TL;DR
The Essential Eight is a set of eight cyber security controls developed by the Australian Signals Directorate (ASD). It’s not a law for most private businesses, but it’s the closest thing Australia has to a national security standard, and an increasing number of enterprise contracts and government tenders require it. This post explains what each control covers, how maturity levels work, and what a business needs to do to get compliant.
Your board has just asked you a direct question: does this business meet the Essential Eight?
Maybe it came after a government agency asked for evidence as part of a contract. Maybe your cyber insurer flagged it at renewal. Either way, you need a clear picture of what the essential eight cyber security framework actually requires, and what your current exposure looks like.
This is a practical guide. It covers each of the eight controls, explains the maturity model, and tells you who actually needs to comply and where to start.
What the Essential Eight Is and Where It Came From
The Australian Signals Directorate (ASD) is the federal agency responsible for Australia’s signals intelligence and cyber security operations. Through the Australian Cyber Security Centre (ACSC), which sits within it, ASD publishes the Essential Eight as a prioritised list of mitigation strategies for protecting organisations from cyber threats.
The framework was built specifically for the Australian context. That matters. Generic international frameworks are broad by design, built to apply across industries and jurisdictions. The Essential Eight is prescriptive. ASD developed it by analysing the techniques most commonly used against Australian organisations and identifying the controls that do the most to stop them.
The framework has been updated as the threat environment has shifted. The version in use reflects ASD’s current view of what constitutes a reasonable security baseline. It’s maintained by the same agency that advises the Australian Government on offensive and defensive cyber operations. That credibility matters when presenting compliance to regulators and enterprise clients.
No single framework eliminates all risk. What the Essential Eight does is reduce the attack surface to the point where opportunistic attackers move on, and targeted attackers face significantly more resistance.
The Eight Controls, Briefly Explained
Each control targets a specific class of attack or vulnerability. Here’s what they do in practice.
Application control restricts which applications can run on your systems. If an application isn’t on the approved list, it doesn’t execute. This stops malware and unauthorised software from running even if an employee downloads it.
Patch applications means keeping software up to date. Attackers routinely exploit known vulnerabilities in unpatched applications, and most successful attacks target flaws for which a patch had been available for weeks or months before the incident. The maturity model also sets timeframes: critical vulnerabilities in internet-facing services are expected to be patched within 48 hours of the fix being released, with longer windows for less exposed software.
Configure Microsoft Office macro settings addresses the fact that Office macros remain a common malware delivery mechanism. At the baseline, macros are blocked for users without a demonstrated business need and blocked outright in files downloaded from the internet. Higher maturity levels narrow this further, so that only macros digitally signed by a trusted publisher, or run from a trusted location or sandbox, are allowed at all.
User application hardening removes or disables features in internet-facing applications (web browsers, PDF readers, Office) that are commonly exploited but rarely needed. Under the current maturity model this includes browsers not processing Java or web advertisements from the internet, legacy browsers such as Internet Explorer 11 disabled or removed, and Office and PDF software blocked from spawning child processes. Earlier versions of the model also named Flash, which has since reached end of life.
Restrict administrative privileges limits who has admin access and enforces the principle of least privilege. Attackers who compromise a standard user account face far more barriers if that account can’t install software or modify system settings.
Patch operating systems applies the same logic as patching applications but to the OS itself. Unpatched OS vulnerabilities are a primary route to privilege escalation and lateral movement after an attacker gains initial access.
Multi-factor authentication (MFA) requires users to verify their identity with a second factor beyond a password. This defeats credential-based attacks even when passwords have been compromised. The maturity model is specific about the kind of MFA: a code or push prompt satisfies the baseline, but the higher levels require phishing-resistant methods such as security keys or smart cards, because a one-time code can be relayed by an attacker almost as easily as the password itself.
Regular backups ensure the organisation can recover from a ransomware attack or destructive incident without paying a ransom or accepting permanent data loss. Backups need to be tested, stored separately from the live environment, and retained for a minimum period to be effective.
The Maturity Model: ML0 to ML3
Compliance with the essential eight cyber security controls isn’t binary. The framework uses four maturity levels, rated ML0 to ML3.
ML0 means the control is not implemented or doesn’t meet the criteria for ML1. Organisations at ML0 for any control have a documented gap.
ML1 is the baseline. At this level, controls are in place to mitigate commodity-level threats using widely available attack tools. This is the floor for any organisation taking security seriously.
ML2 represents implementation against targeted attacks. Most Australian private sector organisations working toward compliance use ML2 as their target, particularly those in regulated industries or seeking government contracts.
ML3 is full implementation against sophisticated, well-resourced adversaries. It is the level pursued by organisations handling highly sensitive data or expecting to be targeted by capable state-level actors. Note that the PSPF baseline mandated for non-corporate Commonwealth entities is ML2, not ML3.
| Maturity Level | What It Mitigates |
|---|---|
| ML0 | Not implemented |
| ML1 | Commodity threats using publicly available tools |
| ML2 | Targeted attacks from capable adversaries |
| ML3 | Advanced persistent threats and sophisticated attackers |
Who Actually Needs to Comply?
The Essential Eight is mandatory for non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). For the private sector, it’s voluntary.
In practice, two situations make it effectively mandatory.
The first is government contracting. Federal and state government agencies increasingly require suppliers to demonstrate a minimum maturity level. If you’re bidding for government work, expect to be asked. The requirement usually sits at ML1 or ML2, depending on the sensitivity of the data or systems involved.
The second is regulated industries. Financial services firms operating under APRA guidance, healthcare organisations handling patient data, and operators of critical infrastructure are all facing increasing scrutiny around what constitutes reasonable security. Regulators and courts are treating the Essential Eight as a benchmark.
The October 2025 Federal Court ruling clarified this. The ruling confirmed that ‘reasonable steps’ under Australia’s Privacy Act are assessed against the threat environment at the time. If the threat environment is well-documented (it is), and the Essential Eight is publicly available as a mitigation standard (it is), an organisation that hasn’t implemented it will find it harder to argue it took reasonable precautions.
For businesses in financial services, healthcare, or critical infrastructure, or those pursuing government contracts, the Essential Eight is as close to required as it gets without being law.
Essential Eight vs ISO 27001: What’s the Difference?
This is a common question, and the distinction is worth understanding clearly.
The Essential Eight is prescriptive. It tells you which specific controls to implement. It’s a technical baseline, not a management system.
ISO 27001 is a management system standard. It tells you how to design, implement, and maintain an information security programme across your organisation. It’s broader and more flexible. Achieving certification requires an independent audit.
In practice: the Essential Eight tells you what to do, ISO 27001 tells you how to manage it as an ongoing programme.
Some organisations need both. Enterprise clients and government agencies may require Essential Eight compliance as a technical baseline while also expecting ISO 27001 certification as evidence of mature security governance. Others achieve Essential Eight compliance first and pursue ISO 27001 once their security programme is more mature.
Where to Start
Start with a gap assessment. Map your current controls against each of the eight, assess your maturity level per control, and identify where the gaps are.
Don’t try to reach ML3 across all controls at once. The more useful approach is to identify your current level per control, set a target maturity level that matches your risk profile and compliance obligations, and sequence the remediation work. Bear in mind that ASD rates overall maturity at the lowest level achieved across all eight controls, so one control at ML3 does nothing for your rating while another sits at ML0.
Some controls are faster than others. Enabling MFA is typically straightforward. Application control in a complex environment with legacy systems takes longer and requires careful planning.
A qualified assessor can run an Essential Eight assessment that produces a maturity rating per control, identifies the gaps, and gives you a prioritised remediation roadmap. For most organisations, that assessment is the most efficient starting point, particularly if you’re working toward a specific compliance target or contract requirement.
Learn more about how we support this through our Cyber Security Services.
Conclusion
If you’re working toward Essential Eight compliance, a gap assessment is where to begin. It tells you where you stand, what your target maturity level should be, and what the remediation path looks like. Gridware’s team can run that assessment and deliver a rated, prioritised report.
Frequently Asked Questions
What are the ASD Essential Eight controls?
The eight controls are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Each targets a different class of attack or vulnerability. The post above covers each one in plain language.
Is the Essential Eight mandatory for private companies in Australia?
No, not as a matter of law for most private businesses. It is mandatory for non-corporate Commonwealth entities. For the private sector, it becomes effectively mandatory in practice if you’re bidding for government contracts, operating in regulated industries like financial services or healthcare, or meeting the requirements of certain cyber insurance underwriters.
What is the difference between Essential Eight Maturity Level 1, 2, and 3?
ML1 is the baseline: controls are in place to stop opportunistic attacks using publicly available tools. ML2 extends this to defend against targeted attacks from capable adversaries. ML3 is full implementation against sophisticated, well-resourced attackers. Most private sector organisations target ML2. ML0 means the control isn’t implemented at all.
How is the Essential Eight different from ISO 27001?
The Essential Eight is prescriptive. It tells you which specific controls to implement. ISO 27001 is a management system standard that tells you how to design and maintain an information security programme. The Essential Eight is a technical baseline; ISO 27001 is a broader governance framework. Some organisations need both.
How long does it take to become Essential Eight compliant?
It depends on your starting point and target maturity level. Reaching ML1 from scratch in a well-managed environment typically takes three to six months. ML2 commonly takes six to twelve months for a mid-market organisation. ML3 is a multi-year programme for most. The honest answer varies based on environment complexity and how many controls are already partially in place.
What happens if my business isn’t compliant with the Essential Eight?
For most private sector businesses, there’s no direct legal penalty. The risk is indirect: losing government contracts, difficulty obtaining or renewing cyber insurance, and weaker protection against attack. Following the October 2025 Federal Court ruling, non-compliance may also be used as evidence that your business didn’t take ‘reasonable steps’ under the Privacy Act, which has direct legal consequences if you experience a notifiable data breach.
Do I need all eight controls or can I implement them selectively?
The framework is designed to be implemented as a whole. Each control addresses a different attack category, and gaps leave your environment exposed to the attacks that control is designed to stop. The maturity model supports a staged approach: set a target maturity level across all eight controls and sequence the work to get there. Permanently skipping controls is not recommended.