Essential Eight Assessment & Uplift
Measure, improve, and maintain your Essential Eight maturity. Independent assessments and targeted uplift services to help your organisation understand where you stand, where you need to be, and how to get there.
What Is the Essential Eight?
The Essential Eight originated from the Strategies to Mitigate Cyber Security Incidents — a broader list of 37 mitigation strategies first published in 2010 by the Australian Government's cybersecurity authority. Eight of these strategies were identified as the most effective at preventing the majority of cyber intrusions and elevated to the Essential Eight framework.
The Essential Eight is not a compliance checkbox exercise. It is a practical, threat-informed framework designed to address the most prevalent attack vectors targeting Australian organisations. The framework is continuously updated to reflect the evolving threat landscape and was significantly revised in November 2022.
Commodity Malware
Ransomware, trojans, worms
Targeted Intrusions
Advanced persistent threats, nation-state actors
Insider Threats
Malicious or negligent insiders
Data Exfiltration
Theft of sensitive information
Denial of Service
Disruption of business operations
The Eight Mitigation Strategies
Four strategies to prevent malware delivery and execution, two to limit the extent of incidents, and two to recover data and system availability.
Application Control
Only approved applications are permitted to execute on systems. This prevents malicious executables, scripts, and installers from running — even if they bypass other defences. At higher maturity levels, application control extends to all user-accessible locations including temporary folders and user profile directories.
Patch Applications
Security vulnerabilities in applications are patched or mitigated within defined timeframes. At ML3, critical vulnerabilities in internet-facing services must be patched within 48 hours. This applies to all applications — web browsers, PDF readers, office suites, and any application with network exposure.
Configure Microsoft Office Macro Settings
Microsoft Office macros are a primary delivery mechanism for malware. The Essential Eight requires organisations to block macros from the internet, restrict execution to trusted locations, and at higher maturity levels, disable macros entirely for users who do not have a demonstrated business requirement.
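The macro requirements above are usually enforced through Group Policy, so a quick way to see where you stand is to read back the policy values that Office honours. The following read-only PowerShell audit is an added example, not code from this page or from Tech Blaze; it assumes Office 16.0 (2016/2019/Microsoft 365) with policies delivered to the current user's hive, and the value names are the standard Office policy names for blocking internet macros, restricting VBA, and disallowing network trusted locations.

```powershell
# Added example (not from the page): read-only check of the Office macro policy values
# that Group Policy writes under HKCU for Word, Excel and PowerPoint.
# Assumptions: Office version 16.0 and per-user policy delivery; adjust $Version if needed.
$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy is configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = foreach ($app in $Apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"

    $blockInternet = Get-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet'
    $vbaWarnings   = Get-PolicyValue -Path $sec -Name 'VBAWarnings'
    $netTrusted    = Get-PolicyValue -Path "$sec\Trusted Locations" -Name 'AllowNetworkLocations'

    [pscustomobject]@{
        Application            = $app
        # 1 = macros in files marked as from the internet are blocked
        BlocksInternetMacros   = ($blockInternet -eq 1)
        # VBAWarnings 3 = disable all except digitally signed, 4 = disable all without notification
        MacrosRestricted       = ($vbaWarnings -in @(3, 4))
        # 0 = network paths cannot be added as trusted locations
        NetworkTrustedLocsOff  = ($netTrusted -eq 0)
    }
}

$results | Format-Table -AutoSize
# Any $false in the table is a gap against the macro control described above.
```

Run it under a standard user account on a representative workstation; a value that shows as $false because no policy exists at all is still a gap, since Office then falls back to its user-configurable defaults.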
User Application Hardening
Web browsers and other user-facing applications are configured to reduce their attack surface. This includes blocking web advertisements, disabling unneeded features, preventing script execution where possible, and configuring applications to not process untrusted content by default.
Restrict Administrative Privileges
Administrative access is granted only to personnel who require it, only for the tasks that require it, and only for the duration required. Privileged accounts are not used for email or web browsing. At higher maturity levels, just-in-time provisioning and privileged access workstations (PAWs) are required.
Patch Operating Systems
Operating system vulnerabilities are patched within defined timeframes. Internet-facing systems at ML3 must be patched within 48 hours for critical vulnerabilities. End-of-life operating systems that no longer receive security patches must be replaced.
Multi-Factor Authentication (MFA)
Multi-factor authentication is implemented for all users, not just privileged users. At ML2 and above, MFA must be phishing-resistant — SMS and voice-based MFA are insufficient. Hardware security keys or certificate-based authentication is required at ML3.
Regular Backups
Backups of important data, software, and configuration settings are performed and tested regularly. At higher maturity levels, backups must be stored offline or immutably to prevent modification by a compromised account. Backup restoration is tested, including full disaster recovery scenarios.
Essential Eight Maturity Levels
Four maturity levels — ML0 through ML3 — representing progressively greater levels of implementation maturity. Each level builds on the previous one.
Maturity Level 0
Not a target state
Weaknesses exist that could be exploited. One or more of the Essential Eight strategies is either not implemented or is implemented so poorly that it provides negligible protection. Organisations at ML0 are at significant risk from commodity cyber threats.
Maturity Level 1
Partly aligned
Focused on adversaries using commodity tradecraft. Basic controls are in place but with gaps in coverage. ML1 provides a foundation but is insufficient for organisations handling sensitive government information.
Maturity Level 2
Target for most organisations
Focused on adversaries operating with a moderate level of tradecraft. Controls are well-implemented and consistently applied. This is the target maturity level for most Commonwealth entities and provides genuine protection against the majority of cyber threats.
Maturity Level 3
Fully aligned
Focused on adversaries using sophisticated tradecraft, potentially including nation-state actors. Controls are comprehensive, rigorously enforced, and continuously monitored. Appropriate for organisations handling highly sensitive information in heightened threat environments.
Choosing Your Target Maturity Level
Your target maturity level depends on your organisation type, risk profile, and regulatory obligations.
| Organisation Type | Recommended Target |
|---|---|
| Non-corporate Commonwealth entities | ML2 minimum (mandatory) |
| Corporate Commonwealth entities | ML2 recommended |
| Defence contractors (DISP members) | ML2-ML3 depending on handling requirements |
| Critical infrastructure operators | ML2 minimum |
| State and territory government | ML2 recommended |
| Enterprise / private sector | ML1-ML2 depending on risk profile |
Why the Essential Eight Matters
Mandatory for Commonwealth
Since July 2022, all non-corporate Commonwealth entities must achieve a minimum of Maturity Level 2 across all eight strategies. Compliance is enforced through the PSPF and monitored annually. The Australian National Audit Office has conducted multiple audits, consistently finding gaps — making this a priority area.
Best Practice for All
Even outside government, the Essential Eight provides the most efficient cybersecurity uplift for Australian organisations. Implementing the Essential Eight to ML2 mitigates approximately 85% of targeted cyber intrusions. No other framework delivers comparable protection with comparable efficiency.
Insurance & Regulatory
Cyber insurance providers increasingly reference the Essential Eight when assessing risk and setting premiums. Organisations demonstrating E8 compliance — particularly ML2 or above — may benefit from more favourable insurance terms. The SOCI Act's risk management obligations also align closely with E8 principles.
The Connection Between Essential Eight and IRAP
The Essential Eight strategies are a subset of the ISM controls assessed during an IRAP assessment. If your organisation is pursuing IRAP accreditation, Essential Eight compliance is a prerequisite — you cannot pass an IRAP assessment without effective implementation of the Essential Eight controls.
Leading Indicator
Organisations that achieve E8 ML2 before commencing IRAP are significantly better prepared for the broader ISM control assessment.
Independent Value
You do not need a full IRAP assessment to evaluate your Essential Eight maturity. A standalone E8 assessment provides immediate, actionable value.
Reduces IRAP Risk
Addressing E8 deficiencies before IRAP reduces the likelihood of significant findings and assessment delays.
We recommend organisations pursuing IRAP accreditation conduct an Essential Eight maturity assessment first, address any gaps, and then proceed to the full IRAP assessment with greater confidence.
Our Assessment Methodology
A structured, evidence-based approach aligned with the Essential Eight Maturity Model.
Scoping & Baseline
Define scope, collect system inventories, network architecture, existing tooling, and previous assessment reports.
Evidence Collection
Technical testing, configuration review, scanning, log analysis, documentation review, interviews, and process observation.
Maturity Rating
Each strategy is assessed against the maturity model criteria and assigned a level from ML0 to ML3, with detailed evidence and gap specifics.
Gap Analysis & Roadmap
Specific gaps, risk impact, remediation actions, effort estimation, and dependency mapping for each strategy.
Reporting & Presentation
Executive summary, per-strategy assessment, prioritised roadmap, peer benchmarks, and governance presentation.
Essential Eight Uplift Services
Assessment alone is not enough. We don't just tell you what's wrong — we help you fix it.
Uplift Advisory
Strategic guidance on technology selection, architecture changes, and process improvements needed to achieve your target maturity level.
- Application control solution selection
- PAM strategy and implementation guidance
- MFA solution evaluation and rollout
- Patching process optimisation
- Backup architecture review
Implementation Support
Hands-on assistance with implementing specific Essential Eight controls in your environment.
- Configuring application control policies
- Deploying phishing-resistant MFA
- Establishing PAW environments
- Implementing Office macro restrictions
- Browser hardening via Group Policy or MDM
Uplift Validation
After remediation activities are complete, we conduct a targeted reassessment to validate that implemented controls are effective and that the target maturity level has been achieved.
Validation ensures your investment in uplift has delivered measurable improvement before your next formal assessment.
Essential Eight Self-Assessment Calculator
We are developing an interactive Essential Eight self-assessment calculator to help organisations conduct a preliminary evaluation of their maturity. This tool will guide you through key questions for each strategy and provide an indicative maturity rating.
While a self-assessment tool cannot replace a formal independent assessment, it provides a valuable starting point for understanding your current posture and planning your improvement journey.
Frequently Asked Questions
Is the Essential Eight mandatory?
For non-corporate Commonwealth entities, yes — achieving ML2 across all eight strategies is mandatory under the PSPF. For other organisations, the Essential Eight is strongly recommended as baseline cybersecurity hygiene. Defence contractors under DISP may have specific E8 requirements as part of their security obligations.
How long does an Essential Eight assessment take?
A typical assessment takes 2-4 weeks, depending on the size and complexity of the environment. Large, multi-site organisations with diverse technology environments may require longer. The assessment is designed to be minimally disruptive to your operations.
What is the difference between an E8 assessment and an IRAP assessment?
An Essential Eight assessment evaluates your maturity across the eight specific mitigation strategies. An IRAP assessment evaluates your security posture against the full ISM control set (hundreds of controls across all security domains). The Essential Eight is a subset of the ISM, so an IRAP assessment inherently covers E8 — but a standalone E8 assessment is faster, more focused, and appropriate when full IRAP accreditation is not required.
Can we achieve ML3 without significant investment?
ML3 requires mature, well-resourced security operations. For most organisations, achieving ML3 requires investment in technology (privileged access management, hardware MFA tokens, advanced application control), process maturity, and personnel. However, the investment is proportionate to the threat environment for organisations handling high-security information.
How often should we be reassessed?
Annual reassessment is recommended at minimum. Additionally, reassessment should occur after significant changes to your environment (e.g., cloud migration, major application deployment, organisational restructuring) or when the maturity model requirements are updated.
Can Tech Blaze help if our maturity is below target?
Absolutely. There is no "pass" or "fail" in an Essential Eight assessment — there is a maturity rating. If your maturity is below your target level, that is precisely what our uplift services are designed to address. We provide a clear roadmap and, where needed, hands-on support to help you reach your target maturity.
Start Your Essential Eight Journey
Whether you need a baseline maturity assessment, targeted uplift to reach ML2, or advanced guidance to achieve ML3, Tech Blaze Consulting provides the expertise and practical approach your organisation needs.