What Is the Essential Eight?
The Essential Eight is Australia’s gold-standard cyber security framework, created by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It’s a set of eight fundamental security strategies designed to protect organisations from cyber attacks, particularly those targeting sensitive data and critical infrastructure.
The framework has become the baseline for cyber security in Australia. Government agencies require it. Major companies demand it from their suppliers. And Australian regulators increasingly reference it when assessing security compliance. But despite its importance, many business owners and IT managers don’t fully understand what it means or how to implement it.
Here’s what makes the Essential Eight so important: ASD research shows that implementing the Essential Eight mitigates 85% of targeted cyber intrusions. That’s not just a helpful recommendation—it’s a statistic showing that if you get these eight things right, you’ve eliminated most of the cyber threats your business will face.
This guide explains each strategy in plain language, shows you how to assess your current security posture, and outlines what it takes to get compliant. Whether you’re a government contractor required to implement Essential Eight, a business in a regulated industry, or simply an organisation that wants to take cyber security seriously, this framework is your roadmap.
The Eight Strategies Explained
The Essential Eight is built on eight core security strategies. Each one addresses a specific type of cyber threat. Together, they create layers of protection that make it very difficult for attackers to succeed. Let’s look at each one.
1. Application Control
Application control means you decide which programs can run on your computers, and which ones cannot. Instead of blocking known bad applications, you allow only known good ones. This stops malware, unauthorised software, and malicious code from executing—even if it somehow gets onto your network.
Without application control, employees can install anything. An attacker sends a dodgy file. Someone clicks it. The malware runs. Your data walks out the door. With application control in place, that file can’t execute, no matter who runs it or how they try.
Application control requires planning—you need to know what software your business needs—but it’s one of the most effective defences against malware. Most modern organisations find it challenging to implement without expert help, because legitimate business applications are constantly changing and updating.
For detailed guidance on implementing application control across your organisation, read our full guide: Application Control: The Ultimate Defence Against Malware
2. Patching Applications
Software vendors constantly release patches and updates. These fixes address security vulnerabilities that attackers can exploit. Patching applications means systematically keeping all your software current with the latest security updates. It’s straightforward in theory, but complicated in practice because some patches break other things, and organisations often run thousands of different applications.
Here’s what happens without patching: attackers discover a vulnerability in software your organisation uses. These may be publicly known vulnerabilities (which everyone, including attackers, knows about) or zero-day exploits (vulnerabilities nobody knew about until someone started using them). Either way, an unpatched system is vulnerable. Many of the biggest recent breaches exploited known vulnerabilities that organisations simply hadn’t patched yet.
Patching applications is a hygiene task—it’s boring, it needs doing regularly, and the moment you stop doing it, you’re vulnerable again. It’s also one of the Essential Eight strategies where businesses most often fall behind.
For a comprehensive look at how to build a robust patching strategy, see: Patching Applications: The Non-Negotiable Security Practice
3. Restricting Administrative Privileges
Most employees don’t need administrator access to do their jobs. Administrator (or “admin”) privileges allow someone to install software, change security settings, access sensitive files, and make system-wide changes. When everyone has admin access, one compromised employee account gives an attacker full control of the system.
Restricting administrative privileges means only giving admin access to people who genuinely need it—typically IT staff—and having everyone else work with standard user accounts. This limits what an attacker can do if they compromise a regular employee’s account. Yes, it creates friction. Yes, it means employees need to ask IT to install software. That inconvenience is exactly what makes it effective.
Many organisations resist this strategy because they think it makes users unhappy or slows down work. The security benefit far outweighs the minor inconvenience, and users quickly adapt. If your alternative is a ransomware attack that shuts down your entire business, the inconvenience looks pretty minor.
Learn more about implementing admin privilege restrictions effectively: Restricting Administrative Privileges: The Principle of Least Privilege
4. Data Offsite Backups and the 3-2-1-1-0 Rule
Ransomware attacks encrypt your data and demand payment to unlock it. The only reliable defence is backups—copies of your data stored somewhere an attacker can’t reach. Data backups must be automated, frequent, tested regularly, and kept in multiple locations. If you can’t restore your data within hours of an attack, you’re at the attacker’s mercy.
The Essential Eight specifies a particular backup strategy known as the 3-2-1-1-0 rule. This means: 3 copies of your data (original plus two backups), 2 different storage types (for example, disk and cloud), 1 offline copy (disconnected from your network), 1 in a different geographic location, and 0 errors when you restore from backup. If any one of these fails, your backups won’t protect you when you need them.
Without proper backups, a ransomware attack becomes a catastrophe. With them, it becomes an inconvenience. Many organisations back up data regularly but never test whether they can actually restore it. That’s like buying fire insurance and never checking whether the policy is actually valid.
For a detailed explanation of backup strategies and the 3-2-1-1-0 rule, read: The 3-2-1-1-0 Backup Rule: Ransomware-Proof Data Protection
5. Multi-Factor Authentication (MFA)
Multi-factor authentication means proving who you are in more than one way before you can access a system. Usually that’s something you know (a password) plus something you have (a phone, security key, or authenticator app). An attacker might steal your password, but they can’t access your systems unless they also have your phone or security key.
Without MFA, stolen passwords are catastrophic. An attacker needs your email address and password—both available on the dark web for hundreds of thousands of people—and they’re in. With MFA, a stolen password is almost useless. This is particularly important for high-value accounts like email administrators, cloud administrators, and anyone with access to financial systems or sensitive data.
MFA is considered a critical security practice globally, not just in Australia. Most major breaches involve compromised credentials. MFA doesn’t prevent compromised credentials, but it makes them far less useful to an attacker. The inconvenience of entering an extra code or confirming access on your phone is negligible compared to the security benefit.
6. Endpoint Detection and Response (EDR)
Endpoint Detection and Response is a category of security software that watches what’s happening on computers and servers—your “endpoints.” It looks for suspicious behaviour that suggests an attacker is present, such as unusual network connections, strange file activity, or attempts to exploit security vulnerabilities. When it detects something suspicious, it can automatically respond by isolating that computer, stopping the suspicious process, or alerting your security team.
Without EDR, you’re flying blind. An attacker might be on your network, stealing data or planting malware, and you wouldn’t know until weeks later. With EDR, you get visibility into what’s actually happening on your systems and the ability to respond before attackers cause serious damage.
EDR is increasingly table stakes for organisations of any size. It’s particularly important for businesses that can’t afford a dedicated security team, because EDR provides automated threat detection and response that smaller teams can’t achieve manually. The cost of EDR has also come down significantly, making it accessible even for small to medium businesses.
7. Event Logging and Audit Trails
Event logging means recording everything of security significance that happens on your systems—successful and failed login attempts, file access, privilege changes, security software alerts, and so on. These logs create an audit trail that lets you investigate what happened if a breach occurs, and they help you detect suspicious activity in progress.
Without event logging, you have no forensic trail. If you suffer a breach, you won’t know how the attacker got in, what they accessed, or how long they were there. With comprehensive logging and auditing, you can trace the entire attack chain and understand what needs to be fixed to prevent recurrence.
Event logging also serves a compliance purpose. Regulators, auditors, and customers often require proof of what happened on your systems. Event logs provide that proof. The challenge with logging is volume—modern systems generate enormous quantities of logs. You need tools and processes to make sense of them, typically using a security information and event management (SIEM) system or equivalent.
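The value of the login and privilege-change events described above only appears once something reads them. Here is an added example (not from the original article) of simple detection logic run over constructed sample log lines in an assumed “timestamp user event source” format: it flags a burst of failed logins followed by a success, and escalates if that account then changes privileges shortly afterwards.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in an assumed
# "<ISO timestamp> <user> <event> <source IP>" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice LOGIN_FAIL 10.0.0.5
2024-05-01T09:00:03 alice LOGIN_FAIL 10.0.0.5
2024-05-01T09:00:05 alice LOGIN_FAIL 10.0.0.5
2024-05-01T09:00:07 alice LOGIN_FAIL 10.0.0.5
2024-05-01T09:00:09 alice LOGIN_FAIL 10.0.0.5
2024-05-01T09:00:12 alice LOGIN_OK 10.0.0.5
2024-05-01T09:01:00 alice PRIV_CHANGE 10.0.0.5
2024-05-01T09:05:00 bob LOGIN_FAIL 10.0.0.9
2024-05-01T09:30:00 bob LOGIN_OK 10.0.0.9
2024-05-01T10:00:00 carol PRIV_CHANGE 10.0.0.7
"""

FAIL_THRESHOLD = 5              # failures inside WINDOW before a success is suspicious
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn raw lines into (timestamp, user, event, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src = line.split()
        events.append((datetime.fromisoformat(ts), user, event, src))
    return sorted(events)


def detect(events):
    """Return alerts as (rule, user, source, timestamp) tuples.

    Rule 1: at least FAIL_THRESHOLD failed logins for a user inside WINDOW,
            then a successful login (password guessing that eventually worked).
    Rule 2: a privilege change by that same user within WINDOW of the
            flagged login, which is worth escalating rather than just recording.
    """
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of recent failures
    suspicious_login = {}          # user -> timestamp of the flagged success
    for ts, user, event, src in events:
        if event == "LOGIN_FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
        elif event == "LOGIN_OK":
            recent = [t for t in fails[user] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_success", user, src, ts))
                suspicious_login[user] = ts
            fails[user] = []        # a success resets the failure streak
        elif event == "PRIV_CHANGE":
            flagged = suspicious_login.get(user)
            if flagged is not None and ts - flagged <= WINDOW:
                alerts.append(("priv_change_after_suspicious_login", user, src, ts))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))
```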
8. Regular Backup Restoration Testing
This strategy is simple in concept but often neglected in practice: regularly test that you can actually restore your backups. Many organisations discover during a crisis that their backups are corrupted, incomplete, or incompatible with their current systems. That discovery comes too late to help.
Without regular testing, backups give a false sense of security. You’re paying for backups that might not work. With regular testing, you know your recovery process works, you’ve identified problems before you need to recover, and your team has practised restoring systems so they can do it quickly and correctly when the pressure is on.
Testing should be frequent and thorough—not just confirming that a backup file exists, but actually restoring data and verifying it’s correct and usable. Many organisations test quarterly; some test monthly. The frequency depends on how quickly your business needs to recover from an attack.
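The 3-2-1-1-0 rule from strategy 4 and the restoration testing in this strategy are two halves of one check, so here is one added example (not from the original article) covering both: it scores a backup inventory against the five conditions as the article states them, and counts restore errors by comparing a restored file set against a checksum manifest of the source. The inventory fields and the sample files are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Copy:
    """One copy of the data. Field layout is an assumption for this example."""
    name: str
    media: str          # storage type, e.g. "disk", "tape", "cloud"
    offline: bool       # disconnected from the network
    location: str       # site or region
    is_original: bool = False


def manifest(files):
    """Map each path to the SHA-256 of its content; store this alongside the backup."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def restore_errors(source_manifest, restored_files):
    """Count files missing from, or altered in, a restored set versus the manifest."""
    errors = 0
    for path, expected in source_manifest.items():
        data = restored_files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            errors += 1
    return errors


def check_3_2_1_1_0(copies, errors):
    """Return each rule as True/False; the backup strategy passes only if all five hold."""
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    primary_site = originals[0].location if originals else None
    return {
        "3_copies": len(copies) >= 3,
        "2_storage_types": len({c.media for c in copies}) >= 2,
        "1_offline": any(c.offline for c in backups),
        "1_offsite": any(c.location != primary_site for c in backups),
        "0_restore_errors": errors == 0,
    }


def evaluate(copies, source_files, restored_files):
    """Run a restore test and the rule check together; returns (per-rule results, passed)."""
    result = check_3_2_1_1_0(copies, restore_errors(manifest(source_files), restored_files))
    return result, all(result.values())


# Constructed sample data (not real systems or files).
SOURCE = {"db.sql": b"INSERT INTO t VALUES (1);", "config.yml": b"key: value\n"}
GOOD_RESTORE = dict(SOURCE)
BAD_RESTORE = {"db.sql": b"INSERT INTO t VALUES (2);"}   # db.sql altered, config.yml missing

GOOD_INVENTORY = [
    Copy("prod", "disk", False, "sydney", is_original=True),
    Copy("nas", "disk", False, "sydney"),
    Copy("tape", "tape", True, "melbourne"),
]
# Three copies, but all on disk and all in one building: a very common weak setup.
WEAK_INVENTORY = [
    Copy("prod", "disk", False, "sydney", is_original=True),
    Copy("nas", "disk", False, "sydney"),
    Copy("usb", "disk", True, "sydney"),
]
```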
Understanding Essential Eight Maturity Levels
The Essential Eight framework doesn’t have a single on/off switch. Instead, it defines four maturity levels (ML0 through ML3) that describe how comprehensively you’ve implemented each strategy. Understanding these levels helps you assess your current position and plan a realistic improvement path.
Maturity Level 0 (ML0): Ad Hoc or Not Implemented
At ML0, you haven’t really implemented a strategy, or you’ve done so only in an ad hoc, inconsistent way. For example, ML0 for application control might mean you’ve told some teams to install only approved software, but you have no technical controls in place and people regularly install whatever they want.
Most small businesses and many medium businesses start at ML0 for most strategies. This isn’t a judgement—it reflects the fact that effective security requires resources, planning, and expertise that smaller organisations often lack. However, ML0 leaves you vulnerable to the vast majority of cyber attacks.
Maturity Level 1 (ML1): Repeatable
At ML1, you’ve started to implement a strategy systematically, but not comprehensively. For example, ML1 for patching might mean you have a process to patch servers regularly, but client computers are patched inconsistently and you have no process for third-party applications.
ML1 indicates you’ve made a commitment to that strategy and have basic processes in place. You’ve moved from “we don’t really do this” to “we’re trying to do this consistently, but we’re not there yet.”
Maturity Level 2 (ML2): Defined and Managed
At ML2, you’ve comprehensively implemented a strategy across your entire organisation, and you’re actively managing it. You have written procedures, your team follows them consistently, you have evidence that procedures are being followed, and you review and update them regularly.
Most small to medium businesses should be targeting ML2 for the Essential Eight. At this level, you’ve implemented all eight strategies to a solid standard. You’ve significantly reduced your cyber risk. You meet the compliance requirements of most government and corporate customers. ML2 is achievable for organisations of any size, though the cost and effort required increase with organisational complexity.
Maturity Level 3 (ML3): Optimised and Automated
At ML3, you’ve implemented a strategy at the highest level, with automated monitoring, continuous improvement, and rapid response. You have data on how well the strategy is working, you’re actively looking for ways to improve it, and your organisation has invested in sophisticated tools and processes.
ML3 requires substantial resources and is typically necessary only for large organisations, critical infrastructure operators, and entities handling highly sensitive data. For most Australian businesses, ML2 is the realistic and appropriate target.
For a detailed assessment of which maturity level is right for your organisation, read: Essential Eight Maturity Levels: How to Assess Your Organisation
Who Needs Essential Eight Compliance?
Essential Eight compliance is mandatory for some organisations and strongly recommended for others.
Mandatory Requirements
Government contractors and suppliers: If you win government contracts, Essential Eight compliance is non-negotiable. Whole-of-government procurement policies require government contractors to implement the Essential Eight. This includes direct contractors and many supply chain participants.
Organisations in regulated industries: If you operate in banking, finance, health, energy, telecommunications, or critical infrastructure, regulators increasingly reference Essential Eight in their security requirements.
Public sector organisations: All Australian Government agencies are required to implement the Essential Eight to protect their information and systems. This is a top-down mandate from the Australian Government Information Security Manual (ISM).
Strongly Recommended
Organisations handling sensitive data: If your business holds customer information, financial data, personal information, or intellectual property, Essential Eight compliance protects you and your customers.
Supply chain participants: If your major customers have Essential Eight requirements, they’ll expect you to comply too. Supply chain security is increasingly important—large organisations are pushing security requirements down to their suppliers.
Any business concerned about cyber risk: Essential Eight isn’t just for government contractors or regulated industries. It’s the baseline for anyone who takes cyber security seriously.
Connection to Australian Privacy Act: The Australian Privacy Act requires organisations to take “reasonable steps” to protect personal information. Regulators increasingly argue that “reasonable steps” includes implementing frameworks like the Essential Eight. For more on the privacy landscape, read: Australian Privacy Act for SMBs: What You Need to Know
What Does Essential Eight Compliance Cost?
Cost is often the first question organisations ask about Essential Eight compliance. The honest answer is: it depends significantly on your starting point, your organisation’s size, and your complexity. But here are some realistic ranges.
By Business Size
Micro businesses (1-10 people): If you’re starting from scratch, expect $3,000-$8,000 for initial assessment, planning, and implementation support. Ongoing costs are lower—perhaps $500-$1,500 annually for software, licensing, and monitoring.
Small businesses (11-50 people): Initial compliance costs are typically $8,000-$25,000. Larger organisations have more systems to secure, more users to manage, and greater complexity. Annual ongoing costs might be $2,000-$5,000.
Medium businesses (51-250 people): Initial costs typically range from $25,000-$100,000+. You’re probably implementing sophisticated tools, potentially replacing existing security infrastructure, and managing significant organisational change. Ongoing costs might be $5,000-$20,000 annually.
Large organisations: Costs vary dramatically based on your existing security infrastructure and your industry. A large organisation might spend hundreds of thousands of dollars on Essential Eight implementation.
Where the Money Goes
Most of the cost goes to three areas: software and tools (licenses, cloud services, EDR software, logging platforms); professional services (assessment, planning, implementation support, training); and people time (your team implementing changes, managing rollout, testing).
Many organisations find the biggest barrier isn’t cost, but the effort required. Compliance takes time and focus. It requires planning and coordination across the organisation. It often means changing how people work. The financial investment is just one part of the equation.
For detailed analysis of compliance costs and budgeting, read: Essential Eight Compliance Cost: Budget Planning for Your Organisation
How to Get Started With Essential Eight
The path to Essential Eight compliance follows a standard sequence. You don’t need to do everything at once, but you do need a clear plan.
Step 1: Get an Independent Assessment
The first step is understanding where you currently stand. What maturity level have you reached for each of the eight strategies? What’s working well? What are the biggest gaps? An independent assessment by someone who understands the Essential Eight framework gives you that baseline.
Step 2: Develop a Gap Analysis and Remediation Roadmap
Once you know where you are, you need to know where you’re going and how you’ll get there. A gap analysis identifies specific gaps between your current state and your target maturity level (typically ML2 for most organisations). A remediation roadmap prioritises which gaps to address first and outlines what it will take to close them.
Step 3: Implement Security Changes
With a roadmap in place, you begin implementing. This might mean deploying new software, changing processes, updating policies, training staff, and testing changes to ensure they work. It’s often helpful to have external support during this phase—someone who has done this many times before can help you avoid expensive mistakes and move faster.
Step 4: Verify Implementation and Obtain Certification
Once changes are implemented, you need to verify they’re working and document evidence of compliance. If you need formal certification (for government contracts or customer requirements), an external assessor will verify your maturity level against the framework.
Step 5: Implement Ongoing Management and Continuous Improvement
Essential Eight compliance isn’t a destination—it’s an ongoing practice. Systems change. Threats evolve. Your team learns what works and what doesn’t. You need processes to continuously monitor that your security measures are working, update them as needed, and keep up with new threats.
For comprehensive guidance on planning and implementing your compliance program, visit our services page: TechAssist Essential Eight Compliance Program
Ready to discuss your organisation’s specific situation? Contact us for a confidential conversation about your Essential Eight roadmap.
Need Professional Help with Essential Eight?
TechAssist provides end-to-end Essential Eight compliance services for Australian SMEs. From initial assessment and gap analysis to full implementation and ongoing managed compliance — we handle the technical work so your team can focus on running the business.
Our service covers all eight mitigation strategies, maturity level assessments, remediation roadmaps, and continuous compliance management.
Frequently Asked Questions
Is the Essential Eight mandatory in Australia?
Essential Eight compliance is mandatory for Australian Government agencies and government contractors. It’s strongly recommended for all organisations as best practice cyber security. For organisations in regulated industries (finance, health, energy, critical infrastructure), regulators increasingly expect Essential Eight or equivalent frameworks. For other organisations, it’s not technically mandatory, but it’s the ASD’s official recommendation for protecting against targeted cyber intrusions, and it’s increasingly becoming a requirement for government and corporate customers.
How long does Essential Eight compliance take?
This depends on your starting point and target maturity level. For a small business starting from ML0 and targeting ML2, expect 3-6 months from assessment through full implementation. For a medium-sized organisation, 6-12 months is more realistic. Some of this happens in parallel—while you’re implementing one strategy, you can be planning another.
What’s the difference between the Essential Eight and ISO 27001?
The Essential Eight is an Australian framework focused on the most effective security controls against targeted cyber intrusions. ISO 27001 is a global information security management standard covering a much broader range of security practices. Essential Eight is simpler and more focused; ISO 27001 is more comprehensive. Many organisations implement both—the Essential Eight gives you the most critical controls, and ISO 27001 adds management systems and broader security practices around those controls.
Do I need all eight strategies?
Yes. The Essential Eight is designed as a complete set. While each strategy addresses different threats, they work together to create comprehensive protection. Implementing seven out of eight leaves you vulnerable to whatever the eighth strategy protects against. That said, you don’t need to implement all eight at maturity level 3—most organisations target ML2 across all eight.
What maturity level should my business target?
For most small to medium businesses, maturity level 2 (Defined and Managed) is the appropriate target. At ML2, you’ve comprehensively implemented all eight strategies. You’ve met government and corporate customer requirements. You’ve significantly reduced your cyber risk. ML3 (Optimised and Automated) is expensive and typically necessary only for large organisations or critical infrastructure.
How often does the Essential Eight framework change?
The Australian Signals Directorate periodically reviews and updates the Essential Eight framework based on evolving threats and new technologies. Significant updates are relatively rare—roughly every 3-5 years. When updates occur, they’re communicated clearly and organisations are given time to adapt.
Can I implement Essential Eight without external help?
Organisations can implement Essential Eight without external consultants, but external expertise is valuable for several reasons: someone experienced in Essential Eight can help you avoid expensive mistakes, move faster than trial-and-error learning, navigate organisational change more effectively, and provide evidence of proper implementation if you need compliance certification. At minimum, getting an independent assessment is valuable even if you implement remediation yourself.
Who created the Essential Eight?
The Essential Eight was created by the Australian Signals Directorate (ASD), now operating under the Australian Cyber Security Centre (ACSC). The ASD is Australia’s signals intelligence and information security agency. The ACSC is the government’s cyber security authority responsible for improving Australia’s cyber security. The Essential Eight was developed based on analysis of real cyber attacks against Australian organisations.