How Long Does an Essential Eight Assessment Take?

Most Essential Eight assessments run three to six weeks for a single environment, from the first working session to the final report. After a short scoping step, the work splits into documentation and configuration review, then reporting. What moves the timeline is the size of your environment, how many of the eight strategies are already evidenced, and the maturity level you are being measured against.

How long does an Essential Eight assessment take?

Three to six weeks is the realistic range for a single environment, measured from the first working session to the final report. A small, well documented environment being measured at Maturity Level One sits at the short end. A large estate, or one where evidence has to be gathered from scratch across all eight strategies, runs longer. The assessment is point in time. It measures where you are on the day, not where you intend to be.

That range assumes one environment and a defined scope. Multiple operating environments, separate business units, or a mix of cloud and on premises each add their own review. What drives the timeline is not the assessment itself but how quickly your evidence can be produced.

What happens in each phase?

After scoping and kickoff, an assessment runs in two phases. First, documentation and configuration review: the assessor collects your policies, system configurations, patch records, backup logs and administrative access registers, then tests them against the eight strategies. Second, reporting: the findings become a maturity rating for each strategy, a current versus target heatmap, and a remediation roadmap.

Phase | What happens | Indicative duration
Scoping and kickoff | Confirm the environment, the target maturity level and who provides evidence | A few days
Documentation and configuration review | Collect and test policies, configurations, patch and backup records against the eight strategies | One to three weeks
Reporting | Maturity rating per strategy, a current versus target heatmap, and a remediation roadmap ranked by risk | One to two weeks

Durations above are indicative; the work is scoped by complexity. Where teams lose a week is access. An assessor cannot rate application control or Microsoft Office macro settings from a slide deck. They need to see the live configuration on a representative host, and someone with the permissions to read policy has to be in the room.
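One way to have that configuration evidence ready before the assessor arrives, as an added example that is not part of the original article or of any ASD tool: a PowerShell script run on a representative Windows workstation that exports the effective AppLocker policy and the policy-enforced Office macro settings to a timestamped JSON file. It assumes an Office 2016 or later install (the 16.0 registry branch), AppLocker rather than WDAC as the application control mechanism, and a session run by someone with read access to the applied policy; the output file name is an arbitrary choice.

```powershell
# Added example, not from the original article. Collects the two items the text above
# says cannot be rated from a slide deck: application control and Office macro settings.
# Assumes Office 2016+ (registry branch 16.0) and AppLocker as the application control tool.

$report = [ordered]@{}

# 1. Application control: the effective AppLocker policy on this host (local + GPO merged), as XML.
#    Get-AppLockerPolicy -Effective is a built-in cmdlet of the AppLocker module.
try {
    $report['AppLockerEffectivePolicy'] = Get-AppLockerPolicy -Effective -Xml
} catch {
    $report['AppLockerEffectivePolicy'] = "Not available: $($_.Exception.Message)"
}

# 2. Office macro settings, read from the policy hive (HKCU\Software\Policies) that GPO or Intune
#    writes, not the user-editable HKCU\Software\Microsoft values a user could change back.
#    VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = disable except signed,
#    4 = disable all without notification. blockcontentexecutionfrominternet: 1 = block macros
#    in files marked as downloaded from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'VBAWarnings', 'blockcontentexecutionfrominternet') {
        $value = if ($null -ne $vals -and $null -ne $vals.$name) { $vals.$name } else { 'not set by policy' }
        $report["$app $name"] = $value
    }
}

# Stamp the evidence: the assessment is point in time, so record when and where it was taken.
$report['CollectedAt'] = (Get-Date).ToString('o')
$report['Host']        = $env:COMPUTERNAME
$report['User']        = "$env:USERDOMAIN\$env:USERNAME"

# File name is an arbitrary choice for this example.
$out = "e8-evidence-$($env:COMPUTERNAME).json"
$report | ConvertTo-Json -Depth 3 | Out-File -Encoding utf8 $out
Write-Output "Evidence written to $out"
```

A value of "not set by policy" for any macro key is itself a finding: the setting may still be locked down through the user hive, but an assessor will want to see it enforced centrally. If application control is delivered with WDAC rather than AppLocker, the equivalent evidence is the deployed code integrity policy rather than the AppLocker output, and the script would need adjusting.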

What makes an Essential Eight assessment faster or slower?

Four things move the timeline. Scope, meaning the number of environments and systems in the boundary. Evidence readiness, meaning whether documentation is current or reconstructed during the assessment. The target maturity level, since Maturity Levels Two and Three require more evidence, including phishing resistant multi factor authentication and tighter patch windows. And whether you want an assessment only, or an assessment with a roadmap to a target level. One point catches people out: the weakest of the eight strategies sets your level, so an assessor still examines all eight even when you are confident about seven.

Why does the maturity level change the timeline?

Because each level raises the bar on evidence. At Maturity Level One the assessor confirms controls that defend against widely available, commodity tradecraft are in place. At Maturity Level Two they check tighter patch windows, stronger logging and phishing resistant MFA for users of systems and online services, privileged users included. At Maturity Level Three they look for controls that hold against an adversary focused on your organisation. ASD advises reaching the same level across all eight strategies before going higher, so the assessment covers the full set at your target level, not only your strong strategies. More to evidence at each step means more days.

How does this compare to an IRAP assessment?

Different scale. An Essential Eight assessment measures eight mitigation strategies and runs three to six weeks. An IRAP assessment reviews a system against the hundreds of controls in the Information Security Manual and runs twelve to sixteen weeks. The Essential Eight is a baseline, not a substitute for the ISM. If you are new to the framework, start with what the Essential Eight is, weigh it against what an assessment costs, or read the complete Australian guide.

Frequently asked questions

Is an Essential Eight assessment a certification?

No. There is no pass mark and no certificate. Maturity is a point in time rating against the ASD Essential Eight Maturity Model, and it drifts as systems change.

How often should you reassess?

Treat it as continuous. Maturity drifts as systems and configurations change. Many organisations reassess each year or after a material change, and non corporate Commonwealth entities report their maturity annually under the PSPF.

Can you assess yourself, or do you need an independent assessor?

The model can be self assessed. An independent assessment carries more weight with boards, agencies and customers, and an experienced assessor finds evidence gaps a self assessment tends to miss.

Do you need Maturity Level Two or Three?

Non corporate Commonwealth entities must reach at least Maturity Level Two under the PSPF. For everyone else the right level is set by the threat the organisation faces, not its size.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ASD Essential Eight Maturity Model, current June 2026 (November 2023 release)
  2. ASD Essential Eight Assessment Process Guide, November 2023
  3. ASD Essential Eight Explained
  4. PSPF information security policy, Maturity Level Two mandate

Last updated: 21 June, 2026