Australian Cyber Security Centre Essential Eight
The Essential Eight is an ACSC baseline of eight prioritized mitigation strategies, assessed against a four-level maturity model, that most effectively reduce common cyber risks. It is mandatory for Australian Commonwealth entities and widely recommended elsewhere.
What the Essential Eight Is and Why It Exists
The Essential Eight is a set of eight prioritized mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. First released in 2017 and refined since, it distills a larger catalogue of mitigation strategies into the eight that most effectively reduce the risk of common cyber attacks. The ACSC recommends it as a sensible baseline for organizations seeking to protect their internet-connected systems.
It exists because organizations often struggle to know where to start. The Essential Eight provides a focused, evidence-based ordering of the controls that block the most prevalent attack techniques.
Who It Applies To
The Essential Eight is mandatory for Australian non-corporate Commonwealth entities under government policy and is strongly recommended for state agencies, businesses, and other organizations. While aimed at Microsoft Windows internet-connected networks, its principles generalize to most environments. Many Australian enterprises adopt it as a yardstick for supplier and internal security.
Key Requirements
The eight strategies are:
- Application control to prevent execution of unapproved programs.
- Patch applications to fix vulnerabilities quickly.
- Configure Microsoft Office macro settings to block untrusted macros.
- User application hardening, such as disabling unneeded browser features.
- Restrict administrative privileges based on need.
- Patch operating systems promptly.
- Multi-factor authentication for users and remote access.
- Regular backups that are tested and protected.
Each strategy is assessed against a maturity model with levels zero to three, allowing organizations to set and demonstrate a target maturity.
Penalties for Non-Compliance
The Essential Eight itself is a framework rather than a penalty-bearing statute. For Commonwealth entities, however, it sits within mandatory government policy, and shortfalls can be raised in audits and oversight reports. For private organizations, the consequences are practical: weaker defenses, possible exclusion from government work, and increased exposure during incidents and insurance assessments.
How to Comply
- Assess your current maturity for each of the eight strategies against the ACSC maturity model.
- Choose a target maturity level appropriate to your threat profile, commonly Level Two for many organizations.
- Prioritize patching and multi-factor authentication, which deliver large early gains.
- Implement application control and privilege restriction, which are often the hardest but most valuable.
- Test backups and rehearse recovery.
- Reassess regularly, since maturity can regress as systems change.
The model rewards consistent, measurable implementation rather than partial coverage of all eight.
Choosing and Sustaining a Maturity Level
The maturity model is the part organizations most often misuse. Maturity is assessed per strategy, and a meaningful posture requires reaching the target level consistently across all eight, rather than excelling at a few. The ACSC frames the levels against increasingly capable adversaries, so the right target depends on the threats an organization realistically faces. Sustaining maturity is as important as achieving it: application control allow-lists drift, patching cadence slips, and privilege creep returns over time. Continuous configuration management, automated patch deployment, and periodic re-assessment keep an organization from quietly regressing between formal reviews, which is a common cause of failed audits.