands over the whole tenant.
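Both sides of this control, local administrators on workstations and Global Admins in Microsoft 365, can be enumerated and compared with the documented approved list. The PowerShell below is an added example, not code from the original article or from CX IT Services. It assumes the built-in Get-LocalGroupMember cmdlet (Windows 10 and later), the Microsoft.Graph.Identity.DirectoryManagement module for the tenant check, and a read-only Graph scope; the approved-list values are constructed placeholders.

```powershell
# Added example (not the article's or CX IT Services' code): evidence for the
# "documented list of who has admin access" and "Global Admins are reviewed" items.
# Assumptions: Get-LocalGroupMember (Windows 10+); Microsoft.Graph PowerShell SDK installed;
# the approved lists below are constructed placeholders to replace with the documented list.

function Test-LocalAdministrators {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member   = $_.Name
            Type     = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved = ($Approved -contains $_.Name)
        }
    }
}

function Test-GlobalAdministrators {
    param([int]$MaxExpected = 3)   # the article's "2-3 for redundancy" guidance
    # Directory.Read.All is read-only; nothing in this function changes the tenant.
    Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) {
        return [pscustomobject]@{ Count = 0; Members = @(); ExceedsExpected = $false }
    }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    # Members come back as generic directory objects; the UPN is in AdditionalProperties.
    $upns = @($members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
              Where-Object { $_ })
    [pscustomobject]@{
        Count           = $upns.Count
        Members         = $upns
        ExceedsExpected = ($upns.Count -gt $MaxExpected)
    }
}

# Constructed approved list: the built-in local Administrator (managed by LAPS) and one
# domain group. Anything else in the local Administrators group is an unapproved finding.
$approvedLocal = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')
Test-LocalAdministrators -Approved $approvedLocal | Format-Table -AutoSize

$ga = Test-GlobalAdministrators -MaxExpected 3
"Global Administrators: $($ga.Count) (exceeds expected: $($ga.ExceedsExpected))"
$ga.Members
```

Two caveats: the Graph check lists permanently assigned Global Admins only, so a tenant using PIM eligible assignments will show a smaller number (which is the desired end state), and a domain group in the local Administrators list still needs its own membership reviewed, since the group is what is approved, not whoever happens to be in it this quarter.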
Strategy 6: Patch Operating Systems
What it is: Operating system vulnerabilities are patched promptly, following the same timeline principles as application patching.
Why it matters: Unpatched operating systems are a primary target for ransomware operators seeking to move laterally through networks. WannaCry, NotPetya, and most major ransomware families have exploited OS vulnerabilities that were already patched.
ML1 Checklist
- A process exists for applying OS patches
- Critical OS patches are applied within 30 days
- End-of-life operating systems have been identified
ML2 Checklist
- Critical OS patches (CVSS 7.5+) on internet-facing systems are applied within 48 hours
- All other OS patches are applied within 14 days
- Windows 10 end-of-life (October 2025) is addressed — all devices are running Windows 11 or have ESU coverage
- Patch compliance is monitored and reported automatically
- End-of-life operating systems are isolated from the network or removed from service
Windows 10 note: Microsoft ended mainstream support for Windows 10 in October 2025. Devices running Windows 10 without Extended Security Updates (ESU) are receiving no security patches. If you have Windows 10 devices in your environment, this is a critical gap.
Strategy 7: Multi-Factor Authentication
What it is: Accounts require more than a password to authenticate. A second factor — typically an authenticator app, hardware key, or biometric — must be provided.
Why it matters: Credential theft through phishing, data breaches, and password spraying is the most common initial access vector in Australian business cyberattacks. MFA defeats the majority of credential-based attacks, even when passwords are compromised.
ML1 Checklist
- MFA is enabled on all internet-facing services (email, VPN, remote access)
- MFA is enabled for all users accessing Microsoft 365 or Google Workspace
- MFA methods do not rely solely on SMS (SMS is vulnerable to SIM-swapping)
ML2 Checklist
- MFA is enforced via policy — users cannot bypass it
- MFA is required for all privileged accounts accessing systems, not just internet-facing services
- Phishing-resistant MFA (FIDO2 hardware keys, Windows Hello for Business, Microsoft Authenticator with number matching) is used for high-privilege accounts
- MFA bypass rules are documented and minimised
- Conditional Access policies enforce MFA based on device compliance and risk signals
- Break-glass emergency access accounts are documented and secured
Microsoft 365 implementation: MFA in Microsoft 365 is enforced through Conditional Access in Entra ID (formerly Azure Active Directory). Security Defaults enable basic MFA enforcement for every user with no exceptions. Conditional Access provides more granular control (per-role requirements, device compliance and risk signals, documented break-glass exclusions) and is the recommended approach for ML2 compliance.
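The ML2 items above (MFA enforced by policy, phishing-resistant MFA for privileged accounts, documented break-glass exclusions) map onto two Conditional Access policies. The PowerShell below is an added example, not code from the original article or from CX IT Services, and it creates both in report-only mode so the impact can be read from sign-in logs before anything is enforced. It assumes the Microsoft.Graph.Identity.SignIns module, the Graph Conditional Access policy schema, the well-known Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID (both can be confirmed in your tenant with Get-MgDirectoryRoleTemplate and Get-MgPolicyAuthenticationStrengthPolicy); the break-glass object IDs are placeholders.

```powershell
# Added example (not the article's or CX IT Services' code): create the two Conditional Access
# policies that cover the ML2 MFA checklist, in report-only mode first.
# Assumptions: Microsoft.Graph.Identity.SignIns installed; IDs marked "well-known" verified in
# your tenant; break-glass IDs below are placeholders to replace before running.

$breakGlassIds = @('<BREAK-GLASS-ACCOUNT-OBJECT-ID-1>', '<BREAK-GLASS-ACCOUNT-OBJECT-ID-2>')

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Policy 1: MFA for all users on all cloud apps. Break-glass accounts are excluded by object ID,
# which is the "documented and minimised bypass" the checklist asks for.
$allUsersMfa = @{
    displayName   = 'E8-ML2: Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersMfa

# Policy 2: phishing-resistant authentication strength for the Global Administrator role,
# so a phished TOTP code or push approval is not enough to use a privileged account.
$globalAdminRoleTemplate = '62e90394-69f5-4237-9190-012177145e10'   # well-known; verify with Get-MgDirectoryRoleTemplate
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'  # built-in strength; verify with Get-MgPolicyAuthenticationStrengthPolicy

$privilegedMfa = @{
    displayName   = 'E8-ML2: Phishing-resistant MFA for privileged roles'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeRoles = @($globalAdminRoleTemplate); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrength }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $privilegedMfa
```

Create the policies in report-only mode with at least one break-glass account excluded and tested before moving either to enabled; enabling a tenant-wide MFA policy that also binds the only accounts able to change it is the classic self-lockout, and the report-only state is what lets you confirm every privileged user has registered a FIDO2 key or Windows Hello for Business before the phishing-resistant policy is enforced.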
Strategy 8: Regular Backups
What it is: Important data, software, and configuration settings are backed up regularly and can be restored reliably.
Why it matters: When all other controls fail — and eventually something will fail — backups are the last line of defence. A verified, immutable backup means a ransomware attack is a business disruption rather than a business-ending event.
ML1 Checklist
- Important business data is backed up daily
- Backups include data, systems, and configuration settings
- At least one backup copy is stored off-site or in the cloud
ML2 Checklist
- Backups are completed daily with automated verification
- At least one backup copy is offline, off-site, or immutable (ransomware cannot modify it)
- Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) is backed up with a third-party tool — Microsoft’s own resilience does not protect against user error or ransomware
- Backup restoration is tested at least quarterly with documented results
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined and the backup solution meets them
- Backup integrity is monitored; alerts are generated for backup failures
The Microsoft 365 backup gap: Microsoft provides infrastructure resilience for Microsoft 365 but explicitly states in its shared responsibility model that data protection is the customer’s responsibility. Accidental deletion, ransomware, and malicious insider actions are not covered by Microsoft’s built-in recovery beyond a 14–30 day retention window. A third-party backup solution (Veeam, Datto SaaS Backup, Backupify) is required for ML2 compliance.
How to Score Your Assessment
After completing the checklist, tally your results for each of the eight strategies:
- All ML2 items checked: You are at Maturity Level 2 for this strategy. Maintain.
- All ML1 items checked, some ML2 gaps: You are at Maturity Level 1 for this strategy. Prioritise the ML2 gaps.
- Some ML1 items unchecked: You are below Maturity Level 1. Address these first.
Overall maturity level: Your overall Essential Eight maturity level is determined by the lowest level at which all strategies are complete. If six strategies are at ML2 and two are at ML1, your overall maturity is ML1 until the remaining two reach ML2.
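The scoring rule is simple enough to automate, which also makes the result reproducible from one quarter to the next. The PowerShell below is an added example, not code from the original article or from CX IT Services: it computes the per-strategy level from the ML1 and ML2 checklist results exactly as described above (ML2 is only awarded when both the ML1 and ML2 lists are complete, since each level builds on the previous) and reports the overall level as the lowest per-strategy level. The checklist results are constructed sample data, not a real assessment.

```powershell
# Added example (not the article's or CX IT Services' code): score an Essential Eight
# self-assessment using the rule in the article. Sample results are constructed.

function Get-StrategyMaturity {
    param(
        [Parameter(Mandatory)][bool[]]$ML1,   # one $true/$false per ML1 checklist item
        [Parameter(Mandatory)][bool[]]$ML2    # one $true/$false per ML2 checklist item
    )
    $ml1Complete = -not ($ML1 -contains $false)
    $ml2Complete = -not ($ML2 -contains $false)
    # ML2 requires the ML1 items as well: the levels build on each other.
    if ($ml1Complete -and $ml2Complete) { return 2 }
    if ($ml1Complete)                   { return 1 }
    return 0   # some ML1 item unchecked: below Maturity Level 1
}

function Get-EssentialEightMaturity {
    param([Parameter(Mandatory)][hashtable]$Assessment)
    $perStrategy = foreach ($name in $Assessment.Keys) {
        [pscustomobject]@{
            Strategy = $name
            Level    = Get-StrategyMaturity -ML1 $Assessment[$name].ML1 -ML2 $Assessment[$name].ML2
        }
    }
    [pscustomobject]@{
        # Lowest level first, so the remediation list starts with the biggest gaps.
        Strategies = $perStrategy | Sort-Object Level, Strategy
        # Overall maturity is the lowest level at which every strategy is complete.
        Overall    = ($perStrategy | Measure-Object -Property Level -Minimum).Minimum
    }
}

# Constructed sample: six strategies fully at ML2, two with ML2 gaps, so overall = ML1.
$sample = @{
    'Application Control'                   = @{ ML1 = $true,$true,$true;  ML2 = $true,$false,$true,$true,$true }
    'Patch Applications'                    = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$true,$true }
    'Configure Microsoft Office Macro Settings' = @{ ML1 = $true,$true;    ML2 = $true,$true,$true,$true,$true }
    'User Application Hardening'            = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$true,$true,$true }
    'Restrict Administrative Privileges'    = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$false,$true,$true }
    'Patch Operating Systems'               = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$true,$true }
    'Multi-Factor Authentication'           = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$true,$true,$true }
    'Regular Backups'                       = @{ ML1 = $true,$true,$true;  ML2 = $true,$true,$true,$true,$true,$true }
}

$result = Get-EssentialEightMaturity -Assessment $sample
$result.Strategies | Format-Table -AutoSize
"Overall Essential Eight maturity: ML$($result.Overall)"
```

Keeping the per-item results rather than just the levels is what makes the next quarter's comparison useful: the output shows which specific item in Application Control or Restrict Administrative Privileges is holding the overall score at ML1.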
Priority Order for Remediation
If you have gaps across multiple strategies, the ACSC recommends this prioritisation order based on the volume and severity of attacks each control prevents:
- Multi-Factor Authentication — highest impact, stops the majority of credential-based attacks
- Patch Applications — eliminates the most commonly exploited attack vectors
- Regular Backups — ensures recovery is possible regardless of what else fails
- Restrict Administrative Privileges — limits blast radius of any successful attack
- Patch Operating Systems — complements application patching
- User Application Hardening — reduces browser and Office exploit surface
- Configure Macro Settings — eliminates a major malware delivery channel
- Application Control — powerful but requires the most implementation effort
What to Do With This Assessment
The most productive use of this checklist is as a structured conversation with your IT provider. Go through it before your next quarterly business review and ask your provider to walk you through your current position against each control.
If they cannot give you specific, evidence-based answers — not “we think we’re doing that” but “here is the monitoring data showing compliance rates and the policy configurations enforcing each control” — you have identified a gap in your current managed IT service.
For businesses doing this assessment without a managed IT provider, the ACSC publishes free assessment tools at cyber.gov.au. The ASD Essential Eight Maturity Model documentation provides the authoritative reference for each control.
CX IT Services implements and manages Essential Eight compliance for Melbourne businesses, including maturity assessment, gap remediation, and ongoing monitoring. Book a Right Fit Call to discuss your current compliance position and what it would take to reach ML2.