logo svg
logo

July 12, 2026

Updated: July 12, 2026

Essential Eight: Controls, Maturity Levels and Security Testing Explained

A practical Australian guide to implementation evidence, maturity assessment and authorised control validation

Mohammed Khalil

Mohammed Khalil

Featured Image

Important guidance noteThis article is educational and should be read alongside the current Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) guidance. Essential Eight requirements and government policy can change. Applicability and target maturity may depend on government policy, contracts, sector requirements and organisational risk. Penetration testing can support technical assurance, but it does not replace a complete Essential Eight assessment or establish legal compliance.

Executive Summary

Quick Answer: What Is the Essential Eight?

The Essential Eight is an Australian cybersecurity baseline maintained by ASD and the ACSC. It groups eight prioritised mitigation strategies with a maturity model that helps organisations evaluate how consistently those controls are implemented. An assessment normally considers policy, technical configuration, coverage, logs, exceptions and test evidence. Technical testing may confirm that a selected control works on in-scope systems, but it cannot by itself prove complete maturity or legal compliance. The Essential Eight should therefore be treated as a practical security baseline supported by evidence, remediation and ongoing review not as a certification or a guarantee that an organisation cannot be compromised.

What Is the Essential Eight?

The Essential Eight sits within ASD’s broader Strategies to Mitigate Cyber Security Incidents. The framework prioritises a small group of controls that address recurring intrusion paths such as unpatched software, malicious code execution, credential compromise, excessive privilege and loss of recoverable data.

The word baseline matters. The Essential Eight does not cover every governance, detection, incident-response, personnel, physical-security, supply-chain or application-security requirement. Organisations still need a broader risk-management program suited to their systems, data and threat environment.

The framework is also not universally mandatory for every Australian business. Some government policies, procurement terms and contracts may set explicit obligations. Private organisations may adopt the framework because it is useful, because customers require it or because it fits their risk-management approach. Applicability should be confirmed against the current policy, contract, regulator or legal advice relevant to the organisation.

ASD’s model is designed to be applied consistently. A strong result in one control does not automatically compensate for a material weakness in another. Organisations should understand the requirements for their selected target level, define the systems and users covered, record exceptions and maintain evidence over time.

Figure 1. The eight Essential Eight mitigation strategies at a glance.

Figure 1. The eight Essential Eight mitigation strategies at a glance.

What Are the Eight Essential Eight Controls?

Mitigation strategyPrimary objectiveTypical evidenceExample validation
Application controlAllow approved applications and code to run while restricting unapproved execution.Rule exports; coverage reports; blocked-event logs.Run a benign unapproved executable on an authorised test system.
Patch applicationsReduce exposure to known application vulnerabilities.Asset and version inventory; patch reports; vulnerability results.Confirm a sampled application no longer presents the remediated exposure.
Configure Microsoft Office macro settingsRestrict untrusted macros and control approved macro use.Policy export; trusted publishers or locations; block logs.Open a benign test document and confirm the expected policy response.
User application hardeningReduce risky functionality and attack surface in user applications.Security baselines; MDM/GPO exports; compliance reports.Check that a restricted feature or content type is blocked on a sample device.
Restrict administrative privilegesLimit privileged access and separate administrative from standard use.Admin inventories; group membership; PAM and access-review records.Confirm a standard account cannot perform an administrative action without approved elevation.
Patch operating systemsReduce exposure to known operating-system vulnerabilities.Supported-OS inventory; patch reports; scan and change records.Validate remediation on a representative host using an approved non-destructive check.
Multi-factor authenticationRequire strong additional authentication for relevant access paths.Identity-policy exports; coverage reports; authentication logs.Confirm an in-scope account cannot access a protected service without the required factor.
Regular backupsPreserve recoverability and protect backup data from alteration or deletion.Job logs; retention settings; access controls; restoration evidence.Restore a representative file, service or system and verify integrity.

Official strategy names follow ASD’s Essential Eight guidance; organisations should use the current wording and criteria when conducting an assessment.

Essential Eight Controls Explained

Application Control

Application control allows approved applications, scripts, libraries and installers to run while restricting unapproved code. Its security value depends on enforcement coverage: a policy applied only to selected servers, file types or user groups may leave meaningful execution paths open.

Useful evidence includes the approved-software inventory, rule exports, endpoint coverage, exception records and blocked-execution logs. A safe validation uses a benign unapproved executable or script on a representative, authorised test system and checks whether execution is prevented and logged.

Common gaps include audit-only deployment, broad allow rules, incomplete script coverage, unmanaged endpoints, expired exceptions and administrators who can disable enforcement. Penetration testing may demonstrate an exploitable gap on tested systems, but it cannot prove that every device and execution path is covered.

Patch Applications

This strategy addresses known vulnerabilities in applications and internet-facing services. Effective implementation starts with accurate asset and version data, prioritisation based on the current maturity criteria, controlled deployment and confirmation that patches are operational not merely marked as installed.

Evidence can include inventories, patch-management reports, vendor notices, change records, vulnerability results and exception approvals. Because patching timeframes vary by maturity level and guidance version, organisations should apply the timeframes in the current ASD Essential Eight Maturity Model for their selected target.

Typical weaknesses include unknown software, failed updates, pending restarts, end-of-life products and inconsistent coverage of desktop or third-party applications. Technical validation can confirm that a sampled exposure is no longer present, but it does not prove organisation-wide patch compliance.

Configure Microsoft Office Macro Settings

The control reduces the risk from untrusted Microsoft Office macros while allowing approved business use through managed rules. Assessment scopes, control mappings and evidence records should use the current official strategy name consistently.

Evidence may include Group Policy or cloud-policy exports, trusted publisher or location records, exception approvals and endpoint logs. A safe validation uses a benign macro-enabled test file under an approved scenario and confirms that the policy blocks, warns or permits it exactly as intended.

Common gaps include unmanaged devices, inconsistent settings across Office applications, broad trusted locations, long-lived exceptions and policies that exist in a central console but do not reach endpoints. A penetration test can validate selected paths, not every Office installation or approved-macro process.

User Application Hardening

User application hardening reduces risky functionality in browsers, document readers, collaboration tools and other applications exposed to untrusted content. Current implementation should focus on the features and content types named in the applicable ASD maturity criteria rather than relying on outdated examples.

Evidence includes security baselines, MDM or Group Policy exports, endpoint compliance reports, exception registers and relevant logs. Technical validation can confirm that a selected risky feature or content type is disabled on representative devices.

Frequent gaps include inconsistent browser policies, unmanaged contractor devices, unsupported applications and exceptions without ownership or expiry. This control depends on patching, application control and administrative privilege restrictions; users with excessive privilege may otherwise reverse hardening settings.

Restrict Administrative Privileges

This strategy limits who can perform privileged actions, separates administrative accounts from everyday use and reduces the impact of compromised credentials. It should cover local, domain, cloud, application and service administration as applicable to the environment.

Assessment evidence may include privileged-account inventories, role and group membership, approval records, access reviews, PAM reports and logs of administrative activity. A controlled validation can confirm that a standard user cannot complete an administrative action without an approved elevation path.

Common gaps include permanent local administrator access, shared accounts, privilege creep, unmanaged service accounts, weak recovery accounts and inconsistent cloud roles. Identity attack-path testing can reveal escalation opportunities, but it does not replace a complete review of account ownership, entitlement and governance.

Patch Operating Systems

Operating-system patching addresses known vulnerabilities in servers, workstations and other supported platforms. The process should include asset discovery, supported-version tracking, prioritisation under the selected maturity criteria, deployment, restart management and verification.

Evidence includes supported-OS inventories, patch and change reports, vulnerability results, failed-deployment records and approved exceptions for systems that cannot be patched immediately. Organisations should use the exact timeframes in the current ASD Essential Eight Maturity Model rather than relying on older summaries.

Typical gaps include forgotten hosts, appliances outside central tooling, end-of-life systems, incomplete restarts and dashboards that disagree with observed exposure. Authorised technical validation can confirm a sampled fix, but it remains a point-in-time test of selected systems.

Multi-Factor Authentication

MFA reduces the value of compromised passwords by requiring another approved authentication factor. Scope is critical: the control may need to cover privileged users, remote access, cloud administration, sensitive repositories and other pathways defined by the current maturity criteria.

Evidence includes identity-policy exports, account and application coverage reports, authentication logs, exception records and recovery-process documentation. A safe check confirms that a protected account cannot access an in-scope service when the required factor is absent or fails.

Common weaknesses include legacy protocols, unmanaged service accounts, weak fallback and recovery paths, inconsistent cloud tenants and break-glass accounts without adequate controls. Testing may identify a specific unprotected path, but cannot prove that every account, service and recovery route is covered.

Regular Backups

Regular backups protect the organisation’s ability to recover data and services after destructive activity or operational failure. Evidence should cover what is backed up, frequency, retention, protection from alteration or deletion, privileged access and restoration testing.

A successful backup job is not the same as proven recoverability. Strong evidence includes restoration records showing that representative data or systems were recovered, checked for integrity and evaluated against business recovery objectives.

Common gaps include missing SaaS data, backup repositories reachable through production credentials, short retention, untested recovery procedures and undocumented ownership. Penetration testing may examine selected access paths to backup infrastructure, but restoration assurance requires planned recovery exercises.

How the Essential Eight Maturity Model Works

The current Essential Eight Maturity Model defines Levels 0 to 3. Level 0 indicates that the organisation does not meet Level 1. Levels 1 to 3 address progressively more capable adversaries and require stronger, more consistently implemented controls. The official threat descriptions and control requirements should be read directly from the current model rather than reconstructed from older summaries.

Maturity should be considered across all eight strategies. An organisation should not select only the easiest controls at a higher level and describe the whole environment as having reached that level. Coverage, implementation, exceptions and evidence must be evaluated against the applicable criteria.

Maturity levelGeneral intentTypical organisational challengeImportant caveat
0Level 1 requirements are not met.Major visibility, implementation or coverage gaps.A starting condition, not a target.
1Reduce exposure to common, opportunistic attack methods.Consistent baseline deployment across relevant systems.Incomplete coverage can undermine the whole result.
2Address more capable adversaries using targeted techniques.Stronger identity, patching, enforcement and exception control.Requires repeatable processes, not isolated technical fixes.
3Address advanced, adaptive adversaries.Broad, closely governed and continuously reviewed control operation.Does not make compromise impossible; broader security capabilities remain necessary.
Figure 2. High-level progression from Maturity Level 0 to Level 3.

High-level summary only. Refer to the current ASD Essential Eight Maturity Model for authoritative control-by-control requirements.

Control-by-Control Maturity Progression

ControlLevel 1 focusLevel 2 progressionLevel 3 progressionEvidence focus
Application controlEstablish enforceable coverage.Tighten rules and reduce bypass paths.Broaden and continuously review enforcement.Rules, coverage, exceptions, blocked events.
Patch applicationsMeet baseline priorities and coverage.Shorten exposure for higher-risk applications.Apply the strictest current criteria and verification.Inventory, deployment and observed exposure.
Office macro settingsBlock untrusted use under managed policy.Strengthen trusted-use conditions and coverage.Use tightly controlled, auditable exceptions.Policy exports, trust records, logs.
User application hardeningApply required baseline settings.Expand and standardise protected application scope.Maintain strict controls with active exception review.Baselines, compliance reports, exceptions.
Administrative privilegesRemove unnecessary privilege.Strengthen separation and oversight.Use tightly governed, time-bound privileged access.Account inventories, approvals, access reviews.
Patch operating systemsCover supported systems under baseline criteria.Increase speed and verification for higher risk.Apply the strictest current criteria across scope.OS inventory, patch evidence, validation results.
MFAProtect required accounts and services.Expand coverage and strengthen authentication paths.Use the strongest current criteria and recovery controls.Policy, coverage, logs, exceptions.
Regular backupsBack up and test representative recovery.Strengthen isolation, access and restoration evidence.Maintain resilient, regularly exercised recovery capability.Scope, job logs, access controls, restore tests.

This matrix provides a high-level progression view and does not replace the detailed criteria in the current ASD Essential Eight Maturity Model.

How to Choose a Target Maturity Level

A target maturity level should be justified by risk and obligation, not selected for marketing value. Government policy or a contract may set a minimum. Where no external mandate applies, decision-makers should consider who may target the organisation, which systems matter most, what a compromise would affect and how consistently the current controls operate.

Decision factorQuestions to askEffect on target selection
Threat profile and exposureWho is likely to target the organisation? Which systems are internet-facing?Greater exposure or targeted threat activity may justify a higher target.
Data and service impactWhat would loss of confidentiality, integrity or availability cause?High-impact systems and data normally warrant stronger controls.
Privileged and identity pathwaysHow many administrative, remote and cloud access paths exist?Complex identity environments increase the need for stronger coverage and evidence.
Government, contract or sector obligationsDoes a current policy, procurement term or regulator set a requirement?The verified requirement takes precedence over an informal internal preference.
Current maturity and dependenciesAre Level 1 controls consistently implemented across scope?Fix baseline weaknesses before claiming progress at a higher level.
Resources and operating modelCan the organisation maintain the controls and evidence over time?Choose a staged plan that can be operated reliably, not a temporary assessment-time configuration.

Applicability cautionDo not state that every Australian organisation must reach a particular maturity level. Confirm the current government policy, contract, sector requirement or customer obligation that applies to the specific organisation.

Essential Eight Assessment vs Audit vs Technical Testing

The terms assessment, audit, scan and penetration test are often used interchangeably in marketing, but they answer different questions. A complete Essential Eight conclusion normally depends on broader evidence than a technical test alone.

Figure 3. Essential Eight assessment, vulnerability scanning and penetration testing answer different evidence questions.

For a broader comparison of technical assurance activities, see DeepStrike’s guide to vulnerability assessment and penetration testing.

ActivityMain purposeTypical evidenceMain limitation
Self-assessmentInternal comparison with the selected criteria.Policies, exports, records and internal testing.May miss gaps or rely too heavily on self-reported evidence.
Independent Essential Eight assessmentEvaluate maturity against defined Essential Eight criteria.Governance, configuration, coverage, logs, sampling and tests.Conclusion depends on scope, evidence quality and current guidance.
Internal or external auditProvide assurance against defined criteria and scope.Documentation, interviews, sampling and test evidence.May cover more than Essential Eight or use a different assurance objective.
Configuration reviewCheck whether technical settings match requirements.Exports, baselines, configuration and coverage reports.A snapshot does not always prove effective operation.
Vulnerability scanIdentify known technical exposures at scale.Scanner findings and asset coverage.May contain false positives and cannot evaluate all governance or control requirements.
Vulnerability assessmentAnalyse and validate technical weaknesses.Tool output plus analyst review and risk context.Still limited by scope and does not prove full maturity.
Penetration testAssess exploitable attack paths in an authorised scope.Validated findings, attack-path evidence and remediation advice.Point-in-time and scenario-based; not an organisation-wide maturity assessment.
Red team exerciseTest detection and response against an objective-led scenario.Scenario outcomes, control observations and response evidence.Not designed to exhaustively assess each Essential Eight requirement.
Backup restoration testProve that selected data or services can be restored.Restore records, integrity checks and recovery timing.Covers selected recovery scenarios, not every backup or system.
Control-effectiveness testConfirm that a specific control operates as intended.Observed result, logs and supporting configuration.Does not establish full policy coverage or overall maturity.

What Evidence Is Reviewed in an Essential Eight Assessment?

Strong assessment evidence is current, representative and traceable. A policy can show intent, but it does not prove that a setting is deployed across the intended scope. A configuration export may show technical implementation, but still require coverage sampling and operational validation. Assessors therefore combine different evidence types and look for consistency between them. Use ASD’s current Essential Eight guidance and Maturity Model as the authoritative criteria.

Evidence typeWhat it can demonstrateLimitation
Policies, standards and proceduresDefined responsibility, scope and expected operation.May be outdated or disconnected from actual implementation.
System and endpoint configurationThe settings applied to selected systems.A point-in-time export may not represent every device.
Asset and patch recordsKnown systems, software versions and deployment activity.Central records may omit unmanaged assets or failed changes.
Identity and access recordsMFA coverage, privileged membership and access reviews.May miss shadow accounts, recovery paths or separate cloud tenants.
Application-control evidenceRules, approved software, coverage and blocked events.A rule set alone does not prove full enforcement.
Backup and restoration recordsScope, retention, protection and tested recovery.Successful jobs do not prove all data can be restored.
Exceptions and risk acceptancesKnown deviations, owners, compensating controls and review dates.An exception documents risk; it does not remove the gap.
Technical test resultsObserved exposure or control effectiveness on tested assets.Time- and scope-limited; must be interpreted with other evidence.
Interviews and observationHow teams operate the control in practice.Subjective and dependent on the people and samples selected.

Evidence principleAvoid fixed labels such as “excellent”, “good” or “fair” unless the exact wording is confirmed in the current official assessment guidance. The practical point is that stronger conclusions normally combine documented intent, observed configuration, representative coverage and operating evidence.

How Essential Eight Controls Can Be Tested

The table below shows safe, high-level validation options. All testing must be authorised, scoped and non-destructive. It does not provide commands, payloads or bypass procedures.

ControlConfiguration reviewEvidence reviewSafe technical validationNot proven by a pentest
Application controlReview rule and coverage exports.Approved software, exceptions and blocked-event logs.Use a benign unapproved executable on a test system.Complete enforcement across every device and code path.
Patch applicationsReview inventory, policy and deployment criteria.Patch and vulnerability records.Confirm a sampled remediated exposure is no longer present.Every application is patched within the current criteria.
Office macro settingsReview managed macro policy and scope.Trusted-use records, exceptions and logs.Use a benign test document and observe the policy response.All Office installations and business macro processes are covered.
User application hardeningReview browser and application baselines.Compliance and exception reports.Check a restricted feature on representative devices.Every user application and unmanaged device is hardened.
Administrative privilegesReview roles, groups and elevation controls.Admin inventory, approvals and access reviews.Confirm a standard account cannot complete an admin action.All privileged accounts and entitlements are correct.
Patch operating systemsReview OS inventory, policy and deployment status.Patch, change and vulnerability records.Validate remediation on a representative host.All online, offline and unmanaged systems are patched.
MFAReview policy, account and service coverage.Authentication logs, reports and exceptions.Confirm the required factor is enforced on an in-scope path.Every account, protocol, recovery path and cloud tenant is covered.
Regular backupsReview scope, retention, access and isolation.Job logs, restore records and integrity checks.Restore representative data or a system in a controlled environment.All critical data and recovery scenarios meet business needs.

Use representative sampling and document the scope, expected result, observed result and evidence retained.

Where Penetration Testing Supports Essential Eight Assurance

Penetration testing is most useful when the organisation needs evidence about realistic attack paths rather than only the existence of a setting. It may help evaluate selected internet-facing applications and APIs, cloud and identity pathways, segmentation, privilege escalation exposure, legacy systems and weaknesses that only become meaningful when combined.

The engagement should define the target maturity context, objective, assets, starting access, production constraints, testing windows, data-handling rules, critical-finding escalation and retesting expectations. Reports should explain which Essential Eight control or dependency a finding affects without presenting the penetration test as a formal maturity certificate.

Not every assessment needs a pentestThe decision should follow risk, complexity and the evidence question being answered. Patch records, configuration exports, coverage reports and restoration tests may be more appropriate for some controls.

What Penetration Testing Cannot Prove

A penetration test examines selected systems and scenarios during a defined period. It cannot by itself establish complete Essential Eight maturity, because maturity also depends on coverage, governance, evidence, exceptions and ongoing operation.

An absence of findings means that no relevant finding was identified within the agreed scope and method. It does not mean that the organisation is certified, fully mature or immune from compromise.

Essential Eight Assessment Process

A practical, source-aligned process can be organised into the following stages. This is an operational workflow, not an official certification procedure.

  1. Confirm applicability, current guidance and the target maturity level.
  2. Define the assessment scope, system boundaries, users, cloud services and exclusions.
  3. Assign control owners and evidence owners.
  4. Baseline assets, applications, operating systems, identities and backup scope.
  5. Collect policies, standards, architecture, configuration, logs and exception records.
  6. Review technical implementation and representative coverage.
  7. Perform approved sampling and control validation where needed.
  8. Compare evidence with the selected maturity criteria and document gaps.
  9. Prioritise remediation based on exposure, privilege and business impact.
  10. Implement fixes, retest selected controls and update evidence.
  11. Record residual risk and time-bound exceptions.
  12. Report the conclusion, limitations and next review triggers to stakeholders.

Essential Eight Gap Assessment Checklist

Preparation areaQuestionEvidence ownerStatus
Target maturity levelIs the target and rationale documented?CISO / risk ownerTo complete
Scope and boundariesAre systems, users, cloud services and exclusions defined?Security / IT leadTo complete
Asset and software inventoryIs the inventory current and does it include unmanaged or legacy assets?IT operationsTo complete
PatchingAre application and OS criteria, deployment and verification documented?IT operationsTo complete
Application controlAre rules, coverage and exceptions known?Endpoint teamTo complete
Macro settings and hardeningAre managed baselines consistently applied?Endpoint / security teamTo complete
Administrative privilegesAre privileged accounts, roles and reviews complete?IAM / IT administrationTo complete
MFAAre all required accounts, services and recovery paths covered?IAM teamTo complete
Backups and restorationAre scope, protection, retention and successful restores evidenced?Backup / continuity ownerTo complete
Exceptions and riskDoes every deviation have an owner, treatment and review date?Risk / governanceTo complete
Technical validationIs each planned test authorised, safe and mapped to an evidence question?Security testing teamTo complete
Remediation and retestingAre gaps tracked to verified closure?Control ownersTo complete
Evidence retentionAre artefacts current, timestamped and protected?Compliance / records ownerTo complete
Executive reportingAre maturity, limitations and residual risks reported clearly?CISO / executive sponsorTo complete

Preparation checklist only; it does not replace the current official guidance.

Common Essential Eight Implementation Gaps

Essential Eight for Cloud, SaaS and Hybrid Environments

Cloud services change who operates a control, but they do not remove the customer’s responsibility for the systems, identities, configuration and data under its control. Scope should distinguish provider-managed components from customer-managed components and identify the evidence available for each.

Essential Eight for Small and Medium Businesses

Smaller organisations should not invent a weaker maturity model, but they can sequence implementation sensibly. Start with accurate knowledge of critical assets, users and data; enable the controls that materially reduce exposure; document managed-service responsibilities; and assign ownership for evidence and exceptions.

A practical sequence may begin with supported software, timely updates, MFA on critical access, reduced administrative privilege and tested backups, while the organisation plans broader application control and hardening. The selected maturity target should still be justified by risk and any applicable customer or contractual requirement.

Essential Eight vs Other Frameworks

FrameworkPrimary purposeRelationship to Essential EightImportant caveat
Essential EightPrioritised Australian mitigation baseline and maturity model.The subject of this guide.Not a complete ISMS, risk framework or certification.
Information Security ManualBroader Australian Government security-control guidance.Contains wider controls and context related to Essential Eight topics.Much broader than the eight mitigation strategies.
PSPFAustralian Government protective-security policy framework.May set policy obligations for applicable entities.Confirm the current policy and applicability before making a maturity claim.
ISO/IEC 27001:2022International information-security management-system standard.Essential Eight evidence may support parts of the ISMS control environment.Mapping depends on scope, risk treatment and the applicable Annex A controls.
NIST Cybersecurity Framework 2.0Risk-management outcomes organised across Govern, Identify, Protect, Detect, Respond and Recover.Essential Eight controls contribute mainly to selected protective and recovery outcomes.The CSF is broader and does not prescribe the Essential Eight maturity criteria.
CIS ControlsPrioritised technical and operational safeguards.Overlaps in inventory, patching, access, application control and recovery.Control names and implementation groups are not one-to-one with Essential Eight.
PCI DSSSecurity requirements for payment account data environments.Some controls overlap, including patching, MFA and privilege restriction.PCI DSS has its own scope, evidence and testing requirements.

How to Choose an Essential Eight Assessment or Testing Provider

Buyers comparing delivery models can also review DeepStrike’s overview of cybersecurity audit companies, while still evaluating current-guidance competence, evidence method, safety and reporting quality.

Buyer criterionWhat to askWarning sign
Current-guidance competenceWhich official version and criteria will you assess?Generic claims without a version or source trail.
Assessment vs testing clarityWill the engagement assess maturity, validate controls, perform a pentest or combine defined activities?Calling a vulnerability scan a complete Essential Eight audit.
Scope and samplingHow will systems, users, cloud services and samples be selected?A one-size-fits-all scope with no exclusions or sampling rationale.
Evidence methodWhich configuration, coverage, log and restoration evidence will be reviewed?Reliance on interviews or screenshots alone.
Production safetyWhat constraints, testing windows and escalation procedures apply?Destructive testing or unclear authorisation.
Data handlingHow will sensitive evidence and reports be stored, transferred and deleted?No documented handling, retention or residency approach.
Report qualityWill the report separate criteria, evidence, gaps, limitations and remediation?A tool-generated list with no maturity or business context.
Remediation and retestingHow are fixes tracked and verified?No defined closure or retesting process.
Independence and claimsWhat does the engagement not prove?Promises of certification, guaranteed maturity or audit approval.

Essential Eight Implementation Roadmap

PhasePrimary activities
1. Establish scope and ownershipConfirm current guidance, obligations, target maturity, boundaries and evidence owners.
2. Baseline current stateInventory assets, software, identities, cloud services, backups, configurations and known exceptions.
3. Prioritise gapsUse exposure, privilege, exploitability, business impact and recovery risk.
4. Implement and validateDeploy controls, confirm representative coverage and retain operating evidence.
5. Remediate and retestTrack findings to closure and update the evidence set after fixes.
6. MaintainMonitor coverage, review exceptions, repeat restore tests and reassess after material change or guidance updates.

Frequently Asked Questions

What is the Essential Eight?

The Essential Eight is an ASD and ACSC baseline of eight prioritised mitigation strategies supported by a maturity model. It focuses on common intrusion paths such as unpatched software, malicious code execution, credential compromise, excessive privilege and failed recovery. It is not a complete cybersecurity program or a certification.

What are the eight Essential Eight controls?

Application control; patch applications; configure Microsoft Office macro settings; user application hardening; restrict administrative privileges; patch operating systems; multi-factor authentication; and regular backups. Organisations conducting an assessment should confirm the current wording in ASD’s Essential Eight guidance.

Is the Essential Eight mandatory in Australia?

Not for every organisation. Some Australian Government policies, contracts, procurement terms or sector arrangements may set requirements for specific entities. Other organisations adopt the framework voluntarily. Applicability and any required maturity level should be confirmed against the current policy or contract that applies.

What are the Essential Eight maturity levels?

The model uses Levels 0 to 3. Level 0 means Level 1 is not met. Levels 1 to 3 address progressively more capable adversaries and require stronger, more consistently implemented controls. The detailed criteria for each strategy must come from the current ASD Maturity Model.

What is Maturity Level Zero?

Level 0 indicates that the organisation does not meet the requirements for Level 1. It should be treated as a gap condition and a starting point for remediation, not as a target maturity level.

How do you choose a target maturity level?

Use risk, exposure, business impact, identity complexity, existing maturity and any government, contractual or sector requirement. The target should be documented and achievable across all eight strategies rather than selected control by control for convenience.

What is an Essential Eight assessment?

It is a structured comparison of current implementation and evidence against the selected Essential Eight maturity criteria. It can include policy and governance review, configuration analysis, coverage sampling, logs, interviews, restoration evidence and authorised technical validation.

Is an Essential Eight assessment the same as an audit?

Not necessarily. “Audit” describes a broader assurance activity with defined criteria, scope and independence. An Essential Eight assessment focuses on the maturity criteria for the eight strategies. The engagement should state its objective, method, scope, limitations and whether it provides any formal assurance.

Does the Essential Eight require penetration testing?

A penetration test is not automatically required for every Essential Eight assessment. It may be useful when the evidence question involves realistic attack paths or technical effectiveness. Configuration, coverage, patch, identity and restoration evidence may be more appropriate for other requirements.

Can a vulnerability scan prove Essential Eight maturity?

No. A scan can identify missing patches and selected misconfigurations, but it cannot evaluate all control coverage, policy, exception, identity, backup and governance requirements. Scan results need scope validation, analyst review and supporting evidence.

What evidence is needed for an Essential Eight assessment?

Evidence commonly includes policies, current configuration exports, asset and patch records, application-control rules, privileged-access and MFA reports, logs, backup and restoration records, exception registers, interviews and relevant technical test results. The evidence should be current, representative and traceable.

How often should the Essential Eight be reassessed?

There is no universal interval suitable for every organisation. Reassessment should follow applicable policy or contract requirements and be triggered by material system changes, incidents, control changes or updates to official guidance. Continuous monitoring and regular evidence maintenance reduce assessment-time surprises.

Conclusion

The Essential Eight gives Australian organisations a focused starting point for reducing common cyber intrusion paths. Its value depends on consistent implementation across the selected scope, a justified target maturity level and evidence that the controls operate as intended.

Assessment should therefore connect policy, configuration, coverage, logs, exceptions and technical validation. Vulnerability scanning and penetration testing can strengthen selected conclusions, but they do not replace the broader evidence required for maturity. Remediation, retesting and ongoing review are necessary to keep the control environment aligned with changes in systems, threats and official guidance.

An Essential Eight assessment normally requires broader evidence than penetration testing alone. Where technical validation is appropriate, DeepStrike can help authorised security teams examine attack paths across applications, APIs, cloud environments, networks and identity systems, then verify remediation through focused retesting. The final scope should be aligned with the organisation’s target maturity level and assessment requirements.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specialising in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP and OSWE, his work focuses on application security, API security, cloud security, identity exposure, attack-path validation, remediation and security assurance in regulated environments.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us