Essential Eight Compliance Checklist

Essential Eight compliance is not a certificate. It means implementing all eight mitigation strategies to a chosen maturity level, confirmed by a point in time assessment against ASD’s maturity model. Your weakest strategy sets your level, so the checklist is really eight checklists that have to move together.

What does Essential Eight compliance actually mean?

Start with what it is not. There is no Essential Eight certificate, no pass mark, and no badge that lasts a year. ASD does not certify anyone. Compliance means you have implemented the eight strategies to a maturity level, and an assessment has confirmed it at a point in time against the ASD maturity model.

The catch is in the scoring. Your maturity level is set by your weakest strategy, not your average. Seven strategies at Maturity Level Two and one at Maturity Level One make you Maturity Level One. ASD’s advice is to reach the same level across all eight before lifting any higher. That is why a checklist treated as a list to tick misses the point. The eight move together or not at all.

The eight controls, and what to check for each

The eight strategies are the most effective subset of ASD’s Strategies to Mitigate Cyber Security Incidents, built for internet connected Windows networks. Below is what compliance looks like for each, and where assessments most often find the gap. The exact timeframes and methods step up by maturity level, so read this against the level you are targeting.

| Strategy | What compliance looks like | Where it slips |
| --- | --- | --- |
| Patch applications | Critical or exploited vulnerabilities in office productivity suites, browsers and their extensions, email clients, PDF and security software patched within 48 hours; other vulnerabilities within two weeks; scanning at least weekly | A forgotten browser extension or PDF reader on a handful of machines |
| Patch operating systems | Critical or exploited vulnerabilities in internet facing servers and network devices within 48 hours; workstation and non internet facing operating systems within one month; unsupported versions removed | An end of life server kept alive for one legacy application |
| Multi factor authentication | MFA on internet facing services, important data repositories and privileged access; phishing resistant methods at the higher levels | SMS codes treated as enough, or a VPN left exempt “for now” |
| Restrict administrative privileges | Privileged access validated, time limited and separated from email and web browsing; admin accounts cannot read mail or browse the internet | Domain admins doing day to day work from the same account |
| Application control | Execution of applications, scripts, installers and drivers limited to an approved set on workstations and servers | Allowlisting left in audit only mode that no one switched to enforce |
| Restrict Microsoft Office macros | Macros blocked for users without a demonstrated need; macros from the internet blocked; the rest scanned and logged | Macros enabled organisation wide because one finance template needs them |
| User application hardening | Browsers configured to block Flash, web advertisements and Java from the internet; unneeded features disabled; hardening verified, not assumed | Default browser builds with no hardening baseline applied |
| Regular backups | Backups of important data, software and configuration retained, and restoration tested; backups protected from the accounts that could delete them | Backups that have never been restored, or that a compromised admin could wipe |

Which maturity level do you need to reach?

There are three target levels, plus Maturity Level Zero for anything short of One. The levels are defined by the adversary, not the size of your business. Maturity Level One is calibrated to attackers using widely available, commodity tools. Maturity Level Two assumes adversaries willing to invest more time, target credentials and work around weaker MFA. Maturity Level Three assumes adaptive attackers focused on a specific target and less reliant on public tools.

ASD suggests Maturity Level One may suit small to medium businesses, Two large enterprises, and Three critical infrastructure and high threat environments, but the choice follows the threat you face, not a headcount. For non corporate Commonwealth entities the decision is made for you: the Protective Security Policy Framework has required Maturity Level Two across all eight since 1 July 2022, with Maturity Level Three considered where the threat warrants.

How is compliance measured?

By assessment, against ASD’s Essential Eight assessment process guide. An assessor tests each strategy with a mix of interviews, document review and technical checks, then records a maturity level per strategy and overall. How long that takes and what it costs depends on the size of the environment, which we cover in the assessment timeline and cost articles.

The result is a snapshot. It describes the system on the day it was tested, which is why ASD frames maturity as point in time. Systems drift. A new application, a relaxed macro setting or a missed patch cycle can drop a strategy a level between assessments. Treating the assessment as the finish line is the common mistake. It tells you where you stood. The work is keeping it there.

Where do organisations lose marks?

A few patterns show up again and again. The first is the average trap: teams report a blended score and are surprised when the assessor records the lowest one. The second is evidence. The control is in place, but there is nothing to show it was in place last month, so it cannot be substantiated. The third is scope creep dressed as an exception, the VPN or the legacy box left outside MFA or patching “temporarily”, which is exactly where an attacker looks first. The fourth is backups that have never been restored. A backup you have not tested is a hope, not a control.
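The following Python is an added example, not code from ASD, Cybernion or this article. It turns three rules from the table and the paragraph above into a self-check that can run over an organisation’s own records: the patch windows for the two patching strategies (48 hours, two weeks, one month), the evidence rule (a control with no dated evidence inside the review cycle cannot be substantiated), and the weakest-strategy rule (overall level is the minimum, never the average). The strategy keys, the 30 day reading of “one month”, the 90 day evidence cycle, the choice to score an unsubstantiated strategy as zero, and every date and identifier in the sample data are assumptions made for illustration.

```python
"""Essential Eight self-check helpers (added example, not ASD's or Cybernion's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Strategy keys are an assumption of this example, not ASD's identifiers.
STRATEGIES = (
    "patch_applications", "patch_operating_systems", "multi_factor_authentication",
    "restrict_administrative_privileges", "application_control",
    "restrict_office_macros", "user_application_hardening", "regular_backups",
)

HOURS_48 = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)          # assumption: "one month" modelled as 30 days
EVIDENCE_MAX_AGE = timedelta(days=90)   # assumption: quarterly review cycle


@dataclass
class Vulnerability:
    vuln_id: str                  # constructed label, not a real CVE
    strategy: str                 # "patch_applications" or "patch_operating_systems"
    internet_facing: bool         # servers and network devices exposed to the internet
    critical_or_exploited: bool
    released: datetime            # when the vendor fix became available
    patched: Optional[datetime]   # None while still unpatched


def patch_window(v: Vulnerability) -> timedelta:
    """Deadline the checklist sets for this vulnerability."""
    if v.strategy == "patch_applications":
        return HOURS_48 if v.critical_or_exploited else TWO_WEEKS
    if v.strategy == "patch_operating_systems":
        # The table gives two OS windows; everything outside the 48 hour
        # case is treated as one month here (assumption).
        if v.internet_facing and v.critical_or_exploited:
            return HOURS_48
        return ONE_MONTH
    raise ValueError(f"not a patching strategy: {v.strategy}")


def is_overdue(v: Vulnerability, now: datetime) -> bool:
    """True when the fix landed after its deadline, or is still missing past it."""
    deadline = v.released + patch_window(v)
    return (v.patched if v.patched is not None else now) > deadline


@dataclass
class StrategyResult:
    strategy: str
    level: int                          # 0..3 as recorded for that strategy
    evidence_dated: Optional[datetime]  # most recent dated evidence, if any


def is_substantiated(r: StrategyResult, now: datetime) -> bool:
    """Evidence must exist and fall inside the review cycle."""
    return r.evidence_dated is not None and now - r.evidence_dated <= EVIDENCE_MAX_AGE


def effective_levels(results, now: datetime) -> dict:
    """Per strategy level after the evidence rule; missing or unsubstantiated scores 0."""
    by_name = {r.strategy: r for r in results}
    out = {}
    for name in STRATEGIES:
        r = by_name.get(name)
        out[name] = r.level if r is not None and is_substantiated(r, now) else 0
    return out


def overall_level(results, now: datetime) -> int:
    """Weakest strategy sets the level, never the average."""
    return min(effective_levels(results, now).values())


# Constructed sample data: dates and identifiers are illustrative only.
NOW = datetime(2026, 6, 21)
SAMPLE_VULNS = [
    Vulnerability("APP-1", "patch_applications", False, True,
                  datetime(2026, 6, 10, 9), datetime(2026, 6, 11, 8)),   # 23h, on time
    Vulnerability("APP-2", "patch_applications", False, False,
                  datetime(2026, 5, 20), datetime(2026, 6, 5)),          # 16 days, late
    Vulnerability("OS-1", "patch_operating_systems", True, True,
                  datetime(2026, 6, 18, 12), None),                      # 60h open, late
    Vulnerability("OS-2", "patch_operating_systems", False, True,
                  datetime(2026, 6, 1), datetime(2026, 6, 20)),          # 19 days, on time
]
SAMPLE_RESULTS = [
    StrategyResult(name, 2, datetime(2026, 5, 15)) for name in STRATEGIES
    if name not in ("application_control", "multi_factor_authentication")
] + [
    StrategyResult("application_control", 1, datetime(2026, 5, 15)),  # allowlisting in audit mode
    StrategyResult("multi_factor_authentication", 2, None),           # in place, no evidence kept
]


def run_self_check(vulns=SAMPLE_VULNS, results=SAMPLE_RESULTS, now=NOW) -> dict:
    """Summarise what an assessor would record for this snapshot."""
    return {
        "overdue": sorted(v.vuln_id for v in vulns if is_overdue(v, now)),
        "unsubstantiated": [r.strategy for r in results if not is_substantiated(r, now)],
        "recorded_minimum": min(r.level for r in results),
        "overall": overall_level(results, now),
    }


if __name__ == "__main__":
    print(run_self_check())
```

On the sample data the recorded minimum is Maturity Level One (application control still in audit mode), but the overall result drops to zero because MFA, although in place, has no evidence behind it; that is the average trap and the evidence gap from the paragraph above in one run. Feeding the functions real patch and evidence records, and scheduling the check on the quarterly cycle, is what keeps the assessment a confirmation rather than a surprise.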

Used well, the eight rows above are a working list, not a wall plaque. Run them quarterly, keep the evidence, and the assessment becomes a confirmation rather than a surprise. If you want a second set of eyes, Cybernion runs independent Essential Eight assessments against the maturity model.

Frequently asked questions

Is there an Essential Eight certificate?

No. ASD does not certify or issue a pass mark. Compliance means implementing the eight strategies to a maturity level, confirmed by a point in time assessment.

What maturity level does my organisation need?

It depends on the threat you face. Non corporate Commonwealth entities must reach Maturity Level Two under the PSPF. Others choose a level against their risk, commonly One for small business, Two for larger enterprises, and Three for high threat environments.

How often should we assess against the Essential Eight?

Maturity is point in time and drifts as systems change. Many organisations assess annually, self check more often, and reassess after any material change to the environment.

Does meeting the Essential Eight mean we are fully secure?

No. The Essential Eight is a baseline for internet connected Windows networks. The Information Security Manual holds hundreds of further controls covering governance, personnel, physical security and incident response.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. Essential Eight maturity model, ASD / cyber.gov.au (November 2023 version, current June 2026)
  2. Essential Eight maturity model changes, ASD / cyber.gov.au, November 2023
  3. Essential Eight assessment process guide, ASD / cyber.gov.au
  4. Essential Eight explained, ASD / cyber.gov.au
  5. PSPF information security policy, protectivesecurity.gov.au, 2022

Last updated: 21 June, 2026