Unlocking the Essential Eight
What to expect from an Essential Eight audit
The Australian Cyber Security Centre (ACSC) publishes a prioritised list of mitigation strategies, the Strategies to Mitigate Cyber Security Incidents, to reduce the likelihood and impact of common cyber threats. The Essential Eight is the most impactful subset: a practical baseline of controls designed specifically for Microsoft Windows-based, internet-connected networks.
While technology stacks vary, the Essential Eight gives Australian organisations (small businesses, enterprises and government agencies) a clear, measurable path to uplift security posture. It:
- Cuts off the most common initial access and privilege escalation routes.
- Lowers breach likelihood and blast radius.
- Demonstrates cyber due diligence for boards, regulators, and insurers.
- Builds a repeatable operating rhythm for security improvement.
Bottom line: If you only do one formal security initiative this year, make it an Essential Eight assessment and uplift.
The Eight Strategies at a Glance
1) Application Control (Allow-listing) – Only approved apps/processes can execute.
2) Patch Applications – Rapidly patch browsers, PDF readers, Microsoft Office, Java, etc.
3) Configure Microsoft Office Macro Settings – Block untrusted macros; allow only signed macros where required.
4) User Application Hardening – Disable risky features (e.g., Java and web advertisements in browsers; Internet Explorer 11 and Flash, both now deprecated), lock browser security settings so users cannot change them, and restrict web content.
5) Restrict Administrative Privileges – Grant least privilege, control and monitor admin access, and use separate admin accounts.
6) Patch Operating Systems – Apply OS patches quickly; maintain supported OS versions.
7) Multi-Factor Authentication (MFA) – Enforce MFA for remote, privileged, and high-risk access.
8) Regular Backups – Take frequent, tested backups and protect them from tampering.
These strategies are defence-in-depth: you gain real protection when they work together.
ACSC Maturity Levels (0–3): How Compliance Is Measured
The ACSC defines four maturity levels. Each level is pitched at a class of adversary tradecraft rather than a generic "quality" score, and each of the eight strategies is assessed separately against it:
- Level 0: Weaknesses in overall posture; adversaries using commodity tooling can readily compromise systems.
- Level 1: Controls in place against opportunistic adversaries using widely available tradecraft; coverage may be incomplete.
- Level 2: Stronger, more consistent implementation that resists adversaries with a modest step-up in capability and effort.
- Level 3: Robust implementation aimed at adaptive adversaries willing to invest in bypassing controls.
An organisation's overall maturity is only as high as its weakest strategy, and the ACSC expects the same level across all eight before moving higher: one strategy left at Level 1 (say, backups) drags an otherwise Level 2 environment down to Level 1.
Many insurers and larger customers expect Level 2 as a sensible minimum target for most organisations, with Level 3 for higher-risk environments (sensitive data, critical operations, high threat profile).
What to Expect From an Essential Eight Audit
We start most security engagements with an Essential Eight audit because it’s:
- Structured and measurable – aligned to ACSC maturity levels.
- Collaborative – we work with your internal IT or external provider.
- Actionable – you leave with a clear, prioritised remediation plan.
Our approach
1) Scoping & Stakeholders
Confirm your business context, critical systems, compliance drivers, and key contacts (IT lead, business owner, finance, HR).
2) Discovery & Evidence Collection
Workshops and technical reviews. We gather configurations, logs, policies, inventories, and test access paths.
3) Gap Analysis vs. Maturity Model
For each of the eight strategies, we assess current state and determine target maturity based on risk appetite and obligations.
4) Risk-Ranked Findings
We classify issues by likelihood/impact and map them to business outcomes (e.g., downtime, data loss, reputational harm).
5) Remediation Roadmap
A 30/60/90-day plan with quick wins, dependencies, and realistic owners, plus long-term improvements (e.g., privileged access redesign).
6) Executive Report + Technical Annex
Board-ready summary for decision-makers; detailed technical tasks for implementers.
Tone & Philosophy: Non-confrontational. The goal is risk reduction, not blame. Cyber security improves fastest when everyone, from leadership to helpdesk, pulls in the same direction.
Evidence Checklist: What We’ll Ask For
- Asset inventory: Servers, workstations, core apps, SaaS, admin tools.
- Patch status: OS and key applications; WSUS/Intune/SCCM or other patching system reports.
- Application control: Policies, allow-lists, endpoint management profiles, exceptions.
- Macro policies: Group Policy/Intune settings; code-signing and trusted locations.
- Browser hardening: Baselines for Chrome/Edge; extension controls; site allow-lists/block-lists.
- Admin controls: RBAC, tiered admin model, separate admin accounts, just-in-time (JIT) access, break-glass procedure.
- MFA posture: Enrolment rates, conditional access policies, coverage for VPN/RDP/SSO/SaaS.
- Backups: Frequency, scope, storage tiers, immutability/offline copies, encryption, restore testing evidence, RPO/RTO.
- Policies & procedures: Acceptable use, joiner-mover-leaver, incident response, change control.
- Logs & monitoring: Centralised logging, alerting, SIEM/SOAR, EDR status.
- Network: Segmentation, inbound exposure, WAF/DDoS protections, DNS filtering.
From Findings to Fixes: Your Remediation Plan
A good report doesn't just say what's wrong: it shows how to fix it, with effort vs. impact and clear ownership.
| Priority | Example Fix | Effort | Impact | Notes |
|---|---|---|---|---|
| P1 | Enforce MFA for all remote and privileged access | Low–Med | High | Roll out in phases; provide backup codes; train staff. |
| P1 | Block untrusted Office macros; enable signed macros only where needed | Low | High | Identify macro-dependent teams; sign critical macros. |
| P1 | Patch browsers & PDF readers; auto-update policy | Low | High | Leverage endpoint manager; track exceptions. |
| P2 | Implement application allow-listing for high-risk groups | Med | High | Start with IT/admin workstations; expand by wave. |
| P2 | Separate admin & standard accounts; remove standing global admin | Med | High | Introduce JIT/PIM; enforce strong auth. |
| P2 | Immutable/offline backups; quarterly restore tests | Med | High | Document runbooks; evidence restores for insurance. |
| P3 | Browser and OS hardening baselines | Med | Med | Use CIS/ACSC baselines via GPO/Intune. |
| P3 | Legacy OS upgrade plan | High | High | Business case: supportability, vulnerability exposure. |
Cyber Insurance, SOCI & Reporting: Why the “Paper Trail” Matters
- Cyber Insurance: Most insurers now include detailed security questionnaires. "Tick-and-hope" is risky: successful claims often depend on your ability to evidence reasonable security controls and their ongoing maintenance. An Essential Eight audit (with artefacts, policies, and test records) improves insurability and can help reduce premiums/excess.
- SOCI Act (Australia): If you operate critical infrastructure assets, the Security of Critical Infrastructure Act 2018 obliges you to report certain cyber incidents to the ACSC within defined timeframes (currently 12 hours for incidents with a significant impact on the asset, 72 hours for incidents with a relevant impact). While this isn't legal advice, organisations benefit from having:
- A documented incident response plan,
- Clear classification criteria for “significant impact,” and
- A trained process for notification and escalation.
- Privacy & Breach Notification: If personal information is involved, be prepared to assess and, where required, notify under the Notifiable Data Breaches (NDB) scheme.
Takeaway: Your maturity level, backup tests, MFA coverage, and admin controls aren't just "nice to haves": they affect liability, compliance, and business continuity.
Essential Eight in Detail: Controls, Quick Wins, Common Pitfalls
1) Application Control (Allow-listing)
Goal: Only trusted software runs.
Quick wins:
- Start with IT/admin workstations; allow-list business-critical apps/process hashes and signed binaries.
- Cover scripts and installers as well as executables (the ACSC expects executables, libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to be controlled), and constrain script interpreters: enforce PowerShell Constrained Language Mode and remove or block unneeded script hosts such as wscript, cscript and mshta for standard users. Constrained Language Mode limits what PowerShell can do; it does not stop PowerShell running.
Pitfalls:
- Too broad at first (locks staff out); poor exception handling; no change process tied to software onboarding.
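The pilot described above, as an added example that is not code from the original page: it builds an AppLocker allow-list from a clean reference workstation, deploys it in AuditOnly mode so the IT/admin pilot group generates "would have been blocked" events instead of lock-outs, and shows how to review those events. It assumes a Windows 10/11 Enterprise or Windows Server build with the AppLocker cmdlets; the directories, output path and sample size are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: generate an AppLocker allow-list from a
# clean reference workstation and deploy it in AuditOnly mode for the IT/admin pilot.
# Assumptions: Windows 10/11 Enterprise or Windows Server with the AppLocker cmdlets;
# $ReferenceDirs, $PolicyPath and $SampleCount are placeholders to adjust.

$ReferenceDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$PolicyPath    = 'C:\Temp\AppLocker-Pilot-Audit.xml'
$SampleCount   = 200

# AppLocker rules are evaluated by the Application Identity service; it must be running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory executables, DLLs, scripts and MSI installers on the reference build.
$files = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# 2. Generate rules: Publisher rules for signed binaries (they survive version updates),
#    Hash rules as the fallback for unsigned files. -Optimize merges redundant rules.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Pilot' -Optimize -Xml

# 3. Audit first: every rule collection logs what it *would* block instead of blocking.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
$policy.Save($PolicyPath)

# 4. Sanity check: binaries from the reference build must all be "Allowed" by the
#    generated policy; anything else means rule generation missed it.
$sample = Get-ChildItem -Path $ReferenceDirs -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
    Select-Object -First $SampleCount -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $sample -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' | Format-Table -AutoSize

# 5. Apply locally (-Merge keeps any existing rules). For domain-wide deployment import
#    the same XML into a GPO (Set-AppLockerPolicy -Ldap) or an Intune profile instead.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. During the pilot, review "would have been blocked" events: 8003 (EXE and DLL log)
#    and 8006 (MSI and Script log). Each one is either a missing rule or malware.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'File'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Inventorying C:\Windows recursively is slow; run it once on the reference image, not on every pilot machine. Only switch the collections to Enabled after a couple of weeks with no 8003/8006 events that correspond to legitimate software, and tie every new rule to the software onboarding process so the allow-list does not rot.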
2) Patch Applications
Goal: Shrink the attacker’s window of opportunity.
Quick wins:
- Auto-update browsers and common runtimes; centralised reporting for missing patches.
- Patch third-party apps (Adobe, Zip tools, etc.).
Pitfalls:
- “Set and forget” without monitoring; sprawling shadow IT.
3) Configure Microsoft Office Macro Settings
Quick wins:
- Block macros from the internet; only allow signed macros from controlled locations.
- Maintain a trusted macros register and get them code-signed.
Pitfalls:
- Exceptions creep; storing trusted documents in uncontrolled paths.
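A check for the macro settings and trusted-location pitfalls above, as an added example that is not code from the original page: it reads the macro controls the way Office resolves them (policy hives before user preferences), reports where each value is enforced from, and lists every trusted location with a heuristic test for whether standard users can write to it. It assumes Microsoft 365 Apps or Office 2016 or later (registry version 16.0); the application lists are placeholders.

```powershell
# Added example, not from the original page: audit the Office macro controls on a
# workstation the way Office resolves them (policy hives take precedence over user
# preferences). Assumptions: Microsoft 365 Apps / Office 2016 or later (registry
# version 16.0); $Apps and $SignedMacroApps are placeholders for your own teams.

$Apps            = 'Word', 'Excel', 'PowerPoint'
$SignedMacroApps = 'Excel'            # apps with a business need for signed macros
$Hives = 'HKLM:\Software\Policies\Microsoft\Office\16.0',
         'HKCU:\Software\Policies\Microsoft\Office\16.0',
         'HKCU:\Software\Microsoft\Office\16.0'

# VBAWarnings values as Office defines them.
$VbaMeaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (default: users can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeSetting([string]$RelativeKey, [string]$Name) {
    # First hive that defines the value wins; report the value and where it came from.
    foreach ($hive in $Hives) {
        $item = Get-ItemProperty -Path "$hive\$RelativeKey" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Value = $item.$Name; Source = $hive } }
    }
    [pscustomobject]@{ Value = $null; Source = 'not set (Office default)' }
}

function Test-MacroPosture {
    foreach ($app in $Apps) {
        $vba  = Get-OfficeSetting "$app\Security" 'VBAWarnings'
        $motw = Get-OfficeSetting "$app\Security" 'blockcontentexecutionfrominternet'
        $net  = Get-OfficeSetting "$app\Security\Trusted Locations" 'AllowNetworkLocations'
        $wanted = if ($app -in $SignedMacroApps) { 3 } else { 4 }

        $issues = @()
        if ($motw.Value -ne 1)      { $issues += 'internet-sourced (Mark-of-the-Web) macros not blocked' }
        if ($vba.Value -ne $wanted) { $issues += "VBAWarnings is '$($vba.Value)', expected $wanted" }
        if ($null -ne $vba.Value -and $vba.Source -notlike '*\Policies\*') {
            $issues += 'macro setting is a user preference, not enforced policy'
        }
        if ($net.Value -eq 1)       { $issues += 'network shares may be trusted locations' }

        [pscustomobject]@{
            App    = $app
            Macros = if ($null -eq $vba.Value) { 'not set (default: notification)' } else { $VbaMeaning[[int]$vba.Value] }
            Source = $vba.Source
            Status = if ($issues) { 'FAIL: ' + ($issues -join '; ') } else { 'OK' }
        }
    }
}

function Test-UserWritable([string]$Path) {
    # Heuristic: an Allow ACE granting write/modify/full control to a broad group.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    [bool]((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    })
}

function Get-TrustedLocations {
    # Every trusted location is a macro bypass; one that standard users can write to
    # defeats the control entirely.
    foreach ($app in $Apps) {
        foreach ($hive in $Hives) {
            Get-ChildItem -Path "$hive\$app\Security\Trusted Locations" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $loc  = Get-ItemProperty -Path $_.PSPath
                    $path = [Environment]::ExpandEnvironmentVariables([string]$loc.Path)
                    [pscustomobject]@{
                        App = $app; Path = $path; SubFolders = $loc.AllowSubFolders
                        UserWritable = Test-UserWritable $path; Source = $hive
                    }
                }
        }
    }
}

Test-MacroPosture    | Format-Table -AutoSize
Get-TrustedLocations | Format-Table -AutoSize
```

Run it in the context of a standard user on a pilot machine; a "user preference" source means the setting will silently revert the moment someone changes it in the Trust Center, so the fix is to push the same values through Group Policy or Intune rather than editing the registry by hand. Any trusted location that reports UserWritable as True should be moved to a path only administrators can write to.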
4) User Application Hardening
Quick wins:
- Enforce SmartScreen and Defender, block Java and web advertisements in the browser, disable or remove Internet Explorer 11, lock browser security settings so users cannot change them, and (for the higher maturity levels) stop Office and PDF readers from creating child processes or executable content, typically via Defender Attack Surface Reduction rules.
- Disable automatic execution of content from USB/removable media.
Pitfalls:
- Not aligning hardening with business workflows; no testing group.
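Since the pitfall above is hardening without a testing group, this added example (not code from the original page) rolls out the Attack Surface Reduction rules that implement the Office, PDF and script hardening items in audit mode first, reads back the effective state, and pulls the audit events that show what enforcement would have broken. It assumes Microsoft Defender Antivirus is the active antivirus (ASR rules need it); the rule GUIDs are Microsoft's documented identifiers and should be checked against current Defender documentation before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: roll out the Attack Surface Reduction (ASR)
# rules behind the Office/PDF/script hardening items in audit mode, then read back the
# effective state and the audit events. Assumptions: Microsoft Defender Antivirus is the
# active AV (ASR needs it); rule GUIDs are Microsoft's documented IDs, verify them against
# current Defender documentation before deploying; $Mode is a placeholder.

$Mode = 'AuditMode'    # switch to 'Enabled' once the audit events are clean

$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Ids and Actions are parallel arrays: one action per rule, in the same order.
$ids     = @($AsrRules.Keys)
$actions = @($Mode) * $ids.Count
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read back the effective state. Defender reports actions numerically:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
function Get-AsrState {
    $pref       = Get-MpPreference
    $configured = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($id in $AsrRules.Keys) {
        $idx   = [array]::IndexOf($configured, $id.ToUpper())
        $state = if ($idx -ge 0) { $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] }
                 else            { 'Not configured' }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}
Get-AsrState | Format-Table -AutoSize

# Audit events (1122) show what *would* be blocked; 1121 are actual blocks. A burst of
# 1122 events from a line-of-business macro is the testing-group signal to act on
# before flipping $Mode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

For fleet-wide deployment the same rule IDs and modes go into an Intune endpoint-security profile or the Defender ADMX settings in Group Policy; the script is for the pilot group and for verifying that what the console claims matches what the endpoint actually enforces.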
5) Restrict Administrative Privileges
Quick wins:
- Separate admin and user accounts; remove standing global admin.
- Introduce Privileged Identity/Access Management (PIM/PAM) with approval and time-bound elevation.
Pitfalls:
- “Everyone in IT is admin” culture; shared admin credentials; no audit trail.
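A way to put numbers on the "everyone in IT is admin" pitfall, as an added example that is not code from the original page: it enumerates standing membership of the privileged Active Directory groups (nested groups expanded), flags the patterns the audit looks for, and lists accounts that still carry adminCount=1 after being removed from a protected group. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the "-adm" naming suffix, group list, staleness threshold and report path are placeholders for your own conventions.

```powershell
# Added example, not from the original page: enumerate standing membership of the
# privileged AD groups and flag the patterns the audit looks for. Assumptions: the
# ActiveDirectory RSAT module on a domain-joined machine; the "-adm" suffix, group
# list, $StaleDays and $ReportPath are placeholders for your own conventions.

Import-Module ActiveDirectory
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'
$AdminSuffix = '-adm'
$StaleDays   = 90
$ReportPath  = "C:\Temp\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv"

function Get-PrivilegedAccountReport {
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups: that is where the hidden admins live.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName `
                     -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, EmailAddress
            $findings = @()
            if ($u.SamAccountName -notlike "*$AdminSuffix") { $findings += "not a dedicated admin account (no $AdminSuffix suffix)" }
            if ($u.EmailAddress)                             { $findings += 'mailbox-enabled: privileged account can be phished' }
            if ($u.PasswordNeverExpires)                     { $findings += 'password never expires' }
            if (-not $u.Enabled)                             { $findings += 'disabled but still a member' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
                $findings += "no logon in $StaleDays days: candidate for removal"
            }
            [pscustomobject]@{
                Group = $group; Account = $u.SamAccountName; Enabled = $u.Enabled
                LastLogon = $u.LastLogonDate; PasswordLastSet = $u.PasswordLastSet
                Findings = $findings -join '; '
            }
        }
    }
}

function Get-OrphanedAdminCount {
    # adminCount=1 is never cleared after removal from a protected group, leaving accounts
    # with non-inheriting ACLs that escape normal delegation reviews.
    param([string[]]$CurrentlyPrivileged)
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Where-Object { $_.SamAccountName -notin $CurrentlyPrivileged } |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

$report = Get-PrivilegedAccountReport
$report | Sort-Object Group, Account | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation      # evidence for the audit pack

"Standing Domain Admins: $(@($report | Where-Object Group -eq 'Domain Admins').Count)"
Get-OrphanedAdminCount -CurrentlyPrivileged @($report.Account | Select-Object -Unique) | Format-Table -AutoSize
```

The "Standing Domain Admins" count is the metric to drive to zero (or to the break-glass accounts only) once JIT/PIM elevation is in place; re-running the script after each change and keeping the CSV output is the audit trail the pitfall list says is usually missing.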
6) Patch Operating Systems
Quick wins:
- Standardise OS versions; enforce patch SLAs; automatic reboots in maintenance windows.
- Vulnerability scans to validate patch coverage.
Pitfalls:
- Legacy devices that “can’t be patched” (mitigate via isolation, virtualisation, or replacement plan).
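A host-side check for the patch SLA and vulnerability-scan quick wins above, as an added example that is not code from the original page: it asks the Windows Update agent itself for installed history, applicable-but-missing updates (with their age measured from publish date) and pending-reboot state, so the latency figure is independent of what the management console claims. It assumes it runs on the host being checked (locally or via Invoke-Command) with access to its configured update source; the SLA value is a placeholder, and the ACSC sets shorter windows for internet-facing systems and for vulnerabilities with a working exploit.

```powershell
# Added example, not from the original page: measure OS patch latency on a Windows host
# from the Windows Update agent itself. Assumptions: run on the host (or via
# Invoke-Command) with access to its configured update source (WSUS or Windows Update);
# $SlaDays is a placeholder for the SLA you agreed.

$SlaDays = 30

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

function Get-InstalledUpdateHistory {
    # Operation 1 = installation, ResultCode 2 = succeeded.
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        ForEach-Object {
            [pscustomobject]@{
                Date  = $_.Date
                KB    = [regex]::Match($_.Title, 'KB\d+').Value
                Title = $_.Title
            }
        }
}

function Get-MissingUpdates {
    # Asks the configured source what is applicable but absent. LastDeploymentChangeTime
    # is the publish date, so its age is the real exposure window, not "days since scan".
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        $age = (New-TimeSpan -Start $u.LastDeploymentChangeTime -End (Get-Date)).Days
        [pscustomobject]@{
            KB        = [regex]::Match($u.Title, 'KB\d+').Value
            Severity  = $u.MsrcSeverity
            Published = $u.LastDeploymentChangeTime
            AgeDays   = $age
            OverSla   = $age -gt $SlaDays
            Title     = $u.Title
        }
    }
}

function Test-PendingReboot {
    # A patch that is installed but not rebooted into is not protecting anything yet.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
}

$os = Get-CimInstance Win32_OperatingSystem
"{0} build {1}, last boot {2}" -f $os.Caption, $os.Version, $os.LastBootUpTime

$lastCu = Get-InstalledUpdateHistory | Where-Object Title -match 'Cumulative Update' |
          Sort-Object Date -Descending | Select-Object -First 1
if ($lastCu) {
    $days = (New-TimeSpan -Start $lastCu.Date -End (Get-Date)).Days
    "Last cumulative update: {0} on {1:d} ({2} days ago){3}" -f $lastCu.KB, $lastCu.Date, $days,
        $(if ($days -gt $SlaDays) { ' - OVER SLA' } else { '' })
}
"Pending reboot: $(Test-PendingReboot)"
Get-MissingUpdates | Sort-Object AgeDays -Descending |
    Format-Table KB, Severity, Published, AgeDays, OverSla -AutoSize
```

The Search call can take minutes and needs a path to WSUS or Windows Update, so run it in a maintenance window or through your RMM rather than interactively across the fleet. Rows with OverSla set to True, and any host reporting a pending reboot older than its maintenance window, are the "set and forget" cases the monitoring gap hides.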
7) Multi-Factor Authentication (MFA)
Quick wins:
- Enforce MFA for remote access, privileged accounts, and critical SaaS.
- Use conditional access (sign-in risk, device compliance, trusted locations) so that the MFA strength demanded matches the risk of the request.
Pitfalls:
- Partial coverage (e.g., admin tools or legacy protocols exempt); no break-glass procedure; SMS-only MFA where phishing-resistant factors (FIDO2 security keys or passkeys, smart cards) are feasible.
8) Regular Backups
Goal: Rapid, reliable recovery with minimal data loss.
Quick wins:
- Immutable or offline copies; encryption; scope includes endpoints and SaaS where relevant.
- Quarterly restore testing with documented evidence.
Pitfalls:
- Backups write-accessible to the network; never testing restores; unclear RPO/RTO expectations.
People, Process, and Culture: Making Security “Stick”
- Leadership: Set the target maturity, allocate budget, and sponsor change.
- Training: Short, high-frequency awareness beats long, annual fatigue. Add phishing simulations with coaching, not shaming.
- Joiner–Mover–Leaver (JML): Automate identity lifecycle to avoid orphaned access.
- Change & Exception Management: Process for temporary overrides, with expiry and review.
- Metrics: Track MFA coverage, patch latency, admin account usage, and restore test success.
Cloud, Macs & Mobile: Beyond Windows Networks
While the Essential Eight focuses on Windows environments, the principles apply broadly:
- Cloud/SaaS: Enforce MFA, conditional access, device compliance; back up critical SaaS data; log to a central SIEM.
- macOS/Linux: Use equivalent hardening baselines, software allow-listing, and patch automation.
- Mobile/IoT: MDM/EMM for policy enforcement; limit risky apps; segment IoT from business networks.
- Hybrid: Align on a single identity plane, consistent MFA, and central logging across on-prem and cloud.
Timeframes, Budgeting & ROI
- Assessment: 2–4 weeks for most SMEs; faster if evidence is ready.
- Uplift to Level 1–2: Often 1–3 months for core controls (MFA, patching, basic hardening, backup testing).
- Level 3 & complex refactors: 3–9+ months, depending on legacy systems and privileged access redesign.
ROI drivers: Reduced incident likelihood/impact, faster recovery, improved insurability, less downtime, stronger customer trust, and better procurement outcomes with security-sensitive clients.
Sample Roadmap (90 Days)
Days 0–15
- Discovery, evidence collection, baseline reporting.
- Enable MFA for admins and remote access; block internet-origin macros.
- Quick patching uplift for browsers and high-risk apps.
Days 16–45
- Application allow-listing pilot on IT/admin machines.
- OS and browser hardening baselines via GPO/Intune.
- Backup redesign: immutable/offline copies; first restore test.
Days 46–75
- Roll allow-listing to finance and other high-risk teams.
- Implement PIM/JIT for privileged roles; remove standing global admin.
- Establish vulnerability scanning and patch SLAs.
Days 76–90
- Expand MFA to full workforce (SaaS, VPN, legacy remote tools).
- Incident response tabletop; refine runbooks.
- Executive report & roadmap for next quarter (towards Level 2–3).
If you do nothing else this year in terms of IT, we recommend that you do an Essential Eight audit.
To book an Essential Eight audit please contact Chris on 0438 855 884 or email sales@computingaustralia.group
FAQ
Is the Essential Eight mandatory?
Not universally; however, many sectors and contracts expect alignment, and insurers frequently assess against it.
Do we need Level 3?
Target maturity depends on your risk profile. Many organisations aim for Level 2 first, then uplift higher-risk areas to Level 3.
We rely on macros - can we still comply?
Yes. Use signed macros from controlled locations and maintain a trusted register.
What about legacy systems?
Mitigate (isolate, restrict, monitor) while you plan upgrade or replacement. Compensating controls may be necessary to achieve target maturity.
How often should we test backups?
Quarterly at minimum, with documented restore evidence. Increase frequency for critical systems.