1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

Glossary

Essential Eight

The Australian Cyber Security Centre's prioritised list of eight mitigation strategies for protecting Microsoft Windows-based environments from common cyber threats.

The Essential Eight is the Australian Cyber Security Centre’s (ACSC) prioritised set of eight mitigation strategies. It’s the baseline framework most Australian organisations measure their cyber posture against, and it underpins federal procurement requirements as well as a growing share of private-sector tender questions.

The eight strategies

  • Application control — only approved applications execute.
  • Patch applications — patch internet-facing apps quickly.
  • Configure Microsoft Office macro settings — block macros from the internet.
  • User application hardening — disable risky browser and Office features.
  • Restrict administrative privileges — fewer admins, scoped access.
  • Patch operating systems — patch on a defined timeline.
  • Multi-factor authentication — across admin and remote access.
  • Regular backups — tested restores, offline copies.

Maturity levels

Each strategy is scored across four maturity levels — ML0 (not implemented) through ML3 (mitigates targeted, adaptive attackers). The framework’s “uniform maturity” principle is the catch: you’re only as mature as your lowest-scoring strategy. Reaching ML1 across all eight is the realistic starting target for most SMBs; ML2 is appropriate where compromise would materially affect the business.

How Symsafe approaches it

Essential Eight uplift starts with an assessment against the current maturity model and a written roadmap to ML1 across all eight, then ML2 where the risk profile justifies the additional control overhead. Scope and timeline are scoped per engagement; nothing is uplifted without a documented change record.

— Related services

← Back to glossary