Essential Eight Maturity: Where Most Australian Organisations Stand
The ASD Essential Eight provides eight mitigation strategies, but most organisations hover between Maturity Level 1 and 2. We look at the most common gaps and the practical steps to move up.
Eight Strategies, Three Maturity Levels
The Australian Signals Directorate's Essential Eight mitigation strategies are designed to address the most common attack vectors. Each strategy has three maturity levels, from basic (Level 1) to advanced (Level 3). Australian government entities are expected to achieve at least Maturity Level 2, and increasingly, private sector organisations are adopting the framework.
The Eight Strategies
- Application control: Only approved applications can execute
- Patch applications: Patch known vulnerabilities in applications within defined timeframes
- Configure Microsoft Office macros: Block or restrict macro execution
- User application hardening: Disable unnecessary features in browsers and Office
- Restrict administrative privileges: Limit admin access based on duties
- Patch operating systems: Keep operating systems patched and current
- Multi-factor authentication: Require MFA for all remote access and privileged access
- Regular backups: Perform and test regular backups of important data
Where Most Organisations Fall Short
Based on ASD's own reporting and our experience across hundreds of assessments, the most common gaps are:
Application control (biggest gap): Most organisations have basic application whitelisting for servers but not for workstations. Maturity Level 2 requires application control on all workstations, not just servers.
Patching cadence: Maturity Level 2 requires patching internet-facing vulnerabilities within 2 weeks. Many organisations still operate on monthly patching cycles, leaving a 2-4 week window of exposure.
Privileged access management: Many organisations have reduced the number of admin accounts but haven't implemented just-in-time access or separate admin workstations, and haven't prevented admin accounts from accessing email and the internet.
MFA coverage: Maturity Level 2 requires MFA for all users accessing internet-facing services, not just VPN and privileged access. Many organisations still have gaps in MFA coverage for SaaS applications.
Moving from Level 1 to Level 2
The jump from Level 1 to Level 2 is where most value is delivered. Focus on:
- Extending application control to all workstations
- Tightening patching timeframes to 2 weeks for internet-facing systems and 1 month for internal systems
- Implementing MFA across all internet-facing services
- Restricting admin accounts from email and web browsing
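The four Level 2 gaps above are the kind of thing worth checking continuously rather than once a year at assessment time. The script below is an added example, not ASD's tooling or anything from this page: it runs the page's Level 2 criteria (application control on every host, 2-week patching for internet-facing and 1-month for internal systems, MFA on every internet-facing service, admin accounts with no mailbox or web access) over a small constructed inventory. The host, service and account records and their field names are assumptions for illustration; in practice they would come from an endpoint management or CMDB export.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

# Level 2 patching timeframes as stated in the article (assumed as fixed inputs here).
INTERNET_FACING_PATCH_DAYS = 14   # "2 weeks" for internet-facing systems
INTERNAL_PATCH_DAYS = 30          # "1 month" for internal systems


@dataclass
class Host:
    name: str
    kind: str                          # "workstation" or "server"
    internet_facing: bool
    app_control: bool                  # application control enforced on this host
    oldest_unpatched_days: Optional[int]  # days since the oldest missing patch was released; None = fully patched


@dataclass
class Service:
    name: str
    internet_facing: bool
    mfa_enforced: bool


@dataclass
class AdminAccount:
    name: str
    has_mailbox: bool
    web_browsing_allowed: bool


@dataclass
class Finding:
    strategy: str    # which Essential Eight strategy the gap belongs to
    subject: str     # host, service or account name
    detail: str


# Constructed sample inventory (not real systems).
HOSTS = [
    Host("srv-web-01", "server", True, True, 20),        # internet-facing, 20d > 14d limit
    Host("srv-db-01", "server", False, True, 20),        # internal, 20d within 30d limit
    Host("ws-fin-07", "workstation", False, False, None),  # no application control
    Host("ws-hr-02", "workstation", False, True, 45),    # internal, 45d > 30d limit
]
SERVICES = [
    Service("vpn", True, True),
    Service("crm-saas", True, False),        # internet-facing SaaS without MFA
    Service("intranet-wiki", False, False),  # internal only; not in scope for this check
]
ADMINS = [
    AdminAccount("da-jsmith", True, False),      # admin account with a mailbox
    AdminAccount("da-break-glass", False, False),
]


def assess(hosts: List[Host], services: List[Service], admins: List[AdminAccount]) -> List[Finding]:
    """Return one Finding per Level 2 gap found in the inventory."""
    findings: List[Finding] = []
    for h in hosts:
        # Level 2: application control on all workstations and servers, not servers only.
        if not h.app_control:
            findings.append(Finding("application-control", h.name,
                                    f"{h.kind} has no application control enforced"))
        # Patching window depends on exposure: 2 weeks internet-facing, 1 month internal.
        limit = INTERNET_FACING_PATCH_DAYS if h.internet_facing else INTERNAL_PATCH_DAYS
        if h.oldest_unpatched_days is not None and h.oldest_unpatched_days > limit:
            findings.append(Finding("patching", h.name,
                                    f"oldest missing patch is {h.oldest_unpatched_days}d old, limit {limit}d"))
    for s in services:
        # Level 2: MFA for all users on every internet-facing service, not just VPN.
        if s.internet_facing and not s.mfa_enforced:
            findings.append(Finding("mfa", s.name, "internet-facing service without MFA"))
    for a in admins:
        # Admin accounts should not be able to read email or browse the web.
        if a.has_mailbox or a.web_browsing_allowed:
            findings.append(Finding("admin-privileges", a.name,
                                    "admin account can access email and/or the internet"))
    return findings


def gaps_by_strategy(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per strategy, which is what an assessment summary usually wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.strategy] = counts.get(f.strategy, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(HOSTS, SERVICES, ADMINS)
    for f in results:
        print(f"[{f.strategy}] {f.subject}: {f.detail}")
    print(gaps_by_strategy(results))
```

The exposure-dependent patch limit is the part most teams get wrong when they run a single monthly cycle: the same 20-day-old missing patch is a finding on the internet-facing web server but not on the internal database server, which is exactly the 2-4 week exposure window described above.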