Essential Eight (E8)
Australia's foundational cyber security framework, widely adopted across New Zealand
The Essential Eight is a cyber security framework published by the Australian Signals Directorate (ASD) through its Australian Cyber Security Centre (ACSC). It defines eight mitigation strategies that form the baseline defence ASD expects every Australian organisation to have in place, and which New Zealand organisations widely adopt alongside the NZISM.
The framework is not about ticking boxes. It is about making it materially harder for threat actors to compromise your systems, limiting what they can do if they get in, and restoring normal operations quickly if they succeed. Each of the eight strategies addresses a distinct attack vector the ASD has observed being exploited in real incidents.
The Essential Eight sits at the core of ASD's Strategies to Mitigate Cyber Security Incidents. These eight controls provide meaningful protection against targeted cyber intrusions, ransomware, and insider threats. They are the starting point, not the ceiling, of a mature cyber security programme.
Why the Essential Eight matters to regulated organisations in Australia and New Zealand
For organisations in financial services, aged care, healthcare, and critical infrastructure, the Essential Eight is not simply a best-practice recommendation. It maps directly to existing and emerging regulatory obligations across Australia and New Zealand. Demonstrating Essential Eight maturity provides defensible evidence that your organisation is actively managing cyber risk -- something regulators in both jurisdictions now expect to see documented.
APRA CPS 234
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats to their information assets. Essential Eight maturity provides a structured, auditable baseline that supports CPS 234 compliance and ongoing APRA supervisory expectations -- particularly following the ASD's November 2023 tightening of MFA and logging requirements.
APRA CPS 230
Effective 1 July 2025, CPS 230 requires boards to oversee operational risk management and ensure material service provider risk is controlled. An Essential Eight assessment provides direct input to the technical control environment evidence your board, audit committee, and external reviewers will need to see.
SOCI Act
The Security of Critical Infrastructure Act 2018 (as amended) imposes positive security obligations on critical infrastructure asset owners and operators. The Critical Infrastructure Risk Management Program rules made under the Act list the Essential Eight (at Maturity Level One) among the cyber security frameworks a responsible entity may adopt for its cyber and information security hazards. If you own or operate a critical infrastructure asset, Essential Eight maturity should be treated as a minimum starting position, not a ceiling.
Aged Care Act 2024
The strengthened aged care regulatory framework places increasing scrutiny on information management and cyber risk governance. Aged care providers that can demonstrate Essential Eight alignment are better positioned for ACQSC oversight, board governance attestations, and the information security expectations embedded in the new Act.
NZ Privacy Act 2020 and NZISM
For New Zealand organisations, the NZ Information Security Manual (NZISM) shares strong structural alignment with the Essential Eight. Insicon Cyber's trans-Tasman model means your Australian and New Zealand environments can be assessed and uplifted under a single engagement, with findings mapped to both frameworks.
Supply chain and procurement
Government agencies and large regulated entities are increasingly requiring suppliers to evidence Essential Eight compliance as a condition of procurement. Many state and territory governments reference the Essential Eight directly in their own protective security frameworks. Organisations without a documented maturity level are finding themselves unable to compete for contracts that require it.
Not sure where your organisation stands?
An introductory Essential Eight gap conversation with our advisory team takes around 45 minutes and gives you a clear picture of your current exposure before any formal assessment begins.
Is the Essential Eight mandatory?
The short answer depends on who you are. Compliance is mandatory for some organisations and a clear regulatory expectation for others. The direction of travel is well established: the ASD recommends Australian businesses aim for Maturity Level Three, Maturity Level Two is already mandated for non-corporate Commonwealth entities, and the regulatory environment continues to move in that direction.
Commonwealth agencies
All 98 non-corporate Commonwealth entities are required to implement the Essential Eight to Maturity Level Two under PSPF Policy 10, effective 1 July 2022. Maturity Level Three is required where the threat environment warrants it. ASD conducts formal Cyber Maturity Measurement Programme assessments against these requirements.
Critical infrastructure operators
SOCI Act positive security obligations require responsible entities to identify, manage and mitigate risk to their assets. The Critical Infrastructure Risk Management Program rules name the Essential Eight (Maturity Level One) as one of the acceptable cyber security frameworks. SOCI-regulated entities that cannot demonstrate active controls against a recognised framework risk formal regulatory engagement.
APRA-regulated entities
Not mandated by name under CPS 234 or CPS 230, but Essential Eight maturity is increasingly cited by APRA supervisors as evidence of the information security capability these standards require. Regulated entities without a documented maturity position are exposed during supervisory reviews.
Private sector organisations
Technically voluntary, but government procurement requirements and regulatory supply chain obligations are pushing Essential Eight compliance progressively down the contractor and vendor ecosystem. Organisations without a documented maturity level are increasingly finding themselves excluded from government and regulated-sector contracts.
As the ASD states directly: "Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident." Every organisation in Australia and New Zealand that handles sensitive data, operates critical systems, or sits in a regulated supply chain has a practical obligation to act, regardless of specific mandate.
What changed in November 2023 -- and why your previous assessment may no longer hold
The ASD made substantial updates to the Essential Eight Maturity Model in November 2023. These are not cosmetic changes. Organisations that completed an assessment in 2022 or earlier and have not reassessed since may have regressed in maturity level without any change to their own technical environment. The updated model reflects how threat actor tradecraft has evolved -- and where the framework's prior weaknesses were being exploited.
Faster patching for critical vulnerabilities (all maturity levels)
When a vendor rates a vulnerability as critical, or a working exploit exists for it (typically authentication bypasses or remote code execution without user interaction), patches, updates or vendor mitigations must now be applied within 48 hours of release for online services, internet-facing systems and the applications that routinely handle untrusted content from the internet. This requirement applies at Maturity Levels One, Two and Three. Those applications (office productivity suites, web browsers and their extensions, email clients, PDF readers) must also be scanned for missing patches at least weekly.
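One practical way to test whether the 48-hour window and the weekly scan cadence are actually being met is to evaluate exported patch and scan records against them. The following Python script is an added example and is not ASD's or Insicon Cyber's code. It assumes you can export, per asset, the advisory identifier, whether the vendor rated it critical, whether a working exploit is known, the release time and the time the fix was applied, plus a last-scan timestamp per asset; the records and the "VENDOR-2024-nnn" advisory identifiers below are constructed sample data, not real advisories. The two-week window it applies to non-critical vulnerabilities is the model's standard window for these applications at Maturity Levels One and Two; the page above only describes the 48-hour case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Windows from the Essential Eight Maturity Model (November 2023): 48 hours when the
# vendor rates the vulnerability critical or a working exploit exists, two weeks
# otherwise for online services and commonly targeted applications, and a weekly
# vulnerability scan of those applications.
CRITICAL_WINDOW = timedelta(hours=48)
STANDARD_WINDOW = timedelta(days=14)
SCAN_CADENCE = timedelta(days=7)


@dataclass
class PatchRecord:
    asset: str
    advisory: str                 # constructed placeholder identifier, not a real advisory
    vendor_critical: bool         # vendor rated the vulnerability critical
    exploit_available: bool       # a working exploit is publicly known
    released: datetime            # when the patch or mitigation was released (UTC)
    applied: Optional[datetime]   # when patched or mitigated; None if still open


def required_window(rec: PatchRecord) -> timedelta:
    """48 hours if vendor-critical or exploited, otherwise the two-week window."""
    if rec.vendor_critical or rec.exploit_available:
        return CRITICAL_WINDOW
    return STANDARD_WINDOW


def evaluate(rec: PatchRecord, now: datetime) -> str:
    """'ok', 'late' (fixed after the deadline) or 'overdue' (still open past it)."""
    deadline = rec.released + required_window(rec)
    if rec.applied is not None:
        return "ok" if rec.applied <= deadline else "late"
    # Open but still inside its window is not yet a breach.
    return "overdue" if now > deadline else "ok"


def sla_breaches(records: Iterable[PatchRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Every record that is late or overdue, for the assessor's evidence pack."""
    out = []
    for rec in records:
        verdict = evaluate(rec, now)
        if verdict != "ok":
            out.append((rec.asset, rec.advisory, verdict))
    return out


def stale_scans(assets: Iterable[str], last_scan: Dict[str, datetime], now: datetime) -> List[str]:
    """Assets never scanned, or not scanned within the weekly cadence."""
    return sorted(a for a in set(assets)
                  if a not in last_scan or now - last_scan[a] > SCAN_CADENCE)


# Constructed sample data: the assessment is run at NOW against exported records.
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=UTC)
SAMPLE = [
    # Critical, fixed after 36 hours: inside the window.
    PatchRecord("edge-vpn-01", "VENDOR-2024-001", True, False,
                datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 2, 12, tzinfo=UTC)),
    # Same advisory, fixed after 72 hours: late.
    PatchRecord("edge-vpn-02", "VENDOR-2024-001", True, False,
                datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 4, tzinfo=UTC)),
    # Not vendor-critical, but a working exploit exists and 48 hours have elapsed: overdue.
    PatchRecord("ws-finance-17", "VENDOR-2024-002", False, True,
                datetime(2024, 3, 8, tzinfo=UTC), None),
    # Non-critical, open for five days of a two-week window: still ok.
    PatchRecord("ws-finance-18", "VENDOR-2024-003", False, False,
                datetime(2024, 3, 5, tzinfo=UTC), None),
]
LAST_SCAN = {
    "edge-vpn-01": datetime(2024, 3, 9, tzinfo=UTC),
    "edge-vpn-02": datetime(2024, 3, 8, tzinfo=UTC),
    "ws-finance-17": datetime(2024, 2, 20, tzinfo=UTC),   # 19 days old: stale
    # ws-finance-18 has no scan record at all and must be flagged too
}

if __name__ == "__main__":
    for asset, advisory, verdict in sla_breaches(SAMPLE, NOW):
        print(f"{asset} {advisory}: {verdict}")
    print("stale or missing scans:", stale_scans([r.asset for r in SAMPLE], LAST_SCAN, NOW))
```

Two details matter for an honest result: a vulnerability with a public exploit gets the 48-hour window even when the vendor did not rate it critical, and an asset that has never been scanned is reported alongside those whose last scan is older than a week, because a missing record is a gap in coverage, not a pass.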
Phishing-resistant MFA required at Maturity Level Two (not Three)
MFA requirements have been substantially tightened in response to adversary-in-the-middle phishing kits and session token theft, both of which defeat MFA methods that rely on a code or a push approval. The updated model requires phishing-resistant MFA methods (FIDO2/WebAuthn security keys and passkeys, smart cards, and Windows Hello for Business) for users of systems at Maturity Level Two. Organisations that implemented SMS or push-notification MFA and considered themselves Level Two compliant should treat this as a significant gap.
Centralised logging moved down to Maturity Level Two
The requirement for centralised logging of event data has been shifted from Maturity Level Three to Maturity Level Two. This has a direct architectural and cost implication for many mid-market organisations that previously achieved Level Two without centralised log management in place. If your organisation does not have centralised event logging in operation, you are no longer meeting Level Two under the updated model.
Stricter privileged access governance and incident response requirements
New requirements have been added: requests for privileged access to systems, applications and data repositories must be validated when first requested; privileged access is automatically disabled after 12 months unless revalidated; and privileged accounts are prevented from accessing the internet, email and web services unless explicitly authorised for online services. Cyber security incidents must now be reported to the organisation's CISO (or a delegate) and to ASD as soon as possible after they occur or are discovered, and incident response plans must be enacted in response to incidents, not simply documented.
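The 12-month revalidation rule is easy to state and easy to fail silently, because nothing in most directories expires a group membership by itself. The Python script below is an added example, not ASD's or Insicon Cyber's code: it assumes you can export a privileged access register (account name, date the access was first validated and granted, date of the last revalidation, whether a validated request exists, and whether the account is enabled) and classifies each account. The 30-day warning period is an assumption for illustration; the 12-month period is the model's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

REVALIDATION_PERIOD = timedelta(days=365)   # 12 months, per the November 2023 model
WARNING_PERIOD = timedelta(days=30)         # assumption: warn a month before expiry


@dataclass
class PrivilegedAccount:
    name: str
    granted: datetime                      # when access was first validated and granted
    last_revalidated: Optional[datetime]   # None if never revalidated since grant
    request_validated: bool                # a validated access request exists on record
    enabled: bool


def expiry(acct: PrivilegedAccount) -> datetime:
    """Access expires 12 months after the grant or the most recent revalidation."""
    anchor = acct.last_revalidated or acct.granted
    return anchor + REVALIDATION_PERIOD


def classify(acct: PrivilegedAccount, now: datetime) -> str:
    """One of: disabled, missing_request, disable, revalidate_soon, ok."""
    if not acct.enabled:
        return "disabled"
    if not acct.request_validated:
        # Access that was never validated when requested fails the control
        # regardless of how recent it is.
        return "missing_request"
    due = expiry(acct)
    if now >= due:
        return "disable"             # should already have been disabled automatically
    if now >= due - WARNING_PERIOD:
        return "revalidate_soon"
    return "ok"


def review(accounts: Iterable[PrivilegedAccount], now: datetime) -> Dict[str, str]:
    return {a.name: classify(a, now) for a in accounts}


# Constructed sample register, reviewed as at NOW.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
REGISTER = [
    # Granted 15 months ago, never revalidated: must be disabled.
    PrivilegedAccount("svc-backup-admin", datetime(2023, 3, 1, tzinfo=UTC), None, True, True),
    # Old grant but revalidated six months ago: the clock restarted.
    PrivilegedAccount("jsmith-adm", datetime(2022, 1, 10, tzinfo=UTC),
                      datetime(2023, 12, 1, tzinfo=UTC), True, True),
    # Expires in under 30 days: flag for revalidation now.
    PrivilegedAccount("dba-lee", datetime(2023, 6, 15, tzinfo=UTC), None, True, True),
    # Recent, but no validated request on record.
    PrivilegedAccount("contractor-x", datetime(2024, 5, 1, tzinfo=UTC), None, False, True),
    # Already disabled; nothing to do.
    PrivilegedAccount("old-admin", datetime(2021, 2, 1, tzinfo=UTC), None, True, False),
]

if __name__ == "__main__":
    for name, verdict in review(REGISTER, NOW).items():
        print(f"{name}: {verdict}")
```

The order of the checks is deliberate: a disabled account is ignored, an account with no validated request is reported before any date arithmetic, and only then is the 12-month window tested against the later of the grant and the last revalidation.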
The ASD's own reporting confirmed that entities which had not yet implemented the new requirements recorded a reduction in maturity level compared to prior assessments. If your last Essential Eight assessment predates November 2023, it is no longer a reliable picture of your actual maturity level. A reassessment against the current model is the only way to know where you genuinely stand.
The Essential Eight controls
The eight strategies are organised across three primary objectives. All eight controls are complementary and must be treated equally. Implementing seven controls at a high standard while leaving one underdone gives an adversary a clear path. The ASD recommends organisations work toward the same maturity level across all eight strategies before attempting to elevate individual controls.
Application control
Prevent the execution of unapproved or malicious programs on workstations and servers, including ransomware and other malicious code. Application control rulesets must now be validated at least annually under the updated model.
Patch applications
Mitigate vulnerabilities in applications by applying patches and updates. Critical vulnerabilities must be patched within 48 hours. Applications that interact with untrusted internet content are a particular priority.
Configure Microsoft Office macro settings
Block macros in files originating from the internet and restrict execution to vetted, digitally signed macros from trusted sources. Malicious macros delivered by email remain a common initial access technique against Australian and New Zealand organisations.
User application hardening
Configure web browsers, PDF readers, and office productivity suites to reduce attack surface. The November 2023 update requires both ASD and vendor hardening guidance to be implemented where available, with the more stringent requirements taking precedence.
Restrict administrative privileges
Limit privileged access to only those who need it, on only the systems they need it for. Updated requirements mandate validation of privileged access to data repositories and automatic disablement after 12 months unless revalidated.
Patch operating systems
Apply operating system patches and updates in a timely manner. The 48-hour critical vulnerability patching window now applies to internet-facing servers and network devices, in addition to standard workstation patching requirements.
Multi-factor authentication (MFA)
Require MFA across all user-facing and privileged access points. Following the November 2023 update, phishing-resistant MFA -- FIDO2/WebAuthn, smart cards, or Windows Hello for Business -- is required at Maturity Level Two. Push-notification and SMS MFA alone no longer meets Level Two.
Regular backups
Back up important data, software, and configuration settings regularly. Test those backups to confirm they can actually be restored. The updated model encourages organisations to prioritise backups based on the business criticality of their data. Backups must be protected from modification and deletion -- including by ransomware actors who specifically target backup systems before deploying their payload.
Understanding the Essential Eight Maturity Model
The Essential Eight Maturity Model benchmarks implementation against three target levels; a Maturity Level Zero denotes weaknesses that fall short of Level One. Each level is designed to mitigate a particular profile of adversary. Moving to a higher level does not mean you have finished; it means you can defend against a more capable threat actor. The ASD recommends all Australian businesses aim for Maturity Level Three.
Maturity Level One: partly aligned
The organisation has begun implementing the eight controls but is not yet consistently applying them across all systems and environments. At Level One, you can withstand adversaries using widely available, opportunistic attack tools and techniques.
Withstands: opportunistic attacks using commodity exploit kits, basic ransomware, and untargeted phishing campaigns.
Maturity Level Two: mostly aligned
Controls are consistently applied across most systems with documented evidence of compliance. Following the November 2023 update, Level Two now requires phishing-resistant MFA and centralised event logging. This is the minimum level required of non-corporate Commonwealth entities under the PSPF.
Withstands: adversaries willing to invest time, using credential harvesting, lateral movement, and targeted phishing.
Maturity Level Three: fully aligned
Controls are fully implemented, rigorously documented, and subject to regular independent validation. The ASD recommends all Australian businesses achieve Maturity Level Three as the optimal position for malware and cyber attack protection.
Withstands: adaptive, targeted adversaries including sophisticated criminal groups and state-sponsored threat actors.
The ASD updates the framework in response to observed changes in adversary tradecraft. An assessment that was accurate 18 months ago may not reflect your actual maturity today. Organisations that maintain ongoing compliance monitoring are far better positioned than those that treat assessment as a periodic event and do nothing in between.
How Insicon Cyber guides your Essential Eight journey
Most organisations know they should address the Essential Eight. Few have a clear, honest picture of where they stand today or a realistic plan to close the gaps. Insicon Cyber works with Australian and New Zealand organisations as their advisory partner across all four stages of the journey -- from baseline assessment through to sustained, auditable maturity.
Essential Eight assessment
We establish an honest baseline of your current controls against the updated ASD maturity model. Using structured interviews, technical review, and documentation analysis, we assess your maturity across all eight strategies, identify specific gaps, and quantify your current risk exposure. The output is a clear gap report written to be understood at board level.
Typical duration: 2 to 4 weeks
Roadmap development
We translate assessment findings into a sequenced remediation plan aligned to your target maturity level, risk profile, budget, and operational constraints. The roadmap identifies quick wins alongside longer-term structural changes, with realistic timelines and resource allocation. It is your board-ready statement of intent for the uplift programme ahead.
Output: board-ready roadmap and executive risk summary
Maturity uplift
Hands-on advisory and implementation support for deploying the controls your assessment identified as gaps -- MFA configuration, application control, privileged access management, patch management workflows, and centralised logging. We also develop the governance documentation required to evidence compliance: patch management policies, backup and recovery procedures, and privileged access governance frameworks.
Delivered alongside your existing IT and security teams
Managed compliance
The Essential Eight is not a destination. Ongoing managed compliance provides continuous monitoring, evidence collection, and annual reassessment to ensure your maturity level is maintained and remains auditable at any point in time. Clients on our Managed Compliance service are ready for regulatory inquiry, supplier due diligence, or board reporting without scrambling to pull evidence together under pressure.
Annual reassessment included
Start with an Essential Eight assessment
Understand where you stand today. Our assessment gives you a clear, evidence-based baseline and a practical roadmap to your target maturity level.
Advisory-led. Trans-Tasman. Genuinely independent.
Insicon Cyber is a trans-Tasman cyber security advisory and managed services firm. Co-founders Matt Miller and Greg Bunt are both practising Fractional CISOs with direct experience advising boards and leadership teams on cyber risk across Australia and New Zealand. Our Essential Eight advisory work is led by senior practitioners who have navigated the same board conversations you are having -- not delegated to junior consultants reading from a playbook.
Trans-Tasman coverage
We operate across Australia and New Zealand. If your organisation has a footprint in both countries, we can align your Essential Eight assessment to both the ASD framework and NZISM obligations under a single engagement, with findings mapped across both jurisdictions.
ISO 27001 certified
Our own information security management system is certified to ISO 27001. We practise what we advise. Our clients can be confident that the firm handling their sensitive assessment data is held to the same standards we help others achieve.
Fractional CISO-led advisory
Every Essential Eight engagement is backed by Fractional CISO-level thinking. We connect your maturity level to board risk appetite and business strategy, not just a technical checklist. Our reports are written to be understood by executives, not filed away by IT teams.
Regulated industry specialists
We work extensively with financial services, aged care, healthcare, and professional services organisations -- the regulated sectors where Essential Eight maturity has the most direct impact on regulatory posture, client trust, and director liability.
Recognised by the industry
Winner - Retail Cyber Security Partner of the Year, 2025 Benchmark Security Awards. Finalist - Cyber Consulting Business of the Year (SME), 2026 Australian Cyber Awards.
Finalist - CISO of the Year, 2026 Australian Cyber Awards.
Essential Eight frequently asked questions
How long does an Essential Eight assessment take?
For most mid-market organisations, a thorough Essential Eight assessment takes between two and four weeks from commencement to final report. The timeframe depends on the complexity of your environment, the number of systems in scope, and the availability of relevant documentation and stakeholders.
Insicon Cyber can discuss your specific environment in an introductory conversation and provide a scoping estimate before any formal engagement begins. We will not commit you to a timeline that does not work for your organisation.
Does the Essential Eight apply to cloud environments?
Yes. The ASD updated the Essential Eight in 2023 to provide clearer guidance on cloud service environments, including updated requirements around administrative privileges in cloud services. While the framework was originally designed primarily for Microsoft Windows-based networks, the ASD expects organisations to consider how each control applies to their specific environment -- including cloud, hybrid, and SaaS-heavy architectures.
Some controls apply directly; others require adaptation for cloud contexts. An experienced assessor will help you scope the assessment correctly for your environment and ensure cloud-hosted systems are not inadvertently excluded from the assessment boundary.
How often should organisations reassess their Essential Eight maturity?
At a minimum, annually. The ASD updates the Essential Eight in response to changes in adversary tradecraft, meaning the framework itself can evolve between assessments. The November 2023 update caused many organisations to regress in maturity level without any change to their own technical environment.
For organisations with a regulatory obligation -- APRA-regulated entities, critical infrastructure operators, government suppliers -- an annual independent assessment is increasingly expected as evidence of ongoing compliance. Insicon Cyber's Managed Compliance service provides continuous monitoring and evidence collection between formal annual assessments.
What is the difference between Maturity Level One, Two and Three?
Each maturity level corresponds to the type of adversary it is designed to mitigate. Maturity Level One provides protection against opportunistic attacks using widely available tools. Maturity Level Two, now mandatory for non-corporate Commonwealth entities under the PSPF, protects against adversaries willing to invest time and resources, including credential harvesting and lateral movement techniques. Maturity Level Three provides protection against adaptive, targeted adversaries, including state-sponsored actors and sophisticated criminal organisations.
Following the November 2023 update, organisations previously assessed at Level Two that have not adopted phishing-resistant MFA and centralised event logging may no longer meet the Level Two standard under the current model.
How does the Essential Eight relate to ISO 27001?
The Essential Eight and ISO 27001 are complementary frameworks that work well together. ISO 27001 provides a comprehensive information security management system (ISMS) framework covering governance, risk management, and a broad set of controls. The Essential Eight is more prescriptive and technically specific, focused on the eight highest-impact mitigations for the most common Australian threats.
Many organisations pursue both. An Essential Eight assessment typically reveals technical control gaps that directly inform an ISO 27001 implementation, and vice versa. Insicon Cyber holds ISO 27001 certification and can advise on how both frameworks interact within your specific context.
Does the Essential Eight apply to New Zealand organisations?
The Essential Eight is an Australian framework published by the ASD, but it is widely referenced by New Zealand organisations and aligns closely with the New Zealand Information Security Manual (NZISM). For New Zealand organisations, or Australian businesses with a New Zealand operational footprint, Insicon Cyber can align your assessment to both frameworks under a single engagement.
The NZ Privacy Act 2020 also creates obligations around information security that the Essential Eight directly supports. Insicon Cyber is one of the few advisory firms operating across both jurisdictions with practitioners in each market.
What changed in the November 2023 Essential Eight update?
The November 2023 update introduced several significant changes that have materially affected maturity ratings for many organisations. Critical vulnerabilities must now be patched within 48 hours across all maturity levels. Phishing-resistant MFA is now required at Maturity Level Two rather than Level Three. Centralised event logging shifted from Level Three to Level Two -- a significant architectural requirement for many mid-market organisations.
Privileged access governance requirements were also tightened, with new requirements around validation and revalidation of privileged access to data repositories. Incident response plans must now be formally enacted in response to incidents, and incidents must be reported to both the organisation's CISO and to ASD. Organisations that previously achieved Level Two before November 2023 should reassess against the updated model as a priority.
Do we need to reach Maturity Level Three for all eight controls?
The ASD recommends all Australian businesses aim for Maturity Level Three as the optimal level of protection. However, the right target for your organisation depends on your threat profile, the sensitivity of the data you hold, your regulatory obligations, and your practical capacity to implement and maintain controls.
Insicon Cyber helps you establish a realistic target maturity level based on your context, and build an achievable roadmap to get there. One principle is non-negotiable: you should aim for the same maturity level across all eight controls. Reaching Level Two across seven controls while sitting at Level One on the eighth means an adversary has a clear and consistent path through your defences.
Ready to understand your Essential Eight maturity?
Speak with a member of our advisory team. No sales pitch -- just a direct conversation about where your organisation stands and what the right next step looks like for your specific context.
Next Steps with the Essential Eight
For organisations that feel overwhelmed by the Essential Eight and its implementation, the important thing is to take the first step. You don't have to navigate this journey alone. Insicon Cyber is here to simplify the process and guide you through it. We offer tailored assessments to identify your current cyber security posture and help you prioritise actions based on your specific needs. Our team can break down the Essential Eight into manageable tasks, providing clear roadmaps and support every step of the way.
Let us help you demystify cyber security and empower your organisation to build a robust defence against threats.
Contact Insicon Cyber
Speak to one of our friendly folks