The Essential Eight started life as a federal government baseline. It is now the de-facto control framework Australian insurers, customers, and prime contractors ask SMBs about. If you sell into government, healthcare, finance, or the supply chain of any of those — sooner or later somebody asks for your maturity level. Below is what the framework actually requires, what the maturity levels mean in practice, and where most SMBs run aground.
What the Essential Eight actually is
The Essential Eight is the Australian Signals Directorate’s prioritised list of eight mitigation strategies, published and maintained by the Australian Cyber Security Centre (ACSC). It is documented in the Essential Eight Maturity Model, which the ACSC updates roughly annually. The strategies are not the only controls that matter — they are the eight the ACSC considers the most cost-effective for preventing, limiting, and recovering from cyber incidents.
Three things to know up front:
- It is a baseline, not a ceiling. Meeting Maturity Level One does not make you secure. It means you have a defensible floor.
- It is increasingly contractual. Cyber insurance applications, federal procurement, and large-customer vendor questionnaires routinely reference Essential Eight maturity. The framework has migrated out of the public sector into the broader market.
- It is mapped against real adversary tradecraft. Each strategy targets specific techniques that the ACSC observes being used against Australian organisations. The list is not arbitrary.
The eight strategies
The strategies fall into three groupings: prevent malicious code execution, limit the extent of incidents, and recover. In ACSC order:
1. Application control. Only applications you have approved are allowed to execute. The mechanism is usually Microsoft AppLocker, Windows Defender Application Control, or a third-party tool. The intent is to break the ransomware kill chain at execution — a downloaded payload cannot run if it is not on the allowlist. This is the highest-impact, hardest-to-implement control on the list.
2. Patch applications. Internet-facing applications patched within two weeks; office productivity, web browsers, email clients, PDF readers, security products patched within a month. Critical vulnerabilities, or those with a working exploit, in internet-facing services patched within 48 hours — and that 48-hour window applies from ML1, not just the higher levels. The lever is your patch management process, not just turning on automatic updates.
3. Configure Microsoft Office macros. Macros disabled for users who do not need them. For users who do, only signed macros, or macros from a trusted location. ACSC’s logged threat data continues to show macro-based payloads in active use, despite Microsoft’s default-blocking changes from 2022. The control is not “turn off macros” — it is governance around who is allowed to enable them.
4. User application hardening. Web browsers configured to block Flash (long-deprecated but still surfaces), ads, and Java content from the internet. Microsoft Office configured to prevent OLE objects activating. PDF readers configured to disable JavaScript. Boring, mechanical, and the configuration drifts between Windows builds — so this is an ongoing piece of work, not a one-off baseline.
5. Restrict administrative privileges. Privileged accounts validated on use, separated from standard user accounts, no internet/email access from privileged accounts, just-in-time elevation at ML3. The principle is that the credentials with the most damage potential should have the smallest exposure footprint. In practice, this is the strategy SMBs default on most often.
6. Patch operating systems. Internet-facing operating systems patched within two weeks; internal OS patches within a month; critical OS vulnerabilities on internet-facing systems within 48 hours, from ML1. Unsupported operating systems removed from the environment. Sounds obvious; the audit consistently finds Windows Server 2012 R2 still running somewhere.
7. Multi-factor authentication. MFA on all internet-facing services that authenticate users, on remote access, on privileged accounts, and (under ML2 and above) phishing-resistant MFA for privileged users. SMS- and app-push MFA is acceptable at ML1; FIDO2/passkeys are the bar at ML3. Adversary-in-the-middle phishing kits have steadily eroded the value of push-based MFA, which is why the ACSC has tightened this strategy over successive versions.
8. Regular backups. Backups of important data, software, and configuration settings performed and retained in line with business continuity requirements. Backups protected from modification and deletion. Restoration tested. The wording matters: “tested” is the operative word. A backup that has not been restored is a hypothesis.
The maturity levels
The model defines four levels: ML0, ML1, ML2, ML3.
ML0 is the state of having gaps significant enough to undermine the strategies. It is not a maturity target — it is what you score against before any work has been done.
ML1 is the minimum defensible posture. The threat model is an opportunistic actor using widely-available tradecraft — commodity malware, off-the-shelf phishing kits, credential stuffing. ML1 is roughly achievable for a competent SMB inside a six-to-nine-month uplift programme. Most cyber-insurance pre-qualification baselines are at or just below ML1.
ML2 assumes an adversary willing to invest more time, money, and skill. Patch timeframes tighten for the broader application fleet, MFA hardens to phishing-resistant methods for privileged users, application control becomes formally documented and enforced, and unused privileged access is automatically disabled rather than left to accumulate. This is a meaningful step up — usually six-to-twelve months beyond ML1 for an SMB. (Just-in-time privileged elevation arrives at ML3, not here.)
ML3 assumes a sophisticated, adaptive adversary. Phishing-resistant MFA across the board, formal hunting capability, signed-and-enforced application control with cryptographic verification, comprehensive logging fed into a 24/7 monitoring capability. Most SMBs do not need ML3 and would be hard-pressed to fund it. ML3 is appropriate for organisations holding sensitive government data, critical infrastructure operators, and the financial sector.
The maturity levels are cumulative. ML2 includes every requirement of ML1. ML3 includes every requirement of ML2.
Uniform maturity
This is the rule that catches most organisations out. Your Essential Eight maturity is the lowest score across the eight strategies — not the average, not the best-of-eight.
If you have ML2-equivalent MFA, ML2 patching, ML2 application control, ML2 backups, and ML1 on the other four — you are at ML1 overall. The framework’s logic is that an adversary will find and exploit the weakest control, so the strongest controls do not compensate.
This has two practical consequences. First, the assessment scope cannot be cherry-picked. Second, the cheapest path to a higher maturity level is usually fixing the laggard control, not gold-plating the controls you already lead on. Plenty of SMBs spend money strengthening the MFA they were already strong on, when the gap is admin privilege management.
Where SMBs get stuck
In client environments we consistently see three friction points.
Restrict administrative privileges. SMBs running a single shared “Administrator” account for IT staff, IT contractors holding standing global admin in Microsoft 365, and a default of “give the user local admin so we don’t get tickets”. Fixing this requires named privileged accounts, separated from daily-driver accounts, with no internet or email — which means rolling out a second login workflow for the IT team. Not technically hard. Politically tedious. This is the strategy that quietly pulls overall maturity down to ML0 or ML1 in environments that look otherwise mature.
Configure Microsoft Office macros. The default Microsoft 365 tenant configuration does not satisfy the ACSC criteria at ML1. Macros need to be disabled by Group Policy or Intune for users who do not need them, with an exceptions process for users who do. Many SMBs never disable them centrally because of one or two users with legacy spreadsheets. The exception swallows the rule.
Patch SLAs, not patch coverage. Most SMBs patch — eventually. The ACSC requirement is a measured, evidenced timeframe: 48 hours for critical, two weeks for internet-facing, one month for internal. That requires a vulnerability scanner that emits a date-of-detection, a patch deployment system that records a date-of-deployment, and a report that closes the loop. Without those three artefacts, you cannot evidence the control at audit even when the patching is genuinely happening.
Application control is harder than all three of the above combined, but it is rare for an SMB to be stuck part-way on application control. They either have it or they do not. The three above are where partial implementation gives a false sense of maturity.
How to approach an assessment
A defensible Essential Eight assessment has four stages.
Scope. Define the systems in scope — typically the corporate network, the Microsoft 365 tenant, internet-facing services, and end-user devices. Industrial control systems, dev/test environments, and customer-facing production environments are usually scoped separately. The scope must be written down before evidence collection starts, or the assessment cannot be reconciled afterwards.
Evidence collection. For each of the eight strategies, gather the configuration evidence (Intune policies, AppLocker policy, conditional access rules, patch deployment reports) and the operational evidence (the last 90 days of patch records, the last quarter’s backup-restore test, the privileged access review log). Configuration without operational evidence proves the control was defined, not that it ran.
Gap analysis. Map evidence against ML1, ML2, ML3 criteria. Identify the lowest-scoring strategy and the controls within it that fail. Be honest about partials — “implemented but not enforced” is a fail under the ACSC criteria, not a “mostly ML1”.
Roadmap. Sequence the fixes by cost-to-impact ratio and by uniform-maturity logic. The roadmap should target the laggard strategies first to lift the overall floor, not the easier wins that improve a strategy you already lead on. Set realistic timeframes — a six-to-nine month uplift to ML1 from a baseline of ML0 is typical for an SMB working with an MSP. Faster is possible but generally means cutting corners on the politically tedious controls.
Symsafe runs Essential Eight gap assessments as a standalone consulting engagement: you don’t need to be a managed-services client, and the deliverable is yours to execute with us or with your existing provider. The output is the scope statement, the per-strategy evidence file, the gap analysis, and a roadmap aligned to a target maturity level the business has actually committed to. We do not publish indicative prices — the work scales with environment size and target maturity.
Related reading
- Cyber threats in 2026 — what business leaders need to know
- MDR — what it actually means
- ISO 27001 in plain English
Sources: Australian Cyber Security Centre, “Essential Eight Maturity Model”; ACSC “Strategies to Mitigate Cyber Security Incidents”.