The Australian Government’s baseline cybersecurity strategy. Eight mitigation controls. Three maturity levels. Epic IT implements and manages the full programme.
Prevent attacks, limit impact, and recover data
Progressive uplift from ML1 through ML3
Published by the Australian Signals Directorate (ASD)
Required for all Commonwealth entities under PSPF
The Essential Eight is a cybersecurity framework published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It defines eight mitigation strategies that address the most common methods attackers use to compromise systems – from unpatched software and stolen credentials to ransomware and data exfiltration.
The strategies are organised around three objectives: prevent cyber attacks from executing, limit the extent of attacks that do succeed, and recover data and systems when an incident occurs. Together, they form the minimum baseline the Australian Government recommends for every organisation connected to Australian networks. For a practical walkthrough of each control, read our Essential 8 compliance guide.
Unlike broad governance frameworks, the Essential Eight is prescriptive and technical. Each control has clearly defined requirements at each maturity level, making it measurable, auditable, and directly tied to real-world threat mitigation. Maturity Level 2 is mandatory for all non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF).

The eight strategies are grouped by their defensive objective. Every strategy must be implemented at the same maturity level to avoid weakest-link exposure, since an attacker only needs one control to lag behind the others.
Application control: only approved applications are allowed to execute on workstations and servers. This prevents malware, ransomware, and unauthorised software from running – even if a user downloads it. At higher maturity levels, application control extends to all user-accessible locations including temporary folders, USB drives, and network shares.
Patch applications: security vulnerabilities in applications – browsers, PDF readers, Microsoft Office, Java – are patched or mitigated within defined timeframes. At Maturity Level 1, patches for internet-facing applications are applied within two weeks. At ML2 and ML3, the window tightens to 48 hours for critical vulnerabilities, and vulnerability scanners are used to verify compliance.
Configure Microsoft Office macro settings: Microsoft Office macros are a common delivery mechanism for malware. This control blocks macros in files downloaded from the internet and limits macro use to vetted, trusted sources. At higher maturity levels, macros are blocked entirely for users who do not have a demonstrated business requirement.
User application hardening: web browsers and email clients are configured to block known attack vectors – Flash, Java, and web advertisements are disabled, and browsers are hardened against scripting-based exploits. At ML2 and ML3, PowerShell is constrained to reduce its use as an attacker tool, and .NET frameworks are restricted to approved versions only.
Restrict administrative privileges: administrative accounts are limited to those who need them, and privileged access is tightly controlled. Users do not perform daily work with admin credentials. At higher maturity levels, privileged accounts are further segmented, just-in-time access is enforced, and all admin activity is logged and monitored for anomalous behaviour.
Patch operating systems: security vulnerabilities in operating systems are patched within defined timeframes. Unsupported operating systems – those no longer receiving vendor patches – are replaced. At ML2 and ML3, critical OS patches must be applied within 48 hours, and vulnerability scanners confirm that patches have been successfully deployed across the environment.
Multi-factor authentication: MFA is enforced for all users accessing internet-facing services, remote access, and privileged accounts. At higher maturity levels, phishing-resistant MFA methods are required – such as hardware security keys or certificate-based authentication – rather than SMS or app-based codes alone.
Regular backups: critical data, configurations, and system images are backed up regularly and stored securely – separate from production systems and protected from ransomware encryption. At higher maturity levels, backups are tested for recoverability, retention periods are defined, and backup access is restricted to break-glass accounts only.
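The two patching controls above (applications and operating systems) are measurable because each maturity level fixes a deadline. The following is an added example, not part of this page or any ASD tooling, that classifies patch records against those windows: it uses the two-week ML1 window and the 48-hour critical window at ML2/ML3 stated above, assumes a 14-day window for non-critical fixes at ML2/ML3, and uses constructed asset names and vulnerability identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Patching windows per maturity level. The 14-day ML1 window and the 48-hour
# critical window at ML2/ML3 are the figures given on this page; the 14-day
# non-critical window at ML2/ML3 is an assumption made for this example.
WINDOWS = {
    1: {"critical": timedelta(days=14), "other": timedelta(days=14)},
    2: {"critical": timedelta(hours=48), "other": timedelta(days=14)},
    3: {"critical": timedelta(hours=48), "other": timedelta(days=14)},
}

@dataclass
class PatchRecord:
    asset: str
    vuln_id: str                   # constructed identifier, not a real CVE
    critical: bool
    published: datetime            # when the vendor released the fix
    patched: Optional[datetime]    # None means the fix is not yet deployed
    vendor_supported: bool = True  # False models an unsupported OS or app

def evaluate(rec: PatchRecord, level: int, now: datetime) -> str:
    """Classify one record against the window for the given maturity level."""
    if not rec.vendor_supported:
        return "REPLACE"  # no patch will ever arrive: the system must be replaced
    window = WINDOWS[level]["critical" if rec.critical else "other"]
    deadline = rec.published + window
    if rec.patched is None:
        return "OPEN" if now <= deadline else "OVERDUE"
    return "COMPLIANT" if rec.patched <= deadline else "OVERDUE"

def assess(records, level: int, now: datetime) -> Dict[Tuple[str, str], str]:
    """Map (asset, vuln_id) to its status; OVERDUE entries are the audit findings."""
    return {(r.asset, r.vuln_id): evaluate(r, level, now) for r in records}

# Constructed sample data: fixes released 1 June, assessed three days later.
T0 = datetime(2024, 6, 1)
NOW = T0 + timedelta(days=3)
SAMPLE = [
    PatchRecord("web-proxy-01", "VULN-EXAMPLE-1", True, T0, T0 + timedelta(days=5)),
    PatchRecord("mail-gw-02", "VULN-EXAMPLE-2", False, T0, None),
    PatchRecord("legacy-srv-03", "VULN-EXAMPLE-3", True, T0, None, vendor_supported=False),
]

def demo(level: int) -> Dict[Tuple[str, str], str]:
    """Assess the constructed sample at one maturity level."""
    return assess(SAMPLE, level, NOW)

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"ML{lvl}:", demo(lvl))
```

Note that the same five-day deployment passes at ML1 and fails at ML2, which is exactly the weakest-link effect the page warns about when controls sit at different levels.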
Maturity is assessed across all eight strategies simultaneously. ASD recommends targeting the same level across every control – progressing sequentially from ML1 through ML3.
Maturity Level 1 (ML1) defends against opportunistic attackers using widely available tools and techniques – commodity malware, phishing campaigns, and known exploits. Controls are in place but may be inconsistently applied or manually managed. A practical starting point for most Perth SMBs.
Maturity Level 2 (ML2) defends against more capable attackers who invest time in targeting specific organisations. Controls are repeatable, monitored, and enforced with shorter patching windows and stronger authentication. This is the minimum standard for Commonwealth entities and is increasingly expected by cyber insurers. Our Essential Eight ML2 guide breaks down what this looks like in practice.
Maturity Level 3 (ML3) defends against highly skilled adversaries using advanced tradecraft – including zero-day exploits, custom tooling, and supply chain compromise. Controls are proactive, automated, and continuously verified. It is typically pursued by organisations handling classified data, critical infrastructure, or high-value intellectual property.
We are often asked how the Essential Eight compares to SMB1001. The short answer: they are complementary, not competing.
SMB1001 is a five-tier cybersecurity certification developed by Dynamic Standards International – it covers similar technical ground but adds governance, policies, training, and formal certification. It also provides a gentler on-ramp through its Bronze and Silver tiers, making it accessible for businesses that are not ready for the full scope of Essential Eight from day one.
For most Perth SMBs, the practical path is: start with SMB1001 to build your security foundation and earn a recognised certification, then progress into Essential Eight compliance when your business requires it – whether driven by government contracts, regulatory obligations, or enterprise client expectations. We also offer Essential Eight plus Further Five for businesses that need the highest level of protection.

We do not just advise on the Essential Eight – we implement and manage it as part of our managed cybersecurity services, working alongside our managed IT services to protect your entire environment.
The Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). The strategies are designed to prevent cyber attacks, limit the impact of attacks that succeed, and ensure data can be recovered. It is the Australian Government’s recommended baseline for cybersecurity across all organisations.
Maturity Level 2 is mandatory for all non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). While not legally required for private businesses, the Essential Eight is increasingly expected by government agencies engaging contractors, by cyber insurers during underwriting, and by enterprise clients assessing supply chain risk. Adopting the framework significantly reduces your exposure to common cyber threats regardless of any mandate.
The Essential Eight maturity model defines four levels. Maturity Level Zero means controls are not aligned with the strategy. Maturity Level 1 means controls are partly aligned – defending against opportunistic attackers. Maturity Level 2 means controls are mostly aligned – defending against more targeted attacks. Maturity Level 3 means controls are fully aligned – defending against advanced adversaries using sophisticated tradecraft. ASD recommends applying the same maturity level across all eight strategies.
Most Perth SMBs should aim for Maturity Level 1 as a starting point and progress to Maturity Level 2 over time. ML2 is increasingly the baseline expectation for cyber insurance renewals and government contract eligibility. Businesses handling sensitive data, operating in regulated industries, or working with government agencies should plan for ML2 as the minimum target. Epic IT will assess your risk profile and recommend the right level.
Reaching Maturity Level 1 typically takes two to four months depending on your starting posture, environment complexity, and the number of controls that need implementing. Maturity Level 2 usually requires six to twelve months of sustained effort including policy development, technical enforcement, and evidence collection. Epic IT manages the full process to minimise disruption to your operations.
The Essential Eight focuses on eight prescriptive technical controls published by ASD. SMB1001 is a five-tier certification framework developed by Dynamic Standards International that covers similar technical ground but adds governance, policies, staff training, and formal certification. SMB1001 provides a staged entry point through its Bronze and Silver tiers, while Essential Eight requires all eight strategies from Maturity Level 1. Many businesses start with SMB1001 and progress to Essential Eight when their risk profile or contractual obligations require it.