Essential Eight: The Complete Australian Guide

The Essential Eight is a set of eight prioritised mitigation strategies from the Australian Cyber Security Centre. Implemented together to a target maturity level, they defend against the most common cyber threats. An Essential Eight assessment measures your current maturity and gives you a prioritised roadmap to the level you need.

This guide covers what the Essential Eight is, the maturity model, who has to implement it, how an assessment runs, what it costs, and how it sits alongside the ISM and ISO 27001. Each section gives its answer on the page and links out where there is more to say.

What is the Essential Eight?

The Essential Eight is the ACSC’s baseline set of eight mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. The first seven lower the chance of a compromise; backups limit the damage when one gets through. They are designed to be implemented as a package, not cherry-picked. The ACSC sets out each one in Essential Eight explained.

The maturity model, from Level Zero to Three

The Essential Eight Maturity Model defines four levels. Maturity Level Zero means there are weaknesses in the organisation’s posture. Levels One, Two and Three describe increasingly capable mitigation, mapped to increasingly capable adversaries. You do not aim for Level Three by default. You choose a target level based on the threats you face and the data you hold, and for most non-corporate Commonwealth entities Maturity Level Two is the common baseline.

Who needs the Essential Eight?

The Australian Government requires non-corporate Commonwealth entities to implement the Essential Eight, so for federal agencies it is a standing obligation. State agencies apply equivalent requirements. Private organisations are increasingly asked to demonstrate Essential Eight maturity to win a government contract, satisfy a cyber insurance policy, or answer a supplier security questionnaire, and many use it as a practical baseline before pursuing ISO 27001.

How an Essential Eight assessment works

An assessment is an independent measure of your current maturity against the model, followed by a prioritised roadmap to your target. It runs in two stages: first, a documentation and configuration review of your security policies, configuration baselines, patch records and access controls against each strategy at the target level; then, reporting. You receive a maturity assessment report across all eight strategies, a heatmap of current versus target, a prioritised remediation roadmap with effort estimates, and an executive summary for the board.

How long it takes, and what it costs

An Essential Eight assessment typically runs three to six weeks, depending on the size of the environment and how ready your evidence is. Cost is scoped to the environment rather than published as a fixed rate. The assessment itself is the smaller number. Closing the gaps it finds is where the real effort sits.

The Essential Eight and the ISM

The Essential Eight is a subset of the broader Information Security Manual. The ISM is the full ASD control framework; the Essential Eight is the prioritised starting point within it. Meeting the Essential Eight is a strong foundation, but it is not the same as meeting the ISM, which an IRAP assessment evaluates in full. See IRAP assessment: the complete Australian guide.

Essential Eight or ISO 27001?

They serve different purposes and work well together. The Essential Eight is a focused set of technical controls with a maturity model; ISO 27001 is a management system standard that governs how you run security across the organisation. The Essential Eight is often the faster, more technical baseline, and a sensible step before or alongside ISO 27001.

Cybernion provides independent Essential Eight assessments and a prioritised roadmap to your target maturity. See Essential Eight assessments.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us. We aren’t always chasing a transaction.

Sources:

  1. ACSC Essential Eight Maturity Model, 2025
  2. ACSC Essential Eight Explained, 2025
  3. Protective Security Policy Framework

Last updated: 21 June, 2026