verified_user
Standardful
Homechevron_rightStandardschevron_rightEssential Eight
Active (Guidelines - Not Certifiable)International Standardupdate Standard Updated: November 2023fact_check Fact checked: Jun 28, 2026

Essential Eight

ASD Essential Eight Maturity Model — Strategies to Mitigate Cyber Security Incidents

apartmentPublishing Organization:Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD)

Standard Introduction

Essential Eight is an active (guidelines - not certifiable) standard published by Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD). It is commonly used across Government, Technology, Finance & Banking, Services and applies in Australia, Asia Pacific.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with Essential Eight.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define Australian cyber mitigation maturity scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, data flows, and stakeholders covered by Essential Eight. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups, target maturity, exceptions, and monitoring.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected Australian cyber mitigation maturity approach. Review maturity target selection, control scoping, allowlisting, patch SLAs, macro controls, browser and application hardening, privileged access management, MFA enforcement, backup testing, exception governance, and continuous assessment, then prioritize gaps by legal exposure, safety or security impact, customer commitments, operational dependency, reporting deadlines, and assurance readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain maturity assessments, control registers, allowlist records, patch reports, macro policy evidence, hardening baselines, privileged access reviews, MFA records, backup test results, exception approvals, and monitoring reports as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, testing or independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs Essential Eight?

expand_more

Essential Eight is most relevant to Australian government entities, critical infrastructure organizations, enterprises, and suppliers implementing ASD mitigation strategies for internet-connected IT networks. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, technical requirements, and the organization's role in the relevant ecosystem.

Is Essential Eight certifiable?

expand_more

The Essential Eight is ASD guidance and a maturity model, not a certification. Organizations select a target maturity level and implement the eight mitigation strategies progressively.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, assurance providers, certification bodies, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for Essential Eight?

expand_more

Useful evidence includes maturity assessments, control registers, allowlist records, patch reports, macro policy evidence, hardening baselines, privileged access reviews, MFA records, backup test results, exception approvals, and monitoring reports. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, standards, products, vendors, incidents, reporting cycles, customer commitments, technical requirements, or assurance expectations change.

Official Documentation

View All

Related Categories