The Essential Eight is not an alternative to the ISM. It is a small, prioritised subset of it. The eight are baseline technical mitigations; the Information Security Manual is ASD’s full control catalogue, covering governance, personnel, physical and technical security. You can reach Maturity Level Two and still sit a long way from ISM alignment.
Is the Essential Eight part of the ISM?
Yes. The Essential Eight is a prioritised subset of ASD’s broader strategies to mitigate cyber security incidents, and those strategies sit inside the wider Information Security Manual. Treating the two as competing standards is the common error. They are not rivals. The Essential Eight is the floor; the ISM is the building.
The Essential Eight names the eight mitigations: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups. ASD designed them to protect internet connected, Windows based IT networks. The ISM is the document an ASD endorsed assessor measures a system against in an IRAP assessment. It runs to many hundreds of controls across governance, personnel security, physical security, communications and incident management. The Essential Eight is the part of that catalogue ASD asks you to get right first.
What does each one actually cover?
The Essential Eight covers eight technical controls and nothing else. The ISM covers the whole security program, technical and non-technical. The table sets the scope side by side.
| | Essential Eight | Information Security Manual (ISM) |
|---|---|---|
| What it is | Eight prioritised technical mitigations | ASD’s full cyber security control catalogue |
| Scale | Eight strategies, rated across four maturity levels | Many hundreds of controls across multiple security domains |
| Scope | Internet connected, Windows based IT networks | Governance, personnel, physical and technical security |
| How it is measured | Maturity Level Zero to Three across all eight strategies; the weakest strategy sets your overall level | Control by control for a specific system; each control recorded as implemented, implemented through an alternate control, or not implemented |
| Where it is assessed | Essential Eight assessment against the Maturity Model | IRAP assessment against the ISM, by an ASD endorsed assessor |
| Who mandates it | PSPF: non-corporate Commonwealth entities, at least Maturity Level Two | PSPF: government systems and the cloud services that handle their data |
The gap is the point. An organisation can patch well, enforce MFA and lock down macros, and still have no security governance, no personnel vetting, no documented incident response and no supply chain assurance. The Essential Eight does not ask about any of that. The ISM does.
Does Maturity Level Two mean you are ISM compliant?
No. This is the most expensive misunderstanding in the room. Reaching Maturity Level Two on the Essential Eight tells you eight technical mitigations are implemented to that level. It says nothing about the hundreds of ISM controls outside those eight.
A system at Maturity Level Two is designed to resist adversaries with a modest step up from commodity tradecraft on patching, MFA, administrative privileges and the rest. An IRAP assessment against the ISM will still examine security governance, system ownership, personnel clearances, physical access, cryptographic protection, logging and monitoring, and incident response, none of which the Essential Eight scores. The two measurements answer different questions. One asks whether your baseline mitigations hold. The other asks whether the whole system is fit to handle government information.
Which one applies to you?
It depends on who you are and what data you handle. Most organisations need the Essential Eight as a baseline; only some need to be assessed against the full ISM.
Non-corporate Commonwealth entities must implement the Essential Eight to at least Maturity Level Two under the PSPF, in force since 1 July 2022. If you are a cloud or SaaS provider wanting to handle government data at OFFICIAL: Sensitive or above, the bar is the ISM, assessed through an IRAP assessment. See the complete IRAP guide for how that works. State governments and private organisations are not bound by the PSPF, but many adopt the Essential Eight through contracts, grants and tenders. The Essential Eight is the sensible starting point for almost everyone. The ISM is where you go when government data is in scope.
Do you need both?
If you are assessed against the ISM, the Essential Eight is already inside that scope; you do not run a separate Essential Eight assessment to satisfy an IRAP assessor. If you only need a recognised baseline, the Essential Eight stands on its own. Read the Essential Eight guide if the baseline is your goal.
The relationship is one of containment, not duplication. The ISM incorporates the mitigation strategies the Essential Eight is drawn from, so a system assessed against the ISM is already being measured on patching, MFA, application control and the rest, alongside everything else. Where organisations trip is sequencing. They chase an IRAP assessment before the baseline mitigations are stable, then spend the assessment documenting weaknesses they could have closed for far less beforehand. Get the Essential Eight working first. It is the cheapest risk reduction available, and it makes the larger assessment shorter.
Essential Eight vs the ISM: frequently asked questions
Is the Essential Eight mandatory?
For non-corporate Commonwealth entities, yes. The PSPF requires them to implement all eight to at least Maturity Level Two. State governments and private organisations are not bound by it, though many adopt it through contracts and tenders.
Is the ISM mandatory?
The ISM is the control set Australian government systems are assessed against, and cloud services handling government data are measured against it through an IRAP assessment. For private systems with no government data it is guidance rather than a requirement.
Can you align to the ISM without the Essential Eight?
Not in practice. The Essential Eight mitigations are drawn from the ISM, so a system assessed against the ISM is already measured on them. Aligning to the ISM means meeting the Essential Eight controls and many more.
Does an IRAP assessment cover the Essential Eight?
Yes. An IRAP assessment measures a system against the ISM, which includes the mitigation strategies the Essential Eight is based on. You do not need a separate Essential Eight assessment to satisfy an IRAP assessor.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ASD, Essential Eight Explained, current June 2026
- ASD, Essential Eight Maturity Model, current June 2026 (November 2023 release)
- ASD, Strategies to Mitigate Cyber Security Incidents
- Australian Government Information Security Manual, June 2026
- PSPF, information security policy (Maturity Level Two mandate)
Last updated: 21 June, 2026
