Renot IT Solutions renot.com.au  |  0438 066 131  |  support@renot.com.au
🛡️ ACSC Framework

Essential 8 Compliance Checklist

A plain-English guide to every Essential 8 control — with Maturity Level 1, 2, and 3 descriptions and a self-assessment scoring guide for Australian businesses.

8 Controls: Full ACSC framework
3 Maturity Levels: Know where you stand
Self-Assessment: Score your business today

What is the Essential 8?

The Essential 8 is a set of eight cybersecurity strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect their systems from cyberattacks. While originally developed for government, the ACSC strongly recommends all Australian businesses implement these controls.

Why it matters: The ACSC estimates that implementing the Essential 8 at Maturity Level 2 would prevent approximately 85% of cyberattacks targeting Australian organisations. For businesses in regulated industries (healthcare, finance, legal), compliance may also be a contractual or regulatory requirement.

Maturity Levels Explained

Level 0: Controls are not in place or are largely ineffective
Level 1: Partially aligned — basic controls in place, manually managed
Level 2: Mostly aligned — controls are consistent and more automated
Level 3: Fully aligned — controls are comprehensive, tested, and audited

Control 1 — Application Control

Prevents unapproved and potentially malicious programs (including malware) from executing on systems.

Level 1: Application control implemented on workstations
Approved applications are identified and only these can run. Unapproved executables are blocked on internet-facing workstations.

Level 2: Application control on servers + event logging
Controls extend to servers. Application control events are captured in a centralised log. Rules are validated annually.

Level 3: Comprehensive control with allowlisting and auditing
Application allowlists are enforced across all systems. Unauthorised execution attempts are detected and responded to in real time.

Control 2 — Patch Applications

Ensures software vulnerabilities are fixed before attackers can exploit them. Unpatched software is one of the most common attack vectors.

Level 1: Patches applied within 30 days (non-critical)
Critical patches on internet-facing services applied within 2 weeks. Unsupported software identified and documented.

Level 2: Critical patches within 48 hours
Internet-facing applications patched within 48 hours of release. All other applications within 2 weeks. Unsupported software removed.

Level 3: Automated patching and compliance reporting
Automated patch deployment across all systems. Compliance reported monthly. No unsupported software in use.

Control 3 — Configure Microsoft Office Macros

Macros in Office documents are a leading delivery mechanism for malware, particularly ransomware. Restricting them dramatically reduces attack surface.

Level 1: Macros blocked for users who don't need them
Macros from the internet are blocked. Only trusted users can run macros. Antivirus scans macros before execution.

Level 2: Only signed macros from trusted publishers allowed
Unsigned macros are blocked entirely. Trusted publisher list is maintained and reviewed.

Level 3: Macros blocked entirely or restricted to highly privileged users
Macros are completely blocked or only available to verified, named individuals with business justification.

Control 4 — User Application Hardening

Reduces attack surface by disabling unnecessary, insecure features in web browsers and other common applications.

Level 1: Browsers block Flash, Java, and web ads
Internet Explorer disabled. PDF readers configured to not run JavaScript. Browser hardening applied to all staff devices.

Level 2: Browser extensions restricted
Only approved browser extensions permitted. Web content filtering in place to block malicious categories.

Level 3: Comprehensive application hardening across all user applications
All user applications are hardened per vendor security guides. Hardening configurations validated and audited annually.

Control 5 — Restrict Administrative Privileges

Limits the damage an attacker can do if they compromise a user account. Admin accounts have far greater access and must be tightly controlled.

Level 1: Admin accounts separate from standard accounts
Privileged users have dedicated admin accounts. Daily tasks performed with standard accounts only.

Level 2: Just-in-time admin access with logging
Admin rights are granted on request and expire. All privileged activity is logged and reviewed.

Level 3: Privileged access workstations and full audit capability
Privileged actions performed from dedicated, hardened workstations. Full privileged access management (PAM) solution in place.

Control 6 — Patch Operating Systems

Same principle as patching applications, but for operating systems. Unpatched OS vulnerabilities are frequently exploited in ransomware attacks.

Level 1: OS patches applied within 30 days
No end-of-life operating systems in use. Automated updates enabled where possible.

Level 2: Critical OS patches within 48 hours
Centralised patch management in place. Compliance tracked and reported.

Level 3: Automated, verified OS patching across all systems
All operating systems patched within 48 hours of critical releases. Patch compliance audited monthly.
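
A self-check for the patching windows in Controls 2 and 6, as an added example (not ACSC or Renot tooling): given a list of patch records, it reports which records break the Level 1 and Level 2 windows as the descriptions above state them and the highest level the set meets. The Patch record format, the sample data and the assessment date are constructed; Level 3 is left out because automation and monthly reporting cannot be judged from patch dates alone.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Patch:                  # constructed record format, one row per vendor patch
    name: str
    released: date
    applied: date | None      # None: still outstanding
    critical: bool
    internet_facing: bool
    supported: bool = True    # False: the product is end-of-life
    documented: bool = False  # unsupported product recorded in an asset register

def allowed_days(level: int, p: Patch) -> int:
    # Windows taken from this page's Level 1 and Level 2 descriptions.
    if level == 1:
        return 14 if p.critical and p.internet_facing else 30
    return 2 if p.internet_facing else 14    # Level 2: 48 hours / 2 weeks

def failures(level: int, patches: list[Patch], today: date) -> list[str]:
    # Reasons the patch set falls short of `level`; an empty list means compliant.
    out = []
    for p in patches:
        if not p.supported:
            # Level 1: unsupported software identified and documented; Level 2: removed.
            if level >= 2:
                out.append(f"{p.name}: unsupported software still in use")
            elif not p.documented:
                out.append(f"{p.name}: unsupported software not documented")
            continue
        elapsed = ((p.applied or today) - p.released).days   # outstanding patches count up to today
        limit = allowed_days(level, p)
        if elapsed > limit:
            out.append(f"{p.name}: {elapsed} days elapsed, limit {limit} at Level {level}")
    return out

def maturity_level(patches: list[Patch], today: date) -> int:
    # Highest of Level 1 or 2 met without failures, otherwise Level 0.
    level = 0
    for candidate in (1, 2):
        if failures(candidate, patches, today):
            break
        level = candidate
    return level

TODAY = date(2024, 4, 1)   # assessment date for the constructed sample below
SAMPLE = [                 # constructed sample, not real patch data
    Patch("mail-gateway-hotfix", date(2024, 3, 1), date(2024, 3, 2), critical=True, internet_facing=True),
    Patch("office-suite-update", date(2024, 3, 1), date(2024, 3, 20), critical=False, internet_facing=False),
    Patch("web-portal-fix", date(2024, 3, 10), date(2024, 3, 15), critical=False, internet_facing=True),
    Patch("legacy-db-client", date(2024, 1, 1), None, False, False, supported=False, documented=True),
]
```

Running `maturity_level(SAMPLE, TODAY)` on the sample gives Level 1: every record is inside the 30-day and 2-week windows, but the 19-day office update, the 5-day portal fix and the documented-but-still-installed legacy client all fail the Level 2 rules, which `failures(2, SAMPLE, TODAY)` lists one per line.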

Control 7 — Multi-Factor Authentication (MFA)

MFA makes it significantly harder for attackers to access systems even if they have a user's password. It is the single most impactful control for most SMBs.

Level 1: MFA for remote access and internet-facing services
MFA enforced for all email, VPN, and cloud portals. Authenticator app preferred over SMS.

Level 2: MFA for all users on all systems
MFA enforced across all business applications. No exceptions for any user or role.

Level 3: Phishing-resistant MFA (hardware keys or passkeys)
FIDO2 hardware keys or passkeys used for all privileged accounts and internet-facing systems.

Control 8 — Regular Backups

Ensures that if all else fails, you can recover your business data. Critical for ransomware recovery and business continuity.

Level 1: Daily backups of important data, stored offsite
Backups performed daily. Stored in a separate location from production systems. Restore tested at least annually.

Level 2: Backups are protected and tested quarterly
Backup systems are isolated from production. Restore procedures tested quarterly. 90-day retention maintained.

Level 3: Immutable backups with tested recovery procedures
Backups are immutable (cannot be encrypted or deleted by ransomware). Full disaster recovery tested at least annually with documented RTO/RPO.

Recommended Implementation Roadmap

Timeline   | Focus Area                          | Controls
Month 1–2  | Quick wins with highest impact      | MFA (Control 7), Patch Applications (Control 2), Configure Macros (Control 3)
Month 3–4  | Access control and OS hygiene       | Restrict Admin Privileges (Control 5), Patch OS (Control 6)
Month 5–6  | System hardening and backup         | Application Control (Control 1), User App Hardening (Control 4), Backups (Control 8)
Month 6+   | Mature and continuously improve     | All controls reviewed and elevated to Level 2+

Want a Professional Essential 8 Assessment?

Our team will assess your current maturity level across all 8 controls and build a prioritised compliance roadmap — free of charge.

Book My Free Assessment →