The Essential Eight is a set of eight baseline cyber security mitigation strategies published by the Australian Signals Directorate. It is widely referenced, and sometimes misunderstood as the whole of cyber security. In practice it is a foundation that sits within a broader security and governance posture, and it is most useful when an organisation understands where it fits rather than treating it as a standalone checklist.
Key takeaways
- The Essential Eight is produced by the Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC).
- It comprises eight mitigation strategies and is measured against a four-level maturity model, from Maturity Level Zero to Maturity Level Three.
- It is a baseline, not a complete security program, and it connects to the broader PSPF and ISM.
- The right maturity target depends on the organisation’s risk, not a one-size-fits-all level.
- This page is context for governance and risk leaders, not a maturity assessment service.
What is the Essential Eight?
The Essential Eight is a prioritised set of mitigation strategies that the ASD recommends as a baseline to make it harder for adversaries to compromise systems. The eight are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups [1].
How is Essential Eight maturity measured?
Implementation is measured against the Essential Eight Maturity Model, which defines four levels from Maturity Level Zero, through Maturity Level One and Two, to Maturity Level Three. Each higher level is designed to counter progressively more capable adversary tradecraft and more deliberate targeting. The appropriate target level is a risk decision: an organisation chooses the level that matches the threat it faces and the sensitivity of its systems, rather than defaulting to the highest level everywhere.
Where the Essential Eight sits in your posture
The Essential Eight is a baseline of technical controls. It does not, on its own, cover governance, personnel security, physical security or the wider risk picture. For Commonwealth entities it complements the PSPF, which sets the overarching protective security policy, and it draws on the same body of guidance as the Information Security Manual. The starting point for deciding how far to take it is a clear security risk assessment, which sets the priorities the controls should serve. For critical infrastructure operators, cyber and information security is one of the hazard categories that must be managed under the critical infrastructure regime.
Common misunderstandings
Two misreadings are common. The first is to treat the Essential Eight as the entire security program, when it is a technical baseline that needs governance, people and physical controls around it. The second is to aim for the highest maturity level everywhere regardless of risk, which wastes effort on low-risk systems and can still leave high-risk ones exposed.
How Agilient can assist
Agilient helps organisations place the Essential Eight in the context of their overall security and governance posture: how it relates to the PSPF, how it connects to the risk picture, and where it fits alongside personnel and physical security. Agilient’s role is governance and protective security advice rather than performing Essential Eight maturity assessments, which sit in the technical cyber domain. The aim is to ensure cyber baselines support, and are supported by, the wider security program.
To connect cyber baselines to governance, explore protective security consulting or book a short briefing.
Frequently asked questions
Who publishes the Essential Eight?
The Essential Eight is published by the Australian Signals Directorate, through the Australian Cyber Security Centre.
What are the Essential Eight maturity levels?
There are four: Maturity Level Zero, One, Two and Three. The right target depends on the organisation’s risk and the threats it faces.
Is the Essential Eight enough on its own?
No. It is a technical baseline. It needs governance, personnel security, physical security and a broader risk approach around it to form a complete security program.
How does the Essential Eight relate to the PSPF?
It complements the PSPF. The PSPF sets the overarching protective security policy and outcomes, while the Essential Eight provides a set of baseline cyber mitigations that support the technology and information aspects.
References
- [1] Australian Signals Directorate, Australian Cyber Security Centre, Essential Eight and the Essential Eight Maturity Model, cyber.gov.au
