• Montane PS Staff

The Essential Eight Maturity Model

What is it?


The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to help organisations protect themselves against various cyber threats; the most effective of these mitigation strategies are the Essential Eight.


The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks.

While the Essential Eight may be applied to cloud services and enterprise mobility, or other operating systems, it was not primarily designed for such purposes and alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments. In such cases, organisations should consider alternative guidance provided by the ACSC.


The Essential 8 Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.


Implementing the Essential 8


When implementing the Essential Eight, organisations should first identify a target maturity level that is suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.

As the mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.


Organisations should implement the Essential Eight using a risk-based approach.

In doing so, organisations should seek to minimise any exceptions and their scope, for example, by implementing compensating security controls and ensuring the number of systems or users impacted is minimised. In addition, any exceptions should be documented and approved through an appropriate process.


Maturity Levels


To assist organisations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three). With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures) and targeting, which are discussed in more detail below. Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another.


Organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.

Organisations need to consider that the likelihood of being targeted is influenced by their desirability to adversaries, and the consequences of a cyber security incident will depend on their requirement for the confidentiality of their data, as well as their requirement for the availability and integrity of their systems and data. This, in combination with the descriptions for each maturity level, can be used to help determine a target maturity level to implement.


Essential 8 Mitigation Strategies


Common strategies across the four previously outlined maturity levels are:


1. Application control.


2. Patch applications.


3. Configure Microsoft Office macro settings.


4. User application hardening.


5. Restrict administrative privileges.


6. Patch operating systems.


7. Multi-factor authentication.


8. Regular backups.


To learn more about the Essential 8 Maturity Model, visit the ACSC website.




We offer a full range of cyber and information security and associated risk management solutions, including review and compliance against the Essential 8 Maturity Model as it pertains to your business's operating environment.


Contact Us to learn more, or visit our website

