The ACSC Essential Eight is the baseline cyber security framework for Australian organisations. Whether you are preparing for a cyber insurance review, a government contract, or simply trying to protect your business, understanding what the Essential Eight requires — and how to implement it — is the right starting point.
What is the Essential Eight?
The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) as a baseline for protecting Microsoft Windows-based internet-connected networks. It was originally designed to counter targeted cyber intrusions and is updated as the threat landscape evolves.
Unlike broader frameworks such as ISO 27001, the Essential Eight is specific, actionable, and focused on the controls that stop the most common attack techniques. It is not a compliance checkbox — it is a practical answer to the question: what do we implement first?
The 8 controls explained
Application Control
Prevent unapproved applications from executing on workstations and servers. Application control stops malware from running even if it arrives via email or a compromised website. At ML1 (Maturity Level 1; the maturity levels are explained below), this means maintaining an allowlist of approved applications and blocking everything else from executing.
Patch Applications
Vulnerabilities in internet-facing applications — browsers, PDF readers, Office software, media players — are among the most common entry points for attackers. Patching within 48 hours of a critical patch release is the ML2 expectation. For ML1, patches should be applied within two weeks.
Configure Microsoft Office Macros
Macros embedded in Office documents are a primary delivery mechanism for malware. The control requires disabling macros by default and only allowing execution from trusted, digitally signed sources. This is one of the highest-impact controls for SMEs given how often macro-enabled documents appear in business email compromise attacks.
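As an added example (not from the article or the ACSC), the following PowerShell snippet audits the macro policy values that Group Policy writes for the current user, so you can see whether the "disabled by default, signed only" setting is actually enforced on a workstation. It assumes Microsoft 365 Apps or Office 2016 and later (the 16.0 policy key); the application list and the OK/GAP wording are my own choices.

```powershell
# Added example (not from the article or the ACSC): audit the Office macro
# policy values that Group Policy writes for the current user. Assumes
# Microsoft 365 Apps / Office 2016 or later (the 16.0 policy key).
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all silently.
# blockcontentexecutionfrominternet: 1 = block macros in files from the internet.
$apps = 'Word', 'Excel', 'PowerPoint'
$audit = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    # Returns $null (no error) when the policy key has never been written.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba = $props.VBAWarnings
    $internetBlock = $props.blockcontentexecutionfrominternet
    $status = if (($vba -in 3, 4) -and ($internetBlock -eq 1)) {
        'OK'
    }
    elseif ($null -eq $vba) {
        'GAP: no policy set, Trust Center default left to the user'
    }
    else {
        'GAP: macros not restricted to signed sources or internet files not blocked'
    }
    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = $vba
        BlockInternetMacros = $internetBlock
        Status              = $status
    }
}
$audit | Format-Table -AutoSize
```

Run it in the context of an ordinary user on a managed workstation; a blank VBAWarnings column means the Trust Center setting is whatever the user chose, which is the "enabled by default with no exception process" gap rather than a hardened baseline.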
User Application Hardening
Harden browser and Office application settings to reduce their attack surface. This includes disabling Flash, Java, and other unsupported plugins, and configuring browsers to block content from untrusted sources.
Restrict Administrative Privileges
Limit who holds admin rights on workstations and servers — and review those privileges regularly. Admin accounts should not be used for general browsing or email. This control directly reduces the blast radius of an initial compromise.
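The review step described above can be made repeatable with a dated snapshot of who holds local admin rights. This is an added example, not the article's or the ACSC's own tooling; it assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember), an elevated session, and a naming convention of `adm-` for dedicated admin accounts, which you should replace with your own.

```powershell
# Added example (not from the article): snapshot the local Administrators
# group for a privilege review and flag entries that need attention.
# Requires Windows 10 / Server 2016 or later and an elevated session.
# 'adm-' is an assumed naming convention for dedicated admin accounts.
$adminPrefix = 'adm-'
$review = foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    # Name comes back as DOMAIN\user or COMPUTER\user; keep the account part.
    $shortName = ($member.Name -split '\\')[-1]
    $lastLogon = $null
    if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
        $lastLogon = (Get-LocalUser -Name $shortName -ErrorAction SilentlyContinue).LastLogon
    }
    $note = 'OK'
    if ($member.ObjectClass -eq 'User' -and
        $shortName -ne 'Administrator' -and
        $shortName -notlike "$adminPrefix*") {
        # A personal account holding admin rights is the pattern behind
        # "admin accounts used for email and general browsing".
        $note = 'REVIEW: not a dedicated admin account'
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $member.Name
        ObjectClass = $member.ObjectClass
        Source      = $member.PrincipalSource
        LastLogon   = $lastLogon
        Note        = $note
    }
}
$review | Format-Table -AutoSize
# Keep a dated copy so the next review cycle has something to compare against.
$csv = ".\admin-review-$env:COMPUTERNAME-$(Get-Date -Format 'yyyy-MM-dd').csv"
$review | Export-Csv -Path $csv -NoTypeInformation
```

Nested groups (ObjectClass `Group`) are listed but not expanded; a domain group in the local Administrators group still needs its membership reviewed in Active Directory.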
Patch Operating Systems
Keep Windows and other operating systems current. OS vulnerabilities are regularly targeted by ransomware groups and automated scanning tools. At ML1, patching within 30 days of release is expected. At ML2, it is two weeks for critical patches.
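The patching windows quoted for operating systems (and, in the same form, for applications above) can be checked on a host with the added PowerShell example below. It is not from the article: it reports the age of the newest installed Windows update and then lists pending updates with the number of days since Microsoft published them, which is the clock the timelines actually run on. The 30-day and two-week thresholds are taken from the text; Get-HotFix covers Windows updates only, not third-party applications, and the pending-update search needs reachability to Windows Update or WSUS.

```powershell
# Added example (not from the article): compare a host's Windows patch state
# with the OS patching windows quoted above (30 days for ML1, two weeks for
# critical patches at ML2).
$ml1Days = 30
$ml2Days = 14

# Part 1: age of the newest installed update. A proxy only: a fully patched
# host with no recent releases will also show an old date.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    Write-Warning "No dated updates found on $env:COMPUTERNAME; check update history manually."
}
else {
    $ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LatestUpdate = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn.ToString('yyyy-MM-dd')
        AgeDays      = $ageDays
        WithinML1    = $ageDays -le $ml1Days
        WithinML2    = $ageDays -le $ml2Days
    }
}

# Part 2: pending updates, measured from their publication date. Uses the
# Windows Update Agent COM API; skipped with a warning if the search fails.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = $searcher.Search('IsInstalled=0 and Type=''Software''').Updates
    foreach ($u in $pending) {
        $daysPending = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
        [pscustomobject]@{
            Title       = $u.Title
            Severity    = $u.MsrcSeverity
            DaysPending = $daysPending
            OverdueML1  = $daysPending -gt $ml1Days
            OverdueML2  = ($u.MsrcSeverity -eq 'Critical') -and ($daysPending -gt $ml2Days)
        }
    }
}
catch {
    Write-Warning "Could not query pending updates: $($_.Exception.Message)"
}
```

Part 2 is the one to build reporting on: an update that has been available for longer than the window and is still pending is the condition the maturity levels are measuring, whereas Part 1 only tells you when the host last changed.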
Multi-Factor Authentication
MFA should be required for all users accessing the internet, email, and cloud services — and especially for privileged accounts and remote access. This single control stops the majority of credential-based attacks.
Regular Backups
Maintain daily backups of important data, software, and configuration settings. Backups should be disconnected from the network, protected against modification and deletion, and tested regularly. A backup your team has not tested is not a backup.
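"Tested regularly" means a restore that someone has actually checked against the source, not a green tick in the backup console. The added PowerShell example below (not from the article) verifies a test restore by hashing every file under the source directory and comparing it with the restored copy, reporting files that are missing or differ. The two paths are assumed and should be replaced with a real dataset and the location you restored it to.

```powershell
# Added example (not from the article): verify a test restore by comparing
# SHA-256 hashes between a source directory and the restored copy.
function Compare-RestoredFiles {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Restored
    )
    # Resolve to an absolute path so relative names can be derived reliably.
    $sourceRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
    foreach ($file in Get-ChildItem -LiteralPath $sourceRoot -File -Recurse) {
        $relative = $file.FullName.Substring($sourceRoot.Length + 1)
        $restoredPath = Join-Path -Path $Restored -ChildPath $relative
        if (-not (Test-Path -LiteralPath $restoredPath)) {
            [pscustomobject]@{ File = $relative; Status = 'MISSING' }
            continue
        }
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $restoredPath -Algorithm SHA256).Hash
        $status = if ($srcHash -eq $dstHash) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $relative; Status = $status }
    }
}

# Assumed paths: the live data set and the location of the test restore.
$report = Compare-RestoredFiles -Source 'C:\Data\Finance' -Restored 'D:\RestoreTest\Finance'
$report | Group-Object -Property Status | Select-Object Name, Count
# Anything other than OK is a finding for the backup owner.
$report | Where-Object { $_.Status -ne 'OK' }
```

Keep the summary output with the date of the test; the gap found most often is not a failed restore but the absence of any record that a restore was tried.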
Understanding the maturity levels
The ACSC defines four maturity levels — ML0 through ML3. ML0 means controls are not implemented. ML3 represents full implementation with ongoing management and the strongest technical controls.
Most organisations begin working toward ML1, which establishes a baseline of implementation across all eight controls. From there, ML2 tightens timelines and broadens scope. ML3 adds the most rigorous requirements around access management, phishing-resistant MFA, and centralised logging.
The right target level depends on your risk profile. Businesses pursuing cyber insurance, government contracts, or handling sensitive personal information are increasingly expected to meet at least ML1 — and often ML2.
How to prioritise implementation
If you are starting from scratch, the order matters. Based on what we see in assessments, this sequence delivers the most risk reduction earliest:
- Multi-Factor Authentication — the single highest-return control. Implement for all external access first.
- Patch Applications and Operating Systems — automate this where possible.
- Restrict Administrative Privileges — review who holds admin rights today.
- Configure Office Macros — disable by default, create exceptions only where needed.
- User Application Hardening — work through browser and Office settings systematically.
- Regular Backups — review your current backup architecture against ML1 requirements.
- Application Control — plan carefully; it requires inventory work before enforcement.
Common gaps we find in SME assessments
Across the assessments we run, the same gaps appear repeatedly:
- MFA not enforced for cloud applications — particularly SharePoint and OneDrive.
- Admin accounts used for email and general browsing by IT staff.
- Macros enabled by default with no exception management process.
- Backup processes that exist but have not been tested against a simulated restore.
- No formal review cycle for administrative privileges.
The Essential Eight is not about being perfect. It is about closing the doors that attackers walk through most often.
Frequently asked questions
Is the Essential Eight mandatory for Australian businesses?
It is mandatory for Commonwealth entities under the Protective Security Policy Framework. For most SMEs it is not a legal requirement — but it is increasingly expected by insurers, government procurement teams, and enterprise supply chains. That expectation is tightening.
How long does it take to reach ML1?
A focused programme with proper resourcing typically reaches ML1 across most controls within three to six months. The hardest controls — application control and macro management — take longer because they require change management alongside technical implementation.
What is the difference between the Essential Eight and ISO 27001?
ISO 27001 is a broad information security management framework covering governance, policies, risk management, and controls. The Essential Eight is a specific technical baseline focused on the controls that stop the most common cyber attacks. They are complementary — ISO 27001 is the management system; the Essential Eight defines baseline technical hygiene.