Essential Eight
ASD Essential Eight Maturity Model — Strategies to Mitigate Cyber Security Incidents
Standard Introduction
Essential Eight is an active (guidelines - not certifiable) standard published by Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD). It is commonly used across Government, Technology, Finance & Banking, Services and applies in Australia, Asia Pacific.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with Essential Eight.
Implementation Roadmap
Define Australian cyber mitigation maturity scope
Identify the products, services, systems, entities, jurisdictions, teams, vendors, data flows, and stakeholders covered by Essential Eight. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups, target maturity, exceptions, and monitoring.
Assess obligations and gaps
Compare current practices with the expected Australian cyber mitigation maturity approach. Review maturity target selection, control scoping, allowlisting, patch SLAs, macro controls, browser and application hardening, privileged access management, MFA enforcement, backup testing, exception governance, and continuous assessment, then prioritize gaps by legal exposure, safety or security impact, customer commitments, operational dependency, reporting deadlines, and assurance readiness.
Implement controls and evidence
Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain maturity assessments, control registers, allowlist records, patch reports, macro policy evidence, hardening baselines, privileged access reviews, MFA records, backup test results, exception approvals, and monitoring reports as traceable evidence.
Review, report, and improve
Run management reviews, internal checks, testing or independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.
Compliance Checklist
checklist Scope and accountability
checklist Controls and records
checklist Monitoring and assurance
Frequently Asked Questions
Who needs Essential Eight?
expand_more
Essential Eight is most relevant to Australian government entities, critical infrastructure organizations, enterprises, and suppliers implementing ASD mitigation strategies for internet-connected IT networks. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, technical requirements, and the organization's role in the relevant ecosystem.
Is Essential Eight certifiable?
expand_more
The Essential Eight is ASD guidance and a maturity model, not a certification. Organizations select a target maturity level and implement the eight mitigation strategies progressively.
What should implementation focus on first?
expand_more
Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, assurance providers, certification bodies, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.
What evidence is useful for Essential Eight?
expand_more
Useful evidence includes maturity assessments, control registers, allowlist records, patch reports, macro policy evidence, hardening baselines, privileged access reviews, MFA records, backup test results, exception approvals, and monitoring reports. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.
How often should the program be reviewed?
expand_more
Review it at planned intervals and whenever laws, standards, products, vendors, incidents, reporting cycles, customer commitments, technical requirements, or assurance expectations change.
Official Documentation
Official PDF for Essential Eight
Official publication or summary for Essential Eight
Official online resource
Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for Essential Eight