What the Essential Eight actually is
The Essential Eight is the Australian Cyber Security Centre’s prioritised set of eight mitigation strategies against the most common cyber threats[1]. It exists because boards needed a defensible answer to: "how do we know we have done enough?". The eight controls are deliberately limited so they are achievable, and deliberately specific so they are auditable.
- Application control (only approved applications can execute)
- Patch applications (mitigate exploits of unpatched software)
- Configure Microsoft Office macro settings (block untrusted macros)
- User application hardening (restrict browser, Office, PDF risks)
- Restrict administrative privileges (admin rights as the exception, not the default)
- Patch operating systems (close OS-level vulnerabilities promptly)
- Multi-factor authentication (MFA on all internet-facing and privileged access)
- Regular backups (tested restoration, not just successful backup completion)
The four maturity levels
Each control is rated on a four-level scale: Maturity Level 0 (not meeting requirements), Maturity Level 1 (partly aligned), Maturity Level 2 (mostly aligned, the floor for Australian government non-corporate Commonwealth entities), and Maturity Level 3 (fully aligned with the ACSC strategy)[1]. The maturity level is not aspirational, it is the description of where each control actually sits today.
A common mid-market pattern is to score Maturity Level 1 on five or six controls and Maturity Level 0 on the rest. The MSP may describe this honestly internally and aspirationally externally. The gap matters because the controls at Maturity Level 0 are usually the ones that get exploited in real incidents documented in the ACSC Annual Cyber Threat Report[3].
Where MSPs commonly oversell maturity
- Application control quoted as deployed organisation-wide, then exclusions for "developer machines" and "executive laptops" omitted from board reporting
- Patch cadence quoted in days, then critical-application coverage scoped only to operating systems and Microsoft products
- Privileged access restricted on paper, then admin accounts shared across the service desk for operational convenience
- MFA mandated, then service accounts and break-glass accounts excluded with no compensating controls
- Backup completion reported, restoration to production-similar systems never tested at the cadence the framework requires
What the board should ask quarterly
- For each of the eight controls: which Maturity Level is it at this quarter, evidenced how?
- Where the level has dropped since last quarter, what changed and what is the remediation plan?
- Which Maturity Level 0 controls would have prevented or contained incidents in the most recent ACSC threat report[3]?
- When was the last independent (not the implementing MSP) review of the maturity score?
- What is the planned trajectory of the lowest-scoring control over the next four quarters?
How independent oversight closes the gap
Independent oversight is not a penetration test (which assumes the controls exist). It is the validation that the controls described in the contract actually exist, function as described, and have the audit evidence the framework requires. From practice experience, the gap between MSP-reported and audit-validated Maturity Levels is rarely small[5]. Closing it is one of the highest-yield exercises a mid-market board can run.
One note on longevity: in June 2026 ASD announced it will evolve the Essential Eight into a domain-specific "Essentials" series over roughly the next two years[4]. The eight controls are not disappearing, but the framing and assessment approach will change, so treat any current Maturity Level report as a point-in-time position rather than a permanent one.