ACSC Essential Eight Assessment: How to Prepare and What to Expect


If you’ve heard your IT provider mention an Essential Eight assessment, you probably have a few questions. What exactly gets assessed? How much will it cost? And more importantly, what happens if you fail?

We’ve guided dozens of Australian SMBs through their first Essential Eight assessment. The process is less intimidating than people expect—but only if you know what to prepare for. This guide walks you through the whole thing.

What Is an Essential Eight Assessment?

The Essential Eight is the Australian Signals Directorate’s list of eight security controls that stop the vast majority of cyber attacks against Australian organisations. An assessment measures how well your business implements these eight controls.

It’s not a yes/no pass/fail exam. Instead, assessors rate your implementation at one of four maturity levels—from basic (Level 1) up to optimised (Level 4). Most SMBs aim for Level 2, which the ASD itself recommends.

Think of it this way: the assessment reveals exactly where your security gaps are, and in what order you should fix them. That’s genuinely useful information.

Self-Assessment vs Third-Party Assessment

You have two paths. Self-assessment means your own team (or your IT provider) evaluates your maturity levels internally. It’s free and quick, but no one outside your business verifies the results.

Third-party assessment brings in an external auditor—usually someone accredited by the Australian Computer Society or a similar body. It costs money (typically $3,000–$8,000 depending on business size), but you get an independent report and a formal recommendation. Many organisations doing this for compliance reasons prefer the third-party route.

The Eight Controls: What Assessors Actually Look For

You need to understand what each control means in practice, because assessors will probe your implementation at every maturity level.

1. Application Control

This means preventing unauthorised software from running. At Level 1, you might just have a list of approved applications. At Level 4, you’re using technical controls that block anything not explicitly approved—before it even runs.

Assessors will ask: “How do you decide what software is approved? Who manages that list? Can users install their own software?” Most SMBs fail application control because they allow too much flexibility.

2. Patch Management

Updates to operating systems and applications fix security flaws. At Level 1, you patch occasionally. At Level 4, critical patches deploy within 48 hours of release.

Assessors will review your patching logs. They want to see evidence that you test patches, deploy them on a schedule, and track completion.
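As an added example (not part of this article, and not any assessor's tool), here is the kind of evidence check a patching-log review implies: it reads a constructed CSV export of patch records and reports which critical patches met the 48-hour target, which were late, and which are still inside their window. The column names and the export format are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Target taken from the article: critical patches deployed within 48 hours.
CRITICAL_TARGET = timedelta(hours=48)

# Constructed sample export, not real patch data. Empty 'deployed' = outstanding.
SAMPLE_LOG = """patch_id,severity,released,deployed
KB-CONSTRUCTED-001,critical,2024-03-01T09:00:00,2024-03-02T15:30:00
KB-CONSTRUCTED-002,critical,2024-03-01T09:00:00,2024-03-06T10:00:00
KB-CONSTRUCTED-003,important,2024-03-03T12:00:00,2024-03-10T12:00:00
KB-CONSTRUCTED-004,critical,2024-03-05T08:00:00,
"""

def parse_log(text):
    """Parse the CSV export into dicts with datetime fields (None = not deployed)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["released"] = datetime.fromisoformat(row["released"])
        row["deployed"] = (datetime.fromisoformat(row["deployed"])
                           if row["deployed"] else None)
        records.append(row)
    return records

def assess_critical_patching(records, now):
    """Bucket critical patches into on_time, late and pending; an undeployed patch
    is late once its 48-hour window has passed, pending while still inside it."""
    buckets = {"on_time": [], "late": [], "pending": []}
    for r in records:
        if r["severity"] != "critical":
            continue
        deadline = r["released"] + CRITICAL_TARGET
        if r["deployed"] is None:
            buckets["late" if now > deadline else "pending"].append(r["patch_id"])
        elif r["deployed"] <= deadline:
            buckets["on_time"].append(r["patch_id"])
        else:
            buckets["late"].append(r["patch_id"])
    return buckets

def assess_export(text, now_iso):
    """Parse an export and assess it as of the given ISO 8601 timestamp."""
    return assess_critical_patching(parse_log(text), datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    result = assess_export(SAMPLE_LOG, "2024-03-08T09:00:00")
    for name, ids in result.items():
        print(f"{name:8s}: {', '.join(ids) or '-'}")
```

Run against a real export, the late and pending lists are exactly the items an assessor will ask you to explain; keep the output with the rest of your evidence pack.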

3. Admin Privileges

Limiting who has admin access prevents attackers from accessing your highest-value data. At Level 1, perhaps your accountant has admin access “just in case”. At Level 4, admin accounts are separate from user accounts, multi-factor authentication guards them, and they’re used only when necessary.

4. Multi-Factor Authentication

Something you know (password) plus something you have (phone, security key) stops password attacks cold. At Level 4, MFA is mandatory for all remote access and all cloud accounts.

5. Backups

You need copies of your data that are separate from your main systems, tested regularly, and recoverable within your required timeframe. At Level 1, backups exist but you’ve never tested them. At Level 4, you test every 12 weeks.

Assessors will ask: “Show me your backup logs from the last three months. When did you last do a full recovery test? How many copies do you keep?” Most SMBs fail backups because they back up but never restore.

6. User Access Control

People should access only the files and systems they need. At Level 1, access is granted ad-hoc. At Level 4, you have a formal process, regular reviews, and documented approvals.

7. Email Security

This includes technical controls like SPF, DKIM, and DMARC to prevent spoofing, plus scanning for malicious attachments and links. At Level 1, you might just have basic spam filtering. At Level 4, you’re blocking known-bad links, scanning for phishing, and using threat intelligence.

8. Event Logging and Monitoring

You should log important security events and review them regularly. At Level 1, logs exist but no one reads them. At Level 4, you’re monitoring logs actively, investigating anomalies, and keeping 12 months of history.

How to Prepare: The Practical Steps

One month before the assessment: Gather evidence. Collect your patching logs, backup test results, MFA policies, user access lists, and any security policies you have.

Two weeks before: Do a self-assessment against the Essential Eight maturity levels. Be honest about gaps.

One week before: Create a simple policy document if you don’t have one. It doesn’t need to be long—a one-page summary of how you handle each control is enough.

Day before: Get your IT team aligned. Everyone should be able to answer basic questions about your controls.

What Happens During the Assessment

A typical third-party assessment takes 4–6 hours for a small business. The assessor will:

  • Interview your key staff (IT staff, management, maybe finance if they handle passwords)
  • Review your policies and procedures
  • Look at logs, backups, and access records
  • Test some controls (like whether a user can run unauthorised software)
  • Rate each of the eight controls at a maturity level

Most assessors will give you draft findings on the day. You get a written report within a week.

Common Gaps Found in SMB Assessments

In our experience, Australian SMBs typically struggle with the same controls:

Patching. Critical patches languish for weeks because no one owns the patching process. You’ll improve fast here because it’s mostly just discipline and a monthly calendar reminder.

Application control. SMBs want flexibility—they let staff install software they think they need. Assessors see this as a risk.

Backups. You back up, but you’ve never recovered. Assessors will ask you to restore a file during the assessment, and many SMBs can’t. Start testing monthly.

Admin privileges. Too many people have admin access for convenience. Assessors expect you to remove it wherever it’s not strictly necessary.

Monitoring. You’re not logging events or no one’s reviewing the logs. This is a quick fix technically, but it requires a process change.

Timeline and Cost

Self-assessment takes 1–2 weeks if you have your documentation together, and costs nothing.

Third-party assessment costs $3,000–$8,000 depending on your business size, number of staff, and IT complexity. You can expect the whole engagement to take 1–2 weeks (pre-work, the on-site assessment, and the report).

If you need to remediate major gaps, budget another few months and $5,000–$20,000 for implementation.

Choosing an Assessor

Look for someone accredited by the Australian Computer Society or a similar body. Check whether they specialise in SMB assessments. Ask for references from other SMBs they’ve assessed.

Also ask: “What happens after the assessment?” You want someone who can help you plan remediation, not just produce a report and vanish.

The Path Forward

An Essential Eight assessment isn’t the end goal—it’s a starting point. You now know exactly what to fix, in what order, and why. Most SMBs find it clarifying.

After your assessment, prioritise the gaps that create the most risk. Usually, that means patching and backups first (they’re quick wins), then access control and application control.
