Compliance | Essential Eight
Essential Eight maturity all the way to Level 3.
The Australian Signals Directorate's Essential Eight is the baseline for cyber security in Australia. Cliffside helps organisations assess their current maturity level, remediate gaps, and implement solutions to achieve their target maturity, including the demanding requirements of Maturity Level 3.
The Essential Eight Maturity Model: ML0 through ML3 at a glance.
The ASD assesses each of the eight mitigation strategies against four maturity levels. The levels are cumulative: ML2 includes everything required at ML1, and ML3 includes everything required at ML2. The November 2023 update raised the bar at every level, which is why most organisations now sit below the rung they assume they hold.
ML0: significant gaps. The starting point for organisations with no formal Essential Eight implementation. Common before a first maturity assessment, even when individual controls feel reasonably mature.
ML1: basic implementation. Targets opportunistic attackers using widely available tradecraft. Achievable with reasonable effort in most environments. The minimum any Australian organisation handling sensitive data should aim for.
ML2: strong implementation. Targets attackers with a degree of capability and targeting. The mandatory baseline for non-corporate Commonwealth entities under the PSPF, and the level enterprise procurement and APRA-regulated supply chains increasingly expect.
ML3: comprehensive implementation. Targets adaptive attackers willing to invest time in compromising the target. Requires granular technical controls and strict enforcement. Most organisations stall at ML2; ML3 is a fundamentally different programme. Read our Essential Eight Maturity Level 3 guide for what ML3 actually requires in practice.
Which level do you need? Non-corporate Commonwealth entities must achieve ML2 under the PSPF. APRA-regulated entities are typically expected at ML2 or higher to satisfy CPS 234 expectations. Critical infrastructure operators covered by the SOCI Act usually need ML2 with selected ML3 controls. Commercial mid-market organisations without a regulatory mandate should treat ML1 as the floor and ML2 as the durable target. ML3 is appropriate for entities holding highly sensitive data or running systems whose compromise would carry wide downstream impact.
Eight strategies. Four maturity levels. One baseline.
The Essential Eight (also known as the Essential 8 or E8) is a set of prioritised mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect against cyber threats. It represents the minimum baseline for Australian organisations, and is increasingly expected by government agencies, regulators, and enterprise procurement teams.
Each strategy has four maturity levels (0–3), where Level 0 indicates significant gaps and Level 3 represents the strongest implementation. The Australian Government expects all non-corporate Commonwealth entities to achieve at least Maturity Level 2.
Most organisations stop at Level 2. Level 3 is where it gets hard.
Maturity Level 1 and Level 2 are achievable with reasonable effort for most organisations. Maturity Level 3 is a fundamentally different challenge. It requires granular technical controls, rigorous enforcement, and often significant changes to how your IT environment operates.
Cliffside has the experience to help you get there, not just by documenting controls, but by implementing the technical solutions that actually achieve ML3 compliance. We know where the hard parts are because we've done them.
The eight strategies
ASD's Essential Eight mitigation strategies.
Application control: prevent execution of unapproved and malicious programs, including executables, DLLs, scripts, and installers, on workstations and servers.
Patch applications: patch, update, or mitigate vulnerabilities in internet-facing and other high-risk applications within 48 hours when exploits or critical patches exist.
Configure Microsoft Office macro settings: block macros in files from the internet, allow only vetted macros in trusted locations, and implement macro signing and user notification.
User application hardening: configure web browsers to block Flash, ads, and Java, and disable unneeded features in Microsoft Office, web browsers, and PDF viewers.
Restrict administrative privileges: limit admin privileges to those who need them, use separate privileged and unprivileged accounts, and validate the need for privileges regularly.
Patch operating systems: patch, update, or mitigate vulnerabilities in operating systems within 48 hours when exploits or critical patches exist, and replace unsupported operating systems.
Multi-factor authentication: implement MFA for remote access, privileged access, and access to important data repositories, using phishing-resistant MFA where possible at ML3.
Regular backups: perform regular backups of important data, software, and configuration settings, test restoration of backups, and store backups disconnected and retained for at least three months.
From baseline gaps to full implementation.
Each maturity level increases the difficulty and rigour of implementation. We help organisations assess where they are and build a practical roadmap to where they need to be.
ML0: significant weaknesses in the implementation of the mitigation strategy. This is where most organisations start before a formal assessment.
ML1: basic implementation that addresses some but not all aspects of the mitigation strategy. Typically achievable with moderate effort.
ML2: strong implementation across most aspects. The minimum expectation for Commonwealth entities and increasingly expected by enterprise procurement.
ML3: comprehensive implementation. Requires granular technical controls, strict enforcement, and often significant environment changes. This is where Cliffside excels.
Our services
How Cliffside helps with Essential Eight.
A thorough assessment of your current Essential Eight maturity level across all eight strategies. We provide an honest evaluation with clear evidence of where you meet, partially meet, or fail to meet each maturity level's requirements.
Hands-on remediation to close the gaps identified in your assessment. We don't just write reports; we implement the technical solutions required to achieve your target maturity level, working alongside your IT team.
Specialist support for organisations targeting Maturity Level 3. This includes application control (allowlisting), advanced MFA deployment, privileged access management, and the granular technical controls that ML3 demands.
Essential Eight maturity isn't a one-time assessment; it requires ongoing maintenance as your environment changes. We provide periodic reassessment and continuous monitoring to ensure you maintain your target maturity level.
Checklist
Essential Eight compliance checklist.
Use these self-assessment questions to evaluate your current state across each of the eight strategies before a formal maturity assessment.
Application control: have you identified all approved applications? Are unapproved executables, scripts, and installers blocked on workstations and servers? Is your application control solution tested regularly?
Patch applications: are internet-facing application patches applied within 48 hours of release? Do you have visibility of all installed applications and their versions? Are unsupported applications removed or isolated?
Configure Microsoft Office macro settings: are macros from the internet blocked? Are only vetted macros allowed in trusted locations? Is macro execution logged and monitored for anomalies?
User application hardening: are web browsers configured to block ads, Flash, and Java? Are unnecessary features disabled in Office, browsers, and PDF viewers? Are security settings enforced via group policy?
Restrict administrative privileges: do administrators use separate privileged and unprivileged accounts? Is privileged access limited to only those who need it? Are admin privileges validated and reviewed regularly?
Patch operating systems: are OS patches for internet-facing systems applied within 48 hours? Are unsupported operating systems replaced or isolated? Do you have automated patch compliance reporting?
Multi-factor authentication: is MFA enforced for remote access, privileged access, and sensitive data? Are you using phishing-resistant MFA methods for ML3? Is MFA coverage complete across all applicable systems?
Regular backups: are backups of important data performed regularly and tested? Are backups stored disconnected from the network? Are backup retention periods at least three months? Can you restore within your target timeframe?
Frequently asked questions.
What maturity level should our organisation target?
How long does an Essential Eight assessment take?
What is the difference between Essential Eight and ISO 27001?
Does Essential Eight apply to state government and private sector?
Is there an official Essential Eight checklist?
Know your maturity level.
Start with an honest assessment. We'll tell you exactly where you stand across all eight strategies and give you a practical roadmap to your target maturity level, whether that's Level 1, 2, or 3.