The Essential Eight: a cyber security model you can follow.

In today's digital age, cybersecurity is paramount. Recognizing the need for robust cybersecurity measures, Australia's government has formulated a set of mitigation strategies known as the Strategies to Mitigate Cyber Security Incidents. At the heart of these strategies lies the Essential Eight[1], a set of measures designed to fortify an organization’s cyber defenses.

What do these mean for you as a risk manager in the United States, especially if you aren’t someone with a cyber/IT security focus? This blog covers some of the key reasons why the Essential Eight are worth thinking about:

  • What the Essential Eight isn’t
  • The significance of the Essential Eight
  • Who needs to adopt the Essential Eight?
  • The flexibility of the Essential Eight
  • Working with other cyber security frameworks
  • International comparisons

What the Essential Eight isn't

The Essential Eight is an important initiative, but it's crucial to understand its scope and limitations:

  • Not an all-encompassing baseline: While the Essential Eight offers a robust set of cybersecurity controls, it isn't an exhaustive baseline. It doesn't guarantee absolute information security or entirely mitigate the risk of cyber intrusions leading to the loss of highly confidential data.
  • Doesn't set out how to implement a risk-based approach: The Essential Eight is not a roadmap on how you can implement a risk-based approach to your minimum applicable controls. Instead, it offers a set of strategies that organizations can adapt based on their unique risk profiles. 
  • Limited framework integration: The Essential Eight doesn't bridge the gap with the ISM or other control frameworks. Its primary alignment is with the ACSC ISM control library[1]. This means organizations might need to integrate the Essential Eight with other frameworks manually, depending on their specific needs.

The significance of the Essential Eight

In Australia, the Essential Eight approach has gained traction among federal government agencies and significant suppliers as a testament to their cyber security maturity. Moreover, it serves as the foundation for the ACSC Information Security Manual, ensuring a cohesive approach to cybersecurity across various sectors[1].

So, what exactly makes the Essential Eight? In short:

  • Application control
  • Patching applications
  • Configuring Microsoft Office macro settings
  • User application hardening
  • Restricting administrative privileges
  • Patching operating systems
  • Multi-factor authentication
  • Regular backups

Each of these strategies is a result of meticulous research and expertise, ensuring a holistic approach to cybersecurity. But it's not just about knowing them; it's about implementing them effectively. That's where the Essential Eight Maturity Model steps in, offering a clear roadmap for organizations to gauge their progress and reach optimal cybersecurity maturity.

In essence, the Essential Eight is a robust, adaptable framework ready to tackle the challenges of the digital age. As we navigate this interconnected world, understanding and integrating the Essential Eight is not just advisable; it's imperative.

Who needs to adopt the Essential Eight?

The Australian federal government has taken the lead by mandating the Essential Eight for all 98 non-corporate federal entities (NCCEs)[2], which means that organizations that collaborate with these entities, whether they are suppliers, contractors, or partners, will benefit from aligning their cybersecurity measures with the Essential Eight. This ensures seamless collaboration and data exchange, minimizing vulnerabilities.

But even if you have no intention of doing business with the Australian government, the Essential Eight's principles are universally applicable. Governments, NGOs, and businesses worldwide can adapt and implement these strategies, ensuring a fortified defense against cyber threats. In a world where cyber-attacks are becoming increasingly sophisticated, adopting proven strategies like the Essential Eight can offer a competitive edge.

The flexibility of the Essential Eight

The Essential Eight recognizes that organizations differ in their cybersecurity needs and maturity. Hence, it offers three distinct maturity levels. While government organizations are encouraged to attain at least Maturity Level Two, other entities can use these levels as a benchmark, progressively enhancing their cybersecurity measures.

Maturity Level Zero represents foundational cybersecurity measures. At this stage, organizations may have vulnerabilities that could compromise data confidentiality, system integrity, or availability. It's a starting point, highlighting areas that need immediate attention.

Maturity Level One is a step up, focusing on countering malicious actors using widely available tradecraft. These actors are opportunistic, seeking any potential victim. By achieving this level, organizations demonstrate a proactive stance, defending against common threats.

Maturity Level Two targets more sophisticated threats. Here, malicious actors exhibit a higher level of capability, being more selective in their targets and investing in advanced tools. Organizations at this level showcase robust cybersecurity measures, capable of thwarting more targeted and persistent attacks.

Lastly, Maturity Level Three is the pinnacle of cybersecurity maturity within the Essential Eight framework. Organizations at this level are equipped to handle adaptive malicious actors who exploit specific cybersecurity weaknesses, using customized tools to evade detection.

So, why are these levels relevant? They offer a roadmap. Organizations can assess their current cybersecurity posture, identify gaps, and work towards a desired maturity level. The tiered approach ensures that entities don't feel overwhelmed, allowing for gradual enhancements.

For Australian government organizations, Maturity Level Two serves as a recommended benchmark, ensuring a robust defense against a majority of cyber threats. For anyone else, these levels act as a guide, helping them progressively fortify their cyber defenses based on their specific needs and capabilities.

Working with other cyber security frameworks

The Essential Eight doesn't exist in isolation. It integrates with the Information Security Manual (September 2023), a comprehensive control library curated by the Australian Cyber Security Centre (ACSC). It also aligns with other frameworks like the Cloud Controls Matrix (September 2023) and has indirect ties with NIST CSF and ISO 27001:2022. The Information Security Manual further provides a roadmap to vital Cyber Security Principles and Guidelines, empowering organizations to shield their systems and data from cyber threats[3].

While the Essential Eight is a pioneering initiative by Australia, similar frameworks exist globally. The United Kingdom has introduced the Cyber Essentials[4], and New Zealand boasts the 'Essential 10'[5]. These frameworks, while tailored to their respective regions, underscore the universal importance of robust cybersecurity measures. As yet, there is nothing comparable issued by the United States.

Conclusions and next steps for your organization

The Essential Eight offers a strategic approach to cybersecurity, ensuring organizations are well-equipped to tackle modern cyber threats. Following the principles laid out in the Essential Eight can significantly enhance your cybersecurity posture. Its flexibility ensures that cybersecurity isn't a one-size-fits-all solution but a tailored strategy.

If you’d like to know more about how to align your cyber security and enterprise risk management strategies, Protecht's new webinar Speaking the same language: Bringing IT and cyber to your enterprise risk view offers a deep dive into these areas, providing strategies, insights, and best practices for organizations.

Join Protecht’s Cyber Security Lead Mike Franklin and our Research & Content Lead Michael Howell for an informative and insightful webinar that brings ISMS into an overall enterprise risk management approach. From understanding the language of IT and cyber risk to the building blocks of resilience, this webinar will provide actionable insights for executives, risk managers and cybersecurity experts alike.

About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.