
How Much Does an Essential Eight Assessment Cost in Australia? (2026)

Real pricing for Essential Eight assessments in Australia. From solo consultants to Big 4 firms. What you're actually paying for, what you can skip, and how to avoid overspending.

Robbie Cronin · 9 min read

You Googled "Essential Eight assessment cost" because someone told you that you need one. Maybe your cyber insurer sent a questionnaire you couldn't answer. Maybe a government contract requires it. Maybe your broker mentioned it on a call and you nodded along.

Now you need a number. Here's what it actually costs, who charges what, and where most businesses overspend.

The Short Answer

$5,000-$15,000
Typical Essential Eight assessment for an Australian SME
Gap analysis + written report + prioritised remediation roadmap. 1-3 weeks depending on organisation size.

That's the range for a standalone assessment. Not implementation. Not remediation. Just someone qualified looking at your systems, measuring you against the eight controls, and telling you where you stand.

The range is wide because the variables are wide. A 15-person company with one office and a standard Microsoft 365 setup is a different job from a 200-person company with legacy systems, remote workers, and a custom ERP.

What Drives the Price

Four things determine where you land in that range.

Organisation size. More endpoints, more users, more systems to review. A 20-person company takes 2-3 days of assessor time. A 150-person company takes 1-2 weeks.

Environment complexity. All Microsoft 365 on one domain? Straightforward. Mix of Windows, macOS, on-prem Active Directory, three different cloud providers, and an app server someone set up in 2019 that nobody wants to touch? That's more work.

Maturity level target. Most businesses need Maturity Level 2. ML2 is what cyber insurers expect and what Commonwealth contracts require. ML1 is a lighter assessment. ML3 is significantly more rigorous and expensive, but most SMEs don't need it.

What's included. A bare assessment tells you your score. A good one includes a prioritised remediation roadmap, specific recommendations, and evidence you can hand to your insurer. Make sure you're comparing like for like when you get quotes.

Who Charges What

Essential Eight Assessment Pricing by Provider Type

Feature              | Boutique / Solo           | Mid-Market Firm
Assessment cost      | $5,000-$10,000            | $10,000-$25,000
Timeline             | 1-3 weeks                 | 3-6 weeks
Who does the work    | The person you spoke to   | A graduate, supervised by a partner
Report format        | Practical, plain English  | Polished, heavy on methodology
Remediation roadmap  | Usually included          | Sometimes extra
Follow-up support    | Varies (ask)              | Billed hourly
Best for             | SMEs under 200 staff      | Larger orgs, board reporting

Big 4 firms (Deloitte, PwC, KPMG, EY) start at $30,000 and go well above $100,000 for comprehensive engagements. They're building a brand-name report for your board and your insurer's underwriting team. If you're a mid-market company with complex compliance needs across multiple frameworks, that might make sense. For most SMEs, it's overkill.

The pattern you want to avoid: the partner sells, the graduate delivers. It happens at every tier, but it's more common at larger firms. Ask directly: "Who will be doing the hands-on assessment work, and what's their background?"

What to Ask Before You Sign
  1. What maturity level will you assess against? (You want ML2 unless told otherwise.)
  2. Does the report include a prioritised remediation roadmap?
  3. Will the report satisfy my cyber insurer's requirements?
  4. Who does the actual assessment work?
  5. Is follow-up support included if I have questions after the report?

What You're Actually Paying For

An Essential Eight assessment covers eight specific controls defined by the Australian Signals Directorate (ASD). They are:

  1. Application control - only approved software runs on your systems
  2. Patch applications - software is kept up to date
  3. Configure Microsoft Office macro settings - macros are locked down
  4. User application hardening - browsers and email clients are configured securely
  5. Restrict administrative privileges - admin access is limited and monitored
  6. Patch operating systems - Windows, macOS, Linux are current
  7. Multi-factor authentication - MFA on everything, especially external-facing systems
  8. Regular backups - tested, offsite, and recoverable

The assessor reviews each control against the maturity level criteria, collects evidence (configuration screenshots, policy documents, system logs), and rates you 0-3 on each one.

There Is No Essential Eight Certification

Unlike ISO 27001 or SOC 2, there's no formal certification for Essential Eight. No certificate to frame. What you get is an assessment report that documents your maturity level across each control. That report is what your insurer, your clients, and government procurement teams want to see.

Some firms market "Essential Eight certification" as a service. That's their branding, not an official designation. The ACSC publishes the framework and assessment methodology, but doesn't certify organisations.

Maturity Level 2: What It Actually Requires

ML2 is the standard most businesses should target. It's what cyber insurers expect and what the PSPF requires for Commonwealth entities.

The November 2023 update made ML2 significantly harder. The biggest changes:

MFA got stricter. ML2 now requires phishing-resistant MFA. That means FIDO2 security keys, Windows Hello for Business, or smart cards. SMS codes and authenticator app push notifications don't cut it anymore at ML2.

Patching got faster. Internet-facing applications must be patched within two weeks. Critical vulnerabilities within 48 hours. That's a real operational commitment.

Application control got specific. Microsoft's recommended application blocklist must be implemented. Annual reviews of rulesets required.
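The patching window is the ML2 change that most often turns into an audit finding, because it has to be demonstrated with dates rather than a policy document. The script below is an added example, not code from the article or from ASD: it takes the two windows as the article summarises them (48 hours for critical vulnerabilities, two weeks for other internet-facing application patches), runs them over a constructed set of patch records, and classifies each as met, breached, still open, or outside those two rules. The record fields, host names and advisory ids are my own placeholders.

```python
"""Check patch records against the ML2 timeframes summarised above.

Added example, not part of the original article. The 48-hour and
14-day windows follow the article's summary; all records below are
constructed sample data and the field names are an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows as summarised in the article.
WINDOW_CRITICAL = timedelta(hours=48)
WINDOW_INTERNET_FACING = timedelta(days=14)


@dataclass
class PatchRecord:
    host: str
    advisory: str                    # placeholder id, not a real CVE
    severity: str                    # "critical", "high", "medium", ...
    internet_facing: bool
    released_at: datetime            # when the vendor patch became available
    patched_at: Optional[datetime]   # None means still unpatched


def required_window(rec: PatchRecord) -> Optional[timedelta]:
    """Return the applicable window, or None when neither of the two
    summarised rules covers the record (non-critical, internal-only)."""
    if rec.severity == "critical":
        return WINDOW_CRITICAL
    if rec.internet_facing:
        return WINDOW_INTERNET_FACING
    return None


def evaluate(rec: PatchRecord, now: datetime) -> Dict[str, object]:
    """Classify one record as 'met', 'breached', 'open' or 'n/a'.

    'open' means unpatched but still inside its window; 'breached'
    carries how far past the deadline the patch landed (or how far
    past it an unpatched system currently is)."""
    result: Dict[str, object] = {"host": rec.host, "advisory": rec.advisory,
                                 "status": "n/a", "overdue_by": None}
    window = required_window(rec)
    if window is None:
        return result
    deadline = rec.released_at + window
    if rec.patched_at is None:
        if now > deadline:
            result.update(status="breached", overdue_by=now - deadline)
        else:
            result.update(status="open")
    elif rec.patched_at <= deadline:
        result.update(status="met")
    else:
        result.update(status="breached", overdue_by=rec.patched_at - deadline)
    return result


def summarise(records: List[PatchRecord], now: datetime) -> Dict[str, int]:
    """Count records per status; the 'breached' count is what an
    assessor would want explained."""
    counts = {"met": 0, "breached": 0, "open": 0, "n/a": 0}
    for rec in records:
        counts[str(evaluate(rec, now)["status"])] += 1
    return counts


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: a fixed "now" so results are reproducible.
NOW = _utc(2026, 1, 20)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "ADV-0001", "critical", True, _utc(2026, 1, 1), _utc(2026, 1, 2, 12)),  # 36h: met
    PatchRecord("web-02", "ADV-0002", "critical", True, _utc(2026, 1, 5), _utc(2026, 1, 8)),      # 72h: breached
    PatchRecord("app-01", "ADV-0003", "high", True, _utc(2026, 1, 3), _utc(2026, 1, 10)),         # 7d: met
    PatchRecord("app-02", "ADV-0004", "high", True, _utc(2026, 1, 1), None),                      # 19d open: breached
    PatchRecord("fs-01", "ADV-0005", "medium", False, _utc(2025, 12, 1), None),                   # internal: n/a
    PatchRecord("app-03", "ADV-0006", "high", True, _utc(2026, 1, 15), None),                     # 5d open: still open
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(evaluate(rec, NOW))
    print(summarise(SAMPLE_RECORDS, NOW))
```

Fed a real export (vendor release date and deployment date per host), the same logic gives an assessor the evidence trail the article says they collect, and the "open" category is the one to watch between assessments: it is where tomorrow's breaches sit.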

How hard is this? For context, only 22% of Australian federal government entities met ML2 in 2025. These are organisations with dedicated IT teams and security budgets. The bar is real.

22% of Australian federal entities met Essential Eight ML2 in 2025, down from 25% in 2023 after ASD raised the bar. If government agencies struggle, SMEs shouldn't feel bad about needing help.

The Hidden Costs Most People Miss

The assessment itself is a line item. But it's not the whole picture.

Remediation. The assessment finds gaps. Fixing those gaps costs money. Deploying phishing-resistant MFA across 50 users. Configuring application control policies. Setting up immutable backups. Budget $10,000-$30,000 for remediation on top of the assessment, depending on how many gaps exist.

Tooling. Some controls require specific tools. EDR (endpoint detection and response) runs $5-$15 per device per month. Backup solutions with immutability features. Privileged access management. You might already have some of these through Microsoft 365 E5 licensing.

Ongoing maintenance. Essential Eight isn't a one-time exercise. Patches need applying within timeframes. Access reviews need running. Backups need testing. Budget 10-20 hours per month of someone's time to maintain compliance.

Reassessment. Your insurer will ask again next year. And the year after. Most businesses reassess annually. Second assessments are cheaper (typically 40-60% of the first) because the assessor already understands your environment.

The Managed Service Alternative

Some providers offer Essential Eight as a monthly managed service instead of a one-off assessment. Monitoring from $15 per user per month. Full managed services from $30 per user per month.

For a 50-person company, that's $9,000-$18,000 per year. More than a standalone assessment, but it includes ongoing monitoring, patching management, and regular reporting.

This makes sense if you don't have in-house IT capable of maintaining the controls. It doesn't make sense if you have a competent IT team and just need the initial assessment and roadmap.

Is It Tax Deductible?

Yes. Cybersecurity assessments are a deductible business expense. If you complete the assessment before June 30, it's deductible in this financial year.

Some businesses also explore the instant asset write-off for associated hardware (security keys, servers for backup infrastructure). Talk to your accountant about the specifics, but the assessment itself is straightforward.

Government Support

The federal government runs the Small Business Cyber Resilience Service, an $8.1 million program providing free, tailored cybersecurity support for small businesses. It includes one-on-one consultations and tailored improvement plans. Check business.gov.au for current availability.

The Australian Small Business Advisory Services program also covers digital security advisory. Worth checking whether your state has active providers.

These programs won't replace a formal assessment, but they can help you prepare for one and understand what you actually need.

How to Get the Most Value From Your Assessment

Do some prep work first. Run through the Innitor compliance scorecard to understand roughly where you stand. It takes 5 minutes and gives you a baseline before you engage an assessor. You'll ask better questions and waste less of the assessor's time (which is your money).

Get your documentation together. Before the assessor arrives, pull together: your current IT asset list, any existing security policies, your backup configuration, your MFA setup, and your patch management process (even if it's informal). Having this ready can cut 20-30% off the assessment time.

Ask for the insurer letter. A good assessor will write the report in a format your cyber insurer can directly use. Some will even help you fill out the insurer's specific questionnaire. Ask for this upfront. It's the most valuable part of the engagement for most SMEs.

Bundle if it makes sense. If you also need ISO 27001 or SOC 2, there's significant overlap with Essential Eight. A combined gap analysis across multiple frameworks costs less than separate assessments. About 60-70% of Essential Eight controls map directly to ISO 27001 Annex A controls.

The Bottom Line

For most Australian SMEs, an Essential Eight assessment costs $5,000-$15,000 and takes 1-3 weeks. Budget another $10,000-$30,000 for remediation if you have significant gaps.

The real question isn't whether you can afford the assessment. It's whether you can afford not to do it. 40% of cyber insurance claims get denied globally, often because the business couldn't demonstrate basic controls. A $6,000 assessment looks different when the alternative is a denied $280,000 claim.

Not Sure Where You Stand?

Take the free compliance scorecard. Five minutes, no email required, instant results. It won't replace a formal assessment, but it'll tell you roughly where your gaps are and whether you need to move urgently.

Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.