Essential Eight Maturity Model
Learn about the ACSC Essential Eight mitigation strategies, maturity levels 0-3, and how Standardise tracks your implementation progress per strategy.
Overview
The Essential Eight Maturity Model is a set of baseline cyber security mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). Originally derived from the broader Strategies to Mitigate Cyber Security Incidents, the Essential Eight represents the most effective strategies for protecting internet-connected IT networks. While not mandatory for all private sector organisations, it is required for non-corporate Commonwealth entities and is widely adopted as the de facto cyber security baseline across Australian government and industry.
The Eight Strategies
The Essential Eight strategies are grouped into three objectives: preventing malware delivery and execution, limiting the extent of incidents, and recovering data and system availability.
Prevent Attacks
- Application Control — Prevent execution of unapproved or malicious programs including executables, DLLs, scripts, and installers on workstations and servers.
- Patch Applications — Patch security vulnerabilities in applications (web browsers, office suites, PDF viewers, email clients) within defined timeframes. Remove applications that are no longer supported by vendors.
- Configure Microsoft Office Macro Settings — Block macros from the internet, disable macros for users who do not require them, and only allow vetted macros from trusted locations or signed by trusted publishers.
- User Application Hardening — Block web advertisements and Java from the internet, and disable unneeded features in web browsers, Microsoft Office, and PDF viewers.
Limit Extent of Incidents
- Restrict Administrative Privileges — Limit privileged access based on user duties. Revalidate access regularly. Prevent privileged accounts from reading email or browsing the web.
- Patch Operating Systems — Patch operating systems on workstations, servers, and network devices within defined timeframes. Replace unsupported operating systems.
- Multi-Factor Authentication — Require MFA for internet-facing services, remote access (VPN, RDP, SSH), privileged actions, and access to sensitive data repositories.
Recover Data and System Availability
- Regular Backups — Back up important data, software, and configuration settings daily. Store backups disconnected from the network, retain them for at least three months, and test restoration regularly.
Maturity Levels
Each strategy is assessed against four maturity levels:
- Maturity Level 0 — Weaknesses exist that could be exploited. The strategy is not implemented or is fundamentally inadequate.
- Maturity Level 1 — Partly aligned with the intent of the strategy. Addresses the most common techniques used by adversaries with limited tradecraft and targeting.
- Maturity Level 2 — Mostly aligned. Addresses adversaries with moderate tradecraft and targeting that are willing to invest more effort.
- Maturity Level 3 — Fully aligned. Addresses adversaries with advanced tradecraft and targeting, including nation-state actors and cybercrime syndicates.
Organisations should aim for a consistent maturity level across all eight strategies. Achieving Maturity Level 3 on one strategy but Level 0 on another does not meaningfully reduce overall risk, because adversaries will target the weakest link.
ISO 27001 Alignment
The Essential Eight strategies map to multiple ISO 27001:2022 Annex A controls. For example, Application Control aligns with A.8.19 (Installation of software), Patch Applications with A.8.8 (Management of technical vulnerabilities), and Multi-Factor Authentication with A.8.5 (Secure authentication). Implementing the Essential Eight provides concrete, measurable evidence of ISO 27001 control effectiveness.
How Standardise Helps
The AU Compliance Hub includes an Essential Eight tab that tracks all eight strategies with their implementation criteria per maturity level. For each strategy, Standardise provides:
- A breakdown of specific implementation criteria at each maturity level (1, 2, and 3), based on the official ACSC guidance
- Individual tracking of each criterion so you can record whether it has been met, partially met, or not yet addressed
- An overall maturity assessment per strategy, calculated from the criteria you have satisfied at each level
- Visibility across all eight strategies at a glance, so you can identify gaps and work toward a consistent maturity level
- Integration with the Risk Register, where unaddressed Essential Eight gaps can be raised as risks and linked to treatment plans
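The scoring described above (cumulative maturity levels per strategy, and the weakest strategy setting the overall result) can be made concrete in a few lines. The following is an added example, not Standardise product code or ACSC material. It assumes three things the page does not spell out: that a strategy reaches Maturity Level n only when every criterion at levels 1 to n is met, that a partially met criterion does not count as met, and that overall maturity is the lowest level achieved across all eight strategies. The criteria text is constructed placeholder data, not the official ACSC criteria.

```python
"""Per-strategy and overall Essential Eight maturity scoring (illustrative, not product code).

Assumptions (not stated on the page): levels are cumulative, "partially met" does not
count as met, and overall maturity is the minimum across the eight strategies.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    MET = "met"
    PARTIAL = "partially met"
    NOT_MET = "not met"


@dataclass
class Criterion:
    level: int            # maturity level this criterion belongs to: 1, 2 or 3
    text: str             # placeholder description (constructed, not ACSC wording)
    status: Status = Status.NOT_MET


@dataclass
class Strategy:
    name: str
    criteria: list[Criterion] = field(default_factory=list)

    def maturity(self) -> int:
        """Highest level n such that every criterion at levels 1..n is met; 0 if ML1 is incomplete."""
        achieved = 0
        for level in (1, 2, 3):
            at_level = [c for c in self.criteria if c.level == level]
            # A level counts only if it has criteria and all of them are fully met.
            if at_level and all(c.status is Status.MET for c in at_level):
                achieved = level
            else:
                break          # cumulative: a gap here blocks every higher level
        return achieved

    def gaps(self, target: int) -> list[Criterion]:
        """Criteria at or below `target` that are not fully met (candidates for the Risk Register)."""
        return [c for c in self.criteria if c.level <= target and c.status is not Status.MET]


STRATEGY_NAMES = [
    "Application Control", "Patch Applications",
    "Configure Microsoft Office Macro Settings", "User Application Hardening",
    "Restrict Administrative Privileges", "Patch Operating Systems",
    "Multi-Factor Authentication", "Regular Backups",
]


def sample_strategies() -> list[Strategy]:
    """Constructed sample data: one placeholder criterion per level for each strategy."""
    strategies = [
        Strategy(name, [Criterion(lvl, f"{name} ML{lvl} criterion (placeholder)") for lvl in (1, 2, 3)])
        for name in STRATEGY_NAMES
    ]
    for s in strategies:
        for c in s.criteria:
            c.status = Status.MET
    by_name = {s.name: s for s in strategies}
    # A partial ML3 criterion caps MFA at ML2.
    by_name["Multi-Factor Authentication"].criteria[2].status = Status.PARTIAL
    # An unmet ML1 criterion drops Regular Backups to ML0 even though its ML2/ML3 criteria are met.
    by_name["Regular Backups"].criteria[0].status = Status.NOT_MET
    return strategies


def maturity_report(strategies: list[Strategy]) -> dict[str, int]:
    """Map each strategy name to its achieved maturity level."""
    return {s.name: s.maturity() for s in strategies}


def overall_maturity(strategies: list[Strategy]) -> int:
    """The weakest strategy determines the organisation's overall Essential Eight maturity."""
    return min(s.maturity() for s in strategies)


if __name__ == "__main__":
    sample = sample_strategies()
    for name, level in maturity_report(sample).items():
        print(f"{name:45s} ML{level}")
    print(f"Overall maturity: ML{overall_maturity(sample)}")
    backups = next(s for s in sample if s.name == "Regular Backups")
    for c in backups.gaps(target=1):
        print(f"Gap blocking ML1 for {backups.name}: {c.text} [{c.status.value}]")
```

The sample illustrates the point made under Maturity Levels: six strategies at ML3 and one at ML2 still give an overall ML0 because Regular Backups has an unmet ML1 criterion, and `gaps()` returns exactly the criteria a practitioner would raise as risks.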