The Essential Eight maturity model is the Australian Signals Directorate's primary framework for helping organisations defend against the most common cyber threats. First published in 2017 and updated several times since, the model lays out eight mitigation strategies across four maturity levels: zero through three. For most Australian entities, government agencies in particular, reaching at least Maturity Level Two is now a baseline expectation, not an aspiration. For many, the push toward Maturity Level Three is already underway in 2026.
Understanding the Essential Eight is not just a compliance exercise. The strategies target the attack paths that real-world adversaries use most: phishing, credential theft, exploitation of unpatched software, and lateral movement through privileged accounts. If you close those gaps, you disrupt the majority of incidents before they escalate.
What the eight strategies actually cover
The ASD groups the eight mitigations into three broad goals: preventing malware delivery and execution, limiting the impact of an incident, and recovering data and system availability. Each strategy has specific technical requirements at each maturity level.
- Application control: Restricts execution to approved software. At higher maturity levels this extends to script interpreters and installers, not just executables.
- Patch applications: Focuses on internet-facing and user-facing software. The ASD expects critical patches applied within 48 hours at Maturity Level Three.
- Configure Microsoft Office macro settings: Blocks macros from the internet by default, with exceptions managed centrally. A common vector for initial access that remains undercontrolled in many Australian environments.
- User application hardening: Covers web browsers, PDF readers, and Office applications, including blocking Flash, ads, and untrusted Java.
- Restrict administrative privileges: Limits admin access to those who genuinely need it, with separate accounts for privileged tasks. This aligns closely with privileged access management practices that security teams are increasingly expected to formalise.
- Patch operating systems: Similar in logic to patching applications, but applied to the OS layer, including network devices. Timeframes tighten significantly at higher maturity levels.
- Multi-factor authentication: Required for internet-facing services, remote access, and privileged accounts. The ASD's guidance here has evolved to address phishing-resistant MFA, not just any second factor. For a deeper read on where MFA still falls short, see why MFA alone is not enough in many Australian environments.
- Regular backups: Covers frequency, protection from deletion or encryption, and tested restoration. Without this, the other seven strategies may still leave an organisation crippled after a ransomware attack.
How the maturity levels work in practice
The four maturity levels are not a simple checklist. They describe increasing levels of implementation rigour, detection capability, and resilience. Maturity Level Zero means the organisation has not started. Maturity Level One indicates some controls exist but they are incomplete and can be bypassed by an opportunistic attacker. Maturity Level Two requires controls to resist more sophisticated adversaries. Maturity Level Three represents a hardened posture against targeted, persistent attackers.
A common mistake organisations make is claiming a higher maturity level than they have actually achieved. Self-assessment without evidence collection tends to produce optimistic results. The ASD recommends using the Essential Eight Assessment Process Guide, and government entities are increasingly expected to provide documented evidence rather than declarations. Third-party assessors are becoming more common in agency contexts, and the Australian government's cyber security procurement landscape has grown to support exactly this kind of independent assessment.
Where Australian organisations most commonly fall short
Across the eight strategies, application control and patching are the two areas where Australian organisations most frequently over-claim their maturity. Application control at Maturity Level Two requires blocking script interpreters such as PowerShell and Windows Script Host from running unsigned code, which is technically demanding and often missed in self-assessments. Patching timelines are frequently achieved on servers but not on end-user devices or legacy systems that require more careful change management.
Macro configuration is another persistent weakness. Organisations that migrated to Microsoft 365 several years ago sometimes retained legacy macro permissions that were never tightened. The modern guidance from the ASD requires macros to be digitally signed by a trusted publisher and for internet-sourced documents to be blocked from running any macros at all.
Backups are often the control that looks strongest on paper but fails in practice. Many organisations back up data regularly but have not tested whether backups can be restored under incident conditions, particularly when the backup infrastructure itself might be targeted by ransomware. The ASD's updated guidance emphasises immutability and offline or out-of-band copies as markers of higher maturity.
The 2025 updates and what changed
The ASD updated the Essential Eight Maturity Model in late 2025, and those changes are now the operating baseline in 2026. The most significant shifts involved phishing-resistant MFA requirements, more prescriptive patch timelines, and a clarified definition of what counts as a privileged account. The MFA update explicitly calls out authenticator app-based one-time passwords as insufficient for Maturity Level Three contexts, requiring instead hardware security keys or certificate-based authentication for the highest-risk roles.
The updated patch guidance reduced the window for critical vulnerabilities on internet-facing systems to 48 hours at Maturity Level Two, down from what had been a more permissive timeframe in earlier versions. For organisations running legacy infrastructure, this is a significant operational challenge that often requires either emergency change processes or architectural separation of legacy systems from internet exposure.
Building a credible uplift programme
Organisations that approach the Essential Eight as a one-off audit exercise consistently struggle to sustain their maturity over time. Controls degrade as systems change, new software is deployed without going through hardening processes, and staff turnover removes institutional knowledge. A credible uplift programme treats the Essential Eight as an ongoing operational discipline, not a point-in-time certification.
Practical approaches that work in Australian environments include: integrating Essential Eight controls into change and release processes so new systems are assessed before they are deployed; running automated scanning against Essential Eight criteria using tools like the ASD's own assessment guides or commercial equivalents; and assigning ownership of each strategy to a named team rather than treating it as a shared responsibility that belongs to no one.
Smaller organisations without a dedicated security function often benefit from working with a managed security service provider that has specific Essential Eight experience. The ACSC publishes guidance on finding credible partners, and the federal government's panel arrangements provide a starting point for agencies that need external help.
Reporting and accountability in 2026
Federal government entities are required to report their Essential Eight maturity to the ASD annually under the Australian Cyber Security Centre's reporting obligations. The 2026 reporting cycle now expects entities to report at the individual strategy level rather than as a single aggregate score, which increases transparency but also increases the pressure to be accurate about gaps.
For private sector organisations, the Essential Eight is not legally mandated in most industries, but it increasingly features in contract requirements, insurance applications, and due diligence processes. Organisations bidding on federal government work will commonly encounter Essential Eight maturity as a threshold requirement, and the bar is rising. Reaching Maturity Level Two across all eight strategies is now the minimum that most procurement officers will accept for sensitive work.
The Essential Eight is not the ceiling of cyber maturity. It sits alongside other controls, frameworks, and sector-specific requirements. But it remains the most practically focused and widely referenced baseline in the Australian market, and organisations that understand it deeply rather than treating it as a paperwork exercise will be meaningfully more resilient.

