July 12, 2026
Updated: July 12, 2026
A practical Australian guide to implementation evidence, maturity assessment and authorised control validation
Mohammed Khalil

Important guidance noteThis article is educational and should be read alongside the current Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) guidance. Essential Eight requirements and government policy can change. Applicability and target maturity may depend on government policy, contracts, sector requirements and organisational risk. Penetration testing can support technical assurance, but it does not replace a complete Essential Eight assessment or establish legal compliance.
The Essential Eight is an Australian cybersecurity baseline maintained by ASD and the ACSC. It groups eight prioritised mitigation strategies with a maturity model that helps organisations evaluate how consistently those controls are implemented. An assessment normally considers policy, technical configuration, coverage, logs, exceptions and test evidence. Technical testing may confirm that a selected control works on in-scope systems, but it cannot by itself prove complete maturity or legal compliance. The Essential Eight should therefore be treated as a practical security baseline supported by evidence, remediation and ongoing review not as a certification or a guarantee that an organisation cannot be compromised.
The Essential Eight sits within ASD’s broader Strategies to Mitigate Cyber Security Incidents. The framework prioritises a small group of controls that address recurring intrusion paths such as unpatched software, malicious code execution, credential compromise, excessive privilege and loss of recoverable data.
The word baseline matters. The Essential Eight does not cover every governance, detection, incident-response, personnel, physical-security, supply-chain or application-security requirement. Organisations still need a broader risk-management program suited to their systems, data and threat environment.
The framework is also not universally mandatory for every Australian business. Some government policies, procurement terms and contracts may set explicit obligations. Private organisations may adopt the framework because it is useful, because customers require it or because it fits their risk-management approach. Applicability should be confirmed against the current policy, contract, regulator or legal advice relevant to the organisation.
ASD’s model is designed to be applied consistently. A strong result in one control does not automatically compensate for a material weakness in another. Organisations should understand the requirements for their selected target level, define the systems and users covered, record exceptions and maintain evidence over time.

Figure 1. The eight Essential Eight mitigation strategies at a glance.
| Mitigation strategy | Primary objective | Typical evidence | Example validation |
|---|---|---|---|
| Application control | Allow approved applications and code to run while restricting unapproved execution. | Rule exports; coverage reports; blocked-event logs. | Run a benign unapproved executable on an authorised test system. |
| Patch applications | Reduce exposure to known application vulnerabilities. | Asset and version inventory; patch reports; vulnerability results. | Confirm a sampled application no longer presents the remediated exposure. |
| Configure Microsoft Office macro settings | Restrict untrusted macros and control approved macro use. | Policy export; trusted publishers or locations; block logs. | Open a benign test document and confirm the expected policy response. |
| User application hardening | Reduce risky functionality and attack surface in user applications. | Security baselines; MDM/GPO exports; compliance reports. | Check that a restricted feature or content type is blocked on a sample device. |
| Restrict administrative privileges | Limit privileged access and separate administrative from standard use. | Admin inventories; group membership; PAM and access-review records. | Confirm a standard account cannot perform an administrative action without approved elevation. |
| Patch operating systems | Reduce exposure to known operating-system vulnerabilities. | Supported-OS inventory; patch reports; scan and change records. | Validate remediation on a representative host using an approved non-destructive check. |
| Multi-factor authentication | Require strong additional authentication for relevant access paths. | Identity-policy exports; coverage reports; authentication logs. | Confirm an in-scope account cannot access a protected service without the required factor. |
| Regular backups | Preserve recoverability and protect backup data from alteration or deletion. | Job logs; retention settings; access controls; restoration evidence. | Restore a representative file, service or system and verify integrity. |
Official strategy names follow ASD’s Essential Eight guidance; organisations should use the current wording and criteria when conducting an assessment.
Application control allows approved applications, scripts, libraries and installers to run while restricting unapproved code. Its security value depends on enforcement coverage: a policy applied only to selected servers, file types or user groups may leave meaningful execution paths open.
Useful evidence includes the approved-software inventory, rule exports, endpoint coverage, exception records and blocked-execution logs. A safe validation uses a benign unapproved executable or script on a representative, authorised test system and checks whether execution is prevented and logged.
Common gaps include audit-only deployment, broad allow rules, incomplete script coverage, unmanaged endpoints, expired exceptions and administrators who can disable enforcement. Penetration testing may demonstrate an exploitable gap on tested systems, but it cannot prove that every device and execution path is covered.
This strategy addresses known vulnerabilities in applications and internet-facing services. Effective implementation starts with accurate asset and version data, prioritisation based on the current maturity criteria, controlled deployment and confirmation that patches are operational not merely marked as installed.
Evidence can include inventories, patch-management reports, vendor notices, change records, vulnerability results and exception approvals. Because patching timeframes vary by maturity level and guidance version, organisations should apply the timeframes in the current ASD Essential Eight Maturity Model for their selected target.
Typical weaknesses include unknown software, failed updates, pending restarts, end-of-life products and inconsistent coverage of desktop or third-party applications. Technical validation can confirm that a sampled exposure is no longer present, but it does not prove organisation-wide patch compliance.
The control reduces the risk from untrusted Microsoft Office macros while allowing approved business use through managed rules. Assessment scopes, control mappings and evidence records should use the current official strategy name consistently.
Evidence may include Group Policy or cloud-policy exports, trusted publisher or location records, exception approvals and endpoint logs. A safe validation uses a benign macro-enabled test file under an approved scenario and confirms that the policy blocks, warns or permits it exactly as intended.
Common gaps include unmanaged devices, inconsistent settings across Office applications, broad trusted locations, long-lived exceptions and policies that exist in a central console but do not reach endpoints. A penetration test can validate selected paths, not every Office installation or approved-macro process.
User application hardening reduces risky functionality in browsers, document readers, collaboration tools and other applications exposed to untrusted content. Current implementation should focus on the features and content types named in the applicable ASD maturity criteria rather than relying on outdated examples.
Evidence includes security baselines, MDM or Group Policy exports, endpoint compliance reports, exception registers and relevant logs. Technical validation can confirm that a selected risky feature or content type is disabled on representative devices.
Frequent gaps include inconsistent browser policies, unmanaged contractor devices, unsupported applications and exceptions without ownership or expiry. This control depends on patching, application control and administrative privilege restrictions; users with excessive privilege may otherwise reverse hardening settings.
This strategy limits who can perform privileged actions, separates administrative accounts from everyday use and reduces the impact of compromised credentials. It should cover local, domain, cloud, application and service administration as applicable to the environment.
Assessment evidence may include privileged-account inventories, role and group membership, approval records, access reviews, PAM reports and logs of administrative activity. A controlled validation can confirm that a standard user cannot complete an administrative action without an approved elevation path.
Common gaps include permanent local administrator access, shared accounts, privilege creep, unmanaged service accounts, weak recovery accounts and inconsistent cloud roles. Identity attack-path testing can reveal escalation opportunities, but it does not replace a complete review of account ownership, entitlement and governance.
Operating-system patching addresses known vulnerabilities in servers, workstations and other supported platforms. The process should include asset discovery, supported-version tracking, prioritisation under the selected maturity criteria, deployment, restart management and verification.
Evidence includes supported-OS inventories, patch and change reports, vulnerability results, failed-deployment records and approved exceptions for systems that cannot be patched immediately. Organisations should use the exact timeframes in the current ASD Essential Eight Maturity Model rather than relying on older summaries.
Typical gaps include forgotten hosts, appliances outside central tooling, end-of-life systems, incomplete restarts and dashboards that disagree with observed exposure. Authorised technical validation can confirm a sampled fix, but it remains a point-in-time test of selected systems.
MFA reduces the value of compromised passwords by requiring another approved authentication factor. Scope is critical: the control may need to cover privileged users, remote access, cloud administration, sensitive repositories and other pathways defined by the current maturity criteria.
Evidence includes identity-policy exports, account and application coverage reports, authentication logs, exception records and recovery-process documentation. A safe check confirms that a protected account cannot access an in-scope service when the required factor is absent or fails.
Common weaknesses include legacy protocols, unmanaged service accounts, weak fallback and recovery paths, inconsistent cloud tenants and break-glass accounts without adequate controls. Testing may identify a specific unprotected path, but cannot prove that every account, service and recovery route is covered.
Regular backups protect the organisation’s ability to recover data and services after destructive activity or operational failure. Evidence should cover what is backed up, frequency, retention, protection from alteration or deletion, privileged access and restoration testing.
A successful backup job is not the same as proven recoverability. Strong evidence includes restoration records showing that representative data or systems were recovered, checked for integrity and evaluated against business recovery objectives.
Common gaps include missing SaaS data, backup repositories reachable through production credentials, short retention, untested recovery procedures and undocumented ownership. Penetration testing may examine selected access paths to backup infrastructure, but restoration assurance requires planned recovery exercises.
The current Essential Eight Maturity Model defines Levels 0 to 3. Level 0 indicates that the organisation does not meet Level 1. Levels 1 to 3 address progressively more capable adversaries and require stronger, more consistently implemented controls. The official threat descriptions and control requirements should be read directly from the current model rather than reconstructed from older summaries.
Maturity should be considered across all eight strategies. An organisation should not select only the easiest controls at a higher level and describe the whole environment as having reached that level. Coverage, implementation, exceptions and evidence must be evaluated against the applicable criteria.
| Maturity level | General intent | Typical organisational challenge | Important caveat |
|---|---|---|---|
| 0 | Level 1 requirements are not met. | Major visibility, implementation or coverage gaps. | A starting condition, not a target. |
| 1 | Reduce exposure to common, opportunistic attack methods. | Consistent baseline deployment across relevant systems. | Incomplete coverage can undermine the whole result. |
| 2 | Address more capable adversaries using targeted techniques. | Stronger identity, patching, enforcement and exception control. | Requires repeatable processes, not isolated technical fixes. |
| 3 | Address advanced, adaptive adversaries. | Broad, closely governed and continuously reviewed control operation. | Does not make compromise impossible; broader security capabilities remain necessary. |

High-level summary only. Refer to the current ASD Essential Eight Maturity Model for authoritative control-by-control requirements.
| Control | Level 1 focus | Level 2 progression | Level 3 progression | Evidence focus |
|---|---|---|---|---|
| Application control | Establish enforceable coverage. | Tighten rules and reduce bypass paths. | Broaden and continuously review enforcement. | Rules, coverage, exceptions, blocked events. |
| Patch applications | Meet baseline priorities and coverage. | Shorten exposure for higher-risk applications. | Apply the strictest current criteria and verification. | Inventory, deployment and observed exposure. |
| Office macro settings | Block untrusted use under managed policy. | Strengthen trusted-use conditions and coverage. | Use tightly controlled, auditable exceptions. | Policy exports, trust records, logs. |
| User application hardening | Apply required baseline settings. | Expand and standardise protected application scope. | Maintain strict controls with active exception review. | Baselines, compliance reports, exceptions. |
| Administrative privileges | Remove unnecessary privilege. | Strengthen separation and oversight. | Use tightly governed, time-bound privileged access. | Account inventories, approvals, access reviews. |
| Patch operating systems | Cover supported systems under baseline criteria. | Increase speed and verification for higher risk. | Apply the strictest current criteria across scope. | OS inventory, patch evidence, validation results. |
| MFA | Protect required accounts and services. | Expand coverage and strengthen authentication paths. | Use the strongest current criteria and recovery controls. | Policy, coverage, logs, exceptions. |
| Regular backups | Back up and test representative recovery. | Strengthen isolation, access and restoration evidence. | Maintain resilient, regularly exercised recovery capability. | Scope, job logs, access controls, restore tests. |
This matrix provides a high-level progression view and does not replace the detailed criteria in the current ASD Essential Eight Maturity Model.
A target maturity level should be justified by risk and obligation, not selected for marketing value. Government policy or a contract may set a minimum. Where no external mandate applies, decision-makers should consider who may target the organisation, which systems matter most, what a compromise would affect and how consistently the current controls operate.
| Decision factor | Questions to ask | Effect on target selection |
|---|---|---|
| Threat profile and exposure | Who is likely to target the organisation? Which systems are internet-facing? | Greater exposure or targeted threat activity may justify a higher target. |
| Data and service impact | What would loss of confidentiality, integrity or availability cause? | High-impact systems and data normally warrant stronger controls. |
| Privileged and identity pathways | How many administrative, remote and cloud access paths exist? | Complex identity environments increase the need for stronger coverage and evidence. |
| Government, contract or sector obligations | Does a current policy, procurement term or regulator set a requirement? | The verified requirement takes precedence over an informal internal preference. |
| Current maturity and dependencies | Are Level 1 controls consistently implemented across scope? | Fix baseline weaknesses before claiming progress at a higher level. |
| Resources and operating model | Can the organisation maintain the controls and evidence over time? | Choose a staged plan that can be operated reliably, not a temporary assessment-time configuration. |
Applicability cautionDo not state that every Australian organisation must reach a particular maturity level. Confirm the current government policy, contract, sector requirement or customer obligation that applies to the specific organisation.
The terms assessment, audit, scan and penetration test are often used interchangeably in marketing, but they answer different questions. A complete Essential Eight conclusion normally depends on broader evidence than a technical test alone.

For a broader comparison of technical assurance activities, see DeepStrike’s guide to vulnerability assessment and penetration testing.
| Activity | Main purpose | Typical evidence | Main limitation |
|---|---|---|---|
| Self-assessment | Internal comparison with the selected criteria. | Policies, exports, records and internal testing. | May miss gaps or rely too heavily on self-reported evidence. |
| Independent Essential Eight assessment | Evaluate maturity against defined Essential Eight criteria. | Governance, configuration, coverage, logs, sampling and tests. | Conclusion depends on scope, evidence quality and current guidance. |
| Internal or external audit | Provide assurance against defined criteria and scope. | Documentation, interviews, sampling and test evidence. | May cover more than Essential Eight or use a different assurance objective. |
| Configuration review | Check whether technical settings match requirements. | Exports, baselines, configuration and coverage reports. | A snapshot does not always prove effective operation. |
| Vulnerability scan | Identify known technical exposures at scale. | Scanner findings and asset coverage. | May contain false positives and cannot evaluate all governance or control requirements. |
| Vulnerability assessment | Analyse and validate technical weaknesses. | Tool output plus analyst review and risk context. | Still limited by scope and does not prove full maturity. |
| Penetration test | Assess exploitable attack paths in an authorised scope. | Validated findings, attack-path evidence and remediation advice. | Point-in-time and scenario-based; not an organisation-wide maturity assessment. |
| Red team exercise | Test detection and response against an objective-led scenario. | Scenario outcomes, control observations and response evidence. | Not designed to exhaustively assess each Essential Eight requirement. |
| Backup restoration test | Prove that selected data or services can be restored. | Restore records, integrity checks and recovery timing. | Covers selected recovery scenarios, not every backup or system. |
| Control-effectiveness test | Confirm that a specific control operates as intended. | Observed result, logs and supporting configuration. | Does not establish full policy coverage or overall maturity. |
Strong assessment evidence is current, representative and traceable. A policy can show intent, but it does not prove that a setting is deployed across the intended scope. A configuration export may show technical implementation, but still require coverage sampling and operational validation. Assessors therefore combine different evidence types and look for consistency between them. Use ASD’s current Essential Eight guidance and Maturity Model as the authoritative criteria.
| Evidence type | What it can demonstrate | Limitation |
|---|---|---|
| Policies, standards and procedures | Defined responsibility, scope and expected operation. | May be outdated or disconnected from actual implementation. |
| System and endpoint configuration | The settings applied to selected systems. | A point-in-time export may not represent every device. |
| Asset and patch records | Known systems, software versions and deployment activity. | Central records may omit unmanaged assets or failed changes. |
| Identity and access records | MFA coverage, privileged membership and access reviews. | May miss shadow accounts, recovery paths or separate cloud tenants. |
| Application-control evidence | Rules, approved software, coverage and blocked events. | A rule set alone does not prove full enforcement. |
| Backup and restoration records | Scope, retention, protection and tested recovery. | Successful jobs do not prove all data can be restored. |
| Exceptions and risk acceptances | Known deviations, owners, compensating controls and review dates. | An exception documents risk; it does not remove the gap. |
| Technical test results | Observed exposure or control effectiveness on tested assets. | Time- and scope-limited; must be interpreted with other evidence. |
| Interviews and observation | How teams operate the control in practice. | Subjective and dependent on the people and samples selected. |
Evidence principleAvoid fixed labels such as “excellent”, “good” or “fair” unless the exact wording is confirmed in the current official assessment guidance. The practical point is that stronger conclusions normally combine documented intent, observed configuration, representative coverage and operating evidence.
The table below shows safe, high-level validation options. All testing must be authorised, scoped and non-destructive. It does not provide commands, payloads or bypass procedures.
| Control | Configuration review | Evidence review | Safe technical validation | Not proven by a pentest |
|---|---|---|---|---|
| Application control | Review rule and coverage exports. | Approved software, exceptions and blocked-event logs. | Use a benign unapproved executable on a test system. | Complete enforcement across every device and code path. |
| Patch applications | Review inventory, policy and deployment criteria. | Patch and vulnerability records. | Confirm a sampled remediated exposure is no longer present. | Every application is patched within the current criteria. |
| Office macro settings | Review managed macro policy and scope. | Trusted-use records, exceptions and logs. | Use a benign test document and observe the policy response. | All Office installations and business macro processes are covered. |
| User application hardening | Review browser and application baselines. | Compliance and exception reports. | Check a restricted feature on representative devices. | Every user application and unmanaged device is hardened. |
| Administrative privileges | Review roles, groups and elevation controls. | Admin inventory, approvals and access reviews. | Confirm a standard account cannot complete an admin action. | All privileged accounts and entitlements are correct. |
| Patch operating systems | Review OS inventory, policy and deployment status. | Patch, change and vulnerability records. | Validate remediation on a representative host. | All online, offline and unmanaged systems are patched. |
| MFA | Review policy, account and service coverage. | Authentication logs, reports and exceptions. | Confirm the required factor is enforced on an in-scope path. | Every account, protocol, recovery path and cloud tenant is covered. |
| Regular backups | Review scope, retention, access and isolation. | Job logs, restore records and integrity checks. | Restore representative data or a system in a controlled environment. | All critical data and recovery scenarios meet business needs. |
Use representative sampling and document the scope, expected result, observed result and evidence retained.
Penetration testing is most useful when the organisation needs evidence about realistic attack paths rather than only the existence of a setting. It may help evaluate selected internet-facing applications and APIs, cloud and identity pathways, segmentation, privilege escalation exposure, legacy systems and weaknesses that only become meaningful when combined.
The engagement should define the target maturity context, objective, assets, starting access, production constraints, testing windows, data-handling rules, critical-finding escalation and retesting expectations. Reports should explain which Essential Eight control or dependency a finding affects without presenting the penetration test as a formal maturity certificate.
Not every assessment needs a pentestThe decision should follow risk, complexity and the evidence question being answered. Patch records, configuration exports, coverage reports and restoration tests may be more appropriate for some controls.
A penetration test examines selected systems and scenarios during a defined period. It cannot by itself establish complete Essential Eight maturity, because maturity also depends on coverage, governance, evidence, exceptions and ongoing operation.
An absence of findings means that no relevant finding was identified within the agreed scope and method. It does not mean that the organisation is certified, fully mature or immune from compromise.
A practical, source-aligned process can be organised into the following stages. This is an operational workflow, not an official certification procedure.
| Preparation area | Question | Evidence owner | Status |
|---|---|---|---|
| Target maturity level | Is the target and rationale documented? | CISO / risk owner | To complete |
| Scope and boundaries | Are systems, users, cloud services and exclusions defined? | Security / IT lead | To complete |
| Asset and software inventory | Is the inventory current and does it include unmanaged or legacy assets? | IT operations | To complete |
| Patching | Are application and OS criteria, deployment and verification documented? | IT operations | To complete |
| Application control | Are rules, coverage and exceptions known? | Endpoint team | To complete |
| Macro settings and hardening | Are managed baselines consistently applied? | Endpoint / security team | To complete |
| Administrative privileges | Are privileged accounts, roles and reviews complete? | IAM / IT administration | To complete |
| MFA | Are all required accounts, services and recovery paths covered? | IAM team | To complete |
| Backups and restoration | Are scope, protection, retention and successful restores evidenced? | Backup / continuity owner | To complete |
| Exceptions and risk | Does every deviation have an owner, treatment and review date? | Risk / governance | To complete |
| Technical validation | Is each planned test authorised, safe and mapped to an evidence question? | Security testing team | To complete |
| Remediation and retesting | Are gaps tracked to verified closure? | Control owners | To complete |
| Evidence retention | Are artefacts current, timestamped and protected? | Compliance / records owner | To complete |
| Executive reporting | Are maturity, limitations and residual risks reported clearly? | CISO / executive sponsor | To complete |
Preparation checklist only; it does not replace the current official guidance.
Cloud services change who operates a control, but they do not remove the customer’s responsibility for the systems, identities, configuration and data under its control. Scope should distinguish provider-managed components from customer-managed components and identify the evidence available for each.
Smaller organisations should not invent a weaker maturity model, but they can sequence implementation sensibly. Start with accurate knowledge of critical assets, users and data; enable the controls that materially reduce exposure; document managed-service responsibilities; and assign ownership for evidence and exceptions.
A practical sequence may begin with supported software, timely updates, MFA on critical access, reduced administrative privilege and tested backups, while the organisation plans broader application control and hardening. The selected maturity target should still be justified by risk and any applicable customer or contractual requirement.
| Framework | Primary purpose | Relationship to Essential Eight | Important caveat |
|---|---|---|---|
| Essential Eight | Prioritised Australian mitigation baseline and maturity model. | The subject of this guide. | Not a complete ISMS, risk framework or certification. |
| Information Security Manual | Broader Australian Government security-control guidance. | Contains wider controls and context related to Essential Eight topics. | Much broader than the eight mitigation strategies. |
| PSPF | Australian Government protective-security policy framework. | May set policy obligations for applicable entities. | Confirm the current policy and applicability before making a maturity claim. |
| ISO/IEC 27001:2022 | International information-security management-system standard. | Essential Eight evidence may support parts of the ISMS control environment. | Mapping depends on scope, risk treatment and the applicable Annex A controls. |
| NIST Cybersecurity Framework 2.0 | Risk-management outcomes organised across Govern, Identify, Protect, Detect, Respond and Recover. | Essential Eight controls contribute mainly to selected protective and recovery outcomes. | The CSF is broader and does not prescribe the Essential Eight maturity criteria. |
| CIS Controls | Prioritised technical and operational safeguards. | Overlaps in inventory, patching, access, application control and recovery. | Control names and implementation groups are not one-to-one with Essential Eight. |
| PCI DSS | Security requirements for payment account data environments. | Some controls overlap, including patching, MFA and privilege restriction. | PCI DSS has its own scope, evidence and testing requirements. |
Buyers comparing delivery models can also review DeepStrike’s overview of cybersecurity audit companies, while still evaluating current-guidance competence, evidence method, safety and reporting quality.
| Buyer criterion | What to ask | Warning sign |
|---|---|---|
| Current-guidance competence | Which official version and criteria will you assess? | Generic claims without a version or source trail. |
| Assessment vs testing clarity | Will the engagement assess maturity, validate controls, perform a pentest or combine defined activities? | Calling a vulnerability scan a complete Essential Eight audit. |
| Scope and sampling | How will systems, users, cloud services and samples be selected? | A one-size-fits-all scope with no exclusions or sampling rationale. |
| Evidence method | Which configuration, coverage, log and restoration evidence will be reviewed? | Reliance on interviews or screenshots alone. |
| Production safety | What constraints, testing windows and escalation procedures apply? | Destructive testing or unclear authorisation. |
| Data handling | How will sensitive evidence and reports be stored, transferred and deleted? | No documented handling, retention or residency approach. |
| Report quality | Will the report separate criteria, evidence, gaps, limitations and remediation? | A tool-generated list with no maturity or business context. |
| Remediation and retesting | How are fixes tracked and verified? | No defined closure or retesting process. |
| Independence and claims | What does the engagement not prove? | Promises of certification, guaranteed maturity or audit approval. |
| Phase | Primary activities |
|---|---|
| 1. Establish scope and ownership | Confirm current guidance, obligations, target maturity, boundaries and evidence owners. |
| 2. Baseline current state | Inventory assets, software, identities, cloud services, backups, configurations and known exceptions. |
| 3. Prioritise gaps | Use exposure, privilege, exploitability, business impact and recovery risk. |
| 4. Implement and validate | Deploy controls, confirm representative coverage and retain operating evidence. |
| 5. Remediate and retest | Track findings to closure and update the evidence set after fixes. |
| 6. Maintain | Monitor coverage, review exceptions, repeat restore tests and reassess after material change or guidance updates. |
The Essential Eight is an ASD and ACSC baseline of eight prioritised mitigation strategies supported by a maturity model. It focuses on common intrusion paths such as unpatched software, malicious code execution, credential compromise, excessive privilege and failed recovery. It is not a complete cybersecurity program or a certification.
Application control; patch applications; configure Microsoft Office macro settings; user application hardening; restrict administrative privileges; patch operating systems; multi-factor authentication; and regular backups. Organisations conducting an assessment should confirm the current wording in ASD’s Essential Eight guidance.
Not for every organisation. Some Australian Government policies, contracts, procurement terms or sector arrangements may set requirements for specific entities. Other organisations adopt the framework voluntarily. Applicability and any required maturity level should be confirmed against the current policy or contract that applies.
The model uses Levels 0 to 3. Level 0 means Level 1 is not met. Levels 1 to 3 address progressively more capable adversaries and require stronger, more consistently implemented controls. The detailed criteria for each strategy must come from the current ASD Maturity Model.
Level 0 indicates that the organisation does not meet the requirements for Level 1. It should be treated as a gap condition and a starting point for remediation, not as a target maturity level.
Use risk, exposure, business impact, identity complexity, existing maturity and any government, contractual or sector requirement. The target should be documented and achievable across all eight strategies rather than selected control by control for convenience.
It is a structured comparison of current implementation and evidence against the selected Essential Eight maturity criteria. It can include policy and governance review, configuration analysis, coverage sampling, logs, interviews, restoration evidence and authorised technical validation.
Not necessarily. “Audit” describes a broader assurance activity with defined criteria, scope and independence. An Essential Eight assessment focuses on the maturity criteria for the eight strategies. The engagement should state its objective, method, scope, limitations and whether it provides any formal assurance.
A penetration test is not automatically required for every Essential Eight assessment. It may be useful when the evidence question involves realistic attack paths or technical effectiveness. Configuration, coverage, patch, identity and restoration evidence may be more appropriate for other requirements.
No. A scan can identify missing patches and selected misconfigurations, but it cannot evaluate all control coverage, policy, exception, identity, backup and governance requirements. Scan results need scope validation, analyst review and supporting evidence.
Evidence commonly includes policies, current configuration exports, asset and patch records, application-control rules, privileged-access and MFA reports, logs, backup and restoration records, exception registers, interviews and relevant technical test results. The evidence should be current, representative and traceable.
There is no universal interval suitable for every organisation. Reassessment should follow applicable policy or contract requirements and be triggered by material system changes, incidents, control changes or updates to official guidance. Continuous monitoring and regular evidence maintenance reduce assessment-time surprises.
The Essential Eight gives Australian organisations a focused starting point for reducing common cyber intrusion paths. Its value depends on consistent implementation across the selected scope, a justified target maturity level and evidence that the controls operate as intended.
Assessment should therefore connect policy, configuration, coverage, logs, exceptions and technical validation. Vulnerability scanning and penetration testing can strengthen selected conclusions, but they do not replace the broader evidence required for maturity. Remediation, retesting and ongoing review are necessary to keep the control environment aligned with changes in systems, threats and official guidance.
An Essential Eight assessment normally requires broader evidence than penetration testing alone. Where technical validation is appropriate, DeepStrike can help authorised security teams examine attack paths across applications, APIs, cloud environments, networks and identity systems, then verify remediation through focused retesting. The final scope should be aligned with the organisation’s target maturity level and assessment requirements.
Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specialising in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP and OSWE, his work focuses on application security, API security, cloud security, identity exposure, attack-path validation, remediation and security assurance in regulated environments.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us