What is the Essential 8 ?

The Australian Cyber Security Centre (ACSC) developed the Essential Eight Maturity Model, known widely as the Essential 8. The ACSC essential 8 maturity model consists of eight strategies that are part of a more extensive list called the Strategies to Mitigate Cyber Security Incidents. These eight specific strategies were singled out because they are the most effective. The ACSC forms part of the larger Australian Signals Directorate (ASD), and so the maturity model is also sometimes referred to as the ASD Essential 8, or the ASD Essential 8 maturity model.

The strategies primarily focus on Microsoft Windows networks, as they are commonplace and represent a large collective attack surface that is commonly exploited. Although some strategies are Microsoft-specific, most strategies can be applied to other kinds of networks.

They describe a minimum set of strategies that provide a baseline security posture. The recommendations are not intended to be implemented in isolation. They should be used adjacently to other security policies in an organisation.

Unlike ISO27001, which is a mandatory security certification, the Essential 8 is not mandatory. However, Government bodies have the option to request that Government organisations or organisations working with the Government provide them with an evaluation of themselves based on the Essential 8 criteria.

To implement the Essential 8 Maturity Model properly, an organisation should implement it across all eight areas. Of course, if an organisation does not have a Windows Network, it cannot be considered “Essential 8 compliant”, but arguably, such an assessment is not relevant. The Australian Government is now implementing the Essential 8 framework as mandatory across all 98 non-corporate Government bodies.

The model has Maturity Levels that describe the level of mitigation applied to increasingly stronger adversaries. So which Maturity Level should an organisation choose?  The maturity level that an organisation should implement is based on two main considerations:

  1. How “attractive” it is to attack
  2. The classification of data that is vulnerable

Target Attractiveness: There is no hard, fixed guideline on what makes a target attractive to attack, but high-profile organisations are frequently targeted and lower-profile organisations suffer fewer attempts at compromise. Businesses that publicly claim to be secure and those in the security industry (such as banks and cybersecurity firms) often come under attack.

Classified data. Sensitive data itself will elicit more adverse responses. Nonetheless, even a very low-profile organisation protecting highly valuable information should consider strong mitigation strategies. This is particularly true of government departments and higher education institutions.

The Government mandates the precise level of compliance for its own organisations, but other organisations should strive for the highest Maturity Level that is feasible. These strategies have been developed with an important underlying premise: how an organisation is targeted is much more relevant to security than who is targeting it.

Data security: CIA

Data security is often described as a “triad” of Confidentiality, Integrity and Availability, or the “CIA Triad”.

Confidentiality is keeping information secret except to those authorised to use it.

Integrity is ensuring that information is accurate and complete.

Availability ensures that the information is ready for use when it is needed and authorised.

The Maturity Levels of the Essential Eight are designed around protecting these three facets of Information Security.

Maturity levels

This model has four Maturity Levels, ranging from zero (the weakest) to three, the strongest.

Maturity Level Zero is the weakest security posture. It applies to any organisation that does not meet or exceed Maturity Level One.

Maturity Level One focuses on mitigating casual attacks from opportunistic attackers, often using publicly available automated hacking tools. As well as affecting the CIA Triad, these attackers may destroy data.

Maturity Level Two focuses on those attackers that may take more time to attack a target. They are still opportunistic and still use publicly available tools, but may choose to spend more effort on a target they believe they can compromise.

Maturity Level Three is concerned with mitigating attacks from adversaries who focus on specific targets and will spend significant time attempting to compromise them. These attackers are more sophisticated and may use custom tools and procedures. They will also be more likely to hide their tracks and try to establish a long-term presence in a network.

Areas of interest

Essential 8 covers the following (eight!) areas of client (workstation) and server security:

  1. Application control
  2. Patching
  3. MS Office macro settings
  4. Other user application hardening
  5. Administration Privilege restriction
  6. Operating system patching
  7. Multi-factor Authentication
  8. Backups

The areas are summarised below. This post serves only as a guide. For a definitive list, please refer to the Essential Eight Maturity Model.

1. Application control
Level 1

Use of standard user profiles to control which executables, libraries, scripts, etc, and control panel items are allowed to be executed.

Level 2

The application controls are also carried out on internet-facing servers, and internally, they are managed in workstation groups. Logging is carried out for executions, both allowed and blocked, for internet-facing servers as well as workstations.

Level 3

All servers are now included in execution prevention. Microsoft’s ‘recommended block rules’ for executables and drivers are employed. Rulesets for application control are validated regularly, at least annually. All logging is centrally stored, protected from tampering, and constantly monitored for compromise, and when security events are detected, they are acted upon swiftly.

2. Applying Patches

Patches should be applied to systems to give them the most recent level of protection against compromise.

Patch timing table

The following table describes the time between a patch being released and when it is applied, and the kind of software involved.


      • “Patches” here can refer to actual patches, vendor updates or security mitigations.
      • “Scans” are vulnerability scanners designed to discover missing patches.
      • “Productivity software” means Microsoft Office suite, Web Browsers and associated extensions, Email clients, and PDF software.
      • “Lag time” is the time between a patch being released and it being applied
      • “Removed” means that the software/application/service is shut down and no longer used.

3. MS Office Macro Settings
Level 1
  • Only enable Office Macros for those who need it
  • No Office Macros in files originating from the internet are permitted
  • Virus scanning of Macros
  • Users cannot alter macro security settings
Level 2

Includes all of Level 1, and in addition:

  • Macros cannot make Win32 API calls
  • Logging of all macro executions, including those that are blocked and allowed
Level 3

Includes all of Level 2, and in addition:

  • Restrict macro execution to the following environments:
    • A sandboxed environment
    • A Trusted Location
    • A digitally signed macro from a trusted publisher
  • Trusted Locations for macros are administered only by privileged users
  • No macros from an untrusted publisher can be enabled manually
  • Publishers are validated at least annually if not more often
  • Logs of macro executions are protected from modification and deletion and are monitored for compromise and if adverse events are detected, they are actioned upon
4. Other User Application Hardening
Level 1
  • Web browsers do not run internet-based java
  • Web advertisements are blocked in browsers
  • IE 11 does not process (i.e. be connected to) the internet
  • Web browser security settings cannot be changed by the user
Level 2

Includes all of Level 1, plus:

  • MS Office is prevented from creating child processes, from creating executable files, from injecting code into other processes and cannot activate Object Linking and Embedding (OLE) packages.
  • PDF software cannot create child processes
  • Guidance from the ACSC or Vendors regarding web browsers, MS Office and PDF software is implemented
  • PDF software settings cannot be changed by the user
  • Any attempts to run blocked PowerShell scripts are logged
Level 3

Includes all of Level 2, plus:

  • Removal or disabling of the following:
    • IE 11
    • .NET framework versions 2.0, 3.0 and 3.5
    • PowerShell 2.0
  • PowerShell must be configured to use Constrained Language Mode
  • Blocked PowerShell script executions are logged, the logs are protected and restricted, and action is taken if a cyber security event is detected
5. Administration Privilege Restriction
Level 1
  • All privileged system and application requests are validated when first requested
  • Privileged accounts cannot access the internet (exception: privileged service accounts)
  • Privileged users have a separate unprivileged account for their internet, email and web services
  • Privileged operating environments can only be accessed by privileged accounts
  • Unprivileged environments cannot be logged into by Privileged accounts (exception: local administrator accounts)
Level 2

Includes all of Level 1, plus:

  • Privileged access is for 12 months at a time before being disabled. Privilege must be revalidated to avoid the privilege being disabled.
  • Privileged access to systems and apps is disabled after 45 days of inactivity
  • Privileged operating environments should not exist in virtualised environments that are themselves not privileged.
  • Administrative activities must be done through jump hosts
  • For local admin accounts, credentials must be secure, unique and unpredictable
  • All privileged access is logged
  • Changes to privileged accounts are logged
Level 3

Includes all of Level 2, plus:

  • Privileges are assigned on a needs-only basis.
  • All privileged accounts, including service accounts, cannot access the internet
  • Just-in-time administration is used to administer privileges for systems and applications
  • Both of the following Windows Defender services are enabled:
    • Credential Guard
    • Remote Credential Guard
  • Privilege access attempts are logged, the logs are protected and restricted, and action is taken if a cyber security event is detected
  • Changes to privileged accounts are centrally logged, protected, monitored, and action if cyber security events occur.
6. Operating System Patching
Level 1
  • Patches, updates and vendor mitigations for security vulnerabilities:
    • For internet-facing operating systems are applied within two weeks of release, or 48 hours in the case of an exploited vulnerability
    • For workstation operating systems, servers and network devices are applied within one month from release
  • Vulnerability scanners are used:
    • At least daily to find missing patches in operating systems of internet-facing services
    • At least fortnightly to find missing patches for workstations, servers and network devices
  • Replace all operating systems not supported by vendors
Level 2

Includes all of Level 1, plus:

  • Patches, updates and vendor mitigations for security vulnerabilities for workstation operating systems, servers and network devices are applied within two weeks from release
  • Vulnerability scanners are used at least weekly to find missing patches for workstations, servers and network devices.
Level 3

Includes all of Level 2, plus:

  • Patches, updates and vendor mitigations for security vulnerabilities for workstation operating systems, servers and network devices are applied within two weeks from release or 48 hours if an exploit exists
  • The latest release or the previous release of operating systems are used for workstation operating systems, servers and network devices
7. Multi-factor authentication
Level 1
  • MFA is used by users if they authenticate to their organisation’s internet-facing services
  • organisations use MFA if their organisation’s sensitive data is stored on 3rd-party services
  • MFA is used by organisations, if possible, if their organisation’s non-sensitive data is stored on 3rd-party services
  • MFA is enabled by default for non-organisational users if they use an organisation’s internet-facing services. These users may opt out.
Level 2

Includes all of Level 1, plus:

  • MFA is used to authenticate all privileged users
  • MFA uses the security system of either:
    • Something users have and something they know (e.g. password and token); or
    • Something users have, unlocked by something they know or are (e.g. a USB token unlocked by a PIN or fingerprint)
  • All MFA access attempts, successful or not, are logged
Level 3

Includes all of Level 2, plus:

  • MFA is used to access important data repositories
  • MFA security systems are verifier impersonation resistant
  • All authentication attempts by MFA systems are centrally logged, protected, and monitored and if adverse cybersecurity events occur, they are actioned.
8. Backups
Level 1
  • All important data is backed-up and is retained in a resilient manner that implements business continuity requirements
  • Restoring of backed-up services is regularly tested in a coordinated manner when performing disaster recovery exercises
  • Unprivileged accounts can only access their own backups
  • Unprivileged accounts cannot modify or delete any backups
Level 2

Includes all of Level 1, plus:

  • Privileged accounts can only access their own backups, with the exception of Backup Administrators.
  • Privileged accounts cannot modify or delete any backups, with the exception of Backup Administrators.
Level 3

Includes all of Level 2, plus:

  • Unprivileged accounts cannot access backups
  • Backup Administrators cannot access any backups without emergency authorisation.

In conclusion, the Essential Eight Maturity Model stands as a valuable framework for organisations seeking to bolster their cyber security defences. Providing a graduated approach to implementing the Essential Eight Strategies based on the organisation’s potential threats ensures a more targeted and effective security posture. 

Through this model, organisations can make informed decisions about the level of security measures they need to adopt, enabling them to optimise resource allocation and enhance their overall cyber security readiness. As threats continue to evolve in the digital landscape, the essential Eight Maturity Model serves as a dynamic tool, allowing organisations to adapt and fortify their defences against cyber threats with confidence. 

It’s important to remember that cyber security is an ongoing journey, and the Essential Eight Maturity Model offers a strategic path towards continuously improving and maintaining a robust cyber defence strategy. Embrace this model as a proactive measure, and stay one step ahead of the potential threats, safeguarding your digital assets and ensuring a safer online environment for your organisation and its stakeholders. By incorporating the Essential Eight into your cyber security roadmap, you can confidently face the challenges of the digital age and navigate the ever-changing cyber landscape with resilience and assurance.


What are the benefits of adopting the Essential 8? 

Embracing the Essential 8 proactively can prove to be highly advantageous in relation to time, finances, and resources, compared to reacting to a major cyber-incident. 

What is the Essential 8 Maturity Model? 

The Essential 8 Maturity Model was created to help organisations adopt the 8 strategies in a progressive way, depending on their level of expertise and the potential threats they face. These varying levels of maturity can also serve as a general measure of an organisation’s overall cyber security readiness. 

Author: Damian Wernert
Read More…


  1. Essential 8 Maturity Model
  2. Govt to mandate Essential Eight Cyber Security Controls
  3. Strategies to Mitigate Cyber Security Incidents
About Skillfield:

Skillfield is a Melbourne-based Cyber Security and Data Services consultancy and professional services company. We provide solutions that help our customers discover, protect and optimise big data in a way that works for them.