An Essential Eight assessment has no list price, so its cost is set by scope. For most organisations the assessment itself is a contained engagement of a few weeks. The larger spend sits after it, in the remediation needed to reach your target maturity level and the work to hold that level as systems change.
Most quotes for an Essential Eight assessment answer the smaller question. Measuring where you sit against the eight strategies is the cheap part. Closing the gaps the measurement exposes is where the budget goes, and the gap is almost always wider than the brief assumed. Price the remediation, not just the assessor’s days.
What does an Essential Eight assessment cost?
There is no published rate. The work is scoped to the size and complexity of what is being assessed, so a single, well-bounded environment costs a fraction of a sprawling estate with several operating system fleets and a long list of business applications. A fixed price is set once that scope is clear.
As a guide to effort, a focused maturity assessment runs about three to six weeks from documentation review to the final report. That window, and the day rate behind it, is the figure most people mean by cost. It is also the smallest number in the exercise. Treat it as the entry fee, not the bill.
What drives the price of an Essential Eight assessment?
Five things move the number more than anything else: how much is in scope, the maturity level you are assessed against, how ready your evidence is, whether the assessment tests configurations or only reviews documents, and the size of the estate behind the eight strategies.
| Cost driver | Why it moves the price |
|---|---|
| Scope and number of environments | Each separate system, tenancy or operating environment is assessed on its own, so more boundaries means more work |
| Target maturity level | Maturity Level Two and Three demand stronger controls and more evidence than Level One, so they take longer to assess and far longer to reach |
| Evidence readiness | Organised, current evidence shortens the assessment, while reconstructing it during the engagement extends it |
| Documentation review versus configuration testing | Confirming a control actually works in the environment costs more than reading a policy that says it should |
| Size of the estate | More operating systems, applications, servers and privileged accounts mean more to sample and verify |
Why is remediation the bigger cost?
Because the assessment only measures. Reaching a level means changing how the environment runs, and the maturity model scores you at your weakest of the eight strategies, so one neglected control caps the whole result.
Lifting all eight to Maturity Level Two is where money is actually spent: phishing-resistant multi-factor authentication, application control across workstations and servers, a patching cadence measured in days for critical vulnerabilities, and backups you have tested by restoring. Some of that is licensing. Most of it is engineering time and the disruption of changing settled habits. Budget for the climb, not the photograph.
What do you get for the assessment fee?
An independent maturity assessment against the ACSC Essential Eight Maturity Model, run in two phases: a documentation and configuration review, then reporting.
The deliverables are a maturity report, a heatmap of current against target maturity for each of the eight strategies, a prioritised remediation roadmap, and an executive summary written for a board rather than an engineer. The roadmap is the part that earns its keep. It turns the score into a sequence of work with the weakest strategies first, so the next dollar lifts your level rather than polishing a strategy that is already there.
How often do you pay for it?
More than once. Maturity is a point-in-time measure and it drifts as systems, staff and software change, so a level you reach this quarter is not a level you keep without effort.
Non-corporate Commonwealth entities are expected to reach at least Maturity Level Two and to keep demonstrating it, which in practice means periodic reassessment rather than a single sign-off. State agencies and private organisations adopt the same rhythm when a contract, grant or tender asks for evidence. Build the reassessment into the annual budget alongside the remediation it will surface.
How do you keep the cost down?
Scope tightly, prepare the evidence, and do not buy more maturity than your threat warrants. ASD sets the suitable level against the threat an organisation faces, not its size: Level One may suit smaller businesses, Level Two suits large enterprises, and Level Three is aimed at critical infrastructure and high-threat environments.
Chasing Level Three when Level Two is the genuine requirement multiplies both the remediation and the assessment, for protection against attackers who were never going to target you. Fix the obvious gaps before the assessor arrives, and bring evidence that already exists rather than building it on the clock.
No. There is no published rate. The assessment is scoped to the size and complexity of the environment, and a fixed price is set once that scope is clear.
No. An Essential Eight assessment measures maturity at a point in time. It is not a certification and there is no pass mark. Reaching and holding a level is separate work.
Usually, yes. The assessment is a few weeks of work. Lifting all eight strategies to Maturity Level Two can take months of engineering and licensing, and it is where most of the budget goes.
For most organisations, about three to six weeks, from the documentation and configuration review through to the final report and roadmap.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ASD, Essential Eight Maturity Model, November 2023
- ASD, Essential Eight explained, accessed June 2026
- PSPF, information security policy, Maturity Level Two for non-corporate Commonwealth entities
- ASD, The Commonwealth Cyber Security Posture in 2025
Last updated: 21 June, 2026
