The ACSC has created a set of guidelines called the Strategies to Mitigate Cyber Security Incidents, which provide a way for organizations to protect themselves from cyber threats. Among these guidelines, the Essential Eight is considered to be the most effective in safeguarding Microsoft Windows-based internet-connected networks. However, the Essential Eight may not be the best strategy for other operating systems or environments, such as cloud services or enterprise mobility, and organizations should seek alternative guidance from the ACSC to address unique cyber threats. To assist in implementing the Essential Eight, the ACSC has also created the Essential Eight Maturity Model, which is regularly updated and draws on the ACSC's experience in cyber threat intelligence, incident response, penetration testing, and implementation assistance.

Looking to assess a customer? Check out our ACSC Essential 8 assessment tips.


When implementing the Essential Eight, organizations should first identify a target maturity level that is appropriate for their environment and plan for it accordingly. The implementation should progress through each maturity level until the target is reached.

Since the Essential Eight strategies are designed to complement one another and provide coverage for various cyber threats, organizations should aim to achieve the same maturity level across all eight mitigation strategies before advancing to higher levels.

Organizations should use a risk-based approach when implementing the Essential Eight. They should aim to minimize exceptions and their scope by implementing compensating security controls and limiting the number of affected systems or users. Any exceptions should be documented and approved through a proper process. The need for exceptions and their associated compensating security controls should be monitored and reviewed regularly. It's worth noting that the appropriate use of exceptions should not prevent organizations from meeting the requirements for a given maturity level.

The Essential Eight provides a minimum set of preventative measures. Organizations may need to implement additional measures beyond those outlined in the maturity model based on their environment. Additionally, while the Essential Eight can mitigate most cyber threats, it won't address all of them. Therefore, organizations should consider other mitigation strategies and security controls, such as those found in the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.

Finally, organizations aren't required to have their Essential Eight implementation certified by an independent party. However, it may be necessary to have an independent party assess the implementation if mandated by a government directive or policy, a regulatory authority, or contractual arrangements.

Maturity Levels

The Essential Eight implementation is aided by the definition of four maturity levels (Maturity Level Zero to Maturity Level Three), except for Maturity Level Zero which does not pertain to adversary tradecraft. Maturity levels are based on the increasing levels of adversary tradecraft and targeting, rather than on different adversaries themselves. Organisations should consider their attractiveness to adversaries and the potential consequences of a security incident to determine their target maturity level.

It is important to note that Maturity Level Three alone cannot thwart adversaries who are willing to invest sufficient time, money, and effort to infiltrate a target. Therefore, organisations should also consider implementing other mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.

Maturity Level Zero

Maturity Level Zero indicates that an organization has vulnerabilities in its overall cybersecurity stance, which if exploited, can result in compromising the confidentiality of their data, or the integrity and availability of their systems and data. These weaknesses are further detailed in Maturity Level One.

Maturity Level One

This maturity level pertains to attackers who are satisfied with utilizing standard methods that are readily available to infiltrate and potentially manipulate systems. These attackers may use an exploit that is publicly accessible for a security vulnerability in a service that is exposed to the internet and has not been patched, or gain access to an internet-facing service by utilizing stolen, reused, or guessed credentials.

In general, these adversaries are not targeting specific victims and will aim to exploit common weaknesses found in many targets, rather than investing significant resources to gain access to a specific target. They may resort to common social engineering techniques to deceive users into weakening the security of a system, and can launch malicious applications, such as through Microsoft Office macros. If an attacker gains access to an account with special privileges, they will try to take advantage of it. Depending on their motives, attackers may also erase data, including backups.

Maturity Level Two

This level of maturity focuses on adversaries who have slightly more advanced capabilities than those in the previous level. These adversaries are willing to spend more time and effort in targeting their victims and improving their methods to achieve their goals. They employ common techniques to evade security measures and avoid detection, such as phishing to obtain credentials, and use technical and social engineering techniques to bypass weak multi-factor authentication.

Adversaries are likely to be more selective in their targets and invest more time in making their attacks effective. They still employ common social engineering tactics, like tricking users to launch malicious applications via Microsoft Office macros. If the compromised account has special privileges, adversaries will seek to exploit it, or they will attempt to find an account with such privileges. If their goal is to destroy data, they will target all accessible data, including backups.

Maturity Level Three

This level of maturity focuses on adversaries who are highly adaptable and less reliant on publicly available tools and techniques. They are able to take advantage of weaknesses in a target's cybersecurity posture, such as outdated software or inadequate logging and monitoring, not only to extend their access but also to avoid detection and strengthen their presence. Adversaries quickly take advantage of publicly available exploits and other techniques to improve their chances of success.

Typically, these adversaries are more selective in their targets and invest significant effort into overcoming the specific policy and technical security controls implemented by their targets. They may use social engineering to trick users into unknowingly assisting in bypassing security controls, and may even steal authentication token values to impersonate a user and bypass stronger multi-factor authentication. Once they gain access to a system, they will seek privileged credentials or password hashes, pivot to other parts of the network, and cover their tracks. In some cases, they may also destroy all data, including backups, depending on their objectives.

Essential 8 Graphic

Stages of an Essential 8 Assessment

  1. Assessment planning and preparation
  2. Determination of assessment scope and approach
  3. Assessment of controls
  4. Development of the security assessment report
Where do the controls come from?

The Australia Cyber Security Centre Information Security Manual (ACSC ISM) is a compendium of 741 distinct controls that can be used to manage cybersecurity risk.

How many Essential 8 controls are there?

Gap analysis against ACSC Essential 8 requires assessment of between 31 and 99 controls to meet the various maturity baselines.

Assessing Your Customers

FortMesa for Service Providers automates all four stages of Essential 8 assessment.

Our partners get access to all three Essential 8 maturity levels as well as the complete ACSC ISM including controls required for OFFICIAL government or TOP SECRET security baselines.

Get Essential 8 Demo

Explore cyber best practices

Read more about the tools and concepts needed to deliver cybersecurity that will protect your company and your customers

Schedule Now

Demo & Test Drive

Use our tools to guide your customers to reduce the most risk with the fewest actions

Get Essential 8 Demo
The FortMesa Vulnerability Sensor uses the world's largest library of 160,000+ security checks, available for Windows, Mac & Linux.

Cybersecurity made simple, for humans.