The Essential Eight is a prioritized set of cybersecurity mitigation strategies developed by the Australian Cyber Security Centre to help organizations protect themselves against various cyber threats. While originally designed for Australian government entities under the Protective Security Policy Framework, the Essential Eight has been widely adopted by private sector organizations in Australia and internationally as a practical baseline for cybersecurity.

The July 2024 update refined maturity level requirements and clarified implementation guidance across all eight strategies.

Essential Eight Overview

The Essential Eight derives from the ACSC’s Strategies to Mitigate Cyber Security Incidents, prioritizing eight mitigation strategies that provide the most effective protection against targeted cyber intrusions. These strategies are organized into three objectives: preventing malware delivery and execution, limiting the extent of incidents, and recovering data and system availability.

Maturity Levels

Maturity Level 0 indicates weaknesses exist that could be exploited. Maturity Level 1 provides partial alignment focused on adversaries using widely available tools and techniques. Maturity Level 2 aligns with adversaries with moderate capability who invest more effort in tools and targeting. Maturity Level 3 aligns with adversaries using more sophisticated techniques including exploiting weaknesses in target networks.

Organizations should assess their threat environment and determine the appropriate target maturity level. Australian government entities are generally expected to achieve Maturity Level 2 or 3 depending on their risk profile.

The Eight Mitigation Strategies

1. Application Control

Application control prevents execution of unapproved or malicious programs including executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets.

Maturity Level 1 requires application control implemented on workstations, execution restricted to an approved set of applications, execution blocked from user-writable locations, and Microsoft’s recommended block rules implemented.

Maturity Level 2 adds application control implemented on internet-facing servers, execution restricted to an organization-approved set, Microsoft’s recommended driver block rules implemented, and logging of allowed and blocked execution events.

Maturity Level 3 adds application control implemented on all servers, all rule sets validated annually or after changes, and centralized logging and monitoring of application control events.

Implementation guidance includes using Microsoft Defender Application Control or AppLocker for Windows environments, implementing on workstations before servers, starting with audit mode before enforcement, and maintaining an approved application inventory with regular reviews.
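The audit-mode pilot and the allowed/blocked event logging described above produce AppLocker events that need triage before rules are enforced. The following PowerShell is an added example, not ACSC or Microsoft code: the log names and event IDs are Microsoft's, the user-writable path patterns are a heuristic of this example, and the embedded event is constructed so the parser can be run offline.

```powershell
# Added example, not ACSC or Microsoft code. Microsoft's AppLocker event IDs:
# 8003/8006 = audited (would have been blocked), 8004/8007 = blocked.
$AuditIds = 8003, 8006
$BlockIds = 8004, 8007
# Heuristic for user-writable paths as AppLocker reports them (its own path variables).
# Execution from these locations is what Maturity Level 1 expects to be blocked.
$UserWritablePatterns = '^%OSDRIVE%\\USERS\\', '^%WINDIR%\\TEMP\\', '^%REMOVABLE%', '^%HOT%'

function ConvertFrom-AppLockerEventXml {
    # Flatten one event (as returned by EventRecord.ToXml()) into a record for triage.
    param([Parameter(Mandatory)][string]$EventXml)
    $x  = [xml]$EventXml
    $d  = $x.Event.UserData.RuleAndFileData
    $id = [int]$x.Event.System.EventID
    [pscustomobject]@{
        TimeCreated  = [datetime]$x.Event.System.TimeCreated.SystemTime
        Outcome      = if ($id -in $AuditIds) { 'Audited' } elseif ($id -in $BlockIds) { 'Blocked' } else { 'Allowed' }
        FilePath     = $d.FilePath
        Publisher    = $d.Fqbn          # '-' when the binary is unsigned
        User         = $d.TargetUser
        UserWritable = [bool]($UserWritablePatterns | Where-Object { $d.FilePath -match $_ })
    }
}

function Get-AppLockerPilotSummary {
    # Read the live logs (elevated session on a host with AppLocker logs) and rank paths by
    # hit count, user-writable paths first: those need no rule, the rest need a decision.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    $logs | ForEach-Object {
        Get-WinEvent -FilterHashtable @{ LogName = $_; Id = $AuditIds + $BlockIds; StartTime = $Since } -ErrorAction SilentlyContinue
    } | ForEach-Object { ConvertFrom-AppLockerEventXml $_.ToXml() } |
        Group-Object FilePath | ForEach-Object {
            [pscustomobject]@{
                Hits = $_.Count; UserWritable = $_.Group[0].UserWritable; FilePath = $_.Name
                Users = ($_.Group.User | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object UserWritable, Hits -Descending
}

# Constructed sample event (not a real capture) so the parser can be exercised offline.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8003</EventID><TimeCreated SystemTime="2024-08-01T09:15:00.0000000Z"/></System>
  <UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
    <PolicyName>EXE</PolicyName><RuleName>(Default Rule) All files</RuleName>
    <TargetUser>S-1-5-21-1111-2222-3333-1001</TargetUser>
    <FilePath>%OSDRIVE%\USERS\ALICE\DOWNLOADS\INSTALLER.EXE</FilePath><Fqbn>-</Fqbn>
  </RuleAndFileData></UserData>
</Event>
'@
ConvertFrom-AppLockerEventXml $SampleXml
```

Run Get-AppLockerPilotSummary on a pilot workstation to see which paths would be blocked once the policy leaves audit mode.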

2. Patch Applications

Patches, updates, or vendor mitigations for security vulnerabilities in applications are applied within appropriate timeframes based on severity.

Maturity Level 1 requires an automated method of asset discovery implemented at least fortnightly, a vulnerability scanner used for applications at least daily, patches for extreme risk vulnerabilities applied within 48 hours, patches for high risk vulnerabilities applied within two weeks, and applications no longer supported by vendors removed.

Maturity Level 2 adds patches for extreme risk vulnerabilities in internet-facing services applied within 48 hours and patches for moderate and low risk vulnerabilities applied within one month.

Maturity Level 3 adds patches for all vulnerabilities applied within 48 hours if exploits exist and vulnerability scanner run at least weekly.

Implementation guidance includes prioritizing internet-facing applications and applications processing untrusted content, maintaining application inventory with version tracking, using automated patching tools where possible, and documenting exception processes for delayed patches.

3. Configure Microsoft Office Macro Settings

Microsoft Office macros are configured to reduce the attack surface while maintaining necessary business functionality.

Maturity Level 1 requires Microsoft Office macros disabled for users who do not require them, Microsoft Office macros in files from the internet blocked, antivirus scanning of Microsoft Office macros enabled, and Microsoft Office macro security settings locked so that users cannot change them.

Maturity Level 2 adds that only Microsoft Office macros running from Trusted Locations are allowed to execute, that only approved Microsoft Office macros digitally signed by trusted publishers are allowed to execute, and that Microsoft Office’s list of trusted publishers is validated annually.

Maturity Level 3 adds Microsoft Office macros digitally signed by trusted publishers, Trusted Locations configured to prevent users adding new Trusted Locations, and logging of allowed and blocked macro execution centrally stored and protected.

Implementation guidance includes conducting business impact assessment before disabling macros, using Attack Surface Reduction rules in Microsoft Defender, implementing signed macro policy for users requiring macros, and training users on macro risks.
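The macro requirements above are enforced on Windows through Group Policy values under the Office policy registry hive, which is also what makes them unchangeable by users. The following PowerShell is an added example, not ACSC or Microsoft code: the registry paths and value names are Microsoft's documented Office 2016+ (16.0) policy keys, the expected values are this example's encoding of the requirements as stated on this page, and the sample settings are constructed.

```powershell
# Added example, not ACSC or Microsoft code: audit the Office macro policy values for one
# application against the requirements above. Paths/value names are Microsoft's Office
# 2016+ policy keys; expected values are this example's encoding of the page's requirements.
function Get-OfficeMacroPolicyChecks {
    param(
        [ValidateSet('word', 'excel', 'powerpoint')][string]$App = 'word',
        # NoMacros = users who do not require macros (ML1); SignedOnly = users who do (ML2).
        [ValidateSet('NoMacros', 'SignedOnly')][string]$Profile = 'NoMacros',
        # Optional "key\value" -> value table; when omitted the live HKCU policy hive is read.
        [hashtable]$Settings
    )
    $base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
    # vbawarnings: 4 = disable all without notification, 3 = disable except digitally signed.
    $vbaExpected = if ($Profile -eq 'NoMacros') { 4 } else { 3 }
    $checks = @(
        @{ Req = 'Macros disabled / signed only';           Key = "$base\$App\Security";                   Name = 'vbawarnings';                       Expect = $vbaExpected }
        @{ Req = 'Macros in files from the internet blocked'; Key = "$base\$App\Security";                 Name = 'blockcontentexecutionfrominternet'; Expect = 1 }
        @{ Req = 'Antivirus (AMSI) scanning of macros';     Key = "$base\Common\Security";                 Name = 'macroruntimescanscope';             Expect = 2 }  # 2 = all documents
        @{ Req = 'Users cannot add Trusted Locations';      Key = "$base\$App\Security\Trusted Locations"; Name = 'allow user locations';              Expect = 0 }
    )
    foreach ($c in $checks) {
        $actual = if ($Settings) { $Settings["$($c.Key)\$($c.Name)"] }
                  else { (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name) }
        [pscustomobject]@{
            Requirement = $c.Req
            Value       = $c.Name
            Expected    = $c.Expect
            Actual      = $actual
            # A missing policy value means the setting is left to the user, which fails ML1.
            Status      = if ($null -eq $actual) { 'NOT CONFIGURED (user-controlled)' }
                          elseif ($actual -eq $c.Expect) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Constructed sample: internet blocking is set, AMSI scans low-trust documents only, and
# macro execution itself is still left to the user.
$Sample = @{
    'HKCU:\Software\Policies\Microsoft\Office\16.0\word\Security\blockcontentexecutionfrominternet' = 1
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security\macroruntimescanscope'           = 1
}
Get-OfficeMacroPolicyChecks -App word -Profile NoMacros -Settings $Sample | Format-Table -AutoSize
```

Omit -Settings to audit the current user's live policy hive; repeat per Office application, since each has its own Security key.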

4. User Application Hardening

Web browsers and other applications are configured to reduce their attack surface.

Maturity Level 1 requires web browsers configured to block or disable Java, web browsers configured to block or disable web advertisements, web browsers configured to block or disable Flash, and Internet Explorer 11 disabled or removed.

Maturity Level 2 adds that web browser security settings cannot be changed by users, Microsoft Office configured to prevent activation of OLE packages, PDF software configured to disable JavaScript, and web browser extensions controlled.

Maturity Level 3 adds PowerShell constrained language mode enabled, PowerShell script block logging enabled, and .NET Framework 3.5 (including .NET 2.0) disabled or removed.

Implementation guidance includes using Group Policy to enforce browser settings, deploying an approved web browser extension list, configuring PDF readers to disable JavaScript, and monitoring for attempts to bypass hardening.

5. Restrict Administrative Privileges

Administrative privileges are restricted to personnel who require them, used for administrative tasks only, and subject to regular review.

Maturity Level 1 requires privileged access limited to tasks requiring privileges, separate accounts for privileged and unprivileged activities, privileged accounts prevented from accessing the internet, email, and web services, and privileged access reviewed at least annually.

Maturity Level 2 adds privileged access limited to specific administrative activities, just-in-time administration implemented where possible, credentials for break-glass accounts stored securely, and privileged access reviewed at least every six months.

Maturity Level 3 adds privileged access disabled after 45 days of inactivity, privileged access to systems and applications limited to 12 months maximum, and privileged access reviewed at least monthly.

Implementation guidance includes implementing separate admin workstations or PAWs, using just-in-time privileged access management, disabling direct internet access from privileged accounts, and maintaining privileged access inventory with regular certification.

6. Patch Operating Systems

Patches for security vulnerabilities in operating systems are applied within appropriate timeframes.

Maturity Level 1 requires an automated method of asset discovery at least fortnightly, a vulnerability scanner used for operating systems at least daily, patches for extreme risk vulnerabilities applied within 48 hours, patches for high risk vulnerabilities applied within two weeks, and operating systems no longer supported by vendors replaced.

Maturity Level 2 adds patches for extreme risk vulnerabilities in internet-facing services within 48 hours and patches for moderate and low risk vulnerabilities within one month.

Maturity Level 3 adds patches for all vulnerabilities applied within 48 hours if exploits exist, latest release or previous release of operating systems used, and vulnerability scanner run at least weekly.

Implementation guidance includes maintaining OS inventory with version and patch level, prioritizing internet-facing and critical systems, implementing automated patch management, and documenting rollback procedures for problematic patches.
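The application and operating system patching strategies above share one set of timeframes that tighten with maturity level. The following PowerShell is an added example, not ACSC tooling: it encodes those timeframes exactly as stated on this page (48 hours for extreme, two weeks for high, one month for moderate and low from Maturity Level 2, and 48 hours for anything with a known exploit at Maturity Level 3) and runs them over constructed sample findings to flag what is overdue.

```powershell
# Added example, not ACSC tooling: derive the patch deadline the page's timeframes imply
# for a finding at a given target maturity level, then report overdue findings.
function Get-PatchDeadlineHours {
    param([Parameter(Mandatory)]$Finding, [ValidateRange(1, 3)][int]$MaturityLevel = 2)
    $hours = switch ($Finding.Severity) {
        'Extreme' { 48 }          # ML1: within 48 hours
        'High'    { 14 * 24 }     # ML1: within two weeks
        default   { if ($MaturityLevel -ge 2) { 30 * 24 } else { $null } }  # ML2: moderate/low within one month
    }
    # ML3: any vulnerability with a known exploit must be patched within 48 hours.
    if ($MaturityLevel -ge 3 -and $Finding.ExploitExists) {
        if ($null -eq $hours -or $hours -gt 48) { $hours = 48 }
    }
    return $hours
}

function Test-PatchCompliance {
    param([Parameter(Mandatory)][object[]]$Findings, [int]$MaturityLevel = 2, [datetime]$AsOf = (Get-Date))
    foreach ($f in $Findings) {
        $hours    = Get-PatchDeadlineHours -Finding $f -MaturityLevel $MaturityLevel
        $deadline = if ($null -ne $hours) { $f.Discovered.AddHours($hours) } else { $null }
        $closed   = if ($f.Patched) { $f.Patched } else { $AsOf }   # still open: measure against now
        [pscustomobject]@{
            Asset = $f.Asset; Severity = $f.Severity; ExploitExists = $f.ExploitExists; Deadline = $deadline
            Status = if ($null -eq $deadline) { 'No timeframe at this ML' }
                     elseif ($closed -le $deadline) { if ($f.Patched) { 'Patched in time' } else { 'Open, within window' } }
                     else { if ($f.Patched) { 'Patched late' } else { 'OVERDUE' } }
        }
    }
}

# Constructed sample findings (not real scan output). The moderate finding is only overdue
# because the target is ML3 and an exploit exists; at ML2 it would have a month.
$AsOf = [datetime]'2024-08-10T09:00:00'
$Findings = @(
    [pscustomobject]@{ Asset = 'web-01'; Severity = 'Extreme';  ExploitExists = $true;  Discovered = [datetime]'2024-08-08T10:00:00'; Patched = $null }
    [pscustomobject]@{ Asset = 'ws-117'; Severity = 'High';     ExploitExists = $false; Discovered = [datetime]'2024-07-20T08:00:00'; Patched = [datetime]'2024-08-01T12:00:00' }
    [pscustomobject]@{ Asset = 'app-03'; Severity = 'Moderate'; ExploitExists = $true;  Discovered = [datetime]'2024-08-05T08:00:00'; Patched = $null }
)
Test-PatchCompliance -Findings $Findings -MaturityLevel 3 -AsOf $AsOf | Format-Table -AutoSize
```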

7. Multi-Factor Authentication

Multi-factor authentication is implemented for access to sensitive data and systems.

Maturity Level 1 requires MFA for remote access to systems, MFA for privileged users, and MFA uses either something the user has and knows, or something the user has unlocked by something they know or are.

Maturity Level 2 adds MFA for users accessing important data repositories, MFA for all users accessing internet-facing services, and MFA using phishing-resistant methods for privileged users.

Maturity Level 3 adds MFA for all users of all systems, MFA using phishing-resistant methods for all users of important systems, and MFA events centrally logged and monitored.

Implementation guidance includes implementing FIDO2 or certificate-based authentication for privileged users, using conditional access policies based on risk, disabling legacy authentication protocols, and monitoring for MFA bypass attempts.

8. Regular Backups

Backups of important data, software, and configuration settings are performed and retained in accordance with business continuity requirements.

Maturity Level 1 requires backups performed at least daily for important data, backups synchronized to enable restoration to a common point in time, backups retained for at least three months, and restoration of backups tested as part of disaster recovery exercises annually.

Maturity Level 2 adds backups of software and configuration settings, a requirement that unprivileged accounts cannot access backups belonging to other accounts or modify or delete any backups, and restoration tested at least once when initially implemented and each time changes are made.

Maturity Level 3 adds backups stored offline or immutable, backup and restoration processes tested semi-annually, and centralized and time-synchronized logging of backup activities.

Implementation guidance includes implementing a 3-2-1 backup strategy (three copies, on two different media types, with one offsite), testing restoration to an isolated environment, implementing immutable backups where possible, and documenting recovery time and recovery point objectives.

Implementation Approach

Prioritization

The Essential Eight strategies are listed in priority order for implementation. Organizations should focus first on application control, patching applications, and configuring Microsoft Office macro settings, as these prevent malware delivery and execution. The next priority is user application hardening and restricting administrative privileges, which limit the extent of incidents. Operating system patching and MFA strengthen the environment further. Regular backups ensure recovery capability.

Quick Wins

Common quick wins include disabling macros for users who do not require them, blocking web advertisements and Flash, implementing MFA for remote access and privileged users, disabling Internet Explorer 11, reviewing and reducing administrative privileges, and validating backup restoration procedures.

Common Gaps

Frequently identified gaps include incomplete asset inventory affecting patch visibility, application control not covering all executable types, macros still enabled for all users, privileged accounts with internet and email access, infrequent backup restoration testing, and MFA not implemented for all internet-facing services.

Assessment and Reporting

Self-Assessment

Organizations can conduct self-assessment using the Essential Eight Assessment Process Guide from ACSC. Assessment should evaluate each strategy against each maturity level requirement, document evidence of implementation, identify gaps and remediation actions, and track progress over time.

External Assessment

External assessment may be conducted by certified assessors for organizations requiring independent validation. ACSC maintains a list of organizations providing Essential Eight assessment services.

Board Reporting

Board reports should include current maturity level for each strategy, target maturity level and timeline, key gaps and remediation status, and risk implications of current maturity state.

Recent Updates

July 2024 Changes

The July 2024 update included refined patching timeframes based on vulnerability severity, clarified application control requirements for different system types, updated MFA guidance emphasizing phishing-resistant methods, enhanced backup requirements for immutability, and additional logging requirements at higher maturity levels.

Relationship to ISM

The Essential Eight is a subset of the broader Information Security Manual published by ACSC. Organizations implementing Essential Eight should consider full ISM implementation for comprehensive security coverage. ISM provides detailed technical controls mapping to Essential Eight strategies.

Comparison to Other Frameworks

The Essential Eight aligns with CIS Controls through mapping to Controls 2, 4, 5, 6, 7, 10, and 11. NIST CSF mapping includes Protect function categories PR.AC, PR.DS, PR.IP, and PR.MA. ISO 27001 alignment includes controls in Annex A covering access control, operations security, and communications security.

Key differences include the Essential Eight’s prescriptive nature with specific technical requirements versus frameworks providing general guidance, explicit maturity levels providing clear progression path, Australian government mandate for covered entities, and focus on eight highest-impact strategies rather than comprehensive control coverage.

The Essential Eight provides a practical, prioritized approach to baseline cybersecurity. Organizations that systematically implement these strategies at appropriate maturity levels significantly reduce their exposure to common cyber threats while building a foundation for more comprehensive security programs.