Essential Eight: Remediation & Implementation

ASD Essential Eight Framework
All Work Performed In-House
Over 30 Years Experience
Trusted by Australian Organisations
8 Strategies. We implement all of them.
Risk-first: Remediation sequenced by impact, not alphabetical order
In-house: All technical work done by AusCi — no subcontractors
ML1 → ML3: We take you to whatever level your business needs

What Is Essential Eight Remediation?

Remediation is the technical implementation work that closes the gaps identified in your Essential Eight Gap Assessment or your Essential 8 Maturity Level Assessment. It’s the difference between knowing you have weak application control and actually having strong application control.

Remediation isn’t a single task — it’s a structured program of work across your environment. Depending on your starting point and target maturity level, it might include:

– Deploying and configuring application allow listing
– Implementing phishing-resistant MFA across all systems
– Hardening Microsoft Office macro settings via Group Policy
– Patching operating systems and third-party applications to compliance
– Restricting and auditing administrative privileges
– Configuring immutable, offline backup systems
– User application hardening — disabling legacy plugins, scripts, and features

We scope, sequence, and implement all of it. Your team keeps running your business.

Why Remediation Order Matters

Not all gaps are equal. A business with no MFA on remote access and outdated OS patches faces a completely different risk profile than one that’s fully patched but has loose admin privileges. Fixing things in the wrong order wastes money and leaves your highest-risk gaps open longest.

Our remediation programs are always sequenced by risk — highest impact, lowest effort first — so you get the most meaningful protection at each stage, not just a to-do list worked through alphabetically.

Application Control

Deploy and maintain application allowlisting across workstations and servers. Block unapproved executables, libraries, scripts, and drivers — not just .exe files.

Patch Management

Implement automated patching workflows. Critical vulnerabilities addressed within 48 hours. Full patch compliance reporting for your records.

Microsoft Office Macro Hardening

Configure Group Policy to block macros from internet sources. Enable only digitally signed macros from trusted publishers for users with genuine business need.

User Application Hardening

Disable Flash, Java, legacy browser plugins, and automatic script execution. Harden web browsers and Office applications against exploitation.

Privileged Access Management

Audit and restrict administrative privileges. Implement separate admin accounts, remove standing admin rights, and deploy Privileged Access Workstations (ML3).

Multi-Factor Authentication

Roll out MFA across remote access, internet-facing services, and privileged accounts. Implement phishing-resistant FIDO2/passkeys where ML3 is required.

Operating System Patching

Establish patch compliance across all OS environments. Isolate or replace end-of-life systems. Automate OS patching with compliance monitoring.

Backup & Recovery

Design and implement backup systems that meet ACSC criteria — immutable storage, offline copies, minimum 3-month retention, and regular restoration testing.

Free to start

Close the Gaps. Verify the Level.

Whether you’re starting from a fresh gap assessment or picking up from one done elsewhere, we can scope a remediation program for your environment. All work done in-house. No surprises.

How a Remediation Engagement Works

Step 1 — Remediation Scoping

We review your gap assessment findings (ours or another firm’s) and build a scoped remediation plan. Scope includes: which systems, which users, which maturity level targets, timeline, and dependencies. Fixed-scope engagements mean no surprise invoices.

Step 2 — Risk-Prioritised Sequencing

We sequence work by risk impact. Your highest-exposure gaps — typically MFA, privileged access, and OS patching — are addressed first. Lower-risk items follow once your attack surface is materially reduced.

Step 3 — Technical Implementation

Our engineers implement controls directly in your environment. We work in windows that minimise business disruption — after hours where needed, staged rollouts for business-critical systems. All changes documented.

Step 4 — Validation Testing

Each implemented control is tested to verify it works as designed. Application control that looks configured but doesn’t block unapproved software isn’t remediation — it’s theatre. We test everything we implement.

Step 5 — Handover & Documentation

You receive full documentation of implemented controls, configuration records, and operational runbooks so your team can maintain them. Nothing is left as a black box.

Step 6 — Optional: Maturity Verification

Once remediation is complete, we can proceed directly to a formal maturity assessment to verify your new level — closing the loop from gap to verified compliance.

What You Receive

Our commitment to quality workmanship and our friendly customer service set us apart from the competition.

  • Scoped remediation plan with timeline and milestones
  • Risk-prioritised implementation sequence
  • All technical implementation work (in-house, no subcontractors)
  • Validation testing for each implemented control
  • Full configuration documentation and change records
  • Operational runbooks for ongoing maintenance
  • Handover session with your IT team
  • Optional: maturity assessment to formally verify the outcome

We Work With Your Environment

Microsoft Environments

Most of our SMB clients run Microsoft 365, Entra ID, and Windows endpoints. The Essential Eight was designed with this stack in mind — we know it well.

Cloud & Hybrid

Whether you’re fully cloud, hybrid, or still on-premise, we scope remediation to your actual environment. Controls implemented where your data actually lives.

No Internal IT? No Problem.

Many of our clients have no dedicated IT staff. We manage the implementation end-to-end, and hand over with enough documentation that it’s maintainable going forward.

Frequently Asked Questions
