What is Australian Essential Eight?

The Australian Essential Eight is a set of eight cybersecurity mitigation strategies published by the Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC) to mitigate cybersecurity incidents.

Definition

The Essential Eight evolved from earlier ASD “Top 4” guidance and has become the dominant cybersecurity baseline for Australian government and government-adjacent organisations. The ACSC maintains the published Essential Eight Maturity Model that defines specific implementation requirements at each maturity level.

The eight strategies are: (1) Application control, (2) Patch applications, (3) Configure Microsoft Office macro settings, (4) User application hardening, (5) Restrict administrative privileges, (6) Patch operating systems, (7) Multi-factor authentication, (8) Regular backups.

Maturity Level 1 (ML1) is the baseline; ML2 adds further controls and shorter timelines; ML3 adds the most rigorous controls, including 48-hour application patching for internet-facing services. For Australian government contractors, the Essential Eight at the contract-specified maturity level is a procurement gate.

Core components

  • Strategy 1: Application control. Allowlisting of executables, software libraries, scripts, installers, and other code to prevent execution of unapproved programs.
  • Strategy 2: Patch applications. Patch internet-facing applications on prescribed timelines (48 hours at ML3 for internet-facing services with known exploits).
  • Strategy 3: Configure Microsoft Office macro settings. Block macros from the internet; allow only digitally signed macros; specific implementation prescribed at higher maturity levels.
  • Strategy 4: User application hardening. Web browser, PDF reader, and Office configuration to disable risky features (Flash, ads from untrusted sources, OLE, etc.).
  • Strategy 5: Restrict administrative privileges. Limit administrative privileges to those who need them; just-in-time elevation at higher maturity levels.
  • Strategy 6: Patch operating systems. Patch operating systems on prescribed timelines aligned to severity.
  • Strategy 7: Multi-factor authentication. MFA for privileged accounts, internet-facing services, and additional services at higher maturity levels.
  • Strategy 8: Regular backups. Backup of important data, software, and configuration with retention, restoration testing, and protection against destructive cyber events.

Why it matters

For Australian government contractors, Essential Eight compliance at the specified maturity level is a procurement gate. The Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) require Essential Eight implementation for government entities.

For Australian MSPs serving government and government-adjacent clients, delivering Essential Eight readiness has become a billable service. The MSP itself is also typically expected to maintain Essential Eight at the level matching the client's requirement.

Beyond Australia, the Essential Eight is influential as a model of prescriptive cybersecurity guidance. Organisations in other countries cite it as a maturity benchmark.

How Lavawall® helps with Australian Essential Eight

Lavawall® includes the Australian Essential Eight as a first-class framework at all three Maturity Levels. The strategy-by-strategy mapping reflects the prescriptive implementation requirements ASD calls out, not a generic interpretation.

Strategy 1 (Application control) is delivered by Lavawall®'s kernel-free application control. Strategies 2 and 6 (patching) are delivered by the 7,500+ application patch catalog across Windows, macOS, and Linux. Strategies 3, 4, and 5 (Office macros, user application hardening, privileged access) are delivered by configuration assessment. Strategy 7 (MFA) is delivered through the M365 / Entra / Google Workspace ITDR connectors. Strategy 8 (backups) is delivered through backup-system monitoring.

Frequently asked

What is the difference between ML1, ML2, and ML3?
ML1 is baseline implementation; ML2 adds further controls and shorter timelines; ML3 adds the most rigorous controls, including 48-hour application patching for internet-facing services and stricter macro / privileged-access requirements.
Is Essential Eight the same as the Australian Information Security Manual (ISM)?
No. The ISM is the Australian Government's comprehensive cybersecurity standard. Essential Eight is a subset of mitigation strategies the ACSC has identified as the most effective baseline.
Are MSPs required to be Essential Eight compliant themselves?
MSPs serving Australian government clients are increasingly expected to maintain Essential Eight at the level matching the client's requirement.