The Australian Cyber Security Centre's Essential Eight is the baseline cybersecurity framework for Australian organisations. We assess your current maturity, identify gaps, and build a remediation roadmap, whether you're targeting Maturity Level 1, 2 or 3.
We've seen too many Essential Eight assessments that produce a gap report and nothing else. Our engagements are built around closure: understanding where you are, remediating the gaps, and keeping you there through ongoing monitoring and evidence collection. We've run Essential Eight assessments for South Australian businesses from Maturity Level 1 baselines through to Maturity Level 3 targets.
The Essential Eight isn't one thing. It's eight distinct controls, each with three maturity levels. We assess all eight, show you where you stand, and build a remediation plan that sequences work logically and minimises disruption.
Self-assessed maturity is easy to inflate. We produce evidence-based assessments, backed by screenshots, configurations and logs, so your maturity rating reflects actual controls in place, not best intentions. That's what survives an audit or insurer review.
Essential Eight sits naturally inside a broader GRC programme. We manage the full compliance picture so you're not running separate workstreams for every framework.
Each maturity level represents a meaningful step up in security posture. Most businesses start from Maturity Level 0, where controls exist but don't yet consistently meet Maturity Level 1 requirements, and that's a completely normal starting point. Most should be targeting Maturity Level 2: the sweet spot between achievable and genuinely effective.
Maturity Level 1: Protection against opportunistic, volume-based attacks. Good baseline for businesses starting from scratch, but not sufficient against targeted attacks or for regulated sectors. The floor, not the goal.
Maturity Level 2: Protection against moderately sophisticated adversaries. Satisfies most client, insurer and government supply chain requirements. The right target for most South Australian businesses.
Maturity Level 3: Protection against sophisticated, targeted attacks. Required for businesses handling sensitive government or defence data. Demands significant investment, but if you need it, there's no substitute.
“Essential Eight isn't a compliance exercise. It's the difference between surviving a cyber attack and being front-page news.”
For Australian Government entities and their suppliers, compliance with the Essential Eight is mandated. For private sector businesses, it's not legally required, but it's become the de facto baseline that clients, insurers and boards expect. Many enterprise procurement processes now include Essential Eight questions. Beyond compliance, the controls are genuinely effective at reducing the most common attack vectors, so the case for implementation stands even without a mandate.
Maturity Level 2 is the right target for most businesses: it provides meaningful defence against targeted attacks, satisfies most client and insurer requirements, and is achievable without enterprise-scale resources. Maturity Level 3 is appropriate for organisations that hold sensitive government or defence data, or that face sophisticated threat actors. We assess your risk profile and recommend the right target before any remediation work begins.
Starting from a typical baseline, reaching Maturity Level 1 takes three to six months. Maturity Level 2 typically takes six to twelve months, depending on your current controls and how quickly your team can implement changes. The timeline is driven by the complexity of your environment and the pace your business can absorb change, not by technical difficulty. We build a realistic roadmap in the gap assessment phase so you know what you're committing to.
Essential Eight deployment across an independent secondary school: M365, MDM, content-filtered firewalls and AWS workloads all secured and aligned.
SMB1001 gives Australian small businesses a practical, tiered path to improving their security posture, without the complexity of the Essential Eight.
Financial firms face mounting pressure to tighten cyber security. What ASIC's rules mean for AFS licensees.
30 minutes, free, no commitment. We'll give you an honest initial read on your likely maturity level and what reaching your target would involve.