See all articles

Essential Eight: A comprehensive guide to cyber security maturity levels

In the current digital age, cybersecurity has become a critical aspect of organisational strategy. The Essential Eight, developed by the Australian Cyber Security Centre (ACSC), provides a robust framework for improving cybersecurity defences. This article delves into the Essential Eight strategies and explains how organisations can assess their cybersecurity maturity levels, ranging from Level One to Level Three.

Understanding the Essential Eight

The Essential Eight framework consists of eight key mitigation strategies designed to prevent and mitigate cyber incidents:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-factor Authentication (MFA)
  8. Regular Backups

These strategies form a comprehensive defence against various cyber threats, from common malware to sophisticated attacks.

The Maturity Levels

The ACSC defines three maturity levels to help organisations gauge their implementation of the Essential Eight strategies:

  1. Maturity Level One: Basic protection against commodity threats.
  2. Maturity Level Two: Enhanced protection against more sophisticated threats.
  3. Maturity Level Three: Advanced protection with adaptive capabilities against highly sophisticated threats.

Assessing Cybersecurity Maturity

Assessing an organisation’s cybersecurity maturity involves evaluating how well the Essential Eight strategies are implemented and maintained. Here’s a detailed look at each maturity level:

Maturity Level One: Basic Protection

At Maturity Level One, the focus is on mitigating common, widely available threats. This level assumes that malicious actors are opportunistic and will use publicly available exploits and tools to gain access to systems.

Key Characteristics:

  • Application Control: Basic application whitelisting is in place to prevent unauthorised software execution.
  • Patch Applications: Applications are patched regularly, focusing on high-risk vulnerabilities.
  • Macro Settings: Macros are disabled by default, and only approved macros are allowed.
  • User Application Hardening: Basic hardening measures, such as disabling unnecessary features, are implemented.
  • Restrict Administrative Privileges: Users have minimal administrative privileges to limit the potential impact of a compromised account.
  • Patch Operating Systems: Operating systems are patched regularly to address critical vulnerabilities.
  • MFA: MFA is implemented for remote access and critical systems.
  • Regular Backups: Regular backups are performed, and backup integrity is routinely tested.

Implementation Tips:

  • Start Small: Begin with a pilot program to implement and test controls in a controlled environment.
  • Automate Processes: Use automated tools for patch management and backup to ensure consistency and reliability.
  • Educate Users: Provide training on the importance of cybersecurity and best practices.

Maturity Level Two: Enhanced Protection

Maturity Level Two provides enhanced protection against more sophisticated threats. Malicious actors at this level are more persistent and may use more advanced techniques to bypass basic security controls.

Key Characteristics:

  • Application Control: Application control is more refined, with policies regularly updated to reflect new threats.
  • Patch Applications: Patching processes are more rigorous, with critical patches applied promptly and lesser-known vulnerabilities addressed.
  • Macro Settings: Macros are allowed only from trusted locations or digitally signed by a trusted source.
  • User Application Hardening: Additional hardening measures, such as enhanced browser and email client security settings, are implemented.
  • Restrict Administrative Privileges: Administrative privileges are tightly controlled, with regular reviews and monitoring.
  • Patch Operating Systems: More frequent and thorough patching of operating systems, including testing patches in a staging environment before deployment.
  • MFA: MFA is expanded to cover more systems and user accounts.
  • Regular Backups: Backup processes are more sophisticated, with offsite storage and regular testing for data integrity and restore capability.

Implementation Tips:

  • Regular Audits: Conduct regular audits of security controls to ensure they are effective and up-to-date.
  • Threat Intelligence: Utilise threat intelligence to stay informed about emerging threats and adjust controls accordingly.
  • Advanced Tools: Implement more advanced security tools, such as intrusion detection systems (IDS) and security information and event management (SIEM) systems.

Maturity Level Three: Advanced Protection

At Maturity Level Three, organisations have advanced capabilities to defend against highly sophisticated threats. This level assumes that malicious actors are well-funded, highly skilled, and capable of adapting their techniques.

Key Characteristics:

  • Application Control: Highly granular application control policies are in place, with continuous monitoring and adaptation.
  • Patch Applications: Comprehensive patch management processes that address even obscure vulnerabilities promptly.
  • Macro Settings: Strict controls over macros, with advanced monitoring and anomaly detection.
  • User Application Hardening: Comprehensive hardening measures across all user applications, with continuous updates and monitoring.
  • Restrict Administrative Privileges: Sophisticated privilege management systems that enforce the principle of least privilege and monitor for abuse.
  • Patch Operating Systems: Immediate and thorough application of patches, with rigorous testing and validation processes.
  • MFA: MFA is ubiquitous, covering all access points and user accounts, with adaptive authentication measures.
  • Regular Backups: Advanced backup strategies, including real-time replication and robust disaster recovery plans.

Implementation Tips:

  • Continuous Improvement: Regularly review and update security controls based on the latest threat intelligence and best practices.
  • Red Team Exercises: Conduct regular red team exercises to test and improve defensive capabilities.
  • Collaboration: Collaborate with industry peers and participate in information-sharing initiatives to stay ahead of emerging threats.
Abstract image with orange and black elements: arrows for continuous improvement, shield and swords for red team exercises, and handshake for collaboration.

Enhance your cybersecurity with continuous improvement, regular red team exercises, and collaboration for a robust defence strategy | Empire Technologies

Steps to Implement the Essential Eight

Successfully implementing the Essential Eight and progressing through the maturity levels requires a systematic approach:

1. Conduct a Baseline Assessment:

  • Evaluate the current state of your cybersecurity controls.
  • Identify gaps and areas for improvement.
  • Determine your organisation’s current maturity level.

2. Develop a Roadmap:

  • Create a detailed plan for implementing each of the Essential Eight strategies.
  • Set achievable milestones and timelines.
  • Allocate necessary resources, including budget and personnel.

3. Implement and Test Controls:

  • Start with high-priority areas and gradually expand implementation.
  • Test controls thoroughly to ensure they are effective.
  • Address any issues or gaps identified during testing.

4. Monitor and Review:

  • Continuously monitor the effectiveness of implemented controls.
  • Conduct regular reviews and audits to ensure compliance and identify opportunities for improvement.
  • Use feedback to refine and enhance your cybersecurity measures.

5. Foster a Cybersecurity Culture:

  • Educate and train employees on cybersecurity best practices.
  • Promote a culture of security awareness and vigilance.
  • Encourage reporting of suspicious activities and potential security incidents.
Two people in a modern workplace using their devices, conveying a sense of collaboration and cybersecurity awareness.

Promote a cybersecurity culture by encouraging collaboration and vigilance among employees using their devices | Empire Technologies


The Essential Eight framework provides a comprehensive approach to cybersecurity that can help organisations defend against a wide range of threats. By assessing and improving their maturity levels, organisations can enhance their security posture and resilience. Remember, cybersecurity is an ongoing process that requires continuous effort, adaptation, and improvement.

For more detailed information and resources, organisations can visit the ACSC’s Essential Eight page​ (​​ (​​ (​. By staying informed and proactive, organisations can better protect their digital assets and ensure their long-term security and resilience.