What is the Essential Eight?
The Essential Eight is a set of prioritised cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and published by the Australian Cyber Security Centre (ACSC). Originally introduced in 2017 as an evolution of the "Top 4" strategies, the Essential Eight represents the minimum baseline that all Australian organisations should implement to protect themselves against the most common cyber threats, including ransomware, data exfiltration, and business email compromise.
The framework is structured around three key objectives: preventing malware delivery and execution (Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening), limiting the extent of cyber incidents (Restrict Administrative Privileges, Patch Operating Systems, Multi-Factor Authentication), and recovering data and system availability (Regular Backups).
Understanding the Maturity Levels
The ASD defines four maturity levels (0 through 3) for each of the eight strategies. Each level builds upon the previous, progressively hardening the organisation's security posture:
- Maturity Level 0: Weaknesses exist that could be exploited. The strategy is either not implemented or only partially implemented with significant gaps.
- Maturity Level 1: Partly aligned with the intent of the strategy. Provides some protection against commodity-level adversaries using publicly available tools and techniques.
- Maturity Level 2: Mostly aligned. Provides strong protection against adversaries who are more adaptive and target weaknesses in an organisation's cybersecurity posture.
- Maturity Level 3: Fully aligned. Provides protection against adversaries with advanced tradecraft and techniques, such as those used by nation-state actors.
Who Should Use This Assessment?
This self-assessment is designed for IT managers, CISOs, MSP directors, and business owners across Australia who need to understand their cybersecurity baseline. It is particularly relevant for organisations operating in regulated industries such as healthcare (APRA CPS 234 alignment), government (ISM compliance), financial services, and legal, where demonstrating adherence to the Essential Eight is increasingly a contractual and regulatory expectation.
Essential Eight vs. ISO 27001: How Do They Relate?
While the Essential Eight focuses on eight specific technical mitigation strategies, ISO 27001 is a comprehensive Information Security Management System (ISMS) standard covering 93 controls across organisational, people, physical, and technological domains. Many organisations start with the Essential Eight as a tactical first step and then pursue ISO 27001 certification for the broader governance, risk management, and assurance framework. Implementing the Essential Eight effectively covers approximately 30-40% of the technical Annex A controls in ISO 27001:2022.
How TECHOM Systems Can Help
As an ISO 9001, ISO 27001, and ISO 45001 certified Managed IT Services Provider, TECHOM Systems delivers end-to-end Essential Eight implementation and maturity uplift programs. Our cybersecurity engineers conduct formal assessments using the ASD's assessment guide, deploy the required technical controls (Microsoft Intune, Defender for Endpoint, Entra ID Conditional Access, LAPS, and more), and provide ongoing compliance monitoring. Whether you're targeting Maturity Level 1, 2, or 3, we build a tailored roadmap to get you there.