Essential Eight maturity, all the way to Level 3.
The Australian Signals Directorate's Essential Eight is the baseline for cyber security in Australia. Cliffside helps organisations assess their current maturity level, remediate gaps, and implement solutions to achieve their target maturity — including the demanding requirements of Maturity Level 3.
Eight strategies. Four maturity levels. One baseline.
The Essential Eight is a set of prioritised mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect against cyber threats. It represents the minimum baseline for Australian organisations — and is increasingly expected by government agencies, regulators, and enterprise procurement teams.
Each strategy has four maturity levels (0–3), where Level 0 indicates significant gaps and Level 3 represents the strongest implementation. The Australian Government expects all non-corporate Commonwealth entities to achieve at least Maturity Level 2.
Most organisations stop at Level 2. Level 3 is where it gets hard.
Maturity Level 1 and Level 2 are achievable with reasonable effort for most organisations. Maturity Level 3 is a fundamentally different challenge. It requires granular technical controls, rigorous enforcement, and often significant changes to how your IT environment operates.
Cliffside has the experience to help you get there — not just by documenting controls, but by implementing the technical solutions that actually achieve ML3 compliance. We know where the hard parts are because we've done them.
The eight strategies
ASD's Essential Eight mitigation strategies.
Application control: Prevent execution of unapproved and malicious programs (including .exe, DLL, scripts, and installers) on workstations and servers.
Patch applications: Patch, update, or mitigate vulnerabilities in internet-facing applications and high-risk applications within 48 hours when exploits or critical patches exist.
Configure Microsoft Office macro settings: Block macros from the internet, only allow vetted macros in trusted locations, and implement macro signing and notification for users.
User application hardening: Configure web browsers to block Flash, ads, and Java. Disable unneeded features in Microsoft Office, web browsers, and PDF viewers.
Restrict administrative privileges: Restrict admin privileges to only those who need them. Use separate privileged and unprivileged accounts. Validate need for privileges regularly.
Patch operating systems: Patch, update, or mitigate vulnerabilities in operating systems within 48 hours when exploits or critical patches exist. Replace unsupported operating systems.
Multi-factor authentication: Implement MFA for remote access, privileged access, and access to important data repositories. Use phishing-resistant MFA where possible at ML3.
Regular backups: Perform regular backups of important data, software, and configuration settings. Test restoration of backups. Store backups disconnected and retain for at least three months.
From baseline gaps to full implementation.
Each maturity level increases the difficulty and rigour of implementation. We help organisations assess where they are and build a practical roadmap to where they need to be.
Maturity Level 0: Significant weaknesses in the implementation of the mitigation strategy. This is where most organisations start before a formal assessment.
Maturity Level 1: Basic implementation that addresses some but not all aspects of the mitigation strategy. Typically achievable with moderate effort.
Maturity Level 2: Strong implementation across most aspects. The minimum expectation for Commonwealth entities and increasingly expected by enterprise procurement.
Maturity Level 3: Comprehensive implementation. Requires granular technical controls, strict enforcement, and often significant environment changes. This is where Cliffside excels.
Our services
How Cliffside helps with Essential Eight.
A thorough assessment of your current Essential Eight maturity level across all eight strategies. We provide an honest evaluation with clear evidence of where you meet, partially meet, or fail to meet each maturity level's requirements.
Hands-on remediation to close the gaps identified in your assessment. We don't just write reports — we implement the technical solutions required to achieve your target maturity level, working alongside your IT team.
Specialist support for organisations targeting Maturity Level 3. This includes application control whitelisting, advanced MFA deployment, privileged access management, and the granular technical controls that ML3 demands.
Essential Eight maturity isn't a one-time assessment — it requires ongoing maintenance as your environment changes. We provide periodic reassessment and continuous monitoring to ensure you maintain your target maturity level.
Know your maturity level.
Start with an honest assessment. We'll tell you exactly where you stand across all eight strategies and give you a practical roadmap to your target maturity level — whether that's Level 1, 2, or 3.