ACSC Essential 8 Compliance Guide for Small Business in Australia

Last updated: March 2026 | Reading time: 12 minutes

Key Takeaways

  • What: The Essential 8 is a set of 8 cybersecurity strategies from the Australian Cyber Security Centre (ACSC) that can prevent up to 85% of cyber attacks
  • Who: Mandatory for Australian Government agencies; strongly recommended for all Australian businesses
  • Cost: $5,000–$15,000 for Maturity Level 1 implementation for a small business (10–30 staff)
  • Timeline: 4–8 weeks to reach Maturity Level 1 with MSP support
  • Why now: 76,000+ cybercrime reports in Australia annually; average cost per incident for SMBs is $46,000

What Is the ACSC Essential 8?

The Essential 8 is a prioritised set of cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). Originally published as the "Top 4" in 2011 and expanded to 8 strategies in 2017, the Essential 8 provides a baseline cybersecurity framework designed to protect organisations against the most common cyber threats.

The ACSC estimates that implementing all eight strategies can prevent up to 85% of targeted cyber attacks. The framework is technology-agnostic and applicable to organisations of any size, though implementation complexity varies with maturity level.

The 8 Strategies at a Glance

The Essential 8 is divided into three objectives: preventing attacks, limiting impact, and ensuring data availability.

Preventing Malware Delivery and Execution

  • 1. Application Control — Only allow approved applications to run
  • 2. Patch Applications — Keep third-party software up to date
  • 3. Configure Microsoft Office Macro Settings — Block or restrict macros
  • 4. User Application Hardening — Disable unnecessary features in browsers and apps

Limiting the Extent of Incidents

  • 5. Restrict Administrative Privileges — Limit admin access to only those who need it
  • 6. Patch Operating Systems — Keep Windows, macOS, and Linux patched
  • 7. Multi-Factor Authentication (MFA) — Require a second factor for all remote access and privileged accounts

Recovering Data and System Availability

  • 8. Regular Backups — Maintain tested, offline backups of critical data

The 8 Strategies Explained

1 Application Control

Application control prevents unapproved software — including malware, ransomware, and scripts — from executing on your systems. This is the single most effective mitigation strategy against malware.

How to implement: Use Windows AppLocker or Windows Defender Application Control (WDAC) to create allowlists of approved applications. At Maturity Level 1, application control is applied to workstations. At Level 2, it extends to servers.

Common tools: Windows AppLocker (built-in), WDAC, Airlock Digital, Ivanti Application Control
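The audit-then-enforce AppLocker rollout described above (the same "start with audit mode, then enforce" step listed under Phase 3), as an added PowerShell example that is not code from this page, the ACSC or any vendor. It assumes an elevated session on a clean reference workstation and uses the hypothetical output folder C:\E8\AppLocker.

```powershell
# Added example: build an AppLocker allowlist from a reference build, deploy it in
# audit mode, review what would have been blocked, then switch to enforcement.
$OutDir = 'C:\E8\AppLocker'   # hypothetical path chosen for this example
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Step 1: publisher rules for signed files, hash rules for unsigned ones, generated
# from the folders that hold approved software. Anything not matched is denied.
$refDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$xml = $refDirs |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Step 2: audit mode first. Each rule collection carries an EnforcementMode attribute;
# set it to AuditOnly so nothing is blocked during the trial period.
$auditPath = Join-Path $OutDir 'applocker-audit.xml'
$xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $auditPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $auditPath   # local policy; use -Ldap for a domain GPO

# Step 3: after one or two weeks, list executables that audit mode would have blocked
# (event 8003 in the EXE and DLL log; scripts and installers log to 'MSI and Script').
function Get-AppLockerAuditHits {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
Get-AppLockerAuditHits | Format-Table -Wrap

# Step 4: once every legitimate hit has a rule, test the enforced policy against a
# folder users actually download to, then apply it.
$enforcePath = Join-Path $OutDir 'applocker-enforce.xml'
(Get-Content $auditPath -Raw) -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"' |
    Set-Content -Path $enforcePath -Encoding UTF8
$downloads = (Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue).FullName
if ($downloads) { Test-AppLockerPolicy -XmlPolicy $enforcePath -Path $downloads -User Everyone }
# Set-AppLockerPolicy -XmlPolicy $enforcePath   # uncomment to enforce
```

Keep the audit XML under version control; the diff between audit and enforce versions is the evidence an assessor will ask for.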

2 Patch Applications

Unpatched third-party applications (web browsers, PDF readers, Java, Microsoft Office) are among the top attack vectors. At Maturity Level 1, critical vulnerabilities must be patched within 48 hours and non-critical vulnerabilities within 2 weeks.

How to implement: Use automated patch management tools like Microsoft Intune, NinjaOne, or Datto RMM. Maintain an asset inventory of all installed software. Remove unsupported applications (end-of-life software).

Key requirement: Vulnerability scanners should be used at least fortnightly to detect missing patches.

3 Configure Microsoft Office Macro Settings

Macros in Microsoft Office documents are a common delivery method for malware, particularly ransomware. At Maturity Level 1, macros from the internet are blocked, and only macros in trusted locations or digitally signed by a trusted publisher are allowed to execute.

How to implement: Configure via Group Policy or Microsoft Intune. Enable the "Block macros from the internet" policy. At Level 2, additionally log macro execution events and use antivirus to scan macro-enabled documents.
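The Level 1 macro settings above, applied and verified through the same policy registry values that Group Policy and Intune write, as an added PowerShell example that is not code from this page or the ACSC. It assumes Office 2016 or later (the 16.0 policy hive) and runs in the context of the user whose policy is being checked; the function names are this example's own.

```powershell
# Added example: enforce and verify the Level 1 macro policy for Word, Excel and PowerPoint.
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark-of-the-Web.
# VBAWarnings = 3 disables all macros except digitally signed ones (trusted locations still apply).
$apps = 'Word', 'Excel', 'PowerPoint'
$required = @{ blockcontentexecutionfrominternet = 1; VBAWarnings = 3 }

function Set-E8MacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $required.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $required[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

# One object per app/setting with a Compliant flag, so the output can feed compliance
# reporting rather than being read by eye.
function Test-E8MacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        foreach ($name in $required.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $required[$name]
                Actual    = $actual
                Compliant = ($actual -eq $required[$name])
            }
        }
    }
}

Set-E8MacroPolicy
Test-E8MacroPolicy | Format-Table -AutoSize
```

Deploy the values with Group Policy or Intune across the fleet; run only Test-E8MacroPolicy on endpoints to confirm the policy actually landed.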

4 User Application Hardening

User application hardening reduces the attack surface of commonly exploited applications. This means disabling Flash (now EOL), blocking Java from the internet, blocking ads in web browsers, and disabling unneeded features in Office, PDF readers, and browsers.

How to implement: Disable or remove Flash Player (should be gone already). Block Java applets from the internet. Configure browsers to block ads and disable unnecessary plug-ins. Disable OLE features in Office if not needed.

5 Restrict Administrative Privileges

Over-provisioned admin accounts are a high-value target for attackers. 80% of breaches involve privileged credentials. At Maturity Level 1, privileged access is limited to only users who need it, admin accounts are not used for email or web browsing, and privileged accounts are regularly reviewed.

How to implement: Audit all accounts with admin privileges. Remove unnecessary admin access. Create separate admin accounts for IT staff (not used for daily work). Implement just-in-time (JIT) access where possible. Review privileged access quarterly.
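The privileged-account audit described above, as an added PowerShell example that is not code from this page or the ACSC. It compares the local Administrators group with an approved list and with a naming convention for separate admin accounts; the 'adm-' prefix, the sample members and the approved list are constructed for the example.

```powershell
# Added example: report local Administrators members that need review.
function Get-AdminReviewFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name, ObjectClass, PrincipalSource
        [Parameter(Mandatory)] [string[]] $Approved,  # approved admin principals (case-insensitive match)
        [string] $AdminPrefix = 'adm-'                 # hypothetical convention for dedicated admin accounts
    )
    foreach ($m in $Members) {
        $findings = @()
        if ($Approved -notcontains $m.Name) { $findings += 'Not on approved list' }
        # A nested group grants admin rights to every member; expand and review it separately.
        if ($m.ObjectClass -eq 'Group') { $findings += 'Nested group grants admin to all its members' }
        # A daily-use identity holding admin rights breaks the "separate admin account" rule.
        $short = ($m.Name -split '\\')[-1]
        if ($m.ObjectClass -eq 'User' -and $short -ne 'Administrator' -and $short -notlike "$AdminPrefix*") {
            $findings += "Not a dedicated admin account (expected '$AdminPrefix' prefix)"
        }
        if ($findings) {
            [pscustomobject]@{ Principal = $m.Name; Source = $m.PrincipalSource; Findings = ($findings -join '; ') }
        }
    }
}

# Constructed sample of what Get-LocalGroupMember -Group Administrators returns on a domain-joined PC.
$sample = @(
    [pscustomobject]@{ Name = 'CORP\adm-jsmith';   ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' },
    [pscustomobject]@{ Name = 'CORP\jsmith';       ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' },
    [pscustomobject]@{ Name = 'CORP\Domain Users'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' },
    [pscustomobject]@{ Name = 'WS01\Administrator'; ObjectClass = 'User'; PrincipalSource = 'Local' }
)
$approved = 'CORP\adm-jsmith', 'WS01\Administrator'   # constructed approved list

Get-AdminReviewFindings -Members $sample -Approved $approved | Format-Table -Wrap
# Live host:
# Get-AdminReviewFindings -Members (Get-LocalGroupMember -Group Administrators) -Approved $approved
```

Expect 'CORP\jsmith' and 'CORP\Domain Users' in the output; the two approved principals produce no findings. Export the result each quarter as the access-review record.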

6 Patch Operating Systems

Operating system patches fix known vulnerabilities that attackers actively exploit. At Maturity Level 1, critical OS patches must be applied within 2 weeks. Unsupported operating systems (e.g., Windows 7, Windows Server 2012) must not be connected to the network.

How to implement: Enable automatic Windows Update or manage via WSUS/Intune. Establish a patching schedule (test, then deploy within 2 weeks). Maintain an inventory of all OS versions. Plan migrations for end-of-life systems.
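A single-host check for the OS patching window and unsupported-OS rule above, plus the installed-software inventory that the application patching strategy (Strategy 2) depends on, as one added PowerShell example that is not code from this page or the ACSC. The unsupported-OS patterns start from the versions the page names; the function names are this example's own.

```powershell
# Added example: Level 1 OS patch status (2-week window, no unsupported OS) and a
# third-party software inventory from the Uninstall registry keys.
$MaxPatchAgeDays = 14
# Product names the page lists as unsupported; extend from Microsoft's lifecycle data.
$UnsupportedPatterns = 'Windows 7', 'Windows Server 2012', 'Windows 8.1', 'Windows Server 2008'

function Test-E8OsPatchStatus {
    param([Nullable[datetime]] $LastPatch, [string] $OsCaption, [datetime] $Now = (Get-Date))
    $unsupported = @($UnsupportedPatterns | Where-Object { $OsCaption -like "*$_*" })
    $age = if ($null -ne $LastPatch) { ($Now - [datetime]$LastPatch).Days } else { $null }
    [pscustomobject]@{
        OS           = $OsCaption
        LastPatch    = $LastPatch
        PatchAgeDays = $age
        Unsupported  = ($unsupported.Count -gt 0)
        # No dated hotfix at all is treated as non-compliant, not as unknown.
        Compliant    = ($unsupported.Count -eq 0) -and ($null -ne $age) -and ($age -le $MaxPatchAgeDays)
    }
}

# Live data: newest hotfix with a recorded install date, plus the OS caption.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Test-E8OsPatchStatus -LastPatch $last.InstalledOn -OsCaption $os.Caption | Format-List

# Inventory from both the 64-bit and 32-bit Uninstall views: the raw input for removing
# end-of-life software and for reconciling vulnerability-scanner findings.
function Get-InstalledSoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}
Get-InstalledSoftware | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

Run it from the RMM tool on every endpoint and keep the CSVs; they double as the asset inventory evidence for the assessment.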

7 Multi-Factor Authentication (MFA)

MFA blocks 99.9% of automated attacks on accounts, according to Microsoft. At Maturity Level 1, MFA is required for all users accessing internet-facing services (Microsoft 365, VPN, remote desktop) and for all privileged accounts. At Level 2, phishing-resistant MFA (hardware keys, passkeys) is required.

How to implement: Enable MFA on Microsoft 365, Google Workspace, VPN, and all cloud services. Use authenticator apps (Microsoft Authenticator, Authy) at minimum. Deploy hardware security keys (YubiKey) for admin accounts. Disable SMS-based MFA where possible (vulnerable to SIM-swapping).

8 Regular Backups

Backups are your last line of defence against ransomware and data loss. At Maturity Level 1, backups of important data, software, and configuration settings are performed and retained. Backups are tested for restoration at least annually. At least one backup copy is stored offline or on immutable storage.

How to implement: Follow the 3-2-1 backup rule: 3 copies of data, on 2 different media types, with 1 offsite/offline. Use backup solutions like Datto, Veeam, or Acronis. Test restores quarterly. Ensure backups are encrypted and access-controlled.

Essential 8 Maturity Levels Explained

The Essential 8 Maturity Model defines four levels (0–3) that represent increasing degrees of implementation rigour. Each level builds on the previous one. Most small businesses should target Maturity Level 1 as a starting point.

Maturity Level | Description | Who Should Aim For This | Typical Cost (10–30 staff)
Level 0 | Not aligned. Significant weaknesses exist that could be exploited by common threats. | No one — this indicates gaps | N/A
Level 1 | Partly aligned. Basic controls in place to mitigate commodity threats (bulk phishing, opportunistic attacks). | All Australian small businesses | $5,000–$15,000
Level 2 | Mostly aligned. Stronger controls to mitigate more skilled attackers targeting the organisation. | Businesses handling sensitive data, government contractors, healthcare, finance | $15,000–$40,000
Level 3 | Fully aligned. Comprehensive controls to mitigate advanced persistent threats (APTs) and nation-state actors. | Government agencies, critical infrastructure, defence contractors | $40,000–$100,000+

Key Differences Between Levels

  • Level 1 → Level 2: Patching timelines tighten (48 hours for critical patches), phishing-resistant MFA required, application control extends to servers, centralised logging required
  • Level 2 → Level 3: Real-time application control, all internet-facing services use phishing-resistant MFA, SOC monitoring required, continuous vulnerability scanning

Who Needs to Comply with the Essential 8?

Mandatory Compliance

The Essential 8 is mandatory for all non-corporate Commonwealth entities under the Australian Government's Protective Security Policy Framework (PSPF). This includes federal government departments and agencies, which must achieve at least Maturity Level 2 for all eight strategies.

Strongly Recommended

While not legally mandatory for private businesses, the Essential 8 is increasingly expected in these scenarios:

  • Government contractors: Many Commonwealth, state, and local government tenders now require Essential 8 compliance as part of the evaluation criteria
  • Cyber insurance: Australian cyber insurers increasingly use Essential 8 maturity as part of underwriting. Businesses at Maturity Level 1+ often receive lower premiums
  • Regulated industries: Healthcare (RACGP guidelines), financial services (APRA CPS 234), and critical infrastructure (SOCI Act) reference or align with Essential 8 controls
  • Supply chain requirements: Large enterprises are increasingly requiring their suppliers and partners to demonstrate Essential 8 compliance
  • Due diligence: The Privacy Act 1988 requires organisations to take "reasonable steps" to protect personal information — Essential 8 is a recognised benchmark for what constitutes reasonable

How to Implement the Essential 8: Step-by-Step

Phase 1: Assessment (Week 1–2)

  1. Conduct a gap assessment against the Essential 8 Maturity Model
  2. Inventory all hardware, software, and user accounts
  3. Identify your target maturity level (Level 1 for most SMBs)
  4. Prioritise gaps based on risk and ease of implementation

Phase 2: Quick Wins (Week 2–4)

  1. Enable MFA everywhere — Microsoft 365, VPN, cloud apps (Strategy 7)
  2. Review admin privileges — Remove unnecessary admin access (Strategy 5)
  3. Block macros from internet — One Group Policy change (Strategy 3)
  4. Verify backups — Ensure 3-2-1 backups are in place and test a restore (Strategy 8)

Phase 3: Technical Controls (Week 4–8)

  1. Deploy patch management — Automate OS and application patching (Strategies 2 & 6)
  2. Configure application control — Start with audit mode, then enforce (Strategy 1)
  3. Harden user applications — Disable Flash, block ads, restrict browser plugins (Strategy 4)
  4. Document all configurations — Essential for ongoing compliance

Phase 4: Ongoing Compliance

  • Monthly patching cycles with 48-hour turnaround for critical patches
  • Quarterly access reviews for privileged accounts
  • Annual backup restoration testing
  • Annual Essential 8 maturity assessment
  • Continuous vulnerability scanning (at least fortnightly)

Common Mistakes Businesses Make with the Essential 8

  1. Starting with application control: It's Strategy 1 but the hardest to implement. Start with MFA, backups, and patching for quick wins
  2. Treating it as a one-time project: Essential 8 requires ongoing management. Patches, access reviews, and backup testing are continuous activities
  3. Ignoring shadow IT: Employees using unapproved apps and cloud services undermine application control and patching efforts
  4. Using SMS for MFA: SMS-based MFA is vulnerable to SIM-swapping attacks. Authenticator apps or hardware keys are required at Maturity Level 2+
  5. Not testing backups: Backups that haven't been tested may fail when you need them most. The ACSC requires annual restore testing at Level 1
  6. Skipping the assessment: Without a proper gap assessment, you don't know where you stand or what to prioritise
  7. Neglecting documentation: Compliance requires evidence. Maintain records of configurations, patching schedules, access reviews, and backup tests

How Much Does Essential 8 Compliance Cost?

Component | Level 1 Cost | Level 2 Cost
Gap Assessment | $2,000–$5,000 | $5,000–$10,000
MFA Deployment | $500–$2,000 (software) | $2,000–$5,000 (hardware keys)
Patch Management Tools | $2–$5/device/month | $5–$10/device/month
Application Control | $0 (built-in AppLocker) | $3–$8/device/month (WDAC/third-party)
Backup Solution | $5–$15/user/month | $10–$25/user/month (immutable)
Ongoing MSP Management | $20–$50/user/month | $40–$80/user/month
Total (20-user business, Year 1) | $12,000–$25,000 | $30,000–$60,000

Many managed IT providers include Essential 8 Maturity Level 1 controls as part of their standard service plans. If you're already paying for managed IT, achieving Level 1 compliance may require minimal additional investment.

How a Managed IT Provider Helps with Essential 8

A managed service provider (MSP) is the most practical path to Essential 8 compliance for small businesses. Here's what an MSP typically handles:

  • Assessment: Conduct gap analysis against the maturity model and provide a remediation roadmap
  • Patch management: Automate OS and application patching with compliance reporting
  • MFA deployment: Roll out MFA across all services with user training
  • Application control: Configure and manage AppLocker/WDAC policies
  • Privileged access management: Regular audits and just-in-time access provisioning
  • Backup management: Implement 3-2-1 backups with regular restore testing
  • Ongoing monitoring: Continuous compliance monitoring with quarterly reporting
  • Evidence collection: Maintain documentation required for audits and insurance applications

Frequently Asked Questions

What happens if my business doesn't comply with the Essential 8?

For private businesses, there is no direct legal penalty for not implementing the Essential 8. However, you may face higher cyber insurance premiums (or denial of coverage), inability to bid on government contracts, increased liability if a breach occurs (courts may consider lack of Essential 8 as failing to take "reasonable steps" under the Privacy Act), and reputational damage. The OAIC has indicated that known cybersecurity frameworks like Essential 8 set the benchmark for what constitutes adequate data protection.

Is the Essential 8 the same as ISO 27001?

No. ISO 27001 is a comprehensive information security management system (ISMS) covering governance, risk management, and over 100 controls. The Essential 8 is a focused, practical set of 8 technical mitigation strategies. They are complementary — many organisations use Essential 8 as a technical foundation within a broader ISO 27001 framework. Essential 8 is faster and cheaper to implement, making it ideal for small businesses as a starting point.

Does the Essential 8 apply to Mac and Linux environments?

Yes. While many examples reference Windows tools (AppLocker, Group Policy), the Essential 8 principles are platform-agnostic. macOS has built-in application control (Gatekeeper), and Linux systems can use tools like AppArmor or SELinux. Patching, MFA, backup, and privilege management apply equally to all platforms. The ACSC provides platform-specific guidance for macOS and Linux implementations.

How often should we reassess our Essential 8 maturity?

The ACSC recommends annual reassessment at minimum. However, you should also reassess after any significant changes to your IT environment (new systems, cloud migrations, mergers), after a security incident, or when targeting a higher maturity level. Many MSPs include quarterly Essential 8 compliance checks as part of their managed services.

What's the difference between Essential 8 and the NIST Cybersecurity Framework?

The NIST CSF is a US-developed framework covering five functions: Identify, Protect, Detect, Respond, and Recover. It's broader and more governance-focused. The Essential 8 is Australian-developed, more prescriptive, and focused on eight specific technical controls. For Australian businesses, Essential 8 is the recommended starting point as it's tailored to the Australian threat landscape and referenced by Australian regulators and insurers.

Get Your Essential 8 Assessment

Find out where your business stands against the Essential 8 framework. Our team will assess your current maturity level and provide a clear roadmap to compliance.

About AyeTech

AyeTech is an Australian managed IT services provider specialising in cybersecurity and Essential 8 compliance for small to medium businesses. We help businesses implement and maintain Essential 8 controls as part of our managed IT service plans.
