Essential Eight Maturity Levels Explained

First Published: September 6, 2025

Content Written For: Small & Medium Businesses; Large Organisations & Infrastructure; Government

The Essential Eight maturity levels provide a structured progression framework that Australian organisations use to strengthen cyber security incrementally. Developed by the Australian Signals Directorate (ASD), the maturity model defines four levels, from Level 0 through to Level 3, each representing a progressively more robust implementation of the eight mitigation strategies.

This guide explains what each Essential Eight maturity level requires, what the eight controls cover, and how organisations approach implementation. Organisations seeking structured support to assess and uplift their current maturity can explore our Essential Eight compliance services Australia.

What is the ASD Essential Eight?

The ASD Essential Eight is a prioritised set of eight cyber security mitigation strategies developed by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. First published in 2017 and regularly updated, the framework distils decades of cyber threat intelligence and incident response experience into eight foundational controls that organisations should implement as a baseline for cyber defence.

Unlike broader governance frameworks, the Essential Eight is deliberately focused and actionable. These eight strategies are not theoretical best practices but proven defensive measures that the ACSC has determined to be the most effective at preventing and limiting real-world cyber attacks, including ransomware, malware, and unauthorised access.

The framework evolved from the original Top 4 mitigation strategies, which were mandatory for Australian federal agencies from 2014. ASD research indicated that implementing just those four controls could prevent over 85% of unauthorised intrusions. The expansion to eight strategies provides more comprehensive coverage across a wider range of attack techniques.

The four Essential Eight maturity levels

Maturity Level 0

Maturity Level 0 indicates that controls have not been implemented, or that implementations are so incomplete they provide little meaningful protection. Organisations at this level have not yet aligned with the intent of the mitigation strategies and face significant exposure to common cyber threats.

Maturity Level 1

Maturity Level 1 provides basic protection against opportunistic attacks from adversaries using commodity tools and automated techniques. At this level, organisations implement fundamental versions of each control. For example, application control may cover executables but not scripts, MFA may apply only to remote access, and patches may be applied within longer timeframes than higher levels require.

Maturity Level 1 is the minimum baseline that all Australian organisations should achieve. It significantly reduces exposure to common threats without requiring extensive resources or sophisticated technical capability.

Maturity Level 2

Maturity Level 2 defends against adversaries who are moderately skilled and willing to invest effort into circumventing organisational controls. These adversaries may use social engineering, credential theft, or adaptive techniques to bypass specific security measures.

Maturity Level 2 is mandatory for Australian non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF), effective from July 2022. Many larger private organisations also target this level. Implementations at Level 2 involve more comprehensive control coverage, shorter patching timeframes, stricter access controls, and more sophisticated monitoring and logging.

Organisations unsure of their current maturity level can benchmark their posture through CyberPulse’s Essential Eight compliance services Australia before committing to a target level.

Maturity Level 3

Maturity Level 3 represents full alignment with the intent of each mitigation strategy. It protects against highly skilled and persistent adversaries who may conduct extensive reconnaissance, develop custom malware, and use sophisticated evasion techniques.

The ACSC recommends Maturity Level 3 for organisations handling highly sensitive data or operating critical infrastructure. This level requires near-immediate patching of critical vulnerabilities, comprehensive application control covering all executable code types, phishing-resistant MFA for all access scenarios, extensive logging and monitoring, and immutable backups with rigorous access controls. Achieving and maintaining Maturity Level 3 demands significant investment in technology, processes, and skilled personnel.

The eight mitigation strategies

The eight strategies are organised across three objectives: preventing cyber attacks, limiting the impact of attacks, and ensuring data recovery and availability.

Objective 1: Prevent cyber attacks

1. Application control

Application control restricts execution to approved applications only, preventing malicious software from running even after infiltrating a network. Implementation requires maintaining an approved application list and enforcing change management processes. At higher maturity levels, control coverage extends to scripts, installers, libraries, and drivers in addition to executables.

2. Patch applications

Unpatched software vulnerabilities remain one of the most exploited attack vectors. The Essential Eight requires organisations to patch applications promptly, with higher maturity levels requiring patches to be applied within increasingly tight timeframes. Critical vulnerabilities in internet-facing services, browsers, and office productivity software receive the highest priority.

3. Configure Microsoft Office macro settings

Malicious macros embedded in Office documents are a persistent threat vector used in ransomware and data theft campaigns. This control requires disabling macros by default and only permitting execution from trusted locations or when digitally signed by trusted publishers. At higher maturity levels, additional scrutiny and monitoring of macro activity is required.

4. User application hardening

Application hardening reduces the attack surface of commonly exploited applications by blocking or disabling unnecessary features. Key measures include blocking Flash content and web advertisements in browsers, disabling Java in browsers, blocking untrusted Office add-ins, and disabling OLE packages in Office applications.

Objective 2: Limit the impact of attacks

5. Restrict administrative privileges

Administrative accounts provide full control over systems and data. This control requires organisations to strictly limit who holds administrative privileges and when those privileges can be exercised. Dedicated administrative accounts must be separate from daily-use accounts, and robust access controls and monitoring must be applied to all privileged activity.

6. Patch operating systems

Operating systems require regular security updates alongside application patching. The Essential Eight mandates timely OS patching, with maturity level requirements specifying aggressive timelines for critical and high-severity vulnerabilities. Organisations must maintain current OS versions and have processes to deploy emergency patches rapidly following zero-day disclosures.

7. Multi-factor authentication (MFA)

MFA adds a verification step beyond passwords, significantly reducing the impact of credential theft. Requirements expand at higher maturity levels to cover remote access, privileged accounts, important data repositories, and cloud services. At Level 3, MFA implementations must resist phishing attacks, meaning SMS-based authentication is insufficient. Hardware tokens, biometric authentication, and FIDO2-compliant methods satisfy higher-level requirements.

Objective 3: Data recovery and availability

8. Regular backups

Regular tested backups are the last line of defence against ransomware and destructive attacks. The Essential Eight requires daily backups of important data, software, and configurations, retention for at least three months, offline or segmented storage to prevent ransomware from reaching backups, and regular restoration testing to verify that recovery procedures actually work. At Maturity Level 3, backups must be immutable.
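Added example (not from the original post or from CyberPulse): a Python check that scores a backup catalogue against the requirements just listed, namely daily runs, at least three months of retention, offline or segmented storage, regular restoration testing, and immutability at Maturity Level 3. The catalogue records, the 90-day reading of "three months" and the quarterly restore-test interval are assumptions made for the illustration.

```python
from datetime import date, timedelta

RETENTION_DAYS = 90          # "at least three months", taken as 90 days (assumption)
RESTORE_TEST_MAX_AGE = 90    # "regular restoration testing", assumed at least quarterly


def assess_backups(runs, today, target_level, last_restore_test):
    """Return a list of findings; an empty list means the catalogue meets the
    backup requirements for the target maturity level.

    runs: dicts with keys 'date' (date), 'offline' (bool), 'immutable' (bool);
    last_restore_test: date of the most recent successful restore test, or None.
    """
    findings = []
    if not runs:
        return ["no backup runs recorded"]
    dates = sorted(r["date"] for r in runs)
    # Daily cadence: every calendar day from the oldest run up to today needs a run.
    expected = {dates[0] + timedelta(days=i) for i in range((today - dates[0]).days + 1)}
    missed = sorted(expected - set(dates))
    if missed:
        findings.append(f"daily cadence broken: {len(missed)} day(s) without a backup, first {missed[0]}")
    # Retention: the oldest copy still held must cover the retention window.
    held_days = (today - dates[0]).days
    if held_days < RETENTION_DAYS:
        findings.append(f"retention only {held_days} days; need {RETENTION_DAYS}")
    # Offline or segmented storage must hold every copy, or ransomware can reach it.
    reachable = [r["date"] for r in runs if not r["offline"]]
    if reachable:
        findings.append(f"{len(reachable)} run(s) stored where ransomware could reach them")
    # Restoration testing proves the recovery procedure actually works.
    if last_restore_test is None or (today - last_restore_test).days > RESTORE_TEST_MAX_AGE:
        findings.append(f"no restoration test within the last {RESTORE_TEST_MAX_AGE} days")
    # Immutability is required only at Maturity Level 3.
    if target_level >= 3:
        mutable = [r["date"] for r in runs if not r["immutable"]]
        if mutable:
            findings.append(f"{len(mutable)} run(s) are not immutable (required at Level 3)")
    return findings


# Constructed sample catalogue: nightly runs since 1 June 2025 with one skipped night,
# and immutability switched on only from the 31st run onward.
TODAY = date(2025, 9, 6)
START = date(2025, 6, 1)
SAMPLE_RUNS = [
    {"date": START + timedelta(days=i), "offline": True, "immutable": i >= 30}
    for i in range((TODAY - START).days + 1) if i != 50
]

if __name__ == "__main__":
    for finding in assess_backups(SAMPLE_RUNS, TODAY, 3, date(2025, 8, 15)):
        print(finding)
```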

How to implement the Essential Eight

Step 1: Assess current maturity

Begin by assessing current security posture against all eight strategies using the ACSC Essential Eight Assessment Process Guide. Document existing controls and their effectiveness, identify gaps, determine current maturity levels per control, and prioritise areas requiring immediate attention based on risk.

Step 2: Define target maturity level

Not every organisation needs to achieve Maturity Level 3. Select a target level appropriate to industry sector, data sensitivity, regulatory obligations, threat profile, and available resources. For most small to medium businesses, Level 1 or 2 provides strong protection against common threats. Government agencies and critical infrastructure operators should target Level 2 or 3.

Step 3: Develop an implementation roadmap

Create a phased plan that progressively builds maturity across all eight controls. The ACSC recommends achieving the same maturity level across all eight strategies before advancing, as the controls are designed to work together. The roadmap should include quick wins, medium-term projects, long-term initiatives, budget allocations, staff training, and timeline milestones.

Step 4: Implement controls systematically

Execute the plan with quality over speed. Poorly implemented controls at a higher maturity level provide less protection than well-implemented controls at a lower level. For each control, select appropriate technical solutions, configure systems according to ACSC guidance, document policies and configurations, test implementations, and train relevant staff.

Step 5: Monitor, maintain, and improve

Essential Eight compliance is not a one-time project. Cyber threats evolve continuously and the ACSC regularly updates the framework to address emerging attack patterns. Organisations must monitor control effectiveness through logging and regular reviews, maintain patches and configurations as new vulnerabilities emerge, conduct periodic reassessments, and address any drift in implementation.

Common Essential Eight implementation challenges

Australian organisations consistently encounter several challenges during implementation. Resource constraints affect smaller organisations that lack dedicated security staff or budget for advanced tooling. Managed security service providers specialising in the Essential Eight can address this gap effectively.

Legacy systems present challenges where older platforms do not support modern controls such as application whitelisting or rapid patching. In these cases, organisations must implement compensating controls, document exceptions through formal risk acceptance, and plan migration paths to supported platforms.

Operational friction is common, particularly around application control and restricted administrative privileges, which can initially disrupt normal operations. Involving users in planning, piloting controls with smaller groups, and providing adequate training reduces disruption significantly.

Complexity at higher maturity levels requires increasingly sophisticated technical implementations and monitoring capabilities. Organisations should progress incrementally, build internal expertise or partner with specialists, and leverage automation where possible.

Essential Eight and other frameworks

The Essential Eight does not exist in isolation. It complements and maps to several frameworks relevant to Australian organisations. The eight controls serve as foundational technical controls within a broader ISO 27001 ISMS, with many organisations using the Essential Eight as their technical baseline while using ISO 27001 for governance and risk management. Control overlap between the Essential Eight and APRA CPS 234 is also significant, particularly around patching, access controls, and backup resilience, allowing organisations to capture evidence once and use it across multiple compliance obligations.

For government agencies and their suppliers, the Essential Eight forms a subset of the broader ASD Information Security Manual. Achieving Essential Eight maturity supports ISM alignment but does not satisfy full ISM compliance. Organisations pursuing IRAP assessment for government contracts should understand this distinction early.

CyberPulse’s Essential Eight compliance services Australia are designed to harmonise Essential Eight uplift with ISO 27001 and APRA CPS 234 obligations, reducing duplication across compliance programmes.

Summary

The Essential Eight maturity levels provide a clear, structured path for Australian organisations to strengthen cyber defences incrementally.

  • Level 0 indicates no meaningful protection.
  • Level 1 addresses opportunistic attacks.
  • Level 2 is mandatory for Commonwealth entities and represents a strong baseline for private organisations.
  • Level 3 is required for organisations handling sensitive data or facing advanced persistent threats.

For organisations ready to assess their current maturity and build a structured uplift programme, CyberPulse’s Essential Eight compliance services Australia provide end-to-end gap assessment, remediation planning, and compliance support.
