Answer eight quick questions about your environment and get an indicative ACSC Essential Eight maturity level, plus the strategies to fix first.
Indicative only, takes about three minutes
The Essential Eight is the ASD ACSC's set of eight baseline mitigation strategies. Your overall maturity is set by your weakest strategy, so this tool scores each one and shows where you stand.
Your indicative Essential Eight maturity
Not yet scored
Answer the questions to reveal your indicative maturity. Your overall level is set by your lowest-scoring strategy.
0 of 8 answered
Maturity by strategy
Tap any strategy to see exactly what would lift it to the next level.
Where to focus first
Want to know your real maturity?
This is indicative. We run formal Essential Eight assessments against the full ACSC criteria, then build and manage the remediation roadmap.
This self-assessment is indicative only and is not a formal ACSC Essential Eight assessment. It is based on your answers to one question per strategy and does not verify evidence. Use it as a starting point. A formal assessment validates each strategy against the full ACSC maturity criteria.
What is the ACSC Essential Eight?
The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). It is the most widely used cyber security framework for Australian organisations, and a defined maturity level is increasingly expected in government tenders, supplier contracts and cyber insurance applications. The eight strategies work toward three goals: stopping malware from running, limiting the damage an attacker can do once inside, and making sure you can recover when something goes wrong.
This free Essential Eight assessment tool gives you an indicative maturity level in about three minutes, with no sign-up. It is a fast way to see roughly where your business stands before committing to a formal assessment.
The eight strategies at a glance
Patch applications. Keep software like browsers, Office and PDF readers up to date, and apply critical patches quickly.
Patch operating systems. Keep workstation and server operating systems current, and retire unsupported versions.
Multi-factor authentication. Require a second factor beyond a password, especially for email, remote access and important data.
Restrict administrative privileges. Limit who holds admin rights, and keep those accounts away from web and email.
Application control. Allow only approved applications to run, so unknown or malicious software is blocked.
Restrict Microsoft Office macros. Block macros for users who don't need them, and block macros that arrive from the internet.
User application hardening. Lock down browsers and applications, for example blocking web ads and Java.
Regular backups. Back up important data and test that you can actually restore it.
Essential Eight maturity levels explained
Each strategy is measured against four maturity levels. Your overall Essential Eight maturity is set by your weakest strategy, which is why this tool scores each one and then reports the lowest. You only reach Maturity Level One once all eight strategies meet Level One.
Maturity Level Zero. The strategy is not yet adequately implemented. There are foundational gaps to close.
Maturity Level One. Protects against common, opportunistic attacks that use widely available tools and techniques.
Maturity Level Two. Protects against attackers willing to invest more time and effort to get in.
Maturity Level Three. Protects against adaptive attackers who actively target your organisation.
Why the Essential Eight matters for South Australian businesses
Small and medium businesses are now squarely in the firing line. As the Five Eyes cyber agencies recently warned, AI is compressing the time between a vulnerability being found and being exploited from years to months, and automated attacks don't hand-pick victims, they scan everyone for whoever is easiest. The Essential Eight is the practical baseline that closes those easy doors.
It also matters commercially. More Adelaide businesses are being asked to demonstrate an Essential Eight maturity level to win work, satisfy insurers, or meet obligations like Australia's mandatory ransomware reporting. As an ISO 27001 certified provider, InterIntra runs formal Essential Eight assessments for South Australian organisations, from a Maturity Level One baseline through to Level Three, and manages the remediation that follows.
How this self-assessment works
You answer one plain-English question for each of the eight strategies, choosing the option that best matches how your business operates today. As you go, the tool builds a live maturity radar, scores each strategy against the four ACSC levels, and calculates your overall maturity from your weakest control. For every strategy below Level Three it shows exactly what would lift it to the next level.
This is an indicative self-assessment, not a formal ACSC assessment. It is based on a single question per strategy and does not verify evidence, so treat it as a starting point. A formal assessment validates each strategy against the full ACSC criteria and produces an evidence-backed maturity rating. You can book a formal Essential Eight assessment whenever you're ready.
Frequently asked questions
The Essential Eight is a set of eight mitigation strategies recommended by the ACSC to help organisations protect themselves against common cyber threats: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups.
The ACSC defines four levels. Level Zero means the strategy is not yet adequately implemented. Level One protects against common, non-targeted attacks. Level Two protects against attackers willing to invest more effort. Level Three protects against adaptive, targeted attackers. Your overall maturity is the lowest level achieved consistently across all eight strategies.
No. This is a free, indicative self-assessment to help you understand roughly where you stand and where to focus. A formal assessment verifies evidence against the full ACSC criteria for each strategy. InterIntra can run a proper Essential Eight maturity assessment and build a remediation roadmap from there.
Yes, it is completely free and there is no sign-up. You answer the eight questions in your browser and your results appear instantly. We never ask for your email to show your maturity level.
About three minutes. There are eight questions, one for each strategy, and your indicative maturity level and per-strategy breakdown update as you answer.
Because your overall maturity is set by your weakest strategy, start with whichever strategies scored lowest, then lift the whole set together toward your target level. InterIntra can validate your real position, prioritise the gaps and manage the remediation.
