Skip to content

The Essential Eight: understanding Australia’s cyber security approach.

In today's digital age, cybersecurity is paramount. The Australian Signals Directorate, recognising the need for robust cybersecurity measures, has formulated a set of mitigation strategies known as the Strategies to Mitigate Cyber Security Incidents. At the heart of these strategies lies the Essential Eight1, a set of measures designed to fortify an organisation's cyber defences.

What do these mean for you as a risk manager, especially if you aren’t someone with a cyber/IT security focus? This blog covers some of the key points:

  • What the Essential Eight isn’t
  • The significance of the Essential Eight
  • Who needs to adopt the Essential Eight?
  • The flexibility of the Essential Eight
  • Working with other cyber security frameworks
  • International comparisons

Subscribe to our knowledge hub to get practical resources, eBooks, webinar invites and more showing the latest developments in risk, resilience and compliance, direct to your inbox:

Subscribe now

What the Essential Eight isn't

The Essential Eight is an important initiative that anyone involved in cyber risk management in Australia needs to understand, but it's crucial to understand its scope and limitations:

  • Not an all-encompassing baseline: While the Essential Eight offers a robust set of cybersecurity controls, it isn't an exhaustive baseline. It doesn't guarantee absolute information security or entirely mitigate the risk of cyber intrusions leading to the loss of highly confidential data.
  • Doesn't set out how to implement a risk-based approach: The Essential Eight is not a roadmap on how you can implement a risk-based approach to your minimum applicable controls. Instead, it offers a set of strategies that organisations can adapt based on their unique risk profiles. 
  • Limited framework integration: The Essential Eight doesn't bridge the gap with the ISM or other control frameworks. Its primary alignment is with the ACSC ISM control library[1]. This means organisations might need to integrate the Essential Eight with other frameworks manually, depending on their specific needs.

The significance of the Essential Eight

The Essential Eight isn't just another set of guidelines; it's a transformative approach to cybersecurity. It's gaining traction among Commonwealth agencies and significant suppliers as a testament to their cyber security maturity. Moreover, it serves as the foundation for the ACSC Information Security Manual, ensuring a cohesive approach to cybersecurity across various sectors1.

So, what exactly makes the Essential Eight? In short:

  • Application control
  • Patching applications
  • Configuring Microsoft Office macro settings
  • User application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Regular backups

Each of these strategies is a result of meticulous research and expertise, ensuring a holistic approach to cybersecurity. But it's not just about knowing them; it's about implementing them effectively. That's where the Essential Eight Maturity Model steps in, offering a clear roadmap for organisations to gauge their progress and reach optimal cybersecurity maturity.

In essence, the Essential Eight is Australia's commitment to fortifying cybersecurity across sectors. It's a robust, adaptable framework ready to tackle the challenges of our digital age. As we navigate this interconnected world, understanding and integrating the Essential Eight is not just advisable; it's imperative.

Who needs to adopt the Essential Eight?

The Commonwealth government has taken the lead by mandating the Essential Eight for all 98 non-corporate Commonwealth entities (NCCEs)[2]. But its relevance isn't limited to federal agencies. Organisations that collaborate with these entities, whether they are suppliers, contractors, or partners, will benefit from aligning their cybersecurity measures with the Essential Eight. This ensures seamless collaboration and data exchange, minimising vulnerabilities.

While the Essential Eight is tailored for federal entities, its principles are universally applicable. State and local governments, NGOs, and businesses can adapt and implement these strategies, ensuring a fortified defence against cyber threats. In a world where cyber-attacks are becoming increasingly sophisticated, adopting proven strategies like the Essential Eight can offer a competitive edge.

The flexibility of the Essential Eight

The Essential Eight recognises that organisations differ in their cybersecurity needs and maturity. Hence, it offers three distinct maturity levels. While government organisations are encouraged to attain at least Maturity level two, other entities can use these levels as a benchmark, progressively enhancing their cybersecurity measures.

Maturity Level Zero represents foundational cybersecurity measures. At this stage, organisations may have vulnerabilities that could compromise data confidentiality, system integrity, or availability. It's a starting point, highlighting areas that need immediate attention.

Maturity Level One is a step up, focusing on countering malicious actors using widely available tradecraft. These actors are opportunistic, seeking any potential victim. By achieving this level, organisations demonstrate a proactive stance, defending against common threats.

Maturity Level Two targets more sophisticated threats. Here, malicious actors exhibit a higher level of capability, being more selective in their targets and investing in advanced tools. Organisations at this level showcase robust cybersecurity measures, capable of thwarting more targeted and persistent attacks.

Lastly, Maturity Level Three is the pinnacle of cybersecurity maturity within the Essential Eight framework. Organisations at this level are equipped to handle adaptive malicious actors who exploit specific cybersecurity weaknesses, using customised tools to evade detection.

So, why are these levels relevant? They offer a roadmap. Organisations can assess their current cybersecurity posture, identify gaps, and work towards a desired maturity level. The tiered approach ensures that entities don't feel overwhelmed, allowing for gradual enhancements. For government organisations, Maturity Level Two serves as a recommended benchmark, ensuring a robust defence against a majority of cyber threats. However, for private entities or smaller organisations, these levels act as a guide, helping them progressively fortify their cyber defences based on their specific needs and capabilities.

Working with other cyber security frameworks

The Essential Eight doesn't exist in isolation. It integrates with the Information Security Manual (September 2023), a comprehensive control library curated by the Australian Cyber Security Centre (ACSC). It also aligns with other frameworks like the Cloud Controls Matrix (September 2023) and has indirect ties with NIST CSF and ISO27001:2022. The Information Security Manual further provides a roadmap to vital Cyber Security Principles and Guidelines, empowering organisations to shield their systems and data from cyber threats[3].

While the Essential Eight is a pioneering initiative by Australia, similar frameworks exist globally. The United Kingdom has introduced the Cyber Essentials[4], and New Zealand boasts the 'Essential 10'[5]. These frameworks, while tailored to their respective regions, underscore the universal importance of robust cybersecurity measures.

Conclusions and next steps for your organisation

The Essential Eight offers a strategic approach to cybersecurity, ensuring organisations are well-equipped to tackle modern cyber threats. Whether you're a Commonwealth agency, a business entity, or an NGO, understanding and implementing the Essential Eight can significantly enhance your cybersecurity posture. Its flexibility ensures that cybersecurity isn't a one-size-fits-all solution but a tailored strategy.

If you’d like to know more about how to align your cyber security and enterprise risk management strategies, Protecht's new webinar Speaking the same language: Bringing IT and cyber to your enterprise risk view offers a deep dive into these areas, providing strategies, insights, and best practices for organisations.

Join Protecht’s Cyber Security Lead Mike Franklin and our Research & Content Lead Michael Howell for an informative and insightful webinar that brings ISMS into an overall enterprise risk management approach. From understanding the language of IT and cyber risk to the building blocks of resilience, this webinar will provide actionable insights for executives, risk managers and cybersecurity experts alike:

Watch on demand








About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.