Essential Eight Maturity Level 1 is where the framework starts meaning something. It is the level the ACSC suggests for small to medium enterprises, the level cyber insurers increasingly use as shorthand for “adequate controls”, and the level most Australian SMBs sit below without realising it. This guide covers what ML1 actually requires across all eight strategies, the gaps that catch most businesses, and what it takes to get there.
It completes our maturity series alongside the ML2 requirements guide and the ML3 guide. For the framework basics, start with our Essential 8 compliance guide.
The maturity model defines four levels. ML0 records that ML1 requirements are not met. ML1 counters commodity tradecraft: attackers using publicly available tools and known exploits against whoever is easiest, rather than targeting you specifically. That describes the overwhelming majority of attacks Australian SMBs actually face, which is why ML1 is not a token level. Done properly, it removes you from the easy-target pool.
Two rules shape everything. First, the Essential Eight is implemented as a package: your overall rating is the lowest level across all eight strategies, and the ACSC advises reaching a consistent level across all eight before targeting the next. Second, ML1 requirements are binary. There is no partial credit for “mostly patched” or “MFA on most accounts”. A control is met or it is not.
Execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets is blocked from user profiles and temporary folders using file system permissions. You do not need an allowlisting product at ML1 — that arrives at ML2 — but you do need the standard malware launch points locked down on every workstation.
This is the strategy people most often underestimate at ML1. Internet-facing services are scanned for vulnerabilities daily and patched within 48 hours when a vulnerability is assessed as critical or an exploit exists, otherwise within two weeks. Office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are scanned weekly and patched within two weeks. Unsupported versions of any of these are removed. The 48-hour critical window is an ML1 requirement, not an advanced one.
Macros are disabled for every user without a demonstrated business need, macros in files from the internet are blocked, antivirus macro scanning is enabled, and users cannot change any of these settings themselves.
Internet Explorer 11 is disabled or removed, web browsers do not process Java from the internet, web advertisements are blocked, and users cannot change these settings. Ad blocking surprises people, but malvertising remains a mainstream delivery channel and the ACSC treats it accordingly.
Requests for privileged access are validated when first requested. Privileged accounts are separate from day-to-day user accounts and, unless explicitly authorised and strictly limited, blocked from accessing the internet, email, and web services. Privileged and unprivileged operating environments are kept apart: admin work happens in the admin context, browsing and email happen in the standard one.
Internet-facing systems follow the same rhythm as applications: daily scanning, 48 hours for critical or exploited vulnerabilities, two weeks otherwise. Workstation, server, and network device operating systems are patched within one month, and anything no longer supported by its vendor is replaced. With Windows 10 now past end of support, this single requirement is holding a lot of Australian businesses at ML0 — our Windows 10 end of support playbook covers the way out.
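As an added illustration of the timing rules in the two patching strategies above (example code written for this guide, not an ASD tool and not from the original page): a small tracker that takes scan findings and reports whether each one was, or can still be, patched inside its ML1 window, then applies the binary rule to the whole set. The three categories, the 30-day reading of "within one month", and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ML1 windows as the page states them; "within one month" is taken as 30 days (assumption).
WINDOW_CRITICAL = timedelta(hours=48)   # internet-facing, critical or exploit available
WINDOW_STANDARD = timedelta(days=14)    # other internet-facing findings, and applications
WINDOW_OS = timedelta(days=30)          # workstation, server and network device OS


@dataclass
class Finding:
    asset: str
    category: str                 # "internet_facing", "application" or "os" (assumed labels)
    found: datetime               # when the scanner surfaced the vulnerability
    critical_or_exploited: bool
    patched: Optional[datetime] = None   # None while still open


def deadline(f: Finding) -> datetime:
    """Latest ML1-compliant patch time for a finding."""
    if f.category == "internet_facing":
        return f.found + (WINDOW_CRITICAL if f.critical_or_exploited else WINDOW_STANDARD)
    if f.category == "application":
        return f.found + WINDOW_STANDARD
    if f.category == "os":
        return f.found + WINDOW_OS
    raise ValueError(f"unknown category {f.category!r}")


def status(f: Finding, now: datetime) -> str:
    """'met' if patched in time, 'open' if unpatched but still in time, else 'breached'."""
    due = deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= due else "breached"
    return "open" if now <= due else "breached"


def ml1_patching_met(findings, now: datetime) -> bool:
    """ML1 is binary: a single breach fails the control for the whole organisation."""
    return all(status(f, now) != "breached" for f in findings)


# Constructed sample records (not real scan output).
NOW = datetime(2025, 3, 20, 9, 0)
SAMPLE = [
    Finding("vpn-gateway", "internet_facing", datetime(2025, 3, 3, 9, 0), True, datetime(2025, 3, 4, 15, 0)),
    Finding("mail-edge", "internet_facing", datetime(2025, 3, 3, 9, 0), True, datetime(2025, 3, 6, 9, 0)),
    Finding("ws-017 browser", "application", datetime(2025, 3, 5, 9, 0), False, datetime(2025, 3, 15, 9, 0)),
    Finding("fileserver OS", "os", datetime(2025, 3, 1, 9, 0), False),
]
for f in SAMPLE:
    print(f"{f.asset:16} due {deadline(f):%Y-%m-%d %H:%M}  {status(f, NOW)}")
print("ML1 patching met:", ml1_patching_met(SAMPLE, NOW))
```

The second record shows the point made later on the page: a critical finding on an internet-facing host patched after 72 hours is a breach even though it was fixed well inside the two-week window, and that one record alone fails the control.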
MFA is required for users authenticating to your organisation’s online services and to third-party services handling sensitive data, and it is offered to customers of your own customer-facing services. Phishing-resistant methods are not mandatory until ML2, but if you are deploying MFA fresh, going straight to passkeys or security keys saves you doing the job twice.
Important data, software, and configuration settings are backed up and retained in line with business criticality and your continuity plan, restoration is tested as part of disaster recovery exercises, and unprivileged accounts cannot access backups belonging to other accounts. A backup job that runs nightly but has never been restored does not meet ML1.
Across our Essential Eight assessments of Perth businesses, the same five gaps keep appearing: the 48-hour critical patching window for internet-facing systems (usually a monitoring gap, not a tooling gap), shared admin-and-daily-driver accounts, no ad blocking, end-of-life operating systems still in service, and backups that have never been restore-tested. None of these is expensive to fix. All of them are binary, so any one of them caps the whole organisation at ML0.
Cyber insurers have made ML1 the de facto floor. Underwriters now ask proposal questions that map almost one-to-one onto the ML1 control set, and businesses that cannot evidence it are seeing exclusions, loadings, or refusal of cover — our cyber insurance guide covers what underwriters actually want. Enterprise clients run the same checklist in supplier due diligence. ML1 is also the prerequisite for everything above it: an assessor following the ASD’s process will not begin an ML2 assessment until ML1 has been demonstrated.
For a Perth SMB with a managed IT provider, reaching ML1 from a typical starting position takes three to six months and roughly $10,000 to $25,000 in assessment and implementation work, depending on how many gaps need closing. Cloud-first Microsoft 365 businesses with Intune-managed devices land at the low end. Businesses carrying legacy servers and unmanaged endpoints land at the high end, mostly because of the operating system and application control work.
If you have no contractual driver for the Essential Eight specifically, it is worth weighing SMB1001 first: it covers similar ground at the lower tiers, adds the policy and training layer, and produces a formal certification you can hand to insurers and clients. Our Essential Eight vs SMB1001 comparison walks through the decision.
We run Essential Eight assessments and implementation for businesses across Perth, aligned to the ASD’s assessment process. You get a defensible rating across all eight strategies, the specific list of gaps holding you below ML1, and a costed plan to close them. Contact us on 1300 EPIC IT for a free gap analysis.
Essential Eight Maturity Level 1 is the first target level of the ASD’s maturity model, designed to counter commodity-level attacks using publicly available tools and known exploits. It requires all eight mitigation strategies to be implemented, including 48-hour patching of critical internet-facing vulnerabilities, MFA on online services, separated admin accounts, hardened browsers and macros, and tested backups.
The ACSC suggests ML1 may be suitable for small to medium enterprises, with ML2 suited to large enterprises and ML3 to critical infrastructure and high threat environments. ML1 is also the practical floor that cyber insurers and enterprise clients now expect. If you supply to government, most contracts reference ML2, so treat ML1 as the staging post rather than the destination.
Three to six months for most Perth SMBs working with a managed IT provider, at a typical cost of $10,000 to $25,000 in assessment and implementation work. Cloud-first businesses with managed devices get there faster; environments with end-of-life operating systems or unmanaged endpoints take longer.
Five gaps account for most failures: missing the 48-hour patching window for critical internet-facing vulnerabilities, admin accounts that double as daily-use accounts, no web advertisement blocking, unsupported operating systems still in service, and backups that have never been restore-tested. Each requirement is binary, so one gap caps the whole organisation at ML0.
No. ML1 requires MFA for your organisation’s online services and third-party services handling sensitive data, but phishing-resistant methods such as security keys, passkeys, or Windows Hello for Business only become mandatory at ML2, including for workstation logon. If you are rolling out MFA from scratch, deploying phishing-resistant methods now avoids replacing the solution later.
No. The ASD’s assessment process requires maturity levels to be demonstrated in order: ML1 before ML2, and ML2 before ML3. The Essential Eight is also assessed as a package, so your overall rating is the lowest level achieved across all eight strategies.