Essential Eight Maturity Levels (ML0 to ML3) Explained

The Essential Eight maturity model runs from Maturity Level Zero to Maturity Level Three. ML0 means real gaps remain. ML1 to ML3 meet progressively more capable attackers. ASD expects the same level across all eight strategies, and your weakest one sets the score. It is a point-in-time measure, not a certification.

Most teams describe themselves as working towards Maturity Level Two. The model does not grade effort. It grades the state of eight specific strategies on the day they are measured, and it scores you at the lowest of the eight. One weak strategy caps the whole result, which is why the honest answer is usually a level below the one people quote.

What are the Essential Eight maturity levels?

Four levels, from Maturity Level Zero to Maturity Level Three. Each one is defined by the kind of attacker it is built to stop, not by a percentage or a tool count. ASD publishes them as the Essential Eight Maturity Model, first issued in June 2017 and last substantially revised in November 2023. Every step up the ladder assumes an adversary willing to spend more time, effort and tradecraft to get in. The job is to match your controls to the threat you actually face, then hold that line evenly across all eight. The complete Essential Eight guide sets out where the model sits in the wider ACSC picture.

What does each maturity level mean?

Read each level by the attacker it answers. ML0 records a gap. ML1 stops the opportunist. ML2 stops someone who invests in the attempt. ML3 stops an adversary who has chosen you specifically.

Maturity Level Zero means there are weaknesses in the overall posture and readily available techniques would compromise the system. It is not a resting place; it is a finding. Maturity Level One defends against attackers who use widely available commodity tools and are content with any victim who is easy enough. The November 2023 update lifted the ML1 bar, including stronger and phishing-resistant multi-factor authentication expectations. Maturity Level Two answers attackers who invest more time, target user credentials and work to bypass weaker MFA and basic monitoring. Maturity Level Three answers adaptive attackers who rely less on public tools, exploit small weaknesses to gain deeper and longer access, and focus on a particular target.

| Level | What it answers | Typically suits |
|-------|-----------------|-----------------|
| ML0 | Gaps in the baseline; commodity attacks would succeed | No one by choice; a starting finding |
| ML1 | Opportunistic attackers using commodity tradecraft | Small to medium enterprises |
| ML2 | Attackers who invest time and target credentials | Large enterprises; most Commonwealth entities (PSPF mandate) |
| ML3 | Adaptive attackers focused on you | Critical infrastructure and high-threat environments |

Why does the weakest strategy set your maturity?

Because an attacker needs only one open door. ASD measures your maturity as the lowest level reached across all eight strategies, not an average. You can run application control at ML3 and still sit at ML1 overall if your backups are untested or your Office macro settings are loose. ASD advises reaching the same level across all eight before lifting any single strategy higher. In assessment work this is the most common pattern we see: heavy investment in MFA sitting next to unpatched internet-facing software. The score follows the gap, not the showpiece.

Which maturity level do you need?

Choose the level by the threat you face, then check any mandate that applies to you. For non-corporate Commonwealth entities the PSPF has required all eight at Maturity Level Two or above since 1 July 2022, with ML3 where the threat environment warrants it. State and territory governments and private organisations are not bound by the PSPF, but the same level turns up in contracts, grants and tenders. ASD maps ML1 to small and medium enterprises, ML2 to large enterprises, and ML3 to critical infrastructure and other high-threat settings. Size is a guide, not the rule. What decides it is who would come after your systems and what they would spend to get in.

How is your maturity level assessed?

By assessment against the Essential Eight assessment process guide, at a point in time. A level is a snapshot. It drifts the moment a system changes: a new application, a relaxed macro policy, a backup that quietly stops being tested. There is no pass mark and no certificate, only an implementation status recorded for each strategy. The November 2023 model raised several requirements, so a result measured against an older version is not comparable. An independent Essential Eight assessment against the current model gives you a defensible baseline and a remediation order; you then reassess on a regular cadence and after material change.

Is a higher maturity level always better?

No. Aim for the level that matches your threat, and reach it evenly. Claiming ML3 on paper while the basics wobble is weaker than a clean, consistent ML2. ML3 controls assume an adversary already working against your defences; if that is not your threat, the spend is better placed on closing the eight evenly. The Essential Eight is also a baseline, not the whole picture. The Information Security Manual holds hundreds of further controls across governance, personnel, physical security and incident response that the eight do not touch.

Is Maturity Level Zero a fail?

There is no pass or fail. ML0 records that one or more strategies fall short of Maturity Level One. It is a finding to act on, not a grade you keep.

Can you be different maturity levels for different strategies?

In practice yes, and most organisations are. Your reported maturity is the lowest level reached across all eight, so a single lagging strategy sets the overall result.

Is Maturity Level Two mandatory?

For non-corporate Commonwealth entities, yes, under the PSPF since 1 July 2022. Other organisations are not legally bound but often commit to ML2 through contracts and tenders.

How often should maturity be reassessed?

Maturity is a point-in-time measure and drifts as systems change. Reassess on a regular cadence and after any material change, always against the current version of the model.


Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ASD, Essential Eight Maturity Model, November 2023
  2. ASD, Essential Eight explained, accessed June 2026
  3. ASD, Essential Eight maturity model changes, November 2023
  4. ASD, Essential Eight assessment process guide, accessed June 2026
  5. PSPF, information security policy (Maturity Level Two requirement), from 1 July 2022
  6. ASD, The Commonwealth Cyber Security Posture in 2025, 2025

Last updated: 21 June, 2026