Essential Eight (E8MM)

The ASD Essential Eight helps organisations reduce cyber security risk by implementing eight key mitigation strategies that protect systems, data, and critical business information from common cyber threats.

About Essential Eight (E8MM)

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to mitigate cybersecurity incidents, to help organisations protect themselves against various cyberthreats. The most effective of these mitigation strategies are the Essential Eight.

The Essential Eight maturity model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyberthreat intelligence, responding to cybersecurity incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

The Essential Eight strategies are grouped into three primary objectives: preventing cyberattacks, limiting the extent of cyber security incidents, and recovering data and system availability. To prevent attacks, the framework recommends application control, patching applications, configuring Microsoft Office macro settings, and user application hardening. To limit the impact of a breach, the strategies focus on restricting administrative privileges, patching operating systems, and implementing multi-factor authentication. Finally, the data recovery objective ensures organisations can restore systems after an incident through the maintenance of regular backups.

The Essential Eight Maturity Model (E8MM) defines four maturity levels (Maturity Level Zero through Maturity Level Three) based on the increasing sophistication of adversary tradecraft and targeting. Maturity Level Zero signifies weaknesses in an organisation's overall cybersecurity posture. Maturity Level One focuses on defending against malicious actors who use widely available, commodity tradecraft to opportunistically target any victim. Maturity Level Two addresses adversaries who are more selective and willing to invest more time in their tools, while Maturity Level Three targets highly skilled and adaptive adversaries who can circumvent weaker controls. Organisations are advised to identify a target maturity level appropriate for their risk environment and achieve it across all eight strategies before progressing to the next level, because a single strategy left at a lower level leaves a gap that an adversary of the targeted sophistication can exploit.

Global Compliance Certification (GCC) helps organisations validate their alignment with these rigorous standards through its specialised information security services. As a provider of Infosec Registered Assessors Program (IRAP) assessments, GCC deploys certified assessors to evaluate security controls against the Australian Government’s Information Security Manual (ISM), which underpins the Essential Eight. Additionally, GCC provides ISO/IEC 27001 certification, offering the governance and risk management framework needed to sustain these technical controls, ensuring organisations not only achieve but also maintain their target maturity levels against evolving cyber threats.


The Essential Eight

Essential Eight Maturity Model – Understanding Cybersecurity Readiness

Maturity Level Zero

Indicates an immature cybersecurity posture where weaknesses could allow compromise of data confidentiality, integrity or availability. Organisations at this level are vulnerable to basic threats.

Maturity Level One

Focuses on mitigating opportunistic threats using common tradecraft. Controls at this level defend against commodity attacks that exploit weaknesses such as unpatched systems and weak authentication.

Maturity Level Two & Three

At Level Two, controls reduce risk from more capable adversaries using improved techniques. Level Three targets adaptive threats with stronger controls and monitoring to detect and resist sophisticated compromise attempts.

Essential Eight Assessment Process Guide

This guide provides structured advice on how to assess both the implementation and effectiveness of controls under the Essential Eight using the ASD maturity model. It should be used alongside other Essential Eight tools and templates.

Assessments are conducted against the Essential Eight maturity model, which includes Maturity Levels Zero through Three, with foundational assessment principles applicable regardless of system size or complexity.

The guide defines four levels of evidence quality — excellent, good, fair, and poor — and stresses using the highest quality evidence reasonably practicable when determining control effectiveness.

The assessment is structured into four key stages: planning and preparation; determining scope and approach; assessing controls; and developing the final security assessment report.

Assessors must evaluate whether mitigation strategies are implemented effectively using judgement, representative sampling and evidence quality, and ensure compensating controls provide equivalent protection when in place.

Key Updates to the Essential Eight Maturity Model: Patching, MFA, and Governance

Stronger Prioritised Patching Requirements

The revised model brings patching timeframes forward. Vulnerabilities in internet-facing (online) services must now be patched within 48 hours when an exploit exists (and, at Maturity Levels Two and Three, when the vendor assesses the vulnerability as critical), and otherwise within two weeks, with this prioritisation applying from Maturity Level One rather than only at the higher levels.

Enhanced Multi-Factor Authentication Standards

Multi-factor authentication now requires stronger factors and removes opt-out options for customers, with phishing-resistant MFA required at more maturity levels to defend against evolving attacks.

Tighter Administrative Privilege Controls

New governance requirements mandate validated privileged access processes, stricter internet access limitations for privileged accounts, and expanded credential protections for high-risk accounts.

Revised Application Control and Logging Practices

Application control rules must be reviewed annually and incorporate Microsoft’s blocklists at earlier levels, while logging enhancements shift focus to more effective native mechanisms like PowerShell and command line event logging.
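As an added example (not code from this page, from ASD or from GCC), the following PowerShell script checks the Windows settings behind the command line and PowerShell logging requirements and then confirms that events are actually being written, which is the stronger evidence an assessor wants. It assumes a Windows 10/11 or Windows Server 2016+ host, an elevated session and an English locale (for the auditpol text match); the registry paths and event IDs are Microsoft's documented ones, while the function names are my own.

```powershell
# Added example, not from the page or from ASD. Read-only assessment of the
# logging controls: process creation auditing with command line capture,
# PowerShell script block and module logging, and evidence that events flow.

function Test-RegistryDword {
    # Returns the DWORD value, or $null when the policy value is not configured.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-E8LoggingStatus {
    $results = @()

    # 1. Security event 4688 (process creation) must be audited at all.
    #    auditpol prints "Success", "Failure", "Success and Failure" or "No Auditing".
    $auditText = (auditpol /get /subcategory:"Process Creation" 2>$null) -join ' '
    $results += [pscustomobject]@{
        Control  = 'Audit Process Creation (Security 4688)'
        Enabled  = [bool]($auditText -match 'Success')
        Evidence = 'auditpol /get /subcategory:"Process Creation"'
    }

    # 2. 4688 must include the full command line, otherwise it is of little use.
    $cmdLine = Test-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
        -Name 'ProcessCreationIncludeCmdLine_Enabled'
    $results += [pscustomobject]@{
        Control  = 'Include command line in 4688'
        Enabled  = ($cmdLine -eq 1)
        Evidence = "ProcessCreationIncludeCmdLine_Enabled = $cmdLine"
    }

    # 3. PowerShell script block logging (event 4104) and module logging (4103).
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Test-RegistryDword -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging'
    $mod = Test-RegistryDword -Path "$psPolicy\ModuleLogging"      -Name 'EnableModuleLogging'
    $results += [pscustomobject]@{
        Control  = 'PowerShell script block logging (4104)'
        Enabled  = ($sbl -eq 1)
        Evidence = "EnableScriptBlockLogging = $sbl"
    }
    $results += [pscustomobject]@{
        Control  = 'PowerShell module logging (4103)'
        Enabled  = ($mod -eq 1)
        Evidence = "EnableModuleLogging = $mod"
    }

    # 4. Configuration is "fair" evidence; recent events in the log are better.
    $since = (Get-Date).AddDays(-1)
    $ev4688 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                  -MaxEvents 1 -ErrorAction SilentlyContinue
    $ev4104 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } `
                  -MaxEvents 1 -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Control  = '4688 events written in last 24h'
        Enabled  = [bool]$ev4688
        Evidence = if ($ev4688) { $ev4688.TimeCreated } else { 'none found' }
    }
    $results += [pscustomobject]@{
        Control  = '4104 events written in last 24h'
        Enabled  = [bool]$ev4104
        Evidence = if ($ev4104) { $ev4104.TimeCreated } else { 'none found' }
    }

    return $results
}

Get-E8LoggingStatus | Format-Table -AutoSize
```

A registry value of 1 only shows the policy is set on this host; the event checks show the control is producing records, and an assessor should further confirm those records reach the central log collector, since centralised logging is what the maturity model asks for. A `$null` in the Evidence column means the policy has never been configured, which is different from it being explicitly disabled.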

Frequently Asked Questions

  • While no set of mitigation strategies is guaranteed to protect against all cyberthreats, organisations are recommended to implement eight essential mitigation strategies from the Strategies to mitigate cybersecurity incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for malicious actors to compromise systems.
  • The mitigation strategies that constitute the Essential Eight are: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups.
  • Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cybersecurity incident.
  • The E8MM is designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of malicious actors’ tradecraft (i.e. tools, tactics, techniques and procedures) and targeting.
  • The different maturity levels can also be used to provide a high-level indication of an organisation’s cybersecurity maturity.
  • The Australian Signals Directorate (ASD) is committed to providing cybersecurity advice that is contemporary, fit for purpose and practical. This includes regular updates to the E8MM.
  • Malicious actors continually evolve their tradecraft to defeat preventative measures that organisations put in place.
  • ASD continually learns of advances in malicious actors’ tradecraft through its cyberthreat intelligence and cybersecurity incident response functions.
  • ASD also learns of how our cybersecurity advice is implemented within organisations as part of Essential Eight implementation assessments and uplift activities.
  • Updates to the E8MM follow a thorough review by ASD, which includes consultation with government and industry partners.
  • Organisations are strongly encouraged to use the latest version of the E8MM to protect themselves against contemporary tradecraft used by malicious actors. Note, legacy versions of the E8MM will often no longer be fit for purpose due to the continual evolution of tradecraft used by malicious actors.
  • The applicability of controls within the Information Security Manual (ISM) is based on the classification of data that a system will store, process or communicate, whereas the E8MM is based on prioritising the implementation of controls to mitigate different levels of malicious actors' tradecraft and targeting.
  • A mapping between the E8MM and ISM is provided within the Essential Eight maturity model and ISM mapping publication.
  • The ISM also provides OSCAL baselines for the E8MM which can be used by organisations to track their implementation of the E8MM within their governance, reporting and compliance tools.
  • Organisations should consider their E8MM and ISM requirements independently. For example, an organisation contractually required to implement Maturity Level Two from the E8MM should not assume that controls within the ISM that are mapped to Maturity Level Three are out of scope when building and deploying a system. For non-corporate Commonwealth entities subject to the Department of Home Affairs’ Protective Security Policy Framework, this means that while Maturity Level Two is considered a mandatory baseline, controls mapped to Maturity Level Three within the ISM are still applicable for their systems, however, their implementation may be risk managed.
  • ASD has developed an Essential Eight assessment course and partnered with TAFEcyber for the delivery of the course to cybersecurity professionals across Australia.
  • The Essential Eight assessment course is a face-to-face three-day course that uses a blend of specialist expertise, knowledge and hands-on technical training. Further information on the Essential Eight Assessment Course is available from TAFEcyber.
