Cyber security protects an organisation’s information systems and data from compromise. In Australia, the baseline is the Australian Signals Directorate’s Essential Eight, a set of eight mitigation strategies assessed against a four-level maturity model (Maturity Level Zero to Maturity Level Three), supported by the Information Security Manual and, for a certifiable management system, ISO/IEC 27001:2022. Cyber security sits alongside protective security rather than replacing it.
This pillar provides the cyber baseline that the other frameworks reference and is kept deliberately concise. For the broader picture, cyber is one part of a wider security and resilience program.
Overview
What is the Essential Eight?
The Essential Eight is the Australian Signals Directorate’s set of baseline mitigation strategies for protecting against cyber threats. It is the most widely used cyber security baseline in Australia, and meeting it at a defined maturity level is increasingly a condition of doing business with government and, through the Defence Industry Security Program (DISP), with Defence.
The model
The eight mitigation strategies and the maturity model

The eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each is assessed against four maturity levels, from Maturity Level Zero, where the requirements of Maturity Level One are not met, to Maturity Level Three, which targets adversaries that are more adaptive and much less reliant on public tools and techniques. An organisation chooses a target maturity level based on the threats it faces, and ASD’s guidance is to implement all eight strategies at that level before moving to a higher one, since the strategies are designed to work together.
The standards
The Information Security Manual and the ISO 27000 series
The Essential Eight sits within a wider body of guidance. The Information Security Manual (ISM), updated quarterly by the Australian Signals Directorate, provides the detailed cyber security controls that the Essential Eight maps to. For organisations seeking a certifiable information security management system, ISO/IEC 27001:2022 is the international standard, complemented by the reference controls and implementation guidance in ISO/IEC 27002:2022.
The bigger picture
How cyber fits the wider framework program
Cyber security is one domain of a broader program, not the whole of it. It is a requirement of the PSPF for Commonwealth entities, an obligation under APRA’s Prudential Standard CPS 234 for financial services, and a condition of DISP membership for defence suppliers, who must meet the Essential Eight at Maturity Level Two. In each case, cyber security is best managed as part of a single risk-based security program rather than in isolation.
How we help
How Agilient supports cyber security
Agilient assesses cyber security against the Essential Eight and the ISM, independent of any product, and aligns it with the wider security program.
Essential Eight assessment
Where you sit against the eight strategies and the maturity model.
ISM and ISO 27001 alignment
Aligning controls to the ISM and ISO/IEC 27001:2022.
Maturity uplift
A plan to reach the maturity level your obligations require.
Know where your cyber security stands
An Essential Eight assessment shows your current maturity level against each of the eight strategies and what it takes to reach the level your obligations require.
FAQs
Frequently asked questions
What is the Essential Eight?
What are the Essential Eight maturity levels?
What is the Information Security Manual?
How does the Essential Eight relate to ISO 27001?
Who has to meet the Essential Eight?

References
- Australian Signals Directorate, Essential Eight maturity model, cyber.gov.au
- Australian Signals Directorate, Information Security Manual, cyber.gov.au
- ISO/IEC, ISO/IEC 27001:2022 Information security management systems, iso.org