Understanding Essential Eight Maturity Levels
The Essential Eight framework does not operate as a simple pass-or-fail checklist. Instead, the Australian Cyber Security Centre (ACSC) uses a maturity model with four distinct levels — Maturity Level Zero through Maturity Level Three — that measure how thoroughly each of the eight mitigation strategies has been implemented across your organisation.
This maturity model exists because cybersecurity is not binary. A business that has partially implemented multi-factor authentication is in a stronger position than one that has not started at all, even if neither has achieved full compliance. The maturity levels provide a structured roadmap for continuous improvement, allowing businesses to set realistic targets and measure progress over time.
The Four Maturity Levels
Maturity Level Zero — Not Aligned
At Maturity Level Zero, the organisation has either not implemented the mitigation strategy at all, or the implementation has significant weaknesses that undermine its effectiveness. This is the starting point for many Australian small and mid-size businesses, particularly those that have grown without dedicated IT security oversight.
Being at Maturity Level Zero does not necessarily mean you have no security measures in place. It means your implementation of a specific Essential Eight strategy does not meet the minimum requirements defined by the ACSC. For example, if your business uses passwords without multi-factor authentication for remote access, your MFA maturity sits at Level Zero — even if you have strong firewalls and antivirus software.
Maturity Level One — Partly Aligned
Maturity Level One represents the baseline. At this level, the mitigation strategy is implemented in a way that provides protection against opportunistic adversaries — attackers who use widely available tools and techniques to exploit common vulnerabilities. These are the automated attacks, mass phishing campaigns, and commodity malware that account for the vast majority of cyber incidents affecting Australian businesses.
For most small businesses, Maturity Level One should be the immediate goal. Key requirements at this level include patching internet-facing application vulnerabilities within two weeks, implementing MFA for internet-facing services, performing daily backups, and restricting administrative privileges to only those who need them.
Maturity Level Two — Mostly Aligned
Maturity Level Two provides protection against more capable adversaries — attackers who invest more time and effort in targeting specific organisations. At this level, the implementation is more comprehensive and the controls are more robust. Patching timelines tighten (48 hours for critical internet-facing vulnerabilities), MFA must use phishing-resistant methods for privileged accounts, and application control must be enforced on workstations.
This is the level the ACSC recommends for most Australian organisations handling sensitive data, operating in regulated industries, or working with government contracts. Achieving Maturity Level Two typically requires dedicated IT security resources or a managed IT services provider with Essential Eight expertise.
Maturity Level Three — Fully Aligned
Maturity Level Three represents the gold standard — protection against highly capable adversaries who use advanced tradecraft, including nation-state actors and sophisticated criminal organisations. At this level, every control is implemented to its fullest extent with ongoing validation and continuous monitoring.
Maturity Level Three requirements include centralised logging of all authentication events, automated patching within 48 hours for all applications (not just internet-facing ones), hardware-based MFA tokens, and application control enforced on all systems including servers. Very few private-sector organisations in Australia currently operate at Maturity Level Three across all eight strategies.
How to Assess Your Current Maturity
A proper Essential Eight maturity assessment evaluates each of the eight strategies independently. It is common — and expected — for an organisation to sit at different maturity levels across different strategies. You might be at Maturity Level Two for backups but Maturity Level Zero for application control.
The assessment process typically involves reviewing your current IT policies and configurations against the ACSC’s published requirements for each maturity level, interviewing IT staff about actual practices (which often differ from documented policies), testing technical controls to verify they work as intended, and identifying the specific gaps between your current state and your target maturity level.
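As an added example (not part of the original article or any TechAssist tooling), the following Python models the "testing technical controls" step for one strategy: it checks constructed vulnerability records against the patching windows the article quotes for each maturity level and reports the highest level satisfied plus the applications blocking the next one. It assumes each level also carries the lower levels' requirements; the application names, dates and the `VulnRecord` structure are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class VulnRecord:                 # one vulnerability record (constructed samples below)
    app: str
    disclosed: datetime
    patched: Optional[datetime]   # None means still unpatched at assessment time
    internet_facing: bool
    critical: bool

def window_for(level: int, rec: VulnRecord) -> Optional[timedelta]:
    """Patch window the article quotes for `level`, or None when that level places
    no requirement on this record (assumption: levels are cumulative)."""
    if level == 1 and rec.internet_facing:
        return timedelta(weeks=2)                       # ML1: two weeks, internet-facing apps
    if level == 2 and rec.internet_facing:
        return timedelta(hours=48) if rec.critical else timedelta(weeks=2)  # ML2 tightens critical
    if level == 3:
        return timedelta(hours=48)                      # ML3: 48 hours for all applications
    return None

def meets(level: int, rec: VulnRecord, now: datetime) -> bool:
    """True if patched inside the window, or still unpatched but not yet overdue."""
    window = window_for(level, rec)
    if window is None:
        return True
    return (rec.patched or now) - rec.disclosed <= window

def assess_patching(records: List[VulnRecord], now: datetime) -> Tuple[int, List[str]]:
    """Highest level (0-3) whose windows every record satisfies, plus the apps that
    block the next level (the gap list that feeds the roadmap)."""
    achieved = 0
    for level in (1, 2, 3):
        failing = [r.app for r in records if not meets(level, r, now)]
        if failing:
            return achieved, failing
        achieved = level
    return achieved, []

# Constructed sample: an assessment run on 30 June 2024 against four records.
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE = [
    VulnRecord("vpn-gateway", datetime(2024, 6, 1), datetime(2024, 6, 2, 6), True, True),  # 30 h
    VulnRecord("web-portal", datetime(2024, 6, 3), datetime(2024, 6, 12), True, False),    # 9 days
    VulnRecord("hr-system", datetime(2024, 6, 10), datetime(2024, 6, 20), False, False),  # 10 days, internal
    VulnRecord("file-server", datetime(2024, 6, 20), None, False, True),                  # unpatched 10 days
]
print(assess_patching(SAMPLE, NOW))  # -> (2, ['web-portal', 'hr-system', 'file-server'])
```

The result mirrors the article's point that maturity is assessed per strategy: this environment meets the Level Two patching window for its internet-facing systems but the internal hosts keep it from Level Three.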
TechAssist conducts Essential Eight maturity assessments that provide a clear picture of where your business currently sits across all eight strategies, along with a prioritised roadmap for reaching your target maturity level.
Which Maturity Level Should You Target?
The right target depends on your organisation’s risk profile, industry, and regulatory obligations. As a general guide, most Australian SMBs should aim for Maturity Level One as an immediate priority, with a plan to reach Maturity Level Two within 12 months. Organisations in regulated industries (healthcare, finance, legal) or those handling government data should target Maturity Level Two from the outset. Government agencies are required to reach Maturity Level Two or above.
It is worth noting that cyber insurance providers are increasingly asking about Essential Eight maturity as part of their underwriting process. A demonstrated commitment to reaching Maturity Level Two can positively impact your premiums and coverage terms.
Realistic Timelines for Maturity Improvement
Achieving meaningful improvement in your Essential Eight maturity is a journey, not a single project. Based on our experience working with Australian businesses of various sizes, here are realistic timelines. Reaching Maturity Level One from a standing start typically takes 2 to 4 months with focused effort and appropriate resources. Moving from Level One to Level Two generally requires 4 to 8 months, depending on the complexity of your IT environment. Reaching Maturity Level Three is an ongoing process that most organisations approach incrementally over 12 to 24 months.
The most important thing is to start. Every incremental improvement in your Essential Eight maturity reduces your risk. You do not need to achieve Level Three overnight — but you do need to know where you stand today and have a plan for getting to where you need to be.
Ready to find out where your business sits? Contact TechAssist for an Essential Eight maturity assessment and get a clear, prioritised roadmap for improving your cybersecurity posture.