Matrix Solutions Official Logo

The Essential Eight Maturity Model – A Complete Guide

The Essential Eight Maturity Model – A Complete Guide

Page Contents

The Australian Cyber Security Centre (ACSC) has created prioritised strategies, the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves from cyber threats. The most successful of these is the Essential Eight Maturity Model.

The primary purpose of Essential Eight is to protect internet-connected networks that use Microsoft Windows. However, these strategies can also be applied to cloud services and enterprise mobility using other operating systems. In this case, it might be more effective to follow the ACSC’s alternative guidance for such unique environments.

This comprehensive guide provides a detailed look at each phase of the model and offers tips to help you move to the next level.

What is the Essential Eight Maturity Model?


The Essential Eight Maturity Model is a framework for assessing and improving your organisation’s cyber security posture.

The Essential Eight Maturity Model, which was first published in June 2017 and has been regularly updated since, aids the implementation of the Essential Eight. The model is based on extensive experience from the ACSC in producing cyber threat intelligence reports, responding to incidents, conducting penetration tests and assisting organisations with implementing security measures.

It focuses on eight key mitigation strategies: application whitelisting, patching applications, patching operating systems, controlling administrative privileges, restricting remote access technologies, multi-factor authentication, daily backups, and configuration management.

Who created essential 8?


Essential Eight was developed by the Australian Cyber Security Centre (ACSC), a government agency responsible for coordinating cybersecurity efforts across Australia.

No matter which mitigation strategies are implemented, there is no guarantee that they will work against all cyber threats. However, the Australian Cyber Security Centre suggests that organisations use eight specific strategies from their “Strategies to Mitigate Cyber Security Incidents” as a baseline to make it more difficult for adversaries to take over systems. 

This set of Eight Essentials provides a good foundation on which to build stronger system security.

When did Essential 8 start?


The Essential Eight Maturity Model was first published in June 2017 and has been regularly updated.

How do you implement essential 8?


To implement Essential 8 maturity model, organisations should first assess their current level of security using the maturity model’s framework. They can then prioritise and implement the mitigation strategies, continuously monitoring and improving their cybersecurity posture.

The Essential Eight consists of eight different strategies that, when put into place, will work together to provide coverage against various cyber threats. When implementing the ASD Essential 8 Maturity Model, identify a target maturity level and plan to achieve this level before moving on to higher ones. Additionally, aim for the same maturity levels across all eight strategies – this way, you can ensure comprehensive protection.

To best protect your organisation, implement the Essential Eight security controls using a risk-based approach. Aim to reduce the number and scope of any exceptions by implementing compensating security controls. If you do have exceptions, make sure to document them and get approval through an appropriate process.

Subsequently, the need for exceptions and associated compensating security controls should be monitored and reviewed regularly. Note the appropriate use of exceptions should not preclude an organisation from being assessed as meeting the requirements for a given maturity level.

Maturity Level of Essentials Eight Maturity Models


There are four maturity levels that organisations can use to guide their implementation of the Essential Eight security measure. The first level, Maturity Level Zero, is the starting point. The following Levels (One through Three) successively address and mitigate more sophisticated tradecraft used by adversaries.

Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for various operations against other targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another.

As such, organisations should consider what level of tradecraft and targeting rather than which adversaries they aim to mitigate.

Maturity Level Zero


This maturity level is for adversaries who want to use publicly available methods to access and control systems. For example, an adversary might exploit a known security vulnerability in an internet-facing service that hasn’t been patched yet, or try accessing an internet-facing service using stolen, reused, brute forced or guessed credentials.

It is common for adversaries to seek any victim rather than a specific one; they will take advantage of weaknesses in many targets instead of investing heavily into gaining access to just one target. Adversaries will use social engineering techniques that trick users into weakening security system, which then launches malicious applications. For example, this can be done via Microsoft Office macros.

If the account that an adversary compromised has special privileges, they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).

Maturity Level One


This maturity level is for adversaries who have gotten high privileges on a network, probably from exploiting vulnerabilities or using someone else’s credentials. Adversaries at this stage use different ways to escape detection and stay access to systems, usually by using authorised administrator tools and changing system configurations.

Adversaries might also try to take more credentials, enhance privileges, and continue moving.

Maturity Level Two


This maturity level is for adversaries who want to hide their activity and maintain access to a network, possibly for extended periods. They use advanced techniques such as using legitimate administrator tools in unexpected ways and custom malware or means that make it harder to detect their presence on the network.

Adversaries at this stage may also try to steal or manipulate data or disrupt network operations.

Maturity Level Three


This maturity level is for adversaries who want to hide their presence on a network and have the capability to use sophisticated techniques, including supply chain compromises, hardware implants, and advanced custom malware that can evade detection. Adversaries at this level are highly sophisticated and may have nation-state-level resources and capabilities. They may target specific individuals or organisations for espionage or sabotage purposes.

Organisations at this maturity level should have robust monitoring, detection, and response capabilities to mitigate the highly sophisticated attacks they may face.

What are the objectives of Essential Eight?


The Australian Cyber Security Centre’s ‘Strategies to Mitigate Cyber Security Incidents’ outlines eight essential mitigation strategies that, while not guaranteed, will create a much harder target for cybercriminals. This baseline defence plan is known as the Essential Eight.

Proactively implementing the ACSC Essential Eight Maturity Model can be cheaper in terms of time, money and effort than responding to a large-scale cyber security incident.

Objectives of Essential Eight include:

  1. Prevent Cyberattacks: By patching software and operating systems, restricting administrative privileges, and using multi-factor authentication, the Essential 8 cyber security helps organisations prevent common forms of cyberattack.
  2. Detect Threats: Implementing application control and daily backups helps organisations detect potential threats in their systems and boosts vulnerability management capabilities.
  3. Cyber Security Incident Response: Using secure configurations for network devices and limiting the use of obsolete or insecure protocols help organisations respond quickly and effectively to incidents.
  4. Recover from Incidents: The Essential Eight encourages using disposable data and backups to aid in recovering from a successful attack.
  5. Data Recovery and System Availability: The Essential Eight also helps maintain system availability and recover data from successful attacks.

The Eight Essentials Maturity Models


First Model: Application Control


By only allowing programs on an approved list to run, security is enhanced because unapproved programs – including malware- cannot start. This also prevents attackers from running rogue programs which could enable them to access or steal data.

Second Model: Patch Applications


Use security fixes/patches or mitigations for programs within 48 hours. Do not use out-of-support applications that do not receive security fixes because attackers can easily exploit them.

Third Model: Configure Microsoft Office macro settings


Only permit Office macros (automated commands) where there is an enterprise demand and restrict the type of commands a macro can execute. Also, check the usage of Macros.

Macros can be used to run automated dangerous commands that could let an attacker download and install malware.

Fourth Model: User application hardening


Only install and use applications that are verified, authorised, and required for business purposes. This means removing unnecessary or unused applications to reduce the attack surface.

Fifth Model: Restrict administrative privileges


Reduce the number of users with admin privileges, as they can install or modify software, including malware. Assign admin privileges only to those who need them and monitor their use.

Sixth Model: Patch operating systems


Use security fixes/patches or mitigations for operating systems within 48 hours. Do not use operating systems that are out-of-support and do not receive security fixes because attackers can easily exploit them.

Seventh Model: Multi-factor authentication


Multi-factor authentication adds an extra layer of security by requiring more than one form of authentication, such as a password and a token or biometric identification, to access systems or data.

Eighth Model: Regular backups


Back up data regularly if it becomes corrupted or compromised, and ensure backups are stored securely. This helps with business continuity and enables faster recovery from a successful attack.

Why should I implement the Essential Eight?


Implementing the Essential Eight can help prevent, detect, and respond to common forms of cyberattack.

It can also save time, money, and effort in the long run by reducing the likelihood and impact of a successful attack. Adhering to Essential Eight can demonstrate a commitment to cybersecurity and meet compliance requirements for Australian businesses to protect businesses against cyber threats.

What do the essential eight maturity models mean for organisations?


The Essential Eight maturity models provide a framework for assessing and improving cybersecurity practices. By implementing the eight essential measures, organisations can enhance their defences against common forms of cyberattacks and demonstrate commitment to cybersecurity. The models also provide a way for organisations to regularly review and update security practices in line with evolving threats and technologies.

How to be Compliant with the Essential Eight Maturity Model?


To comply with the Essential Eight maturity models, organisations should regularly review and update their security practices to ensure they implement each of the eight essential measures.

This includes maintaining application control, patching and operating systems, hardening user applications, restricting administrative privileges, using multi-factor authentication, and regularly backing up data.

Organisations can also assess their current level of compliance using the Essential Eight Maturity Model self-assessment tool. This tool allows organisations to track progress and identify improvement areas to meet compliance requirements.

It is important to note that compliance with Essential Eight does not guarantee complete protection from cyberattacks as threats are constantly evolving. However, implementing these measures can significantly enhance an organisation’s defences against common forms of attack.

Essential Eight Maturity Model for Law Firms


Law firms may have sensitive and confidential client information, making them a cyberattack target. Implementing the Essential Eight can help protect this information and demonstrate commitment to cybersecurity compliance requirements.

This includes restricting administrative privileges to authorised individuals, regularly patching operating systems, using multi-factor authentication for access to sensitive data, and regularly backing up important information.

Law firms can also assess their current level of compliance with the Essential Eight Maturity Model self-assessment tool and track progress in enhancing their cybersecurity defences.

How can Matrix Solutions help?


Matrix Solutions offers consultation and support services for implementing the Essential Eight measures. This includes reviewing current security practices, identifying areas for improvement, and providing training and guidance on best practices.

Our experienced cybersecurity professionals can also assist with Application Control Compliance Assessments using the Essential Eight Maturity Model self-assessment tool and ongoing monitoring to ensure continued adherence to the mitigation strategy objectives.

Contact us to learn more about how we can help enhance your organisation’s cybersecurity defences.



In summary, implementing the Essential Eight measures can enhance an organisation’s defences against common forms of cyberattack and demonstrate a commitment to cybersecurity.

Matrix Solutions has your back if you need help conforming to the Essential Eight maturity models or meeting compliance requirements. We offer consultation and support services so that you can easily adhere to all regulations.

Contact us to learn more about how we can help protect your organisation from cyber threats.

Essential Eight Maturity Model FAQs


What is the latest update in the Essential Eight Maturity Model?

The latest update to the Essential Eight Maturity Model, released in October 2019, is a self-assessment tool for organisations to track their progress and identify areas for improvement in implementing the essential measures.

What are the essential 8 controls?

The Essential Eight measures are application control, patching applications and operating systems, hardening user applications, restricting administrative privileges, multi-factor authentication., backing up data, controlled use of administrative privileges, and daily back-ups.

Is Essential 8 mandatory?

While no law enforcement requires the Essential Eight, adhering to them can notably upgrade an organisation’s resilience against popular types of cyberattacks and show obedience to cybersecurity compliance requirements. Furthermore, it bears mentioning that these measures do not provide absolute protection against all digital dangers, as threats are always changing form. Nevertheless, staying on top of current security trends is essential in remaining one step ahead of new risks.

What is cybersecurity maturity?

Cybersecurity maturity refers to an organisation’s preparedness and adherence to guidelines and best practices in protecting against cyber threats.

What is application whitelisting?

Application whitelisting is a method of restricting the programs and applications that can be used on a network. Only those on an approved list, or whitelist, are allowed to run, potentially blocking malicious programs and preventing unauthorised access. It is one of the essential eight measures.

What is a system-hardening checklist?

A system-hardening checklist is a list of security measures for strengthening the defences of computer systems or networks, such as disabling unnecessary services and features, installing updates and patches, and regularly backing up data. It relates to two essential eight measures: patching and operating systems and hardening user applications.

Which is better, whitelisting or blacklisting?

Both whitelisting and blacklisting have their advantages and disadvantages. Whitelisting can provide more comprehensive protection as only authorised programs are allowed to run, but it can also be more time-intensive to manage and maintain.  Application Blacklisting, on the other hand, may not provide as thorough protection. as it only blocks known threats, but it is easier to manage and update.

Is ISO 27001 A maturity model?

ISO 27001 is an international standard for establishing, implementing, maintaining, and constantly improving an information security management system (ISMS). It does not specifically address the Essential Eight measures, but implementing them can help organisations meet the requirements for ISO 27001 certification. However, it is not considered a maturity model.

Schedule Your Free Consultation Today


Matrix Solutions

Matrix Solutions

Matrix Solutions is the trusted partner for legal and finance businesses providing expert Managed IT Services with 25 years of experience. Contact us today!

On Key

All Posts

benefits of managed security services

Benefits of Managed Security Services: Protect Your Digital Assets

Are you feeling overwhelmed by the constantly changing world of cyber threats? Are limited resources and growing compliance demands leaving your sensitive data exposed? If so, understanding the benefits of Managed Security Services (MSS) can be your lifeline, offering a powerful shield against today’s sophisticated threats. Our expert team works tirelessly to safeguard your data

Read More »
Matrix Solutions Australia What is Managed Security Services

What is Managed Security Services?

Managed Security Service (MSS) is a specialised third-party service that helps organisations safeguard their digital environments without the overhead of maintaining a full-fledged in-house cybersecurity team. If you’re wondering, “What is managed security services?” It’s a strategic solution that allows businesses to leverage expert skills and advanced technologies to protect against ever-evolving cyber threats. This

Read More »
Matrix Solutions Australia Health Care Managed IT Services
Managed IT Services

Healthcare Managed IT Services: An Ultimate Guide

The COVID-19 pandemic has significantly impacted the healthcare industry, and managed IT services have emerged as a crucial tool in aiding patient care and hospital management. The healthcare sector has been an early adopter of technology, leveraging it to improve patient outcomes and enhance the quality of care. In this regard, we provide a comprehensive

Read More »
Scroll to Top