Essential Eight Maturity Model Explained

The ASD Essential Eight Maturity Model is the framework behind Australia’s Essential Eight cyber security strategies. Developed and maintained by the Australian Signals Directorate (ASD), the Essential 8 is a set of eight cyber security mitigation strategies. While the Essential Eight defines which security controls should be implemented to mitigate security threats, the maturity model explains how well those controls must be implemented to be effective.

The Essential 8 consists of eight mitigation strategies that form the foundation of your organisation’s cyber defence. The maturity model provides a measurable, risk-based, step-by-step pathway for your organisation to progressively strengthen its cyber security posture.

The maturity model provides a risk-based approach for organisations to strengthen their cyber security posture and limit cyber security incidents. Rather than treating cyber security as a one-off compliance exercise, the maturity model recognises that the effectiveness of controls matters more than their mere existence, especially as new vulnerabilities take advantage of our ever-expanding reliance on online services.

The Essential Eight Maturity Model was developed by the Australian Cyber Security Centre to guide organisations in improving their cyber security posture. The model covers the eight mitigation strategies and is designed to help organisations assess their current level of maturity in implementing each of them.

If you are unfamiliar with the Essential 8 cyber security mitigation strategies, check out our information sheet – Essential Eight – ASD Essential 8 Cyber Security Explained.

An Introduction to Cyber Security

In today’s digital landscape of online services and internet-facing systems, cyber security is more critical than ever. Organisations face a constant barrage of increasingly sophisticated cyber threats, including remote code execution attacks against exposed systems. Maintaining a strong cyber security posture is critical for every Australian business to protect sensitive data, business operations, user accounts and reputation from cyber security incidents. The Australian Cyber Security Centre (ACSC) has developed the Essential Eight Maturity Model to provide organisations with a clear framework for managing digital security risks. The maturity model offers practical, up-to-date guidance that evolves alongside new threats, so organisations can stay ahead of cyber adversaries. By following the ACSC’s Essential Eight Maturity Model, Australian businesses can ensure their security measures are not only effective but aligned with the latest standards, making cyber security an ongoing priority rather than a one-time effort.

Understanding the Essential Eight

The Essential Eight is a set of eight core mitigation strategies designed to protect organisations against a wide range of cyber threats. Implementing these strategies is essential to building a resilient cyber security posture and maintaining critical business operations. Briefly, the Essential Eight includes:

  • Application Control: Prevents unauthorised applications from running on systems, reducing the risk of malware and unauthorised software execution.
  • Patching Applications: Ensures that software vulnerabilities are addressed promptly through patching, thereby protecting against exploitation.
  • Patching Operating Systems: Keeps operating systems up to date to close security gaps that attackers might exploit.
  • Restricting Administrative Privilege Access: Limits access to critical systems and data, both by restricting which accounts hold privileges and for how long, reducing the risk of privilege abuse.
  • Multi-Factor Authentication: Adds an extra layer of security by requiring multiple forms of verification for user accounts and privileged access.
  • Regular Backups: Ensures data can be restored quickly and easily in the event of a cyber incident such as ransomware.
  • User Application Hardening: Configures user applications to reduce their attack surface, such as disabling unnecessary features in web browsers.
  • Configuring Microsoft Office Macro Settings: Controls macro execution to prevent malicious code from running.

By prioritising these mitigation strategies, your organisation can protect its operating systems and data from critical cyber threats and steadily improve its cyber security maturity.

What the Essential 8 Maturity Model Looks Like

The maturity model defines four maturity levels, applied consistently across all eight mitigation strategies, allowing organisations to assess and improve their security posture against a common scale:

  • Maturity Level 0 – Not implemented or ineffective
    Maturity Level Zero indicates that controls do not exist or have significant gaps, and that immediate action is required to implement the basic measures.
  • Maturity Level 1 – Baseline protection against opportunistic attacks
    Maturity Level One represents basic cyber security practices. It shows that cyber security is taken seriously but needs further development.
  • Maturity Level 2 – Strong protection against more targeted attacks and cyber threats
    Maturity Level Two represents an excellent level of cyber security across all strategies and across the entire organisation. Future planning, tighter policies and procedures and scheduled reviews are all that remain from this step.
  • Maturity Level 3 – High resilience against advanced and persistent adversaries
    Maturity Level Three represents the highest level of cyber security maturity, where organisations typically exceed the baseline set by the Essential 8 and are protected against both current and future threats.

Each maturity level represents an increasing level of adversary capability, from basic cybercrime through to sophisticated, targeted threat actors. Each maturity level builds on the previous one, moving from reactive to proactive to advanced cyber security.

ASD guidance is explicit:

Organisations should aim to achieve the same maturity level across all eight controls before progressing to the next level to avoid weak links in their defensive posture.

There is no point having half of the Essential 8 controls at Level 3 if the other half are at Level 0, just as there is no point having the entire company at a high maturity level while work from home (WFH) staff remain at Level 0.

The goal of the Essential Eight Maturity Model is to strive for Maturity Level Three whereby cyber security in your environment becomes part of the business culture and mindset.

Maturity Level 0 – Not Implemented

Maturity Level 0 represents organisations where one or more of the Essential Eight controls are not met, missing, inconsistent or ineffective.

At this level:

  • Security controls may exist in name only
  • Patching is irregular, non-existent or ad-hoc
  • Administrative access / administrative infrastructure / privileged access is uncontrolled
  • Logging and monitoring are minimal or absent

Organisations at Maturity Level 0 are highly vulnerable to common cyber attacks, including ransomware, credential theft and exploitation of known vulnerabilities.

This level is not a target state of cybersecurity maturity – it is a diagnostic starting point that highlights material cyber risk.

Maturity Level 1 – Baseline Cyber Security

Maturity Level 1 is considered the minimum acceptable baseline of cybersecurity maturity for Australian organisations.

At this level, digital security controls are implemented in a foundational but limited way. These controls may be sufficient to defend against opportunistic attackers using publicly available tools and techniques against non-internet-facing servers or workstations.

Key characteristics include:

  • Core security patches are applied, but not rapidly or on a fixed schedule
  • Multi-factor authentication is enabled in limited scenarios or on some applications only
  • Application control and macro restrictions exist but may be narrow in scope or not applied to privileged users
  • Backups exist, but not all data is backed up and restores are not regularly tested

Maturity Level 1 significantly reduces exposure to commodity cybercrime, but it does not adequately defend against targeted or persistent attacks, or protect internet-facing operating systems.

ASD recommends this level as a security starting point, not an end goal.

Maturity Level 2 – Managed and Consistent Protection

Maturity Level 2 represents a step change in security effectiveness.

At this level, Essential Eight controls are:

  • Applied and documented consistently across the organisation
  • Enforced within defined timeframes
  • Supported by monitoring, penetration testing, logging and governance processes

Organisations at Maturity Level 2 are better protected against cyber threats and adversaries willing to invest time and effort, including business-tailored phishing, privileged access abuse and exploitation of delayed patching of operating systems or applications.

Common improvements at this level include:

  • Faster patching for high‑risk vulnerabilities
  • Broader application of MFA
  • Tighter control and monitoring of administrative privileges
  • Regular testing of backups and recovery procedures

This level is increasingly expected for organisations handling sensitive data, regulated information, or critical business services.

Maturity Level 3 – Advanced Cyber Resilience

Maturity Level 3 is the highest maturity level in the Essential Eight model.

It is designed to mitigate advanced, adaptive adversaries, including highly capable criminal groups and nation‑state actors.

At this level:

  • Controls are rigorously enforced with minimal exceptions, especially on internet-facing operating systems and web browsers
  • Patch timeframes are extremely short for critical vulnerabilities
  • Software libraries are analysed regularly, both for user application hardening and for fit-for-purpose requirements
  • Privileged access and user accounts are tightly governed and monitored
  • Phishing-resistant MFA is enforced on every application and user account
  • Logging and monitoring are comprehensive, mandatory and actively reviewed

Maturity Level 3 is typically appropriate for:

  • Government agencies
  • Critical infrastructure providers
  • Defence aligned organisations
  • Entities with high confidentiality or availability requirements, or environments serving many customers

This maturity level requires significant operational discipline and focus from your business, not just technology investment.

Authentication and Authorization

Effective authentication and authorization are essential for safeguarding operating systems and sensitive data from cyber threats. Multi-factor authentication (MFA) is a cornerstone of the Essential Eight: it requires users to provide multiple forms of verification, such as a password plus a mobile device or biometric factor, before gaining access. This significantly reduces the risk of unauthorised access even if a user’s credentials are compromised. In addition to MFA, restricting administrative privileges, both in scope and in duration, is essential across the entire organisation, as is deploying secure, isolated admin workstations to protect privileged access. By tightly controlling who can access critical systems, online services and data, organisations can mitigate the risk of privilege escalation and other attacks targeting administrative accounts. Implementing authentication and authorization strategies company-wide is key to maintaining a secure environment, defending against cyber threats and preventing cyber security incidents.

Incident Response and Recovery

Strong incident response strategies and recovery capabilities are essential for minimising the impact of cyber security incidents. The Essential Eight Maturity Model provides clear guidance on how organisations prepare for, respond to and recover from cyber security incidents. These strategies include maintaining regular backups, promptly patching operating systems and applications, and restricting administrative privileges to limit the spread of attacks. Developing a comprehensive incident response plan is essential so that organisations can act quickly and effectively when incidents occur; these plans and strategies mitigate downtime and data loss. The Australian Cyber Security Centre, alongside the Australian Cyber Security Institution, offers resources and support to assist organisations in building and refining their incident response capabilities. By focusing on incident response and recovery, organisations can strengthen their cyber security posture and advance their maturity level, ensuring they are prepared to handle both current and emerging threats.

Why the Essential 8 Maturity Model Matters

The Essential Eight maturity model recognises a critical truth:

A security control that exists but is poorly implemented offers limited to no protection from cyber threats.

Organisations should identify common weaknesses and gaps in their security controls to improve their maturity.

For example:

  • MFA applied to a handful of accounts does not meaningfully reduce credential risk
  • Backups that are never tested may be incomplete and are prone to failing during a ransomware event or other cyber security incident
  • Patching of operating systems and applications delayed by weeks leaves a sufficient window for attackers to exploit known vulnerabilities

To assess their current maturity level, organisations should measure their cyber security against each of the Essential 8 strategies. A risk assessment should then be conducted to understand the impact of identified vulnerabilities and gaps in cyber security maturity. Patching applications and operating systems is essential to address already identified vulnerabilities and ensure security controls are effective. Identifying these quick wins can help organisations move towards a higher Essential 8 maturity level with minimal effort.

By measuring how well controls are implemented, the maturity model helps organisations move beyond checkbox compliance and towards genuine cyber resilience.
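One way to turn the rule above that the weakest control sets the organisation’s level, together with the per-strategy assessment described in the previous section, into a repeatable check, as an added example written for this page (it is not ASD or AusCI tooling). The control names, the SAMPLE figures and the office/WFH segments are constructed assumptions.

```python
# The eight mitigation strategies, in the order the page lists them.
ESSENTIAL_EIGHT = (
    "application_control", "patch_applications", "patch_operating_systems",
    "restrict_admin_privileges", "multi_factor_authentication", "regular_backups",
    "user_application_hardening", "office_macro_settings",
)
LEVELS = (0, 1, 2, 3)  # the model defines Maturity Levels 0 to 3


def _validate(assessment: dict[str, int]) -> None:
    """Reject unknown control names and levels outside 0-3."""
    for name, level in assessment.items():
        if name not in ESSENTIAL_EIGHT:
            raise ValueError(f"unknown control: {name}")
        if level not in LEVELS:
            raise ValueError(f"{name}: level must be 0-3, got {level!r}")


def effective_level(assessment: dict[str, int]) -> int:
    """Effective maturity is the lowest level across all eight controls.
    A control absent from the assessment counts as Level 0 (not implemented)."""
    _validate(assessment)
    return min(assessment.get(c, 0) for c in ESSENTIAL_EIGHT)


def uplift_plan(assessment: dict[str, int], target: int) -> list[tuple[str, int, int]]:
    """Controls below target, weakest first: (control, current level, levels to climb)."""
    _validate(assessment)
    if target not in LEVELS:
        raise ValueError(f"target must be 0-3, got {target!r}")
    gaps = [(c, assessment.get(c, 0), target - assessment.get(c, 0))
            for c in ESSENTIAL_EIGHT if assessment.get(c, 0) < target]
    return sorted(gaps, key=lambda g: (g[1], g[0]))


def organisation_level(segments: dict[str, dict[str, int]]) -> int:
    """Organisation-wide level across fleet segments (office, WFH, ...): the weakest segment sets it."""
    return min(effective_level(a) for a in segments.values())


# Constructed sample assessment (hypothetical numbers, not real results).
SAMPLE = {
    "office": {"application_control": 2, "patch_applications": 2, "patch_operating_systems": 2,
               "restrict_admin_privileges": 2, "multi_factor_authentication": 1,
               "regular_backups": 2, "user_application_hardening": 2, "office_macro_settings": 2},
    # WFH fleet was never assessed for macro settings, so that control defaults to Level 0.
    "wfh": {"application_control": 0, "patch_applications": 1, "patch_operating_systems": 1,
            "restrict_admin_privileges": 1, "multi_factor_authentication": 1,
            "regular_backups": 1, "user_application_hardening": 1},
}
```

With the sample figures the office fleet sits at Level 1 because of MFA alone, and the unassessed macro control drags the WFH fleet, and therefore the whole organisation, to Level 0.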

Essential 8 Maturity Model – A Risk Based Journey, Not a Checklist

Australian Signals Directorate guidance makes it clear that organisations should:

  • Select a target maturity level and prioritise based on risk and business needs
  • Progress incrementally, methodically and proactively
  • Document exceptions and compensating controls
  • Review and reassess maturity regularly on a scheduled basis

Developing a long-term action plan is essential to implementing the Essential 8 strategies, and regularly reassessing your maturity level is essential once they are in place. Organisations must continually assess and improve their cyber security maturity to adapt to evolving cyber threats. Achieving high maturity levels in the Essential 8 framework improves an organisation’s security posture, enhances regulatory compliance, reduces cyber security incidents, avoids costly breach remediation and fosters better business resilience against evolving cyber threats.

The maturity model is intended to be practical, achievable and defensible – not theoretical or vendor driven.

Australian Cyber Security Institution (AusCI) assists organisations to understand, assess and uplift their Essential Eight maturity in a structured, budget-conscious and defensible way.

We support organisations by:

  • Performing Essential Eight maturity assessments and audits
  • Identifying gaps and priority risks
  • Developing realistic mitigation and defensible solutions
  • Assisting with technical and governance implementation
  • Supporting ongoing review, improvement and documentation

Whether you are moving from Level 0 to Level 1, or working toward higher maturity targets, AusCI provides practical guidance aligned with ASD expectations.
