Assess your maturity. Close the gaps. Demonstrate genuine capability. Built for Australian businesses by a team that's spent 18 years in Australian regulation.
The Essential Eight is a set of baseline mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). Originally published in 2017 and updated regularly, these eight strategies are prioritised based on their effectiveness at mitigating cyber security incidents. They are not aspirational guidelines - they are the minimum an Australian organisation should implement.
While Essential Eight is technically "recommended" rather than legally mandated for private sector organisations, the reality is far more demanding:
Non-corporate Commonwealth entities are required to implement Essential Eight at a minimum of Maturity Level 2 under the Protective Security Policy Framework (PSPF). This is not optional.
Organisations contracting with government agencies are increasingly required to demonstrate Essential Eight maturity. Procurement evaluations now routinely include Essential Eight self-assessments.
APRA-regulated financial institutions must demonstrate security controls commensurate with threats under CPS 234. Essential Eight strategies map directly to these expectations. Health, energy, and critical infrastructure sectors face similar pressures.
Enterprise customers, cyber insurers, and boards are adopting Essential Eight as the de facto benchmark for cyber security maturity in Australia. Without demonstrable alignment, you face commercial disadvantage.
The eight strategies are organised around three objectives that reflect the primary attack lifecycle:
Application control, patch applications, configure Microsoft Office macro settings, and user application hardening. These four strategies aim to stop malicious code from reaching and running on your systems in the first place.
Restrict administrative privileges and patch operating systems. These strategies limit the damage an adversary can do once they've gained initial access, by reducing both the privileges available to them and the vulnerabilities they can exploit.
Multi-factor authentication and regular backups. MFA prevents credential theft from escalating, and backups ensure you can recover when other defences fail.
Together they form the most effective baseline for cyber resilience in Australia. CyberHeed assesses, tracks, and validates each one across all maturity levels.
Prevent execution of unapproved or malicious programs. Only approved applications are allowed to run on workstations and servers. This blocks malware, ransomware, and unauthorised software from executing - even if it reaches your environment.
ML1: Application control on workstations. ML2: Extended to internet-facing servers, event logs centralised. ML3: Microsoft's recommended block rules, annual validation.
Patch applications with known security vulnerabilities within defined timeframes. Unpatched applications are the primary entry point for targeted attacks. Internet-facing services, office productivity suites, web browsers, and email clients require priority attention.
ML1: Patches within 1 month. ML2: Within 2 weeks for internet-facing, 1 month for others. ML3: Within 48 hours for critical, automated scanning.
Block macros from the internet, only allow vetted macros in trusted locations, and use macro signing. Office macros remain one of the most common delivery mechanisms for malware in Australian organisations.
ML1: Macros disabled for users who don't require them. ML2: Blocked from internet, only signed macros. ML3: Macros blocked from internet, sandboxed, validated.
Configure web browsers and applications to block ads, Java, and Flash. Disable unneeded features in office applications. Reduce the attack surface by removing functionality that adversaries exploit for initial access.
ML1: Block Flash, ads, Java in browsers. ML2: Block PowerShell, .NET, HTA, OLE. ML3: Child process restrictions, AMSI bypass protections.
Limit admin access to those who need it for their role. Use separate accounts for privileged and unprivileged work. Validate the need regularly. Compromised admin accounts give adversaries full control - restricting privileges limits the blast radius.
ML1: Requests validated, separate accounts, no internet/email from privileged accounts. ML2: PAM, just-in-time admin. ML3: Full PAM with session recording.
Patch operating systems with known security vulnerabilities within defined timeframes. Replace end-of-life operating systems that no longer receive vendor support. Unpatched operating systems on workstations and servers are high-value targets.
ML1: Patches within 1 month, no unsupported OS. ML2: Within 2 weeks for internet-facing. ML3: Within 48 hours for critical, automated scanning.
Require MFA for all users when accessing internet-facing services, third-party providers, and important data. Phishing-resistant MFA where possible. Stolen credentials are the most common initial access technique - MFA blocks the majority of credential-based attacks.
ML1: MFA for internet-facing services and privileged users. ML2: MFA for all users, phishing-resistant where available. ML3: Phishing-resistant MFA for all, verifier impersonation resistant.
Perform backups of important data, software, and configuration settings. Store backups offline or disconnected. Test restoration regularly. When everything else fails - when ransomware encrypts your systems - backups are the last line of defence.
ML1: Backups performed, stored disconnected, retained for a defined period. ML2: Backups tested for restoration. ML3: Unprivileged accounts can't modify/delete, tested quarterly.
The Essential Eight Maturity Model defines four levels for each strategy. Most organisations target Maturity Level 1 initially, with regulated entities and government agencies expected to achieve Level 2 or 3.
Weaknesses exist that could be exploited. The mitigation strategy is not implemented, or is implemented so poorly that it provides negligible protection. This is not a target - it's a baseline finding.
Partly aligned with the intent of the mitigation strategy. Provides some protection against adversaries who are content to use widely available tradecraft. The entry point for most organisations.
Mostly aligned with the intent. Provides protection against adversaries who invest more effort in their targeting. Expected for organisations handling sensitive data or serving government.
Fully aligned. Provides protection against adversaries who are more adaptive and less reliant on public tools. The target for critical infrastructure and high-value targets.
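To show how the maturity levels above turn into a concrete, checkable finding, here is an added Python example (not CyberHeed's code and not an ASD tool) that scores a set of application patch records against the timeframes exactly as this page summarises them: 1 month at ML1, 2 weeks for internet-facing applications at ML2, and 48 hours for critical patches at ML3. The full ASD maturity model contains more cases than this summary, so the thresholds, the `PatchRecord` fields and the sample records are all constructed for illustration. An application that is still unpatched is measured against the assessment date rather than ignored, which is the edge case that most often drops an organisation a level.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List

# Timeframes as summarised on this page (constructed simplification of the
# ASD maturity model, which has additional cases).
ML1_WINDOW = timedelta(days=30)            # ML1: all patches within 1 month
ML2_INTERNET_FACING = timedelta(days=14)   # ML2: 2 weeks for internet-facing
ML2_OTHER = timedelta(days=30)             # ML2: 1 month for everything else
ML3_CRITICAL = timedelta(hours=48)         # ML3: 48 hours for critical patches


@dataclass
class PatchRecord:
    app: str
    internet_facing: bool
    critical: bool
    released: datetime            # when the vendor published the patch
    applied: Optional[datetime]   # None = still unpatched at assessment time


def time_to_patch(rec: PatchRecord, now: datetime) -> timedelta:
    """Elapsed time from release to application; open exposure if unpatched."""
    end = rec.applied if rec.applied is not None else now
    return end - rec.released


def meets_ml1(rec: PatchRecord, now: datetime) -> bool:
    return time_to_patch(rec, now) <= ML1_WINDOW


def meets_ml2(rec: PatchRecord, now: datetime) -> bool:
    limit = ML2_INTERNET_FACING if rec.internet_facing else ML2_OTHER
    return time_to_patch(rec, now) <= limit


def meets_ml3(rec: PatchRecord, now: datetime) -> bool:
    # ML3 keeps the ML2 windows and adds a 48-hour window for critical patches.
    if rec.critical and time_to_patch(rec, now) > ML3_CRITICAL:
        return False
    return meets_ml2(rec, now)


def maturity_level(records: List[PatchRecord], now: datetime) -> int:
    """Highest level that every record meets; 0 means at least one record misses ML1."""
    if not all(meets_ml1(r, now) for r in records):
        return 0
    if not all(meets_ml2(r, now) for r in records):
        return 1
    if not all(meets_ml3(r, now) for r in records):
        return 2
    return 3


def gaps(records: List[PatchRecord], now: datetime, target: int) -> List[str]:
    """Applications that currently block the organisation from reaching `target`."""
    checks = {1: meets_ml1, 2: meets_ml2, 3: meets_ml3}
    return [r.app for r in records if not checks[target](r, now)]


# Constructed sample inventory for a hypothetical assessment on 1 June 2024.
NOW = datetime(2024, 6, 1)
SAMPLE_RECORDS = [
    PatchRecord("web-gateway", True, True,
                datetime(2024, 5, 1), datetime(2024, 5, 2)),    # 1 day: fine at every level
    PatchRecord("office-suite", False, False,
                datetime(2024, 4, 20), datetime(2024, 5, 10)),  # 20 days: fine (non-internet-facing)
    PatchRecord("vpn-appliance", True, False,
                datetime(2024, 5, 1), datetime(2024, 5, 20)),   # 19 days: breaks the ML2 2-week window
    PatchRecord("pdf-reader", False, True,
                datetime(2024, 5, 20), None),                   # still unpatched 12 days: breaks ML3 48h
]

if __name__ == "__main__":
    print("Achieved maturity level:", maturity_level(SAMPLE_RECORDS, NOW))
    for target in (1, 2, 3):
        print(f"Gaps to ML{target}:", gaps(SAMPLE_RECORDS, NOW, target))
```

Run as a script it reports the achieved level and, for each target level, which applications are holding the organisation back, which is the same shape of finding an assessor writes up: a level is only claimed when every in-scope application satisfies it, and the gap list names the specific records to remediate.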
CyberHeed assesses your current maturity level for each of the eight strategies, identifies exactly what's needed to reach your target level, and tracks remediation progress over time. Not a snapshot - a trajectory.
What started as recommended guidance is rapidly becoming a requirement - contractual, regulatory, and commercial.
Australian government agencies increasingly require Essential Eight alignment - often Maturity Level 2 or above - from suppliers and contractors. Without it, you're excluded from procurement processes before the conversation starts.
Large enterprises are embedding Essential Eight requirements in vendor assessments. When your prospective customer asks about your security posture, Essential Eight maturity is the language they speak in Australia.
Australian cyber insurers are tightening underwriting requirements. Essential Eight alignment is increasingly factored into premium calculations and coverage eligibility. Demonstrable maturity means better terms.
Australian boards are asking their CISOs for measurable security baselines. Essential Eight maturity levels provide a clear, comparable metric that boards can understand and track over time. If you can't report on it, you can't govern it.
CyberHeed manages your Essential Eight compliance through the same Prepare-Comply-Manage cycle used across every framework.
SmartPrep guides your team through a structured assessment of each mitigation strategy. AI adapts based on your answers, follows up on gaps, and captures your current implementation across all eight strategies and all maturity levels.
For each strategy, CyberHeed identifies exactly where you fall short of your target maturity level. Specific, actionable gaps - not vague recommendations. You know precisely what needs to change and why.
Each gap becomes a tracked action item with owners, deadlines, and evidence requirements. As your team implements changes, evidence is uploaded and validated. Your maturity score updates in real time.
Upload evidence of your implementations. AI validates whether your evidence genuinely demonstrates the capability required at your target maturity level. No rubber-stamping - honest assessment of what you've built.
Essential Eight isn't a one-time assessment. Patches fall behind, access reviews lapse, backups go untested. CyberHeed monitors your posture and flags when controls drift below your target maturity level.
Australian organisations rarely need just one framework. CyberHeed maps controls across frameworks automatically. Evidence collected for Essential Eight counts toward ISO 27001 and CPS 234. Answer once. Comply everywhere.
Patch management maps to A.8.8. MFA maps to A.8.5. Application control maps to A.8.19. Admin privileges map to A.8.2. Your Essential Eight work counts toward ISO 27001 technological controls.
CPS 234 requires information security capability commensurate with threats. Each Essential Eight strategy directly demonstrates capability in the areas CPS 234 expects. The frameworks are complementary by design.
Essential Eight strategies map to NIST CSF Protect and Detect functions. Patch management, access control, and application hardening all have direct NIST equivalents. More frameworks, less rework.
Structured assessment. Clear gap analysis. Remediation tracked to completion. Built for Australian businesses.