Independent Essential Eight Maturity Assessment

ASD Essential Eight Framework
All Work Performed In-House
Over 30 Years Experience
Trusted by Australian Organisations
  • ML1–ML3: Full maturity spectrum assessed
  • 8: Strategies independently verified
  • 0/10: Entities in ACSC audits reaching ML1 across all controls (their finding, not ours)
  • Evidence-based: Every rating referenced to documented proof — not self-reported answers

What Is a Maturity Level Assessment?

A Maturity Level Assessment is a formal, independent verification of your Essential Eight posture. Unlike an Essential 8 gap assessment — which identifies what’s missing — a maturity assessment certifies what you have, at a specific level.

The ACSC defines four maturity levels (ML0–ML3). Most businesses targeting government contracts, cyber insurance, or board-level assurance need to demonstrate a verified ML1, ML2, or ML3 — not a self-assessed one.

Our assessment follows the ACSC’s official assessment guidance. Every control is tested against documented evidence, not questionnaire responses. The result is a formal rating you can put in front of a client, an insurer, or your own board with confidence.

The Problem With Self-Assessed Maturity Levels

The ACSC’s own audits found that none of ten government entities assessed reached Maturity Level One across all eight controls — despite most believing they were at a higher level. In the private sector, the gap is typically wider.

Self-assessment feels accurate because you’re assessing yourself. Independent assessment is accurate because the evidence either exists or it doesn’t.

If your maturity level matters to your business — for contracts, insurance, due diligence, or simply for knowing the truth — it needs to be independently verified.

What Each Maturity Level Means for Your Business

Maturity Level 1

Defends against opportunistic, automated attacks — the “spray and pray” threats that target any unprotected system. The floor, not the ceiling. Achievable for most businesses within a structured program.

Maturity Level 2 — The Private Sector Benchmark

Defends against organised cybercrime and targeted phishing campaigns. The ACSC’s recommended target for most private sector organisations. Requires consistent, documented, and tested controls across all eight strategies.

Maturity Level 3

Defends against advanced persistent threats and nation-state actors. Required for critical infrastructure, high-value government suppliers, and organisations handling sensitive classified data. Includes phishing-resistant MFA, privileged access workstations (PAWs), and fully automated patching.

Free to start

Ready to Know Where You Actually Stand?

Start with the free Essential Eight Self-Audit to get a directional view, or book directly with our team for a formal independent assessment. Either way, you’ll know the truth — and that’s the only useful starting point.

Our Essential 8 Assessment Process

Step 1 — Pre-Assessment Scoping

We define the scope: which systems, users, and environments are in scope, and which maturity level you’re targeting. We’ll also advise on whether your target level is realistic given your current environment — no point verifying ML3 if ML2 is the right goal.

Step 2 — Evidence Collection

Our assessors collect technical evidence across all eight strategies: configuration exports, log samples, policy documentation, group policy settings, MFA enrollment records, backup test logs, and more. Evidence requirements are defined by the ACSC assessment methodology — we follow it precisely.

Step 3 — Independent Verification Testing

We don’t just review documentation. We test controls in practice — verifying that application control actually blocks unapproved executables, that MFA can’t be bypassed, that backups are actually restorable. Controls that look good on paper often fail in practice.

Step 4 — Maturity Scoring

Each of the eight strategies is scored against the ACSC’s criteria at the target maturity level. Scoring is binary per control requirement — a control either meets the criteria with sufficient evidence, or it doesn’t. No partial credit for good intentions.

Step 5 — Formal Assessment Report

You receive a detailed assessment report: per-strategy ratings, evidence references, failed control findings, and a gap register for any items that didn’t meet the target level. Includes an executive summary and a technical findings section.

Step 6 — Debrief & Next Steps

We walk you through the findings with your team. If gaps remain, we’ll advise on the fastest path to close them — either through our remediation service or your own internal team.

What You Receive

Our commitment to quality and our friendly customer service set us apart from the competition.

  • Formal maturity assessment report (ACSC methodology)
  • Per-strategy maturity ratings (ML0–ML3)
  • Evidence register (documents each finding)
  • Failed control register with remediation guidance
  • Executive summary (board/leadership ready)
  • Technical findings (IT team ready)
  • Consultant debrief session
  • Optional: letter of attestation for client/insurer use

Which Maturity Level Should You Target?

Maturity Level 1

Right for: Smaller businesses with limited IT resources, organisations taking their first formal step toward compliance, or those needing a baseline before working toward ML2.

Not right for: Government contractors, businesses handling sensitive data, or anyone whose clients or insurers require ML2 or above.

Maturity Level 2 (Most Common)

Right for: Most Australian SMBs — particularly those dealing with government, financial services, healthcare, or legal clients. Cyber insurers increasingly expect this level.

Not right for: Organisations in critical infrastructure or high-security government supply chains — those should target ML3.

Maturity Level 3

Right for: Critical infrastructure operators, high-value defence and government suppliers, organisations handling classified or sensitive personal data at scale.

Note: ML3 requires significant investment in privileged access workstations, phishing-resistant MFA, and fully automated patching. We’ll advise honestly on feasibility during scoping.
