What Is the Essential Eight?

The Essential Eight is a set of eight mitigation strategies from the Australian Signals Directorate, built to protect internet-connected IT networks against the most common cyber attacks. You implement all eight together to a target maturity level, from Maturity Level Zero to Maturity Level Three. It is a baseline, measured by assessment, not a certification.

Most organisations meet the Essential Eight because of a contract clause or a tender question, not by choice. This page explains what it actually is, the eight strategies, the maturity levels, who is legally bound by it, and how an assessment works. For the full cluster of articles, see the complete guide to the Essential Eight.

What is the Essential Eight?

The Essential Eight is the most effective subset of the Strategies to mitigate cyber security incidents, a longer list the Australian Signals Directorate publishes. ASD distilled the eight that stop the widest range of attacks for the least effort. They were designed to protect Microsoft Windows-based, internet-connected networks. The principles can extend to other environments, but that is not what they were built for, and other controls may suit operational technology better. Two things people get wrong: it is not a product you buy, and it is not a pass or fail badge. It is a set of practices you run continuously, scored by how fully you have implemented each one.

What are the eight strategies?

The eight split into three jobs: stop malicious code running, limit the damage if something does, and make sure you can recover. None of them is optional. ASD’s position is that they reinforce each other, so a strong seven with one weak strategy still leaves the gap an attacker looks for.

| Strategy | What it does |
|---|---|
| Application control | Allows only approved programs to run, so unknown executables and malware are blocked |
| Patch applications | Fixes known flaws in software such as browsers, Office and PDF readers before they are exploited |
| Restrict Microsoft Office macros | Blocks or limits macros, a common path for delivering malware |
| User application hardening | Turns off risky features such as web ads, Java and unneeded browser functions |
| Restrict administrative privileges | Limits admin accounts to those who need them and separates admin from daily use |
| Patch operating systems | Keeps operating systems current so known vulnerabilities are closed quickly |
| Multi-factor authentication | Requires a second proof of identity, so a stolen password alone is not enough |
| Regular backups | Backs up data and configuration, and tests restoration, so you can recover from ransomware |

What are the maturity levels?

Maturity is scored from Zero to Three against each strategy, set out in the Essential Eight maturity model. The levels describe how well you align with the intent of each strategy, framed against the kind of attacker each one holds off.

| Level | Meaning |
|---|---|
| Maturity Level Zero | Minimally aligned. Exploitable weaknesses in the entity's posture |
| Maturity Level One | Partly aligned. Holds off attackers using common, widely available tradecraft |
| Maturity Level Two | Mostly aligned. Holds off attackers willing to invest more time and effort to bypass controls |
| Maturity Level Three | Fully aligned. Holds off adaptive attackers willing to invest significant effort |

ASD’s advice is to reach the same level across all eight before climbing higher, because the strategies are designed to work as a set. The model is also a moving target. The November 2023 update lifted the bar, for example by expecting faster patching of critical vulnerabilities and phishing-resistant multi-factor authentication at the higher levels. A maturity level you earned two years ago is not the same level today.

Who has to comply with the Essential Eight?

Non-corporate Commonwealth entities must implement all eight strategies to at least Maturity Level Two. That obligation sits in the Protective Security Policy Framework and has applied since 1 July 2022, with Maturity Level Three expected where the threat environment warrants it. State and territory governments and private organisations are not bound by the PSPF. In practice many adopt it anyway, because it now appears in grants, contracts and tenders as the security floor. Compliance is uneven even where it is mandatory. ASD’s 2025 Commonwealth Cyber Security Posture report shows most entities still fall short of Maturity Level Two across all eight at once, which is the hard part: it is the weakest strategy, not the average, that sets your level.

How is Essential Eight maturity assessed?

An assessment measures your current maturity for each of the eight and gives you a roadmap to the level you need. ASD publishes an Essential Eight assessment process guide that sets out how it should be done, including testing controls rather than taking documentation at face value. A Cybernion Essential Eight assessment runs in two phases, a documentation and configuration review followed by reporting, and is conducted independently. You receive a maturity report, a heatmap of current against target by strategy, a prioritised remediation roadmap, and an executive summary. For a moderately complex environment it takes about three to six weeks, driven by scope, evidence readiness and access.
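Two rules from the sections above are easy to get wrong in a spreadsheet: your overall level is set by the weakest strategy, not the average, and the remediation roadmap should close the biggest gaps before pushing any single strategy above target. The following is an added illustration, not Cybernion's or ASD's tooling; the sample scores are constructed, and the heatmap rows and roadmap ordering are my own simple layout of the deliverables the article lists.

```python
# Added example (not from the page or ASD): scores a self-assessment using the
# "weakest strategy sets your level" rule and orders remediation by gap size.
ESSENTIAL_EIGHT = (
    "Application control",
    "Patch applications",
    "Restrict Microsoft Office macros",
    "User application hardening",
    "Restrict administrative privileges",
    "Patch operating systems",
    "Multi-factor authentication",
    "Regular backups",
)

def overall_maturity(scores):
    """Overall level is the lowest per-strategy level (0-3), never the average."""
    missing = set(ESSENTIAL_EIGHT) - set(scores)
    if missing:
        raise ValueError(f"unscored strategies: {sorted(missing)}")
    for name, level in scores.items():
        if name not in ESSENTIAL_EIGHT or level not in (0, 1, 2, 3):
            raise ValueError(f"bad entry: {name}={level}")
    return min(scores[s] for s in ESSENTIAL_EIGHT)

def heatmap(scores, target):
    """Rows of (strategy, current, target, gap), current against target per strategy."""
    return [(s, scores[s], target, max(0, target - scores[s])) for s in ESSENTIAL_EIGHT]

def roadmap(scores, target):
    """Strategies below target, largest gap first, ties in the order ASD lists them,
    so the set is levelled before any one strategy is pushed higher."""
    below = [row for row in heatmap(scores, target) if row[3] > 0]
    return [r[0] for r in sorted(below, key=lambda r: (-r[3], ESSENTIAL_EIGHT.index(r[0])))]

# Constructed sample self-assessment against a PSPF-style target of Maturity Level Two.
SAMPLE = {
    "Application control": 1,
    "Patch applications": 2,
    "Restrict Microsoft Office macros": 3,
    "User application hardening": 2,
    "Restrict administrative privileges": 1,
    "Patch operating systems": 2,
    "Multi-factor authentication": 0,
    "Regular backups": 2,
}

if __name__ == "__main__":
    print("overall maturity:", overall_maturity(SAMPLE))  # 0, despite an average above 1.5
    print("fix first:", roadmap(SAMPLE, 2))
```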

Is the Essential Eight enough on its own?

No, and treating it as the finish line is the common mistake. The eight are a baseline drawn from a much larger body of guidance. The Information Security Manual holds hundreds of controls covering governance, personnel, physical security and incident response that the Essential Eight does not touch. An organisation can reach Maturity Level Two and still carry material risk the ISM would flag. Read the Essential Eight as the floor every organisation should stand on, then decide what your data and obligations require on top of it.

Frequently asked questions

Is the Essential Eight mandatory?

For non-corporate Commonwealth entities, yes. The PSPF requires all eight strategies at Maturity Level Two or above. State governments and private organisations are not bound by it, but the Essential Eight increasingly appears in contracts, grants and tenders as a baseline.

What maturity level do I need?

Commonwealth entities must reach Maturity Level Two across all eight. Everyone else sets a target from their threat environment. ASD advises reaching the same level across all eight before going higher, because the strategies are built to work together.

Is the Essential Eight a certification?

No. There is no certificate and no pass mark. You hold a maturity level against each strategy at a point in time, measured by assessment. Maturity drifts as systems change, so it is reviewed periodically.

How long does an Essential Eight assessment take?

For a moderately complex environment, about three to six weeks from kickoff to report, depending on scope, evidence readiness and access to the right people.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


Sources:

  1. Essential Eight explained, Australian Signals Directorate, accessed June 2026
  2. Essential Eight maturity model, Australian Signals Directorate, November 2023 update
  3. Protective Security Policy Framework, information security policy, since 1 July 2022
  4. The Commonwealth Cyber Security Posture in 2025, Australian Signals Directorate

Last updated: 21 June, 2026