The Essential Eight and ISO 27001 answer different questions. The Essential Eight is a set of eight technical mitigations the Australian Signals Directorate prescribes for hardening internet-connected, Windows-based IT networks, measured against a maturity model. ISO/IEC 27001 is the international standard for an information security management system, certifiable by an accredited body, covering governance, people, physical and technological controls and the risk process that ties them together. Government suppliers usually need the first; commercial sellers usually need the second. Plenty of growing companies need both.
What is the difference between the Essential Eight and ISO 27001?
One is a set of technical controls. The other is a management system. The Essential Eight is the subset of the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents that ASD rates most effective: eight mitigations aimed at internet-connected, Windows-based IT networks. ISO/IEC 27001 is the international standard for an information security management system, a way of governing security across the whole organisation that an accredited certification body can audit and certify.
The gap shows up in what each one asks of you. The Essential Eight asks whether eight specific things are done well enough to reach a maturity level. ISO 27001 asks whether you run a system that finds your risks, treats them, and keeps doing so under management oversight. You can reach Maturity Level Two without a single documented policy beyond configuration. You cannot pass an ISO 27001 audit that way. Different problems, different proof.
Which one is mandatory in Australia?
For federal government, the Essential Eight. Under the Protective Security Policy Framework, non-corporate Commonwealth entities have had to implement all eight strategies to at least Maturity Level Two since 1 July 2022, and to consider Maturity Level Three where the threat warrants it. ISO 27001 carries no such government mandate in Australia. Its pressure comes from the market: enterprise customers, tenders and partners that will not sign until they see a current certificate.
So the question is rarely which is compulsory in the abstract. It is who you sell to. A SaaS provider chasing a Commonwealth contract is measured against the Essential Eight, and often the ISM through an IRAP assessment above it. A SaaS provider selling to banks or into the United States is measured against ISO 27001 or SOC 2. The buyer sets the framework, not the other way round.
| Dimension | Essential Eight | ISO 27001 |
|---|---|---|
| Set by | Australian Signals Directorate | ISO and IEC (international) |
| What it covers | Eight technical mitigations for Windows IT networks | A full information security management system: governance, people, physical, technical |
| Form | Prescriptive controls and a maturity model | Management system clauses (4 to 10) plus 93 Annex A controls |
| Independent certificate | No. A point-in-time maturity assessment | Yes. Certified by an accredited body after a Stage 1 and Stage 2 audit |
| Who mandates it | The PSPF, for non-corporate Commonwealth entities (at least ML2) | No government mandate; driven by customers and contracts |
| Cost to use the framework | Published free by ASD | The standard is purchased; certification is paid to a certification body |
| How it is measured | Maturity Level Zero to Three; the weakest strategy sets the level | Conformity with the standard; certificate valid three years with surveillance audits |
Where do the Essential Eight and ISO 27001 overlap?
On the technical controls, and only there. The Essential Eight maps onto part of the technological theme of ISO 27001's Annex A: patching applications, patching operating systems, multi-factor authentication, restricting administrative privileges, application control, restricting Microsoft Office macros, user application hardening and regular backups all have a counterpart in the 2022 control set. If you have done the Essential Eight well, a chunk of Annex A's technical evidence is already on the table.
The overlap ends there. ISO 27001's 93 controls run across four themes: organisational, people, physical and technological. The Essential Eight lives in the last of those only. Supplier management, access governance, human resources security, physical protection, incident management and the clause 4 to 10 management system have no Essential Eight equivalent. The mistake is treating the Essential Eight as most of ISO 27001 when it is a slice of one theme.
Can Essential Eight work count towards ISO 27001?
Yes, but as evidence, not as a head start on the system. Mature Essential Eight controls give you working proof for several Annex A technological controls and feed straight into your risk treatment. That saves real time in the technical part of an ISO 27001 build. What it does not give you is the management system: the scope, the risk assessment method, the Statement of Applicability, internal audit and management review that the auditor actually certifies.
It does not run the other way as neatly. An ISO 27001 certificate does not prove your Essential Eight maturity to a Commonwealth buyer. They still want an assessment against the maturity model, because ISO 27001 lets you accept a risk and document it, while the Essential Eight asks for the specific control at the specific level. Where I see teams trip is assuming one certificate answers both questions. It rarely does.
Which one does your organisation need?
Start with your buyer. If you are a non-corporate Commonwealth entity, or you sell cloud or SaaS to one, the Essential Eight is the floor, and an IRAP assessment against the ISM is often the real requirement above it. If you sell to enterprise, financial services or international customers, ISO 27001 is the certificate that opens doors, sometimes alongside SOC 2. If both markets matter, you need both, and the order is a judgement call: lead with the Essential Eight when a government deal is the near-term driver, lead with ISO 27001 when commercial growth is.
The good news is the work compounds. The technical hardening you do for one is evidence for the other. Scope it once, prove it twice. The judgement call that stays with you is sequencing and certification timing, not whether the effort is wasted. It is not.
Frequently asked questions
Is the Essential Eight part of ISO 27001?
No. They are separate frameworks. The Essential Eight overlaps with some of ISO 27001's technological controls in Annex A, but ISO 27001 also covers governance, people and physical security that the Essential Eight does not touch.
Does an ISO 27001 certificate cover the Essential Eight?
No. An ISO 27001 certificate does not prove Essential Eight maturity. A Commonwealth buyer will still want a separate assessment against the Essential Eight Maturity Model, because the two measure security in different ways.
Which is harder, the Essential Eight or ISO 27001?
They are hard in different ways. The Essential Eight is narrow but technically demanding, especially at Maturity Level Two and above. ISO 27001 is broader and document heavy, but it lets you manage a risk rather than meet a fixed control level.
Do you need both?
Only if you serve both audiences. Government and government suppliers are measured against the Essential Eight; enterprise and international customers usually ask for ISO 27001. Companies selling to both often hold both.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Essential Eight explained, ASD (cyber.gov.au), accessed June 2026
- Essential Eight Maturity Model, ASD (cyber.gov.au), June 2026
- PSPF information security policy, Department of Home Affairs, accessed June 2026
- ISO/IEC 27001:2022, International Organization for Standardization, 2022
Last updated: 21 June, 2026
