
What Is the Essential Eight? The Complete Australian Guide (2026)

The Essential Eight explained for business owners, not IT departments. What the eight controls actually do, real breaches that prove why they matter, and how to figure out what your business needs.

Robbie Cronin · 18 min read

The Essential Eight is a cybersecurity framework published by the Australian Signals Directorate (ASD). It defines eight strategies that, when implemented properly, prevent the vast majority of cyberattacks.

If someone told you your business needs it, they're probably right. Cyber insurers ask about it. Government contracts require it. And the breaches that keep making the news? Almost all of them could have been prevented or contained by these eight controls.

But most guides to the Essential Eight are written for IT people. This one isn't. This is what the framework actually does, explained in plain English, with real Australian breaches mapped to the controls that would have stopped them.

85%: the share of targeted cyber intrusions that are preventable with the top four Essential Eight controls. ASD found that implementing just those four mitigation strategies could prevent 85% of targeted cyber intrusions; the full eight cover an even broader range of attack techniques.

Where It Came From

The ASD, through its Australian Cyber Security Centre (ACSC), which publishes the framework, first released a list of 35 mitigation strategies in 2010, ranked by effectiveness.

In April 2013, the top four strategies became mandatory for federal government agencies. In 2017, the ASD expanded the recommended set to eight, publishing the Essential Eight Maturity Model. The full Essential Eight became mandatory for non-corporate Commonwealth entities in 2022 under the PSPF.

The most recent update landed in November 2023. It raised the bar significantly, especially around MFA requirements and patching timeframes. We'll get to the specifics.

The framework applies to all Australian organisations, not just government. But while federal agencies are required to meet it, private businesses adopt it voluntarily. Voluntarily in the sense that nobody forces you. Practically, your cyber insurer, your enterprise customers, and your government clients increasingly expect it.

The Eight Controls, Explained

Each control tackles a specific attack vector. Together, they cover the most common ways businesses get breached.

The Essential Eight Controls

  1. Application Control: block unauthorised software
  2. Patch Applications: keep software up to date
  3. Configure Microsoft Office Macros: lock down macros
  4. User Application Hardening: disable risky features in browsers/email
  5. Restrict Administrative Privileges: limit who has admin access
  6. Patch Operating Systems: keep Windows/macOS/Linux current
  7. Multi-Factor Authentication: require a second factor to log in
  8. Regular Backups: keep tested copies that ransomware can't reach

1. Application Control

What it does: Only approved software is allowed to run on your systems. Everything else is blocked.

Why it matters: Ransomware, cryptominers, remote access trojans. They all need to execute code on your machine. If your systems only allow approved applications to run, most malware can't even start.

Real breach: In September 2019, several Victorian hospitals in the Gippsland Health Alliance and South West Alliance of Rural Health networks were hit by ransomware that disrupted patient services for weeks. The attackers deployed malware across hospital networks. Application control policies would have blocked the unauthorised executables from running in the first place.

2. Patch Applications

What it does: Software (web browsers, PDF readers, Microsoft Office, email clients) is patched within defined timeframes. At Maturity Level 2 (ML2), internet-facing applications must be patched within two weeks, and critical vulnerabilities within 48 hours.

Why it matters: Attackers scan for known vulnerabilities. Once a patch is released, the clock starts. Unpatched software is an open door.

Real breach: The DP World Australia attack in November 2023 exploited a known vulnerability in Citrix NetScaler (CVE-2023-4966, known as "CitrixBleed"). The patch had been available for weeks. The breach shut down container operations at Sydney, Melbourne, Brisbane, and Fremantle ports for three days, disrupting 40% of Australia's container trade.

3 days: how long DP World ports were offline after a single unpatched vulnerability. The patch for CitrixBleed was available before the attack. Timely patching would have prevented one of Australia's largest supply chain disruptions.

3. Configure Microsoft Office Macro Settings

What it does: Macros in Microsoft Office documents are blocked or restricted based on the source. At ML2, macros are blocked from the internet, and only approved macros from trusted locations can execute.

Why it matters: Macros are one of the oldest and most effective malware delivery methods. "Please enable macros to view this invoice" has compromised thousands of businesses. The technique is decades old and still works because too many organisations leave macros wide open.

Real breach: The 2019 Victorian hospital attacks involved malicious documents delivered via email. Macro-enabled Office documents were a key vector for the initial Emotet infection. Proper macro restrictions would have stopped the payload from executing even if staff opened the attachment.

4. User Application Hardening

What it does: Web browsers, email clients, and PDF viewers are configured to block risky features. Flash, Java, ads, and unnecessary scripting are disabled. Internet Explorer and other legacy browsers are blocked.

Why it matters: Your browser is the most exposed application on your network. Malicious ads, drive-by downloads, and phishing sites all target browser features. Hardening reduces the attack surface.

Real breach: The 2022 Optus breach exposed personal data of 9.8 million Australians. While the root cause was an exposed, unauthenticated API, the broader lesson applies: every internet-facing application needs to be locked down. Optus reserved $140 million for breach-related costs, and the OAIC subsequently filed separate civil penalty proceedings.

5. Restrict Administrative Privileges

What it does: Admin accounts are limited to people who actually need them, used only for admin tasks, and monitored. Daily work happens on standard accounts.

Why it matters: When an attacker compromises a regular user account, the damage is limited. When they compromise an admin account, they own the network. Restricting admin privileges contains breaches.

Real breach: The 2023 Latitude Financial breach started with an employee's credentials. The attackers used those credentials to escalate privileges and access systems holding over 14 million customer records, including 7.9 million driver's licence numbers and 6.1 million other records dating back to 2005. The total cost exceeded $76 million. If admin privileges had been properly segmented, the initial compromise wouldn't have given the attackers access to historical customer databases.

$76M: the cost of the Latitude Financial breach. Over 14 million customer records exposed after attackers escalated from a single compromised credential. Privilege restriction would have limited the blast radius.

6. Patch Operating Systems

What it does: Windows, macOS, and Linux are kept current. At ML2, internet-facing operating systems are patched within two weeks, and unsupported versions (like Windows 10 after October 2025) are replaced.

Why it matters: Same principle as patching applications, but for the foundation everything runs on. An unpatched OS can be exploited regardless of how secure your applications are.

The reality: Microsoft ended support for Windows 10 in October 2025. Any business still running it is now running an operating system that receives no security updates. Every new vulnerability discovered in Windows 10 from here on stays open forever.

7. Multi-Factor Authentication

What it does: Logging in requires a second factor beyond a password. At ML2, that second factor must be phishing-resistant: FIDO2 security keys, Windows Hello for Business, or smart cards. SMS codes and push notifications no longer meet the ML2 requirement after the November 2023 update.

Why it matters: Stolen passwords are the most common way into business systems. MFA means a stolen password alone isn't enough. And phishing-resistant MFA means even sophisticated phishing attacks that intercept one-time codes don't work.

Real breach: The Medibank breach in October 2022 was traced to stolen VPN credentials from a contractor. No MFA was required to access the VPN with admin-level privileges. 9.7 million customer records were stolen, including sensitive health claims data, and the attackers published it on the dark web. APRA later imposed a $250 million capital adequacy increase, requiring Medibank to hold that amount in additional reserves. Direct expenses have exceeded $126 million, with the OAIC's civil penalty proceedings seeking further penalties.

MFA Is the Single Most Important Control

If you only implement one thing from this list, make it MFA. On everything. VPN, email, cloud apps, admin consoles, backup systems. The November 2023 update pushed ML2 to require phishing-resistant MFA, not just any MFA. SMS codes no longer meet any maturity level, and standard authenticator push notifications are now only sufficient for Maturity Level 1.

8. Regular Backups

What it does: Critical data and system configurations are backed up regularly, stored offline or immutable (can't be modified or deleted by ransomware), and tested for recovery.

Why it matters: If everything else fails and you get hit, backups are your last line of defence. But only if they actually work. Untested backups are not backups. Backups stored on the same network as production are just another target.

Real breach: MediSecure, an electronic prescriptions provider, was hit by ransomware in April 2024 (publicly disclosed in May). The attack compromised 12.9 million records. MediSecure went into voluntary administration and was ultimately wound up. The company was destroyed. Veeam's 2023 Ransomware Trends Report found that 93% of ransomware attacks target backup systems. If your backups aren't isolated, they'll be encrypted along with everything else.

The Maturity Model: Levels 0 to 3

The Essential Eight isn't binary. You don't just "have it" or "not have it." Each control is assessed against four maturity levels.

Essential Eight Maturity Levels (Level 1 vs Level 2, by control)

  • Application control. Level 1: prevents execution of unapproved executables. Level 2: adds Microsoft's recommended blocklist, annual reviews, logging.
  • Patch applications. Level 1: internet-facing within 2 weeks; critical within 48 hours. Level 2: all apps within 2 weeks; critical within 48 hours.
  • Macros. Level 1: macros from the internet blocked. Level 2: only signed, trusted macros from approved locations.
  • App hardening. Level 1: IE disabled, Flash blocked. Level 2: web ads blocked, Java blocked, PowerShell constrained.
  • Admin privileges. Level 1: privileged accounts can't browse web/email. Level 2: just-in-time admin, validated first-time requests.
  • Patch OS. Level 1: internet-facing within 2 weeks; critical within 48 hours. Level 2: all systems within 2 weeks; critical within 48 hours.
  • MFA. Level 1: MFA on internet-facing services. Level 2: phishing-resistant MFA on everything.
  • Backups. Level 1: performed and tested. Level 2: privileged access to backups restricted, tested quarterly.

Level 0: Not aligned. Significant gaps across the control.

Level 1: Partly aligned. Basic implementation. This is the minimum, suitable for low-risk environments.

Level 2: Mostly aligned. This is the target for most businesses. It's what cyber insurers expect and what the Protective Security Policy Framework (PSPF) requires for Commonwealth entities.

Level 3: Fully aligned. Designed to resist sophisticated adversaries, including nation-state actors. Most private businesses don't need this level.

22%: the share of Australian federal government agencies that met Maturity Level 2 in 2025. These are organisations with dedicated IT teams and security budgets. If government agencies struggle, SMEs shouldn't feel bad about needing help.

That number dropped from 25% in 2023 to 15% in 2024 after the November 2023 update raised the bar, then partially recovered to 22% in 2025. The update didn't make organisations less secure. It made the measurement more honest about what "good" actually looks like.

Which Level Do You Need?

[Interactive quiz: What Maturity Level Should You Target? Two questions; the first asks: Do you hold sensitive customer data or operate in a regulated industry?]

What the November 2023 Update Changed

The ASD published an updated Essential Eight Maturity Model in November 2023. It didn't add new controls, but it raised requirements across most maturity levels. The biggest changes:

Phishing-resistant MFA at ML2. Previously, any MFA met ML2. Now it has to be phishing-resistant (FIDO2 security keys, Windows Hello for Business, smart cards). This was the change that caused the most disruption. SMS codes no longer meet any maturity level. Authenticator app push notifications were downgraded to ML1 only.

Faster patching. ML2 now requires internet-facing applications to be patched within two weeks (tightened from one month), with critical vulnerabilities patched within 48 hours. However, OS patching for workstations and non-internet-facing systems was actually relaxed from two weeks to one month at ML2, rebalancing effort toward higher-risk systems.

Stricter application control. ML2 now requires implementation of Microsoft's recommended application blocklist and annual reviews of application control rulesets.

Macro restrictions tightened. ML2 requires macros to only execute from sandboxed, trusted locations. Macros digitally signed by untrusted publishers are blocked.

These changes are why the government compliance rate dropped from 25% to 15% in 2024 before recovering to 22% in 2025. The controls didn't get worse. The measurement got more realistic.
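As an added example (not code from the post, ASD, or any assessment tool), here is a small Python checker that applies the patching timeframes from the maturity table and the November 2023 update notes above to a constructed asset inventory. The asset names, the 30-day month, and the treatment of critical and non-internet-facing assets are assumptions stated in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Patch timeframes as the page's maturity table gives them. Assumptions:
# "critical within 48 hours" applies regardless of exposure at both levels;
# the table sets no deadline for non-internet-facing assets at ML1, so those
# are reported as "not assessed"; at ML2 a non-internet-facing operating
# system gets one month (per the November 2023 update notes), all else two weeks.
CRITICAL = timedelta(hours=48)
TWO_WEEKS = timedelta(days=14)
ONE_MONTH = timedelta(days=30)

def allowed_delay(level: int, kind: str, internet_facing: bool,
                  critical: bool) -> Optional[timedelta]:
    """Maximum time from patch release to installation, or None when the
    table sets no deadline for this asset at this maturity level."""
    if critical:
        return CRITICAL
    if internet_facing:
        return TWO_WEEKS
    if level < 2:
        return None
    return ONE_MONTH if kind == "os" else TWO_WEEKS

@dataclass
class Asset:
    name: str
    kind: str                    # "app" or "os"
    internet_facing: bool
    critical: bool               # pending patch fixes a critical vulnerability
    released: datetime           # when the vendor released the patch
    applied: Optional[datetime]  # when it was installed; None if still pending

def assess(asset: Asset, level: int, now: datetime) -> str:
    """Classify one asset: compliant, due, non-compliant or not assessed."""
    limit = allowed_delay(level, asset.kind, asset.internet_facing, asset.critical)
    if limit is None:
        return "not assessed"
    if asset.applied is None:
        # Still unpatched: overdue once the window has closed, otherwise due.
        return "non-compliant" if now - asset.released > limit else "due"
    return "compliant" if asset.applied - asset.released <= limit else "non-compliant"

def report(assets: List[Asset], level: int, now: datetime) -> Dict[str, str]:
    """Status of every inventory item against one maturity level."""
    return {a.name: assess(a, level, now) for a in assets}

# Constructed sample inventory (not real systems), assessed on 20 Jan 2026.
NOW = datetime(2026, 1, 20)
INVENTORY = [
    # Internet-facing gateway: critical fix applied nine days after release.
    Asset("remote-access-gateway", "app", True, True,
          datetime(2026, 1, 1), datetime(2026, 1, 10)),
    # Internal workstation OS: routine patch installed after 17 days.
    Asset("finance-workstation-os", "os", False, False,
          datetime(2026, 1, 2), datetime(2026, 1, 19)),
    # Internet-facing web app: routine patch still pending after 31 days.
    Asset("customer-portal", "app", True, False, datetime(2025, 12, 20), None),
    # Internal PDF reader: routine patch pending for 10 days.
    Asset("internal-pdf-reader", "app", False, False, datetime(2026, 1, 10), None),
]
```

Calling report(INVENTORY, 1, NOW) and report(INVENTORY, 2, NOW) shows the same inventory passing or failing differently at each level, which is exactly the shift the 2023 update produced.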

Australian Breaches Mapped to Essential Eight

Every major Australian breach in recent years maps directly to Essential Eight controls that weren't implemented. This isn't theoretical. These are real companies, real costs, and real consequences.

Major Australian Breaches vs Essential Eight Controls

  • Medibank (2022). What happened: 9.7M records stolen via compromised VPN credentials; $126M+ cost. Which E8 control failed: MFA not required on VPN (Control 7).
  • Optus (2022). What happened: 9.8M records exposed via unauthenticated API; $140M+ cost. Which E8 control failed: application hardening and access controls (Controls 4, 5).
  • Latitude Financial (2023). What happened: 14M+ records stolen after credential theft; $76M cost. Which E8 control failed: admin privilege escalation (Control 5).
  • DP World (2023). What happened: ports offline for 3 days; 40% of container trade disrupted. Which E8 control failed: unpatched Citrix vulnerability (Control 2).
  • HWL Ebsworth (2023). What happened: 4TB exfiltrated from law firm; client data from 65 government agencies. Which E8 control failed: multiple controls (admin privileges, MFA, patching).
  • MediSecure (2024). What happened: 12.9M records; company went into administration and was destroyed. Which E8 control failed: backups not isolated from production (Control 8).

The Pattern Is Clear

Look at the "Which Control Failed" column. MFA, patching, admin privileges, backups. The same controls, over and over. These aren't exotic attacks exploiting zero-day vulnerabilities. They're preventable incidents caused by missing basics.

The Cost of Doing Nothing

The ASD's Annual Cyber Threat Report for 2024-25 puts hard numbers on it.

$56,600: the average cost of cybercrime per report for Australian small businesses (ASD Annual Cyber Threat Report 2024-25). This is per incident, and it only counts direct costs. Business interruption, legal fees, and lost customers add more.

In the 2024-25 financial year:

  • Over 84,700 cybercrime reports filed (one every 6 minutes)
  • Over 1,200 cyber security incidents responded to by ASD (up 11% from the prior year)
  • 14% increase in average cost per incident for small businesses

Meanwhile, 40% of cyber insurance claims are denied. The most common reason: the business couldn't demonstrate it had the controls it claimed on the application. An Essential Eight assessment creates the evidence that makes claims defensible.

How the Essential Eight Compares to Other Frameworks

If you're hearing about ISO 27001, SOC 2, NIST, and the Essential Eight all at once, here's how they relate.

Essential Eight is Australian, practical, and focused. Eight specific technical controls. Easy to measure. Designed to prevent the most common attacks. No formal certification (just assessment reports).

ISO 27001 is international, comprehensive, and process-heavy. 93 controls covering everything from physical security to HR. Formal certification via accredited auditors. Takes 6-12 months for most organisations.

SOC 2 is American, trust-based, and customer-facing. Five trust service principles. Audit report produced by a CPA firm. Primarily used when US enterprise customers require it.

NIST CSF is American, risk-based, and framework-level. Six functions: Govern, Identify, Protect, Detect, Respond, Recover (the Govern function was added in the 2024 update to CSF 2.0). More of a governance framework than a prescriptive control set.

Cyber Essentials is British, simplified, and entry-level. Five controls with self-assessment option. Required for UK government contracts.

The overlap is significant. Many Essential Eight controls map directly to ISO 27001 Annex A controls. If you need both, a combined assessment costs less than doing them separately.

For most Australian businesses, the Essential Eight is the right starting point. It's specific, measurable, and directly relevant to your cyber insurance and government contract requirements. If you later need ISO 27001 or SOC 2, you'll already have a strong foundation.

Common Misconceptions

"Essential Eight is only for government." The framework was developed for government, but it applies to any Australian organisation. And increasingly, the private sector is expected to implement it. Cyber insurers don't care that it was designed for government. They care that it works.

"There's an Essential Eight certification." There isn't. Unlike ISO 27001, there's no certificate to frame. What you get is an assessment report documenting your maturity level across each control. Some consultancies market "Essential Eight certification" as a service, but that's their branding, not an official designation.

"We need Maturity Level 3." Almost certainly not. ML3 is designed for organisations facing nation-state threats. Government intelligence agencies, defence contractors, critical infrastructure operators. Most private businesses need ML2, and many should start with ML1.

"We can do this ourselves." You can do a lot of the implementation internally if you have competent IT staff. But the assessment itself should involve someone independent who can objectively measure your maturity and produce a report your insurer will accept.

"It's a one-time thing." The framework is ongoing. Patches need applying within timeframes. Access reviews need running. Backups need testing. And your insurer will ask again next year.

Who Needs to Care

If you have cyber insurance (or plan to get it), your insurer is almost certainly asking about these controls in some form. An Essential Eight assessment makes the renewal questionnaire straightforward.

If you work with government, the PSPF requires ML2 for non-corporate Commonwealth entities. Government procurement increasingly expects it from contractors too.

If you hold customer data in healthcare, financial services, legal, or education, Essential Eight maps directly to the security controls regulators expect.

If you're a small business thinking this doesn't apply to you: 43% of cyberattacks target small businesses. Not because they're high-value targets, but because they're easy targets.

Getting Started

You don't need to implement all eight controls at ML3 tomorrow. That would be expensive, disruptive, and probably unnecessary.

Your Essential Eight Starting Path

  1. Take the free compliance scorecard. 5 minutes. Identify where you stand.
  2. Focus on MFA, patching, and backups first. These three prevent most breaches.
  3. Get a formal assessment at your target maturity level. Creates the report your insurer needs.
  4. Remediate gaps based on the prioritised roadmap. Fix what matters most, first.
  5. Maintain and reassess annually.

Start with the controls that have the highest impact for the lowest effort:

  1. MFA everywhere. This is the single most effective control. Enable it on every account that supports it. Start with email, VPN, and admin consoles.

  2. Automated patching. Turn on automatic updates for operating systems and common applications. Configure your RMM or endpoint management tool to enforce patching timelines.

  3. Test your backups. Not "check they're running." Actually restore from backup. Know how long it takes and whether the data is complete. Do this quarterly at minimum.

These three controls alone would have prevented or significantly limited most of the major breaches in the table above.

What an Assessment Costs

For most Australian SMEs, an Essential Eight assessment runs $5,000 to $15,000 depending on organisation size, environment complexity, and target maturity level. That covers a gap analysis, written report, and prioritised remediation roadmap.

Budget an additional $10,000 to $30,000 for remediation if you have significant gaps (deploying MFA, configuring application control, setting up immutable backups).

The assessment is a tax-deductible business expense. Complete it before June 30 and it's deductible this financial year.

For detailed pricing breakdowns by provider type, see our guide on Essential Eight assessment costs.

Start With the Free Scorecard

The Innitor compliance scorecard covers the same controls your insurer is asking about, mapped to Essential Eight maturity levels. Five minutes, no email required, results stay in your browser. If your score is under 70, it's worth getting a formal assessment.


Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.
