Who should read this cybersecurity article?

This article is written for compliance professionals, CISOs, GRC managers, audit teams, and risk officers working in cybersecurity. It provides actionable insights relevant to organizations managing compliance programs.

How can I apply these cybersecurity insights?

Use our AI-powered compliance platform to map your requirements across 692 frameworks with 819,000+ control mappings. Start with a free account to explore relevant frameworks, run gap analyses, and build remediation plans.

Essential Eight Maturity: Where Most Australian Organisations Stand

The ASD Essential Eight provides eight mitigation strategies, but most organisations hover between Maturity Level 1 and 2. We look at the most common gaps and the practical steps to move up.

Eight Strategies, Three Maturity Levels

The Australian Signals Directorate's Essential Eight mitigation strategies are designed to address the most common attack vectors. Each strategy has three maturity levels, from basic (Level 1) to advanced (Level 3). Australian government entities are expected to achieve at least Maturity Level 2, and increasingly, private sector organisations are adopting the framework.

The Eight Strategies

Application control: Only approved applications can execute
Patch applications: Patch known vulnerabilities in applications within defined timeframes
Configure Microsoft Office macros: Block or restrict macro execution
User application hardening: Disable unnecessary features in browsers and Office
Restrict administrative privileges: Limit admin access based on duties
Patch operating systems: Keep operating systems patched and current
Multi-factor authentication: Require MFA for all remote access and privileged access
Regular backups: Perform and test regular backups of important data

Where Most Organisations Fall Short

Based on ASD's own reporting and our experience across hundreds of assessments, the most common gaps are:

Application control (biggest gap): Most organisations have basic application whitelisting for servers but not for workstations. Maturity Level 2 requires application control on all workstations, not just servers.

Patching cadence: Maturity Level 2 requires patching internet-facing vulnerabilities within 2 weeks. Many organisations still operate on monthly patching cycles, leaving a 2-4 week window of exposure.

Privileged access management: Many organisations have reduced the number of admin accounts but haven't implemented just-in-time access, separate admin workstations, or prevented admin accounts from accessing email and the internet.

MFA coverage: Maturity Level 2 requires MFA for all users accessing internet-facing services, not just VPN and privileged access. Many organisations still have gaps in MFA coverage for SaaS applications.

Moving from Level 1 to Level 2

The jump from Level 1 to Level 2 is where most value is delivered. Focus on: extending application control to all workstations, tightening patching timeframes to 2 weeks for internet-facing and 1 month for internal systems, implementing MFA across all internet-facing services, and restricting admin accounts from email and web browsing.

Essential Eight Maturity: Where Most Australian Organisations Stand

Eight Strategies, Three Maturity Levels

The Eight Strategies

Where Most Organisations Fall Short

Moving from Level 1 to Level 2

Frequently Asked Questions

Explore this topic on our compliance platform

More on Cybersecurity

NIST CSF 2.0: The Govern Function and Why It Matters

Put compliance intelligence to work