Comprehensive guide, last updated February 2026
Every Australian business running a Windows network, using cloud email, or storing client data is a target. The question is not whether your organisation will face a cyber threat, but whether your defences will hold when it happens. The Australian Signals Directorate built the Essential Eight framework to answer that question with a practical, measurable set of controls that actually work.
This guide breaks down what the Essential 8 is, why it matters for your business, how the maturity model works, and what it takes to implement each control properly. We wrote it because most Essential 8 content online is either government documentation written for compliance officers or vendor marketing designed to sell a product. Neither is useful if you are a business owner trying to understand what you actually need to do.
The Essential 8 is a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD). First published in 2017, it identifies eight mitigation strategies that address the most common methods attackers use to compromise Australian organisations.
The framework is not theoretical. It was built from real-world analysis of thousands of cyber incidents affecting Australian businesses and government agencies. Each of the eight controls targets a specific attack vector that ASD has observed being exploited repeatedly.
The eight strategies are grouped across three objectives:
| Objective | Controls | Purpose |
|---|---|---|
| Prevent attacks | Application control, Patch applications, Configure Microsoft Office macros, User application hardening | Stop malicious code from running in the first place |
| Limit impact | Restrict administrative privileges, Patch operating systems, Multi-factor authentication | Contain damage if an attacker gets in |
| Recover data | Regular backups | Restore operations after an incident |
The Essential 8 is mandatory for all non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). For private businesses, it is technically voluntary. But “voluntary” is doing a lot of heavy lifting in that sentence. Insurers, government supply chains, and regulated industries increasingly treat Essential 8 compliance as a baseline expectation. If your organisation works with government, handles sensitive data, or wants to maintain cyber insurance coverage, the Essential 8 is no longer optional in practice.
Australia has had a rough few years in cybersecurity. The Medibank breach exposed 9.7 million records. Optus exposed data on almost 10 million customers. Latitude Financial, HWL Ebsworth, DP World, MediSecure. The list keeps growing. These are not obscure companies. They are household names with significant IT budgets, and they still got hit.
Small and medium businesses are not immune. ASD’s Annual Cyber Threat Report 2022-23 put the average self-reported cost of cybercrime at over $46,000 per incident for a small business and over $97,000 for a medium business. Those numbers only cover direct costs. They do not include lost productivity, client attrition, reputational damage, or the time your team spends cleaning up instead of doing their jobs.
The Essential 8 matters because it addresses the attacks that actually happen to Australian businesses, not exotic nation-state threats but the common tactics: phishing emails that trick staff into running malicious code, unpatched software that gives attackers a way in, stolen credentials that let them move laterally, and missing backups that leave no recovery options when ransomware hits.
There are also commercial realities pushing adoption:
Cyber insurance. Underwriters now routinely ask about Essential 8 alignment during policy renewal. Organisations with demonstrable compliance get better premiums. Organisations without it face higher costs, exclusions, or outright refusal of cover.
Government contracts. Over 90% of government tenders now reference Essential 8 compliance, typically requiring Maturity Level 2 or higher. If you work in the government supply chain, this is a commercial requirement, not a suggestion.
Client expectations. Your clients are increasingly asking about your security posture during due diligence. If you handle their data, they want to know it is protected. The Essential 8 gives you a clear, recognised framework to demonstrate that.
Board and director liability. Directors have a duty of care that extends to cybersecurity. The Australian Institute of Company Directors has published guidance making it clear that boards need to understand and oversee cyber risk. The Essential 8 provides the structured approach that satisfies that obligation.
Each control targets a specific vulnerability. Here is what they do and why they matter, explained in business terms rather than technical jargon.
Application control means only approved software can run on your systems. If an employee accidentally downloads malware, or a USB drive contains a malicious executable, the system blocks it from running because it is not on the approved list. Think of it as a strict guest list for your IT environment. If the software is not on the list, it does not get in.
Why it matters: This is consistently ranked as one of the most effective controls. It stops ransomware, trojans, and other malicious code from executing even after it lands on a device.
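As an added example (not code from the original page), the following PowerShell asks the question an assessor asks first: what would the effective AppLocker policy on this workstation do to files sitting in the places downloads and USB payloads actually land? It assumes AppLocker (Windows Enterprise/Education or Server); a WDAC deployment needs different tooling. The sample locations are assumptions, not a complete list.

```powershell
# Added example, not part of the original page. Tests the effective AppLocker
# policy against files in user-writable locations, where downloaded malware
# and USB payloads land. Assumes AppLocker, not WDAC.
$policy = Get-AppLockerPolicy -Effective

$collections = @($policy.RuleCollections | Where-Object { $_ })
if ($collections.Count -eq 0) {
    Write-Warning 'No effective AppLocker rules: everything runs. That is Level 0 for this control.'
}

# 'AuditOnly' only writes event log entries; it blocks nothing.
$collections | Select-Object RuleCollectionType, EnforcementMode | Format-Table -AutoSize

# Assumed sample locations. Level 1 requires control over user profiles and the temp
# folders used by the OS, browsers and email clients; add removable media and shares.
$userWritable = @("$env:USERPROFILE\Downloads", $env:TEMP, 'C:\Users\Public')
$candidates = Get-ChildItem -Path $userWritable -Recurse -File `
    -Include *.exe, *.dll, *.msi, *.ps1, *.vbs, *.js -ErrorAction SilentlyContinue

if ($candidates) {
    # Evaluate as Everyone; pass -User 'DOMAIN\someone' to test one user's rule set.
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $candidates.FullName -User Everyone
    # Anything that is not Denied would execute once enforcement is switched on.
    $decisions | Where-Object { $_.PolicyDecision -notin 'Denied', 'DeniedByDefault' } |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}
```

The `MatchingRule` column is the useful part: a file allowed by a path rule such as `%OSDRIVE%\Users\*` tells you the rule set is too broad to stop anything, even though “application control” is technically deployed. Level 2 extends control to every location other than user profiles and temp folders, so the same test should be repeated against those paths as you move up.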
Every application has vulnerabilities, and vendors release patches to fix them. Patching applications means applying those fixes within the model’s timeframes. At every maturity level that is 48 hours for internet-facing services when the vendor rates the vulnerability critical or a working exploit exists, and two weeks for other patches to those services and to web browsers, Office, email clients and PDF software. Levels 2 and 3 apply the 48-hour window to those workstation applications as well, and every level requires removing applications the vendor no longer supports.
Why it matters: Unpatched applications are one of the most common entry points for attackers. The Log4Shell vulnerability in 2021 demonstrated how a single unpatched component can compromise thousands of organisations worldwide.
Microsoft Office macros are small programs that automate tasks in Word, Excel, and other Office applications. Attackers abuse them to deliver malware, typically by sending a document that asks the recipient to “enable macros” to view the content. Configuring macro settings means disabling macros for users with no demonstrated business need, blocking macros in files that came from the internet, scanning the rest with antivirus, and at higher levels allowing only macros that are digitally signed by a trusted publisher (or run from a trusted location) and blocking macros from calling the Win32 API.
Why it matters: Macro-based attacks remain one of the most common delivery methods for malware in Australian business environments.
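The settings behind this control are a handful of Office policy values plus one Defender rule, which makes them easy to verify per machine. The PowerShell below is an added example, not from the original page: it audits those values and, with `-Remediate`, writes them. It assumes Office 2016 or later (registry version 16.0) and Microsoft Defender for the Attack Surface Reduction check; in production the values are delivered by Group Policy or Intune, and writing under `HKCU\Software\Policies` needs an elevated session.

```powershell
# Added example, not part of the original page. Audits (and with -Remediate sets)
# the Office macro policy values behind the Essential Eight macro control.
# Assumes Office 2016+ (registry version 16.0) and Microsoft Defender.
[CmdletBinding()]
param([switch]$Remediate)   # write the expected values instead of only reporting

$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Expected DWORD values:
#   vbawarnings = 3                       -> disable macros except digitally signed ones
#   blockcontentexecutionfrominternet = 1 -> block macros in files carrying Mark-of-the-Web
#   MacroRuntimeScanScope = 2             -> AMSI antivirus scanning of macros in all documents
$checks = @(foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    [pscustomobject]@{ Path = "$base\$app\Security"; Name = 'vbawarnings';                       Expected = 3 }
    [pscustomobject]@{ Path = "$base\$app\Security"; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
})
$checks += [pscustomobject]@{ Path = "$base\Common\Security"; Name = 'MacroRuntimeScanScope'; Expected = 2 }

$findings = @(foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
    if (-not $ok -and $Remediate) {
        New-Item -Path $c.Path -Force | Out-Null
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -PropertyType DWord -Force | Out-Null
        $actual = $c.Expected
        $ok = $true
    }
    [pscustomobject]@{
        Setting   = ($c.Path -split '\\')[-2] + '\' + $c.Name
        Expected  = $c.Expected
        Actual    = $(if ($null -eq $actual) { 'not set' } else { $actual })
        Compliant = $ok
    }
})

# Level 2 also requires macros to be blocked from making Win32 API calls. With Defender
# that is ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ("Block Win32 API calls from Office macros").
$asrId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$asrOn = $false
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action 1 = Block (0 Disabled, 2 Audit, 6 Warn)
        if ($ids[$i] -ieq $asrId -and $pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $asrOn = $true }
    }
    if (-not $asrOn -and $Remediate) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $asrId -AttackSurfaceReductionRules_Actions Enabled
        $asrOn = $true
    }
}
$findings += [pscustomobject]@{
    Setting   = 'Defender ASR\BlockWin32ApiCallsFromOfficeMacros'
    Expected  = 'Block'
    Actual    = $(if ($asrOn) { 'Block' } else { 'not enforced' })
    Compliant = $asrOn
}

$findings | Format-Table -AutoSize
```

Two caveats for the assessor. These are policy keys, so a user-level preference set through the Trust Center does not count; only the `Policies` hive shows what is enforced. And `vbawarnings = 3` still runs macros signed by a trusted publisher, so the list of trusted publishers on each machine is part of the control and should be reviewed, which Level 3 requires at least annually.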
User application hardening means disabling unnecessary features in applications that interact with the internet: web browsers, PDF viewers, and Microsoft Office. At Level 1 this means browsers do not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, and users cannot change browser security settings. Higher levels add controls such as blocking Office from creating child processes and enabling PowerShell script block logging.
Why it matters: Every feature is a potential attack surface. Reducing features reduces the number of ways an attacker can compromise a system.
Administrative accounts have the keys to the kingdom. Restricting administrative privileges means limiting who has admin access, using separate accounts for admin tasks, and preventing privileged accounts from browsing the internet or reading email.
Why it matters: If an attacker compromises an admin account, they own your network. Restricting privileges limits the blast radius of any breach and makes lateral movement significantly harder.
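Most privilege sprawl is found by listing who is actually in the privileged groups and asking whether each account is a dedicated admin identity or someone’s daily login. The PowerShell below is an added example, not from the original page: it expands the domain’s privileged groups recursively and flags accounts that look like daily-use accounts. It assumes the ActiveDirectory RSAT module, and the naming convention `adm-` for dedicated admin accounts is an assumption you should replace with your own.

```powershell
# Added example, not part of the original page. Lists privileged group members in
# Active Directory and flags accounts that look like daily-use rather than dedicated
# admin accounts. Assumes the ActiveDirectory RSAT module and an 'adm-' naming
# convention (assumed; adjust to yours). Run from a privileged admin workstation.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$adminPrefix = 'adm-'   # assumed naming convention for dedicated admin accounts
$now = Get-Date

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are not missed.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue) {
        if ($member.objectClass -ne 'user') { continue }
        $u = Get-ADUser -Identity $member.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, EmailAddress

        $issues = @()
        if ($u.SamAccountName -notlike "$adminPrefix*")     { $issues += 'not a dedicated admin account (naming convention)' }
        if ($u.EmailAddress)                                 { $issues += 'has a mailbox: privileged accounts must not read email' }
        if ($u.LastLogonDate -lt $now.AddDays(-45))          { $issues += 'no logon in 45+ days: disable or remove' }
        if ($u.PasswordLastSet -lt $now.AddDays(-365))       { $issues += 'password older than a year' }

        [pscustomobject]@{
            Group     = $group
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Issues    = ($issues -join '; ')
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize
```

The mailbox check is the one that usually surprises people. Level 1 already requires that privileged accounts cannot access the internet, email or web services; an admin account with a mailbox is exactly the account a phishing email lands in, and it holds the keys.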
The same logic as patching applications, applied to Windows, macOS, and server and network-device operating systems: 48 hours when the vendor rates a vulnerability critical or a working exploit exists, two weeks or one month otherwise depending on whether the device is internet-facing and on the maturity level, and replacing any operating system the vendor no longer supports.
Why it matters: An unpatched operating system is an open door. The WannaCry ransomware attack exploited a Windows vulnerability that Microsoft had already patched. Organisations that had applied the update were unaffected.
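A patching policy is only as good as the gap between an update’s release and its installation, and that gap can be measured on each machine. The PowerShell below is an added example, not from the original page: it lists the updates Windows Update knows are missing and flags those past the model’s windows, using 48 hours for vendor-rated Critical and an assumed two weeks for the rest. It uses the built-in Windows Update Agent COM API, needs reach to Microsoft Update or your WSUS server, and covers Windows and Microsoft applications only; third-party applications need the vulnerability scanner Level 1 requires.

```powershell
# Added example, not part of the original page. Lists updates Windows Update reports
# as missing on this machine and flags those past the Essential Eight windows:
# 48 hours for vendor-rated Critical, otherwise (assumed here) two weeks.
# Uses the built-in Windows Update Agent COM API; needs reach to Microsoft Update or WSUS.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$now = Get-Date
$missing = @(foreach ($u in $result.Updates) {
    $released  = [datetime]$u.LastDeploymentChangeTime   # when the update was published
    $ageDays   = ($now - $released).TotalDays
    # MsrcSeverity is only set for security updates: Critical, Important, Moderate, Low.
    $limitDays = if ($u.MsrcSeverity -eq 'Critical') { 2 } else { 14 }
    [pscustomobject]@{
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
        Severity = $(if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' })
        AgeDays  = [math]::Round($ageDays, 1)
        Overdue  = $ageDays -gt $limitDays
    }
})

$missing | Sort-Object -Property Overdue, AgeDays -Descending | Format-Table -AutoSize

# Non-zero exit so a monitoring or RMM job can alert on it.
if ($missing | Where-Object Overdue) { exit 1 }
```

The API cannot tell you whether a working exploit exists, which also triggers the 48-hour window; cross-check the Important and Moderate entries against the vendor’s advisories and a known-exploited-vulnerabilities list before deciding they can wait two weeks.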
Multi-factor authentication requires users to provide two or more forms of identification before accessing systems. Typically this means something you know (password) plus something you have (a phone, hardware key, or authenticator app).
Why it matters: Passwords alone are not enough. Credential theft through phishing, brute-force attacks, and credential stuffing is one of the most common attack methods. MFA stops the vast majority of these attacks dead. Microsoft’s own data shows that MFA blocks over 99.9% of automated credential attacks.
Regular backups mean maintaining copies of important data, software, and configuration settings. Backups must be tested, stored separately from your production environment, and protected from modification or deletion, including by accounts with admin access.
Why it matters: When everything else fails, backups are your last line of defence. Ransomware specifically targets backup systems to maximise pressure on victims to pay. If your backups are solid and tested, ransomware becomes an inconvenience rather than an existential threat.
The Essential 8 uses a maturity model with four levels. Each level builds on the one below it, with progressively stricter requirements for each control.
| Level | Description | Threat protection |
|---|---|---|
| Level 0 | Minimally aligned. Significant weaknesses exist. | Vulnerable to common, opportunistic attacks |
| Level 1 | Partly aligned. Basic protections in place. | Protects against commodity tools and techniques used by opportunistic attackers |
| Level 2 | Mostly aligned. Strong security posture. | Protects against attackers willing to invest more time targeting your specific organisation |
| Level 3 | Fully aligned. Comprehensive defence. | Protects against advanced adversaries using sophisticated tools and techniques |
A critical point that many organisations miss: your overall maturity level is determined by your lowest score across all eight controls. If you are at Level 2 for seven controls but Level 0 for application control, your overall maturity is Level 0. Attackers do not avoid your weakest point. They target it.
The most recent update to the maturity model (November 2023) tightened several requirements: patching now prioritises vulnerabilities the vendor rates critical or that have working exploits, Maturity Level 2 and above require phishing-resistant MFA, and the rules around internet access for privileged accounts, credential management, and hardening of administrative infrastructure were strengthened. Organisations that assessed themselves against an older version of the model should reassess against the current requirements.
The right maturity level depends on your risk profile, industry, and who you do business with. Here is a practical guide:
| Business profile | Recommended level | Rationale |
|---|---|---|
| Small business (under 20 staff), low-sensitivity data | Level 1 | Defends against opportunistic attacks. Most common threats for small businesses. |
| SMB (20-200 staff), client data, professional services | Level 2 | Expected by insurers and clients. Defends against targeted attacks. |
| Government supplier or contractor | Level 2 minimum | Required by most government procurement frameworks. |
| Critical infrastructure, healthcare, financial services | Level 2-3 | Regulatory expectations and high-value target profile. |
| Defence supply chain | Level 3 | Required under DISP and related frameworks. |
Most Perth SMBs we work with should be targeting Maturity Level 2. It provides meaningful protection against realistic threats without requiring the level of investment that Level 3 demands. Level 1 is a reasonable starting point, but it should be treated as a stepping stone, not a destination.
Implementation is not a single project. It is a cycle of assessment, remediation, and continuous monitoring. Here is the practical approach we use with our Essential 8 compliance clients.
The biggest mistake organisations make is treating Essential 8 as a one-time project. The threat landscape changes. Your environment changes. Your maturity level will drift if you do not actively maintain it.
After working with dozens of organisations on Essential 8 compliance, we see the same mistakes repeatedly.
Treating it as a checkbox exercise. Some organisations implement controls on paper without testing them in practice. Having a patching policy is not the same as actually patching within the required timeframes. Assessors and attackers both test real configurations, not documentation.
Ignoring the weakest control. Your overall maturity is only as strong as your weakest control. Organisations often invest heavily in the controls they find easiest (like backups) while neglecting harder ones (like application control). This does not improve your maturity level.
Not covering the full environment. The Essential 8 applies to your entire environment, including cloud services, remote workers, and third-party integrations. An organisation that achieves Level 2 for on-premise systems but ignores cloud workloads has not achieved Level 2.
Using weak MFA. SMS codes are better than no MFA, but they fall to SIM swapping and to phishing proxies that relay the code to the real site in real time. The same relay attack defeats authenticator-app codes and push prompts, number matching included; number matching stops push-fatigue attacks, not phishing. Since the November 2023 update, Maturity Level 2 and above require phishing-resistant MFA: FIDO2 security keys, passkeys, smart cards, or Windows Hello for Business, where the credential is bound to the genuine site so a lookalike login page cannot capture it. If your organisation still relies on SMS codes or push approvals, that needs to change.
No testing of backups. We regularly encounter organisations that have backup systems running but have never tested a full restore. The backup only matters if it works when you need it. Test quarterly at minimum.
Going it alone without expertise. The Essential 8 is conceptually straightforward but technically complex to implement correctly, especially across a Microsoft 365 environment. Misconfigurations can create a false sense of security or disrupt business operations. Working with an experienced managed IT provider significantly reduces risk and accelerates the timeline.
The Essential 8 does not exist in isolation. It maps to and complements several other frameworks Australian businesses encounter.
| Framework | Relationship to Essential 8 |
|---|---|
| SMB1001 | The SMB1001 certification framework includes Essential 8 controls within its Bronze, Silver, and Gold tiers. Achieving Essential 8 compliance directly supports SMB1001 certification. |
| ISO 27001 | The international information security standard. Essential 8 controls map to specific ISO 27001 objectives, particularly around access control, operations security, and asset management. Implementing the Essential 8 builds a strong foundation for ISO 27001 certification. |
| NIST Cybersecurity Framework | The US framework used globally. Essential 8 controls align with NIST’s Identify, Protect, and Recover functions. Organisations working with international partners may need to demonstrate alignment with both. |
| Further Five | The ASD’s additional five mitigation strategies that extend beyond the Essential 8. For organisations that have achieved Essential 8 Maturity Level 3, the Further Five provides the next level of protection. |
| CPS 234 | APRA’s prudential standard for information security in financial services. Essential 8 alignment supports CPS 234 compliance, particularly around information asset management and systematic control testing. |
The practical takeaway: if you implement the Essential 8 properly, you are building a security foundation that supports compliance with most frameworks Australian businesses encounter. It is not the only thing you need, but it is the right place to start.
Get a baseline assessment. You cannot improve what you have not measured. A proper Essential 8 assessment maps your current maturity across all eight controls and identifies the specific gaps that need addressing. This is the single most valuable first step.
Prioritise MFA and patching. If you have not already deployed phishing-resistant MFA across all user accounts and established a patching cadence that addresses critical vulnerabilities within 48 hours, start there. These two controls provide the most protection for the least disruption and are the foundation everything else builds on.
Build a 90-day plan. Do not try to achieve full compliance in a single sprint. Map out the quick wins you can deliver in 90 days, then build a 12-month roadmap for the structural changes. This is how sustainable compliance works, not as a one-time project but as an ongoing programme.
Talk to a specialist. The Essential 8 is straightforward in concept but complex in execution, particularly across Microsoft 365 environments, hybrid infrastructure, and multi-site operations. Our team has helped organisations across Perth achieve and maintain Essential 8 compliance at every maturity level. A free IT assessment is the fastest way to understand where your organisation stands and what it will take to get where you need to be.
The Essential 8 is mandatory for non-corporate Commonwealth entities under the PSPF. For private businesses, it is technically voluntary but increasingly expected by cyber insurers, government procurement processes, and clients conducting due diligence. Most Perth businesses handling sensitive data should treat it as a practical requirement.
Timeframes depend on your starting point, environment complexity, and target maturity level. A small business moving from Level 0 to Level 1 can typically achieve compliance within 3 to 6 months. Reaching Level 2 for a mid-sized organisation usually takes 6 to 12 months with the right support.
Costs vary significantly based on your current environment, target maturity level, and whether you have in-house expertise. For most Perth SMBs, the investment ranges from improving existing Microsoft 365 configurations (relatively low cost) to deploying new tools like application control and privileged access management (moderate investment). An assessment gives you a clear picture of the specific costs for your organisation.
The Essential 8 is a technical framework focused on eight specific mitigation strategies. SMB1001 is a broader cybersecurity certification framework designed for small and medium businesses that incorporates Essential 8 controls within its tiered certification levels. Many organisations pursue both: the Essential 8 for technical compliance and SMB1001 for formal certification they can demonstrate to clients.
Technically yes, but it is significantly harder without specialist expertise. The Essential 8 requires deep knowledge of Microsoft 365 configuration, endpoint management, network architecture, and security tooling. Most SMBs do not have this expertise in-house. Working with an experienced managed IT provider like Epic IT reduces risk, accelerates the timeline, and ensures controls are implemented correctly the first time.
An assessment is not a pass/fail exam. It identifies your current maturity level for each control and highlights specific gaps. The output is a remediation roadmap, not a penalty. Organisations at every maturity level have a clear path forward. The goal is continuous improvement, not perfection on day one.