The Essential Eight: Your Complete Cyber Compliance Guide
The Australian Cyber Security Centre's Essential Eight is the most effective set of cybersecurity controls available to Australian businesses. This hub covers what each control does, why it matters, maturity levels explained — and exactly how CX IT Services implements and manages each one for Melbourne clients.
95%: cyber incidents preventable by Maturity Level 1 controls
1 in 5: Australian businesses impacted by cybercrime annually
$46K: average cost of a cybercrime incident for an Australian SMB
14 days: patch window insurers typically require for critical vulnerabilities
The Essential Eight is a prioritised set of eight cybersecurity strategies developed by the Australian Cyber Security Centre (ACSC) — the national technical authority on cybersecurity under the Australian Signals Directorate.
It was designed to help Australian organisations protect themselves against the most common and impactful cyber threats. The ACSC has determined that consistent implementation of these eight controls makes a breach significantly harder to execute, contain, and profit from.
Unlike compliance frameworks that focus on documentation and governance, the Essential Eight is entirely technical — focused on what your systems actually do, not what your policies say.
The ACSC states that organisations implementing all eight controls at Maturity Level 2 or higher will be protected against approximately 95% of cyber incidents targeting Australian organisations.
Each of the eight controls is assessed at one of three maturity levels. You do not have to achieve Level 3 to be meaningfully protected — most Australian businesses should target Level 2 as their primary goal.
ML1 (Maturity Level 1): Protects against opportunistic, low-sophistication attackers using commodity tools. The baseline for most Australian SMBs.
ML2 (Maturity Level 2): Defends against targeted attacks using publicly available tools and tradecraft. Required for most regulated industries.
ML3 (Maturity Level 3): Resists sophisticated, targeted adversaries including nation-state actors. Required for government and critical infrastructure.
Important: The ACSC updated the Essential Eight maturity model in November 2023. Maturity levels are now assessed holistically — you cannot cherry-pick controls. All eight must reach a given level before that maturity rating applies to your organisation. CX IT Services assesses and reports using the current methodology.
The Controls
All Eight Controls, Explained
Every control explained in plain English: why it matters, what it requires, how we implement it, and what to watch out for.
1. Patch Applications (Prevent)
Why This Control Matters
Unpatched software is the single most common entry point for cyber attackers. Vulnerabilities in web browsers, Office suites, and operating systems are exploited within hours of public disclosure.
What It Requires
Patch internet-facing services within 48 hours of a critical patch release, and all other applications within 30 days. Older, unsupported software must be removed or isolated.
Maturity Requirements
ML1: Patches applied within 30 days. No longer supported products removed or isolated.
ML2: Patches applied within 14 days. Internet-facing services patched within 48 hours of release.
ML3: Patches applied within 48 hours for critical vulnerabilities. Automated scanning validates compliance.
How CX IT Services Delivers This
We deploy and manage automated patch management across every endpoint in your environment via our RMM platform. Critical patches are applied within 48 hours. Monthly reporting shows patch compliance rates across your entire fleet.
Common Implementation Pitfalls
Legacy software with no vendor support cannot be patched — it must be isolated or replaced
Patching without testing can break line-of-business applications — we stage patches before broad deployment
Third-party applications (Java, Adobe, browsers) are often overlooked alongside OS patches
2. Patch Operating Systems (Prevent)
Why This Control Matters
Operating system vulnerabilities — particularly in Windows kernel, network stack, and authentication subsystems — are frequently used in lateral movement and privilege escalation after initial compromise.
What It Requires
Apply OS patches within 30 days of release. For internet-facing systems, patches must be applied within 48 hours. Unsupported operating systems (Windows 7, Server 2012, etc.) must not be in use.
Maturity Requirements
ML1: OS patches applied within 30 days. End-of-life OS removed or protected.
ML2: Patches within 14 days. Internet-facing systems patched within 48 hours.
ML3: Automated patching with validation reporting. Zero tolerance for unsupported OS in production.
How CX IT Services Delivers This
Our RMM platform enforces OS patching across Windows and macOS endpoints. We manage Windows Update for Business policies, validate patch success, and flag devices that fall outside compliance windows. Windows 10 End of Life is tracked and remediated before it becomes a liability.
Common Implementation Pitfalls
Windows 10 reaches end of life in October 2025 — any device that has not been upgraded becomes an unpatched OS liability
Server operating systems often get overlooked — they need the same patching discipline as endpoints
Driver and firmware updates are separate from OS patches and are often missed
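The same timing windows govern both patching controls above. As an added example (not ACSC or CX IT Services code), this Python checker scores constructed patch records against the windows quoted on this page and takes the slowest record as the control's level, since the maturity model does not allow cherry-picking; the asset names, dates and record layout are assumptions.

```python
"""Score patch records against the Essential Eight patching windows.

Windows quoted on this page: ML1 within 30 days; ML2 within 14 days and
internet-facing services within 48 hours; ML3 critical vulnerabilities
within 48 hours. Assets, dates and the record layout are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DAY = 24  # hours


@dataclass
class PatchRecord:
    asset: str
    software: str
    released: datetime           # when the vendor shipped the fix
    applied: Optional[datetime]  # None means still unpatched
    internet_facing: bool
    critical: bool


def hours_to_patch(rec: PatchRecord, now: datetime) -> float:
    """Hours from release to application; unpatched records keep accruing until now."""
    end = rec.applied if rec.applied is not None else now
    return (end - rec.released).total_seconds() / 3600


def record_level(rec: PatchRecord, now: datetime) -> int:
    """Highest maturity level (0 to 3) one patch record satisfies.

    Each level includes the requirements of the one below it, so the
    checks run in order and stop at the first window that was missed.
    """
    h = hours_to_patch(rec, now)
    if h > 30 * DAY:
        return 0
    if h > 14 * DAY or (rec.internet_facing and h > 48):
        return 1
    if rec.critical and h > 48:
        return 2
    return 3


def control_level(records, now: datetime) -> int:
    """The control is only as mature as its slowest record (no cherry-picking)."""
    return min((record_level(r, now) for r in records), default=3)


def gaps(records, now: datetime, target: int) -> list:
    """Records that must be fixed before `target` can be claimed for this control."""
    return [r for r in records if record_level(r, now) < target]


# Constructed fleet snapshot, evaluated as at NOW.
NOW = datetime(2025, 3, 31, 9, 0)
SAMPLE = [
    PatchRecord("web01", "Apache httpd", datetime(2025, 3, 1, 10, 0),
                datetime(2025, 3, 2, 8, 0), internet_facing=True, critical=True),
    PatchRecord("ws-fin-07", "Adobe Reader", datetime(2025, 3, 5),
                datetime(2025, 3, 15), internet_facing=False, critical=False),
    PatchRecord("vpn01", "VPN appliance firmware", datetime(2025, 3, 10, 12, 0),
                datetime(2025, 3, 13, 12, 0), internet_facing=True, critical=False),
    PatchRecord("ws-hr-02", "Java runtime", datetime(2025, 3, 5),
                datetime(2025, 3, 20), internet_facing=False, critical=True),
    PatchRecord("app-legacy", "Office 2013", datetime(2025, 2, 1),
                None, internet_facing=False, critical=False),
]


def summarise(records=SAMPLE, now=NOW) -> dict:
    """Per-asset level; gaps() shows which assets hold the whole control back."""
    return {r.asset: record_level(r, now) for r in records}
```

One still-unpatched legacy product pulls the control to ML0 even though two assets individually meet ML3, which is the holistic behaviour the November 2023 model enforces.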
3. Multi-Factor Authentication (Prevent)
Why This Control Matters
Stolen or guessed passwords are involved in over 80% of breaches. MFA blocks virtually all credential-stuffing and phishing attacks that result in account takeover — it is the single highest-impact control you can implement.
What It Requires
MFA must be enforced on all remote access, all privileged accounts, all email systems, and all cloud services. Phishing-resistant MFA (hardware keys or passkeys) is required for privileged accounts at Maturity Level 3.
Maturity Requirements
ML1: MFA on internet-facing services for all users. Any MFA method acceptable.
ML2: MFA on all remote access, privileged accounts, and third-party providers. SMS/TOTP acceptable.
ML3: Phishing-resistant MFA (hardware keys/passkeys) for all privileged accounts. Standard users on authenticator apps minimum.
How CX IT Services Delivers This
We enforce MFA across Microsoft 365, Azure AD, VPNs, and all remote access tools using Conditional Access policies. Privileged accounts are enrolled in phishing-resistant authentication. We configure break-glass accounts with documented emergency access procedures.
Common Implementation Pitfalls
SMS-based MFA is vulnerable to SIM-swapping — we recommend authenticator apps as the minimum
MFA bypass policies for "convenience" are a direct security hole — we enforce no exceptions
Legacy protocols (SMTP AUTH, IMAP) bypass MFA by design and must be disabled or blocked
4. Restrict Administrative Privileges (Prevent)
Why This Control Matters
Attackers who compromise a standard user account have limited reach. Attackers who compromise an admin account own your environment. Restricting admin privileges contains the blast radius of any compromise and prevents ransomware from spreading.
What It Requires
Admin accounts must be separate from daily-use accounts. Users only receive administrative privileges they actually need (least privilege). Privileged Access Workstations (PAWs) are required at Maturity Level 3. Just-in-time access is preferred for domain-level admin.
Maturity Requirements
ML1: Separate admin accounts. No admin for email/browsing. Privileged accounts not used for standard tasks.
ML2: Privileged access for OS/apps validated regularly. Online services admin accounts are separate.
ML3: Just-in-time admin, Privileged Access Workstations for domain admin tasks, annual revalidation of all privileges.
How CX IT Services Delivers This
We audit and right-size all Active Directory and Entra ID permissions, create dedicated admin accounts separate from user accounts, remove unnecessary local admin rights, and implement time-limited privileged access using PIM in Azure AD.
Common Implementation Pitfalls
Many staff have local admin "just in case" — auditing this is eye-opening and often reveals excessive access
Shared admin accounts make forensics impossible after an incident — individual accounts are mandatory
Service accounts often have unnecessary domain admin — these are a common lateral movement path
5. Application Control (Prevent)
Why This Control Matters
Ransomware and malware can only execute if the operating system allows them to run. Application control creates an allowlist of approved executables — anything not on the list simply cannot run, regardless of how it got there.
What It Requires
Only approved applications can execute. This applies to executables, software libraries, scripts, and installer packages. At Maturity Level 3, application control extends to all user-writable locations and is applied to all workstations and servers.
Maturity Requirements
ML1: Application control on workstations preventing execution from user-writable locations.
ML2: Application control validated — allowlisted by publisher, product name, or file path/hash.
ML3: Application control on workstations and servers. Scripts controlled. Annual review of allowlists.
How CX IT Services Delivers This
We implement application control via Microsoft AppLocker or Windows Defender Application Control (WDAC), combined with SentinelOne EDR behavioural controls. We build and maintain an approved application inventory for your environment and manage exceptions through a change control process.
Common Implementation Pitfalls
Application control is one of the most complex controls to implement correctly — poorly built rules cause business disruption
Scripts (PowerShell, VBScript, macro-enabled Office) need separate controls — executable-only control misses most modern attacks
Application control alone is not sufficient — it works in combination with other controls
6. Configure Microsoft Office Macro Settings (Prevent)
Why This Control Matters
Macro-enabled Office documents are the most common malware delivery mechanism in Australian business email compromise attacks. A single click on a weaponised Word or Excel file can deploy ransomware across your network within minutes.
What It Requires
Microsoft Office macros from the internet must be blocked. Only digitally signed macros from trusted publishers should be permitted. At Maturity Level 3, macros are restricted to specific users with a demonstrated business need.
Maturity Requirements
ML1: Macros from the internet blocked. Trusted publisher lists configured.
ML2: Only digitally signed macros from trusted publishers. Microsoft 365 logging enabled.
ML3: Macros disabled except for specific users with business justification. Annual review.
How CX IT Services Delivers This
We configure Microsoft 365 Group Policy and Intune policies to block untrusted macros, enable Protected View for internet-sourced documents, configure AMSI integration for macro scanning, and set trusted publisher lists for organisations with legitimate macro requirements.
Common Implementation Pitfalls
Finance teams often use legitimate macro-based workbooks — we identify and migrate these before blocking
Blocking macros without user communication creates support tickets — we include staff communications as part of rollout
Attackers now use XLSB (binary Excel) and other formats to bypass simple macro policies — proper controls cover all Office file types
7. User Application Hardening (Prevent)
Why This Control Matters
Web browsers and PDF readers are the most attacked applications in a business environment. Hardening these tools — disabling unneeded features like Java, Flash, and web advertisements — eliminates entire classes of browser-based exploits.
What It Requires
Web browsers must block web ads, disable Java, and disable Flash. PDF readers must be configured to not open internet-sourced content without security validation. Internet Explorer must not be in use. Browser extensions must be controlled.
Maturity Requirements
ML1: Web ads blocked, Java disabled in browsers, Flash disabled, Internet Explorer not in use.
ML2: Browsers configured via Group Policy/Intune. PDF readers hardened. Unnecessary features disabled.
ML3: Browser extensions controlled. Security features validated regularly. Internet Explorer absent from environment.
How CX IT Services Delivers This
We deploy and manage Microsoft Edge with enterprise security policies via Intune, block advertisement networks that are known malware distribution vectors, disable Java in browsers, and manage browser extension allowlists to prevent malicious extension installation.
Common Implementation Pitfalls
Blocking web ads can break some legitimate SaaS applications — we build exception lists during hardening
PDF readers from multiple vendors are common — each needs individual hardening, not just Adobe Acrobat
Browser extension management is often overlooked — malicious extensions are a growing attack vector
8. Regular Backups (Recover)
Why This Control Matters
When all other controls fail — and sometimes they do — tested backups are the difference between a costly incident and a catastrophic one. Without recoverable backups, ransomware leaves you with one option: pay the ransom.
What It Requires
Business-critical data backed up daily. Backups stored in at least three locations (3-2-1 rule). Backups protected from modification and deletion (immutable). Restoration tested at least quarterly. Backups not accessible via the same credentials as production systems.
Maturity Requirements
ML1: Backups of business-critical data performed and stored securely. Tested at least annually.
ML2: Backups protected from modification and deletion. Stored in a separate location (offline or cloud). Tested quarterly.
ML3: Immutable backups. Comprehensive restoration testing. Backups not accessible via production credentials. Multiple geographic locations.
How CX IT Services Delivers This
We implement immutable cloud backup for all endpoints and servers using Datto or Azure Backup, with isolated storage credentials. Backup health is monitored daily. Restoration tests are performed quarterly and documented for cyber insurance and audit purposes.
Common Implementation Pitfalls
Microsoft 365 is NOT backed up by Microsoft — emails, SharePoint, and Teams data require a separate backup solution
Backup health monitoring is critical — a backup that silently fails for 3 months provides zero protection
Ransomware increasingly targets and deletes backup systems before encrypting production data — immutability is mandatory
How We Deliver It
We Implement and Manage the Essential Eight for Melbourne Businesses
CX IT Services is a cyber-first MSP. Every managed IT support client is assessed against the Essential Eight at onboarding, with a clear remediation roadmap to achieve their target maturity level. Ongoing compliance is monitored monthly and reported quarterly.
Baseline Assessment
We assess your current posture across all eight controls and all three maturity levels using the ACSC methodology.
Remediation Roadmap
A prioritised plan showing what to fix, in what order, and what it costs — mapped to your target maturity level.
Managed Implementation
We configure, deploy, and document each control. No DIY — our engineers do the work.
Ongoing Compliance
Monthly compliance dashboard, quarterly review, and updated reporting for insurers and stakeholders.
How the Essential Eight compares to ISO 27001, NIST CSF, and the Australian Privacy Act requirements.
| Framework | Scope | Who It's For | Effort to Implement | Cyber Insurance Value | Essential Eight Overlap |
| --- | --- | --- | --- | --- | --- |
| ACSC Essential Eight | 8 specific technical controls | All Australian businesses | Moderate | Very High | — |
| ISO 27001 | Full ISMS governance & controls | Mid-enterprise, regulated sectors | High | High | ~60% overlap |
| NIST CSF | Risk-based framework, 5 functions | Larger organisations, US-facing | High | Moderate | ~70% overlap |
| Privacy Act / APPs | Personal data governance | Businesses holding personal data | Low-Moderate | Moderate | ~30% overlap |
| APRA CPS 234 | Financial sector cyber resilience | Banks, insurers, super funds | High | High | ~75% overlap |
By Industry
Essential Eight Across Melbourne Industries
The technical requirements are consistent, but the implementation priorities and compliance drivers differ by industry.
Healthcare & Medical
Target: ML2
Compliance Drivers
OAIC Notifiable Data Breaches obligations
RACGP Standards for General Practice (5th Ed.)
Medicare and My Health Record access requirements
Implementation Priority
MFA and patch management are critical — clinical workstations running Best Practice or MedicalDirector must be patched without disrupting patient records access.
Legal & Law Firms
Target: ML2
Compliance Drivers
Law Institute of Victoria professional standards
Legal Profession Uniform Law obligations on client data
Cyber insurance requirements for professional indemnity
Implementation Priority
Restricting admin privileges and controlling macros are the highest priorities — BEC (Business Email Compromise) attacks targeting law firms via weaponised documents are the dominant threat.
Accounting & Finance
Target: ML2
Compliance Drivers
ATO Tax Agent Portal security requirements
ASIC regulatory obligations
APRA CPS 234 for firms holding financial services licences
Implementation Priority
MFA and patching are mandatory for ATO portal access. Application control protects against tax fraud malware. Regular backups are critical given financial data sensitivity.
Professional Services
Target: ML1–ML2
Compliance Drivers
Cyber insurance requirements (most policies now mandate E8 ML1)
Client contractual security requirements
Competitive differentiation and client trust
Implementation Priority
All eight controls at ML1 provide a strong baseline. Backup testing and MFA are the highest-value starting points for most professional services firms.
ML2 is typically the minimum for government contracts, with ML3 increasingly specified in sensitive data environments. Application control and restrict admin privileges are closely scrutinised.
Education & NFP
Target: ML1
Compliance Drivers
Student / beneficiary data protection obligations
Grant and government funding security requirements
Increasingly targeted by ransomware due to perceived weak defences
Implementation Priority
Backup testing is critical — education sector ransomware attacks are frequent. MFA and patch management are achievable with limited IT budgets using existing Microsoft 365 tools.
Self-Assessment
Quick Maturity Scorecard
Answer these eight questions to estimate your current Essential Eight maturity. This is a starting point — a proper assessment requires a technical review of your environment.
1. Patch Applications
Are all business applications patched within 30 days of release, with critical patches within 48 hours?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
2. Patch OS
Are all operating systems patched within 30 days, with no unsupported OS in production?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
3. MFA
Is MFA enforced on all email, remote access, privileged accounts, and cloud services?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
4. Restrict Admin
Do admin accounts exist separately from daily-use accounts, with least-privilege access?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
5. Application Control
Are only approved applications able to execute on workstations and servers?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
6. Macro Settings
Are Office macros from the internet blocked, with only signed macros from trusted publishers permitted?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
7. User App Hardening
Are browsers hardened with ads blocked, Java disabled, and unnecessary features turned off?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
8. Regular Backups
Are backups taken daily, stored separately, protected from deletion, and tested quarterly?
Yes — ML1+ / Partial — Gaps exist / No — Not implemented
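Because the current model rates all eight controls together, the scorecard answers cannot simply be averaged. This added Python example (not ACSC or CX IT Services code) turns Yes/Partial/No answers into per-control levels, applies the lowest-control rule from the maturity model note above, and lists which controls block each next level; the control names follow this page and the sample levels are constructed.

```python
"""Holistic Essential Eight maturity from per-control levels.

A rating applies only when all eight controls reach it, so the
organisation's level is the lowest control level, never an average.
Sample levels and scorecard answers below are constructed.
"""
CONTROLS = (
    "Patch Applications",
    "Patch Operating Systems",
    "Multi-Factor Authentication",
    "Restrict Administrative Privileges",
    "Application Control",
    "Configure Microsoft Office Macro Settings",
    "User Application Hardening",
    "Regular Backups",
)
# Scorecard answers and the level they evidence: "Yes" means ML1 or
# better; "Partial" and "No" earn no credit at any level.
ANSWER_LEVEL = {"yes": 1, "partial": 0, "no": 0}


def _check_complete(levels: dict) -> None:
    """A holistic rating is undefined until every control has been assessed."""
    missing = [c for c in CONTROLS if c not in levels]
    if missing:
        raise ValueError(f"no assessment for: {', '.join(missing)}")


def scorecard_levels(answers: dict) -> dict:
    """Translate the eight Yes/Partial/No scorecard answers into control levels."""
    _check_complete(answers)
    return {c: ANSWER_LEVEL[answers[c].strip().lower()] for c in CONTROLS}


def holistic_level(levels: dict) -> int:
    """Organisation-wide maturity: the minimum across all eight controls."""
    _check_complete(levels)
    return min(levels[c] for c in CONTROLS)


def blockers(levels: dict, target: int) -> list:
    """Controls below `target`, weakest first, then in this page's control order."""
    _check_complete(levels)
    behind = [c for c in CONTROLS if levels[c] < target]
    return sorted(behind, key=lambda c: (levels[c], CONTROLS.index(c)))


def roadmap(levels: dict, target: int) -> list:
    """(level, blockers) for each step from the current rating up to `target`."""
    return [(lvl, blockers(levels, lvl))
            for lvl in range(holistic_level(levels) + 1, target + 1)]


# Constructed assessment: strong almost everywhere, weak in one control.
SAMPLE_LEVELS = {c: 3 for c in CONTROLS}
SAMPLE_LEVELS["Application Control"] = 1
SAMPLE_LEVELS["Configure Microsoft Office Macro Settings"] = 2
SAMPLE_LEVELS["Regular Backups"] = 2

if __name__ == "__main__":
    avg = sum(SAMPLE_LEVELS.values()) / len(SAMPLE_LEVELS)
    print(f"average {avg:.2f}, but holistic rating is ML{holistic_level(SAMPLE_LEVELS)}")
    for lvl, ctrls in roadmap(SAMPLE_LEVELS, 3):
        print(f"to reach ML{lvl}: lift {ctrls}")
```

The constructed assessment averages 2.5 yet rates ML1, and a single Application Control gap is all that stands between it and ML2.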
Want a Proper Assessment?
Our Essential Eight Assessment produces a scored report across all eight controls and three maturity levels — using the ACSC's current assessment methodology. Everything starts with a Clarity Call to make sure we're the right fit, then we scope and schedule the assessment.
What's included:
Technical review of your environment
Scored report against all 8 controls × 3 maturity levels
Prioritised remediation roadmap
Cyber insurance readiness assessment
Written report you can share with your insurer or board
Is the Essential Eight mandatory for Australian businesses?
The Essential Eight is mandatory for non-corporate Commonwealth entities under the PSPF (Protective Security Policy Framework). It is not currently legislatively mandated for private businesses, but it is strongly recommended by the ACSC, required by most cyber insurers, and increasingly specified in government procurement contracts. For regulated industries (healthcare, financial services, legal), it aligns with existing compliance obligations under the Privacy Act, APRA CPS 234, and similar frameworks.
What is the difference between the Essential Eight and ISO 27001?
The Essential Eight is a prioritised list of eight specific technical controls targeting the most common attack vectors. It is practical, prescriptive, and relatively fast to implement. ISO 27001 is a comprehensive information security management system standard covering governance, risk management, asset management, HR security, physical security, and much more. Many organisations treat Essential Eight compliance as a stepping stone toward ISO 27001 certification. They are complementary, not alternatives.
How long does it take to achieve Essential Eight Maturity Level 1?
For a typical Melbourne business with 20–100 staff starting from a standard commercial IT environment, Maturity Level 1 typically takes 8–16 weeks depending on the complexity of your environment, the number of legacy systems, and how many of the controls are already partially in place. Patching and MFA can usually be enforced within the first 2–4 weeks. Application control and macro hardening take longer because they require an inventory of your approved applications and legitimate business processes.
Our cyber insurer mentioned the Essential Eight. What do I need to do?
Most Australian cyber insurers now require at minimum: MFA on all email and remote access (Maturity Level 1), tested offsite backups (Maturity Level 1–2), EDR on all endpoints (which maps to the application control and OS patching controls), and patch management within 30 days. If your insurer has specifically mentioned the Essential Eight, book a free IT health check with us and we will assess your current posture against their requirements and identify exactly what needs to change before your next renewal.
Can a small business with 10 staff realistically implement the Essential Eight?
Yes — and they should. The Essential Eight was designed with proportionality in mind. For a 10-person business using Microsoft 365, cloud-hosted applications, and modern endpoints, Maturity Level 1 across most controls can be achieved using built-in tools like Microsoft Defender, Intune, and Conditional Access — often without significant additional software cost. The challenge is configuration and ongoing management, which is exactly what our managed IT support service handles.
What is the ACSC and why does their framework matter?
The ACSC — Australian Cyber Security Centre — is the national technical authority on cybersecurity, operating under the Australian Signals Directorate. They develop and maintain the Essential Eight as part of their mandate to improve the cyber resilience of Australian organisations. ACSC guidance carries significant weight in insurance assessments, regulatory inquiries, and legal proceedings following a cyber incident. Following their framework is the most defensible posture available to Australian businesses.
How do we measure and report our Essential Eight maturity?
We perform Essential Eight assessments using the ACSC's published assessment methodology, producing a scored report across all eight controls and all three maturity levels. Clients on our managed IT support service receive an Essential Eight compliance dashboard updated monthly, with quarterly deep-dive reviews. This reporting is formatted to satisfy cyber insurance requirements and can be provided to customers, boards, or regulators who ask about your security posture.
What happens if we are breached despite implementing the Essential Eight?
The Essential Eight is designed to prevent the vast majority of attacks, not guarantee complete immunity. If a breach occurs, demonstrable implementation of the Essential Eight provides significant protection: it reduces insurer grounds for claim denial, demonstrates reasonable duty of care which is relevant in the event of customer or regulator action, and typically limits the blast radius of an incident because the controls limit lateral movement and privilege escalation. Documented compliance is your legal and commercial protection.
Free Clarity Call
Ready to Achieve Essential Eight Compliance?
Start with a Clarity Call. We'll confirm we're the right fit, then scope the right assessment for your business — scored across all eight controls with a clear remediation roadmap.