The Australian Government’s baseline cybersecurity framework. Eight practical controls that drastically reduce your risk of cyber incidents. Epic IT implements and manages E8 for Perth organisations.
Read our Essential 8 Compliance Guide for the full implementation walkthrough, or see our Essential Eight vs SMB1001 comparison to understand which framework fits your business. Our maturity guides cover every requirement at Maturity Level 1, Maturity Level 2, and Maturity Level 3. Following the Five Eyes warning that AI-enabled cyber attacks are months away, the Essential Eight is the practical action list those agencies effectively endorsed. Note too that the ASD has announced it will retire the Essential Eight over the next two years and replace it with the Essentials series; the controls below still apply and carry forward.
Practical mitigation strategies targeting the most common attack vectors
ML0 through ML3, assessed as a package across all eight strategies
Published and updated by the Australian Signals Directorate’s ACSC
The Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC). It defines eight practical mitigation strategies that address the most common methods attackers use to compromise systems, steal data, and disrupt operations.
Unlike broad security standards that require months of consulting to interpret, the Essential Eight gives your organisation a clear, structured set of controls to implement. The maturity model defines four levels (Maturity Level Zero through Three) so you can measure progress, and the ACSC expects the eight strategies to be implemented as a package: reach the same level across all eight before moving up, rather than running a few controls hard and neglecting the rest.
For Perth businesses managing sensitive client data, regulatory obligations, or government contracts, Essential Eight implementation is increasingly expected by insurers, auditors, and clients. Epic IT helps organisations assess their current maturity, build a practical roadmap, and implement each control properly.
If your business is earlier in its cybersecurity journey, our SMB1001 framework provides a simpler starting point that aligns with and feeds into Essential Eight compliance.
Each control targets a specific attack vector. Together, they form a comprehensive defence against the most common types of cyber incidents affecting Australian businesses.
Security vulnerabilities in applications are one of the most common ways attackers gain access. The ACSC's maturity model sets its windows from the vendor's patch release: vulnerabilities in online (internet-facing) services must be patched or mitigated within 48 hours when the vendor rates them critical or a working exploit exists, and within two weeks otherwise; office productivity suites, web browsers and their extensions, email clients, PDF software, and security products must be patched within two weeks. We manage patching across your entire application estate with automated deployment and compliance reporting against those windows.

Operating system vulnerabilities are just as critical. Unpatched workstations and servers are easy targets for both automated attacks and targeted intrusions. The same 48-hour and two-week windows apply to the operating systems of internet-facing servers and network devices, with a one-month window for workstations and non-internet-facing servers at Maturity Level One. We manage OS patching across your Windows, macOS, and server environments with scheduled deployments, testing, and rollback capability.
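The patch windows described in the two paragraphs above, turned into a check you can run over a patch inventory to see which items are inside or outside their Maturity Level One deadline. This is an added example written for this page, not Epic IT's tooling and not anything published by the ACSC. The window values follow the November 2023 Essential Eight Maturity Model at Maturity Level One as the example's author reads it (verify against the current published model before relying on it), "one month" is encoded as 30 days as an assumption, and the asset names, dates and records are constructed.

```python
"""Essential Eight ML1 patch-window checker.

Added example for illustration; not Epic IT or ACSC tooling. Windows follow the
November 2023 Essential Eight Maturity Model at ML1 as read by this example's author.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class AssetClass(Enum):
    ONLINE_SERVICE = "online service"                   # internet-facing application
    INTERNET_FACING_OS = "internet-facing server or network device OS"
    PRODUCTIVITY_APP = "office suite, browser, email client, PDF or security product"
    INTERNAL_OS = "workstation or non-internet-facing server OS"
    OTHER_APP = "other application"


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    asset_class: AssetClass
    released: datetime                  # vendor patch release time (timezone-aware)
    vendor_critical: bool               # vendor rates the vulnerability critical
    exploit_known: bool                 # a working exploit exists
    applied: Optional[datetime] = None  # when we applied the patch, None if still open


ONE_MONTH = timedelta(days=30)  # assumption: the model says "one month"; 30 days used here


def ml1_window(rec: PatchRecord) -> Optional[timedelta]:
    """Return the ML1 patching window for a record, or None if ML1 sets no deadline."""
    urgent = rec.vendor_critical or rec.exploit_known
    if rec.asset_class in (AssetClass.ONLINE_SERVICE, AssetClass.INTERNET_FACING_OS):
        return timedelta(hours=48) if urgent else timedelta(weeks=2)
    if rec.asset_class is AssetClass.PRODUCTIVITY_APP:
        return timedelta(weeks=2)
    if rec.asset_class is AssetClass.INTERNAL_OS:
        return ONE_MONTH
    return None  # OTHER_APP: no ML1 window (the model adds one month at ML2 and ML3)


def assess(rec: PatchRecord, now: datetime) -> Dict[str, object]:
    """Classify a record as compliant, applied late, due, overdue, or out of scope."""
    window = ml1_window(rec)
    if window is None:
        return {"asset": rec.asset, "status": "out of scope at ML1", "deadline": None}
    deadline = rec.released + window
    if rec.applied is not None:
        status = "compliant" if rec.applied <= deadline else "applied late"
    else:
        status = "overdue" if now > deadline else "due"
    return {"asset": rec.asset, "status": status, "deadline": deadline}


def report(records: List[PatchRecord], now: datetime) -> List[Dict[str, object]]:
    """Assess every record against the same reference time."""
    return [assess(r, now) for r in records]


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC datetime from year, month, day[, hour, minute]."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample inventory (not real assets); all times UTC.
NOW = utc(2024, 6, 15, 9, 0)
SAMPLE_RECORDS = [
    PatchRecord("vpn-gateway", AssetClass.INTERNET_FACING_OS, utc(2024, 6, 12, 10, 0), True, True),
    PatchRecord("web-portal", AssetClass.ONLINE_SERVICE, utc(2024, 6, 10, 0, 0), False, False),
    PatchRecord("finance-pc-07/Office", AssetClass.PRODUCTIVITY_APP, utc(2024, 5, 28, 0, 0),
                False, False, applied=utc(2024, 6, 13, 0, 0)),
    PatchRecord("ws-accounts-03/Windows", AssetClass.INTERNAL_OS, utc(2024, 5, 20, 0, 0),
                False, False, applied=utc(2024, 6, 10, 0, 0)),
    PatchRecord("legacy-erp", AssetClass.OTHER_APP, utc(2024, 6, 1, 0, 0), True, False),
]

if __name__ == "__main__":
    for row in report(SAMPLE_RECORDS, NOW):
        print(f"{row['asset']:<24} {row['status']:<20} deadline={row['deadline']}")
```

The deadline is measured from the vendor's release of the patch, not from when your RMM tool first saw it, so the inventory you feed this needs the vendor release timestamp; a record with a known exploit against an internet-facing host collapses to 48 hours regardless of the vendor's severity rating.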
Stolen passwords are involved in a large share of data breaches. Multi-factor authentication (MFA) adds a second verification step that prevents attackers from using compromised credentials on their own. We implement MFA across Microsoft 365, VPN, remote access, and business applications using phishing-resistant methods, which the ACSC requires for workstation logon from Maturity Level Two.
Admin accounts are the keys to your kingdom. If an attacker compromises an admin account, they have access to everything. We implement least-privilege access controls, separate admin and user accounts, governance over privileged access to data repositories, and just-in-time access through our access management service.
Application control prevents unauthorised software from running on your systems. This blocks malware, ransomware, and unapproved tools even if they make it past other defences. We configure application control policies, apply Microsoft’s recommended blocklist, and run the annual ruleset reviews the ACSC expects, balancing security with usability for your team.
Malicious macros in Office documents remain one of the most common delivery methods for malware. We configure macro policies that block untrusted macros while allowing legitimate business processes to continue. Users who need macros get controlled access; everyone else is protected.
Web browsers, PDF viewers, and Office applications can be hardened to reduce their attack surface. We disable or remove Internet Explorer 11, stop browsers processing Java and web advertisements from the internet, and turn off other features attackers commonly abuse. Your team keeps the functionality they need while reducing exposure to threats.
When everything else fails, backups are your last line of defence. We implement backup solutions for Microsoft 365, on-premises servers, and hybrid environments with regular recovery testing. Your backups are encrypted, offsite, and validated so they actually work when you need them.
Once your business reaches a solid Essential Eight maturity level, the next step is the Further Five: a set of advanced controls that strengthen your posture even further. These include backup validation, security event monitoring, vulnerability scanning, incident response planning, and network segmentation.
Together, the Essential Eight and Further Five form a comprehensive approach to modern cybersecurity. Epic IT guides you through both, building each layer on the foundation of the last. For businesses starting from scratch, our SMB1001 framework provides the entry point that feeds into Essential Eight compliance.
Essential Eight is particularly valuable for regulated industries handling sensitive data.
Patient data protection, Privacy Act compliance, and clinical system security. E8 provides the technical controls to meet your obligations.
Client privilege, document security, and regulatory compliance. Law firms handling sensitive matters need provable security maturity.
APRA CPS 234 alignment, client data protection, and audit readiness. Essential Eight provides the technical foundation for financial compliance.
Essential Eight compliance is increasingly required for government contracts. We help Perth businesses meet the bar and prove it.
The model defines Maturity Level Zero through Three. ML0 simply records that ML1 requirements are not yet met. The ACSC expects you to reach a consistent level across all eight strategies before targeting the next, and assessments work the same way: ML1 must be demonstrated before an ML2 assessment can begin.
Basic implementation of all eight strategies. Protects against opportunistic, commodity-level attacks. The ACSC’s suggested fit for small to medium enterprises, and the starting point for most Perth SMBs. Focuses on automated patching, MFA, basic application control, and reliable backups. See our ML1 requirements guide.
Timeline: 3–6 months | Investment: Typically $10,000–$25,000 for initial assessment and implementation, then ongoing as part of your managed agreement.
Stronger implementation targeting adversaries with moderate capability. Requires tighter patching timelines, phishing-resistant MFA for workstation logon, centralised logging, and more granular access controls. The mandatory baseline for federal government entities under the PSPF, and the target for businesses handling sensitive data or serving enterprise clients. See our ML2 implementation guide.
Timeline: 6–12 months from ML1 | Investment: Incremental. Most controls build on ML1 infrastructure.
Advanced implementation designed to resist sophisticated, targeted attacks. Requires real-time monitoring, automated response, and security operations capabilities. The ACSC’s suggested fit for critical infrastructure operators and organisations in high threat environments. See our ML3 guide.
Timeline: 12+ months from ML2 | Investment: Significant. Requires dedicated security operations capability.
The Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC). It defines eight practical mitigation strategies that help organisations defend against the most common cyber threats including ransomware, phishing, and credential theft. Epic IT helps Perth businesses implement the Essential Eight in a structured, practical way aligned to your risk profile.
The ASD has announced it will retire the Essential Eight over roughly two years and replace it with a broader Essentials series, beginning with Essentials for enterprise IT. Both frameworks stay live during the transition. The controls remain valid and carry forward, so implementing the Essential Eight now is still the right move. Our guide to the Essential Eight retirement explains what it means for your business.
The Essential Eight is mandatory for federal government entities, with Maturity Level Two set as the baseline under the Protective Security Policy Framework. For private sector businesses, it is strongly recommended and increasingly expected by cyber insurers, auditors, and enterprise clients. Many government contracts now require Essential Eight compliance, and the framework is becoming a de facto standard for demonstrating cybersecurity maturity in Australia.
The maturity model defines four levels. Maturity Level Zero captures environments that do not yet meet ML1. Maturity Level One provides basic protection against commodity threats. Maturity Level Two provides stronger protection against more capable adversaries. Maturity Level Three provides the highest level of protection against sophisticated threats. The ACSC expects organisations to reach the same level across all eight strategies before moving up. Most Perth SMBs should target Maturity Level One initially and progress from there.
No. The ACSC does not certify Essential Eight implementations, and there is no official certificate at any maturity level. However, an independent assessment may be required by a government directive, a regulator, or a contract, and the ASD publishes an assessment process guide that assessors follow. If you need certified proof of cyber maturity for clients or insurers, the SMB1001 framework provides formal certification and maps to the Essential Eight.
The SMB1001 framework was built for small and medium businesses and includes controls that align with the Essential Eight. Many SMB1001 controls map directly to E8 mitigation strategies, so achieving SMB1001 certification gives you a strong foundation for Essential Eight compliance. Most businesses start with SMB1001 and progress to E8 as their maturity grows.
Once you reach a solid Essential Eight maturity level, the Further Five controls add advanced protections including backup validation, security event monitoring, vulnerability scanning, incident response planning, and network segmentation. Together, E8 and the Further Five form a comprehensive cybersecurity programme for Australian organisations.
Timeline depends on your starting point and target maturity level. A typical Maturity Level One implementation for a Perth SMB takes three to six months. We start with quick wins that reduce your risk immediately while working through the longer-term controls in parallel. Our managed services clients get E8 controls implemented as part of their ongoing agreement. The Essential Eight also supports compliance with your Privacy Act obligations, including the reforms commencing in 2026, and provides the cybersecurity foundation for AI governance.