Renot IT Solutions renot.com.au  |  0438 066 131  |  support@renot.com.au
🔒 Security Checklist — 50 Points

Cybersecurity Checklist for Australian SMBs

A 50-point audit covering the ACSC Essential 8 and beyond. Know exactly where your business stands — and what to fix first.

50 checkpoints: comprehensive audit
ACSC aligned: Essential 8 framework
Priority ranked: know what to fix first
94% of cyber attacks start with a phishing email
$39K average cost of a cyber breach for an Australian SMB
60% of small businesses close within 6 months of a major breach
How to use this checklist: Work through each section and tick the items your business currently has in place. Use the priority ratings (Critical / High / Medium) to guide your remediation roadmap. Aim to complete all Critical items within 30 days.

Essential 8 Control 1 — Application Control

Prevent unapproved software from executing on your systems.

[Critical] Application control (allowlisting) is enforced on all workstations. Only approved applications can run; unapproved executables, libraries, scripts and installers are blocked by default rather than merely flagged.
[Critical] Application control is enforced on servers. Servers are locked down to run only the approved applications they need.
[High] User application installs are restricted. Standard users cannot install software without IT administrator approval.

Essential 8 Control 2 — Patch Applications

Keep all software updated to close known vulnerabilities.

[Critical] Critical patches are applied within 48 hours of release. Internet-facing applications are patched within 48 hours when a critical vulnerability is disclosed or a working exploit exists.
[High] All applications are patched within 30 days. A monthly patch cycle covers every business application, not just the internet-facing ones.
[Critical] No unsupported or end-of-life software is in use. Nothing runs past its vendor support date (e.g. Windows 10, Office 2016).
[Medium] Patch compliance is reported monthly. You receive a monthly report showing patch status across all devices, including the machines that missed the cycle.

Essential 8 Control 3 — Configure Microsoft Office Macros

[Critical] Macros are disabled for users who don't need them. Most staff never need macros; disable them by default in your Microsoft 365 policy and allow them only for specific users, or only when digitally signed by a trusted publisher.
[Critical] Macros from the internet are blocked. Documents downloaded from email or the web (files carrying the Mark of the Web) cannot run macros, and users cannot unblock them with one click.
[High] Macro antivirus scanning is enabled. All macros are scanned by your antivirus (through AMSI) before execution.

Essential 8 Control 4 — User Application Hardening

[High] Web browsers block Flash, Java and ads. Browser-based attack vectors are minimised through hardened browser policies that users cannot override.
[Critical] Internet Explorer is disabled or removed. IE 11 is end-of-life and a significant security risk; if a legacy site needs it, use Edge's IE mode restricted to that site only.
[Medium] The PDF reader is restricted from running JavaScript. Adobe Acrobat JavaScript execution is disabled in settings.

Essential 8 Control 5 — Restrict Administrative Privileges

[Critical] Staff do not use admin accounts for daily work. Admin accounts are separate from standard user accounts, and daily tasks (email, browsing, documents) use standard accounts only.
[High] Admin account usage is logged and audited. All administrative actions are recorded and the logs are reviewed regularly.
[Medium] Privileged access is time-limited and request-based. When admin access is needed it is granted on request and expires automatically.
[High] The number of admin accounts is minimised. Fewer than 5% of users hold administrative privileges, and every admin account is tied to a named person rather than shared.

Essential 8 Control 6 — Patch Operating Systems

[Critical] OS patches are applied within 48 hours for critical vulnerabilities. As with applications, an exploited or internet-facing operating system vulnerability is patched within 48 hours.
[Critical] All operating systems are within vendor support. No devices run Windows 7, Windows 8/8.1, Windows 10 (support ended 14 October 2025 unless the device is enrolled in Extended Security Updates) or unsupported Windows Server versions.
[High] Automated OS updates are enabled where possible. Workstations receive updates automatically (e.g. Windows Update for Business or Intune update rings) rather than waiting for someone to install them by hand.
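The four endpoint-side checkpoints above (macro policy under Control 3, Internet Explorer under Control 4, admin-account use under Control 5, OS patching and support under Control 6) can be verified on a single Windows workstation with one read-only script. The script below is an added example written for this page; it is not part of the Renot checklist. It assumes Office 2016 or later (registry hive "16.0"), policies delivered by Group Policy or Intune (the HKCU/HKLM Policies keys), and a 30-day threshold for "recently patched"; the 3-member cap on local Administrators is an arbitrary value for illustration.

```powershell
# Added example, not part of the Renot checklist: read-only audit of one Windows
# endpoint. Run from an elevated Windows PowerShell 5.1 session on the machine
# being checked. Nothing is changed; each check prints PASS or FAIL.
# Assumptions: Office 16.0 hive, policy keys written by GPO/Intune, 30-day patch window.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result {
    param([int]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{
        Control = $Control
        Check   = $Check
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# Read an Office policy value from the user hive first, then the machine hive.
# A null result means no policy sets it, so the user could change it themselves.
function Get-OfficePolicyValue {
    param([string]$SubKey, [string]$Name)
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key  = "$hive\Software\Policies\Microsoft\Office\16.0\$SubKey"
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Control 3: VBAWarnings 4 = disable all macros without notification,
# 3 = disable all except digitally signed; 2, 1 or unset fails.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $warn = Get-OfficePolicyValue "$app\Security" 'VBAWarnings'
    Add-Result 3 "$app macros disabled or signed-only" ($warn -in @(3, 4)) "VBAWarnings=$warn"
    $mark = Get-OfficePolicyValue "$app\Security" 'blockcontentexecutionfrominternet'
    Add-Result 3 "$app blocks macros in files from the internet" ($mark -eq 1) "blockcontentexecutionfrominternet=$mark"
}
# MacroRuntimeScanScope 2 = AMSI scans every macro at runtime.
$scan = Get-OfficePolicyValue 'Common\Security' 'MacroRuntimeScanScope'
Add-Result 3 'AMSI runtime scanning covers all macros' ($scan -eq 2) "MacroRuntimeScanScope=$scan"

# Control 4: the IE 11 optional feature should be absent (Windows 11) or disabled.
$ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
$ieState = if ($ie) { "$($ie.State)" } else { 'not present' }
Add-Result 4 'Internet Explorer feature disabled or removed' ($null -eq $ie -or $ie.State -ne 'Enabled') "State=$ieState"

# Control 5: the logged-on user should not be in local Administrators, and the group should be small.
$admins    = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$me        = "$env:USERDOMAIN\$env:USERNAME"
$meIsAdmin = [bool]($admins | Where-Object { $_.Name -eq $me })
Add-Result 5 'Current user is not a local administrator' (-not $meIsAdmin) "User=$me"
Add-Result 5 'Local Administrators has at most 3 members' ($admins.Count -le 3) ('Members: ' + (($admins | ForEach-Object Name) -join ', '))

# Control 6: most recent update within 30 days, and the OS still in vendor support.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Result 6 'An OS update was installed in the last 30 days' ($age -le 30) "Latest: $($latest.HotFixID) on $($latest.InstalledOn)"

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Workstations: Windows 11 starts at build 22000; Windows 10 support ended 14 Oct 2025.
# Servers (ProductType 2 or 3): Server 2016+ is version 10.0; Server 2012 R2 and older are 6.x.
$supported = if ($os.ProductType -eq 1) { $build -ge 22000 } else { [version]$os.Version -ge [version]'10.0' }
Add-Result 6 'Operating system is within vendor support' $supported "$($os.Caption) build $build"

$results | Format-Table -AutoSize
if ($results | Where-Object Status -eq 'FAIL') { exit 1 }   # non-zero exit for RMM/scheduled runs
```

The script deliberately reads only the Policies keys: a setting the user changed in the Trust Center is not a control, because the next phishing document will ask them to change it back. Feed the exit code to your RMM tool to turn the checklist into a recurring check rather than a one-off.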

Essential 8 Control 7 — Multi-Factor Authentication (MFA)

[Critical] MFA is enabled for all email accounts. Microsoft 365 / Google Workspace MFA is enforced for every user without exception, including executives and administrator accounts.
[Critical] MFA is enabled for all remote access (VPN, RDP). RDP should additionally never be exposed directly to the internet, even with MFA in front of it.
[High] MFA is enabled for cloud services and SaaS applications. Prefer single sign-on through your identity provider so one MFA policy covers every application.
[Medium] An authenticator app (not SMS) is used where possible. Authenticator apps are more secure than SMS-based MFA; phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) are stronger again and are what the Essential 8 requires from Maturity Level 2 upward.
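"Enforced for every user without exception" is only true if you can list the exceptions. The script below is an added example for this page, not code from Renot, that pulls the Microsoft 365 authentication-methods registration report through the Microsoft Graph PowerShell SDK and grades each user against the MFA items above. Assumptions not taken from the page: the Microsoft.Graph.Reports module and its v1.0 property names as documented at the time of writing (verify against your installed module version); a signed-in account with the Global Reader or Reports Reader role consenting to the AuditLog.Read.All scope; and the grouping of SMS/voice and SSPR-only methods as "weak", which mirrors this checklist's rule rather than an ACSC-published list.

```powershell
# Added example, not part of the Renot checklist: tenant-wide MFA registration report.
# Prerequisite: Install-Module Microsoft.Graph.Reports (assumption: current v1.0 module).
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Methods that do not count as "authenticator app or better" (assumed classification).
$weakMethods       = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')
$phishingResistant = @('passKeyDeviceBound', 'fido2SecurityKey', 'windowsHelloForBusiness', 'microsoftAuthenticatorPasswordless')

function Get-MfaFinding {
    param([bool]$Registered, [string[]]$Methods)
    $strong = @($Methods | Where-Object { $_ -notin $weakMethods })
    $pr     = @($Methods | Where-Object { $_ -in $phishingResistant })
    if (-not $Registered)     { return 'CRITICAL: no MFA registered' }
    if ($strong.Count -eq 0)  { return 'MEDIUM: SMS/voice only' }
    if ($pr.Count -eq 0)      { return 'INFO: no phishing-resistant method' }
    return 'OK'
}

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $methods = @($_.MethodsRegistered)
    [pscustomobject]@{
        User    = $_.UserPrincipalName
        IsAdmin = [bool]$_.IsAdmin
        Finding = Get-MfaFinding -Registered ([bool]$_.IsMfaRegistered) -Methods $methods
        Methods = ($methods -join ', ')
    }
}

# Admins first: an unprotected admin account is the worst case for Controls 5 and 7 combined.
$report | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, Finding | Format-Table -AutoSize

# One-line summary per finding type, then a non-zero exit if any account has no MFA at all.
$report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
if ($report | Where-Object { $_.Finding -like 'CRITICAL*' }) { exit 1 }
```

Run it monthly and diff the output against the previous month: new hires who never completed registration and admins who fell back to SMS are the two gaps that appear most often after the initial rollout.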

Essential 8 Control 8 — Daily Backups

[Critical] Daily automated backups of all critical business data. Backups run on a schedule without relying on someone remembering to start them, and a failed job raises an alert that somebody owns.
[Critical] Backups are stored offsite or in the cloud (not local-only). Local-only backups are encrypted or deleted in the same ransomware attack as your data.
[High] Backups are tested with restore drills every quarter. An untested backup is not a backup; quarterly restore tests confirm your data is recoverable and tell you how long recovery actually takes.
[Critical] Backup systems are isolated from production (ransomware-protected). Backup credentials are separate from domain admin credentials, and backups are immutable or offline so an attacker who controls the network cannot delete them before encrypting your files.
[High] A retention policy of at least 90 days is in place. Some ransomware sits dormant for weeks before activating; 90-day retention ensures a clean restore point still exists.
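A restore drill only proves something if you compare what came back against what went in. The functions below are an added example written for this page (not Renot's tooling): one records a SHA-256 manifest of the live data at backup time, the other checks a restored copy against that manifest and reports files that are missing, altered or unexpectedly present. The paths and the CSV manifest format are this example's assumptions; store the manifest with the backup set (and offsite), not only on the production server.

```powershell
# Added example, not part of the Renot checklist: manifest-based restore verification.

# Step 1 (at backup time): hash every file under the source tree into a CSV manifest.
function New-BackupManifest {
    param([Parameter(Mandatory)][string]$SourceRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $SourceRoot).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

# Step 2 (during the drill): restore into an empty scratch location, then compare.
function Test-RestoredTree {
    param([Parameter(Mandatory)][string]$RestoreRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root     = (Resolve-Path $RestoreRoot).Path.TrimEnd('\')
    $expected = @{}
    Import-Csv $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_ }

    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($rel in $expected.Keys) {
        $full = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $findings.Add([pscustomobject]@{ File = $rel; Problem = 'MISSING' })
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $expected[$rel].Sha256) {
            $findings.Add([pscustomobject]@{ File = $rel; Problem = 'HASH MISMATCH' })
        }
    }
    # Extra files usually mean the restore landed on top of old data instead of a clean folder.
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            $findings.Add([pscustomobject]@{ File = $rel; Problem = 'UNEXPECTED (not in manifest)' })
        }
    }
    [pscustomobject]@{
        FilesExpected = $expected.Count
        Problems      = $findings.Count
        Findings      = $findings
    }
}

# Usage (paths are illustrative assumptions):
#   New-BackupManifest -SourceRoot 'D:\CompanyData' -ManifestPath 'D:\Backups\manifest.csv'
#   ... restore the backup into an empty E:\RestoreTest, timing the restore itself ...
#   $r = Test-RestoredTree -RestoreRoot 'E:\RestoreTest' -ManifestPath 'D:\Backups\manifest.csv'
#   $r.Findings | Format-Table -AutoSize; if ($r.Problems -gt 0) { exit 1 }
```

Wrap the restore step in Measure-Command and record the elapsed time with the drill result: that number is your real recovery time, and it is the figure an incident response plan should quote rather than the backup vendor's estimate.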

Additional Security Controls

[High] Staff have completed cybersecurity awareness training this year.
[Medium] Phishing simulation tests have been conducted.
[High] An incident response plan exists and is documented.
[High] Cyber insurance is in place.
[High] A professional security audit has been conducted in the last 12 months.
[Medium] Network segmentation separates guest and corporate Wi-Fi.
[Medium] DNS filtering is in place to block malicious websites.
[High] Endpoint detection and response (EDR) is deployed on all devices.

Your Maturity Level

Count your ticked items for an indicative rating against this checklist. Note that this is a simplification of the ACSC model: the official Essential 8 Maturity Model assesses each of the eight mitigation strategies separately, and your overall maturity level is the lowest level you reach across all eight. One neglected control (for example, backups that are never restore-tested) therefore caps your real maturity no matter how many other items you tick.

Maturity Level   Score         What It Means
Level 0          0–10 items    Significant exposure. Immediate action required on Critical items.
Level 1          11–25 items   Basic controls in place. Focus on Critical and High priority gaps.
Level 2          26–38 items   Moderate protection. Target Level 3 for full Essential 8 compliance.
Level 3          39–50 items   Strong security posture. Maintain and continuously improve.
Next Step: For any items you couldn't tick, prioritise Critical items first. If you have 5 or more unticked Critical items, your business is at significant risk and should seek professional help immediately.

Want a Professional Security Assessment?

Our team will audit your environment against all 50 controls and give you a prioritised remediation plan — completely free.

Book My Free Security Assessment →