Essential Eight Maturity Assessment Checklist

Understand the ASD's Essential Eight mitigation strategies, the four maturity levels, and how to assess your organisation's readiness for each strategy.

12 min read. Published 2026-04-22

What is the Essential Eight?

The Essential Eight is a set of prioritised mitigation strategies published by the Australian Signals Directorate (ASD) to help organisations protect against cyber threats. Originally derived from the broader Strategies to Mitigate Cyber Security Incidents, these eight strategies represent the baseline security controls that all Australian organisations should implement.

While the Essential Eight is mandatory for non-corporate Commonwealth entities (the PSPF requires them to reach Maturity Level 2), it is considered best practice for all Australian organisations and is increasingly referenced in government procurement requirements.

The eight strategies

  1. Application control

    Prevent execution of unapproved programs: executables, software libraries (DLLs), scripts, installers, compiled HTML, HTML applications and control panel applets. At Maturity Level 1 this covers user profiles and temporary folders on workstations; higher levels extend application control (allowlisting) to internet-facing servers and then to all workstations and servers, including drivers.

  2. Patch applications

    Patch or mitigate vulnerabilities in internet-facing (online) services within 48 hours when a working exploit exists or the vendor rates the vulnerability critical, and within two weeks otherwise. Office suites, browsers, email clients, PDF software and security products have their own, tighter timeframes at higher levels, and the timeframes extend to all other applications at Maturity Level 3. Applications that are no longer supported by their vendor must be removed.

  3. Configure Microsoft Office macro settings

    Block macros in files downloaded from the internet, disable macros for users without a demonstrated business need, and prevent users from changing macro settings. At higher levels, only macros that are digitally signed by a trusted publisher, or that run from a trusted location or sandbox, may execute, and Win32 API calls from macros are blocked.

  4. User application hardening

    Configure web browsers so they do not process Java or web advertisements from the internet, disable or remove Internet Explorer 11, and prevent users from changing browser security settings. Disable unneeded features in Office, web browsers and PDF viewers (for example object linking and embedding and child process creation). For PowerShell, the model requires Constrained Language Mode and logging of command-line process creation and script blocks, and at Maturity Level 3 the removal of Windows PowerShell 2.0 and .NET Framework 3.5; the PowerShell execution policy is not a security boundary and does not satisfy this strategy.

  5. Restrict administrative privileges

    Limit admin access to those with a validated need, and revalidate it regularly (at higher levels within fixed timeframes and after a period of inactivity). Privileged users work from separate privileged and unprivileged operating environments, and privileged accounts are prevented from accessing the internet, email and web services. Just-in-time administration is required at Maturity Level 3.

  6. Patch operating systems

    Patch or mitigate operating system vulnerabilities within 48 hours for internet-facing systems when an exploit exists or the vendor rates the vulnerability critical, and within two weeks otherwise. Replace operating systems that are no longer supported. At every maturity level, an automated asset discovery process and a vulnerability scanner with an up-to-date database must be used to find missing patches.

  7. Multi-factor authentication

    Require MFA for privileged users, for users of online services that handle the organisation's sensitive data, and for remote access. From Maturity Level 2, MFA must be phishing-resistant (for example FIDO2 security keys, passkeys or smart cards) rather than SMS or push-based codes.

  8. Regular backups

    Perform regular backups of important data, software and configuration settings, retained in a secure and resilient manner (offline or immutable copies) and tested by restoring them. Unprivileged accounts must not be able to access, modify or delete backups belonging to other accounts; at higher levels the same restriction applies to privileged accounts other than backup administrators, and backup administrators must not be able to modify or delete backups during their retention period.

The four maturity levels

The ASD defines four maturity levels for each strategy. Each level is defined by the adversary tradecraft it is designed to mitigate:

  • Maturity Level 0 — Not aligned. Significant weaknesses exist that are easy for adversaries to exploit.
  • Maturity Level 1 — Partly aligned. Mitigates opportunistic adversaries using widely available tools and techniques.
  • Maturity Level 2 — Mostly aligned. Mitigates adversaries who are more selective in their targeting and invest moderate effort.
  • Maturity Level 3 — Fully aligned. Mitigates adversaries who are more adaptive and less reliant on public tools, using techniques like credential theft and social engineering.

Most organisations should target Maturity Level 2 as a minimum. Government entities handling sensitive information, and organisations likely to be specifically targeted, should aim for Level 3. A level is only achieved when every criterion for that level is met across all eight strategies, so ASD recommends bringing all eight strategies to the same level before moving any of them higher.

Mapping Essential Eight to ISO 27001

Each Essential Eight strategy maps to one or more Annex A controls in ISO 27001:2022:

  • Application control → A.8.19 (Installation of software)
  • Patch applications → A.8.8 (Management of technical vulnerabilities)
  • Macro settings → A.8.19, A.8.23 (Web filtering)
  • Application hardening → A.8.9 (Configuration management)
  • Restrict admin privileges → A.8.2 (Privileged access rights)
  • Patch operating systems → A.8.8 (Technical vulnerabilities)
  • Multi-factor authentication → A.8.5 (Secure authentication)
  • Regular backups → A.8.13 (Information backup)

Implementing the Essential Eight effectively means you are already addressing several ISO 27001 Annex A controls, which shortens and simplifies certification. It does not replace the management-system requirements in clauses 4 to 10 (risk assessment, Statement of Applicability, internal audit), which the certification audit also assesses.

How to assess your maturity

  1. Self-assess each strategy — For each of the eight strategies, review the maturity criteria at each level. Be honest about where your controls actually are, not where you think they should be.
  2. Document evidence — Collect evidence for each control: screenshots, configuration exports, policy documents, training records. Your auditor will need these.
  3. Identify gaps — Where your current state falls short of your target maturity, document the gap and create a remediation plan with owners and deadlines.
  4. Prioritise by risk — Focus on the strategies that address your highest risks first. MFA and patching typically provide the biggest security uplift.
  5. Track progress continuously — Maturity isn’t a one-time assessment. Review quarterly and adjust as your environment changes.
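Self-assessment and evidence collection (steps 1 and 2) are easier to repeat each quarter when the technical checks are scripted. The following is an added example, not code from this page, from Standardise or from ASD: it gathers local configuration evidence on a Windows 10/11 workstation for the criteria that can be observed there (WDAC/AppLocker enforcement, Office macro policy, PowerShell Constrained Language Mode, removal of PowerShell 2.0, IE11 and .NET 3.5, and patch age). The Office 16.0 policy hive, the 14-day patch threshold, the `Meets` logic and the output file name are this example's own assumptions. MFA, backup protection and privileged-account criteria cannot be verified on an endpoint and need evidence from the identity provider, backup platform and directory instead.

```powershell
# Added example, not from the page, Standardise or ASD. Collects local configuration
# evidence for Essential Eight criteria observable on one Windows 10/11 workstation.
# Run in an elevated Windows PowerShell 5.1 session. Assumptions (this example's own,
# not ASD identifiers): the Office 16.0 policy hive, the 'Meets' thresholds, the CSV path.

function New-Finding {
    param([string]$Strategy, [string]$Check, [string]$Observed, [bool]$Meets)
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Collected = Get-Date -Format 's'
        Strategy  = $Strategy
        Check     = $Check
        Observed  = $Observed
        Meets     = $Meets
    }
}

function Get-EssentialEightEvidence {
    # Application control: WDAC enforcement state.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ci = $dg.CodeIntegrityPolicyEnforcementStatus
    New-Finding 'Application control' 'WDAC policy enforced (not audit)' "$ci" ($ci -eq 2)

    # Application control via AppLocker: which rule collections are in enforce mode, and
    # whether the Application Identity service that enforces them is actually running.
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $enforced = @((Get-AppLockerPolicy -Effective).RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
        $svc = (Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue).Status
        $required = 'Exe', 'Dll', 'Script', 'Msi'            # executables, libraries, scripts, installers
        $missing  = $required | Where-Object { $_ -notin $enforced }
        New-Finding 'Application control' 'AppLocker enforced for Exe/Dll/Script/Msi' "$enforced; AppIDSvc=$svc" ((-not $missing) -and $svc -eq 'Running')
    }

    # Office macro settings, per application, from the user Group Policy hive:
    # blockcontentexecutionfrominternet = 1 blocks macros in files from the internet;
    # VBAWarnings 4 = disable all without notification, 3 = disable except digitally signed.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $props = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        $blockInternet = $props.blockcontentexecutionfrominternet
        $vbaWarnings   = $props.VBAWarnings
        New-Finding 'Configure Office macro settings' "$app blocks macros from the internet" "$blockInternet" ($blockInternet -eq 1)
        New-Finding 'Configure Office macro settings' "$app macros disabled or signed-only (VBAWarnings)" "$vbaWarnings" ($vbaWarnings -in 3, 4)
    }

    # User application hardening: Constrained Language Mode, and PowerShell 2.0, IE11 and
    # .NET Framework 3.5 disabled or removed. A feature absent from the image counts as removed.
    $mode = $ExecutionContext.SessionState.LanguageMode
    New-Finding 'User application hardening' 'PowerShell Constrained Language Mode' "$mode" ($mode -eq 'ConstrainedLanguage')
    foreach ($feature in 'MicrosoftWindowsPowerShellV2', 'Internet-Explorer-Optional-amd64', 'NetFx3') {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue).State
        if (-not $state) { $state = 'NotPresent' }
        New-Finding 'User application hardening' "$feature disabled or removed" "$state" ($state -ne 'Enabled')
    }

    # Patch operating systems: age of the most recently installed update, as a rough proxy
    # for the two-week window. The 14-day threshold is this example's assumption.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { -1 }
    New-Finding 'Patch operating systems' 'Days since last installed update' "$age ($($latest.HotFixID))" ($age -ge 0 -and $age -le 14)
}

$findings = Get-EssentialEightEvidence
$findings | Format-Table Strategy, Check, Observed, Meets -AutoSize
# Keep the raw export alongside screenshots and policy exports as auditor evidence.
$findings | Export-Csv -Path (Join-Path $env:TEMP 'essential-eight-evidence.csv') -NoTypeInformation
```

The `Observed` column records the raw value rather than only a pass/fail, so the export stands as evidence even if a threshold is later disputed. Run it across a representative sample of workstations and servers and keep the dated CSVs; a single machine that passes says nothing about the fleet, and the model's maturity claim is only as strong as the weakest system in scope.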

How Standardise helps

Standardise includes a dedicated Essential Eight module with all eight strategies, 52 maturity criteria, and maturity level tracking. Track your progress toward your target maturity level, document evidence against each criterion, and see how your Essential Eight implementation maps to your ISO 27001 Statement of Applicability.
