The Essential Eight Maturity Levels Explained for Small Business
The ACSC's Essential Eight has four maturity levels — here's what they mean in plain English and which level your small business should be targeting.
The Australian Cyber Security Centre's Essential Eight is the most widely referenced cyber security framework in Australia. It defines eight core controls that, when implemented, significantly reduce the risk of cyber attack. But the framework also includes a maturity model — four levels that describe how well those controls are implemented. That's where a lot of small businesses get confused.
This article explains what each maturity level actually means, what it looks like in practice, and which level your business should be working towards.
What Are the Four Maturity Levels?
The ACSC defines maturity levels 0 through 3:
- Maturity Level 0 (ML0) — The control hasn't been implemented, or has only been partially implemented in an ad hoc way. There are significant gaps.
- Maturity Level 1 (ML1) — Basic implementation. The controls are in place and address the most common, opportunistic attacks — the kind that exploit easy targets rather than using sophisticated techniques.
- Maturity Level 2 (ML2) — Intermediate implementation. Controls are more rigorous, more consistently applied, and defend against more targeted adversaries who are willing to invest time and effort.
- Maturity Level 3 (ML3) — Strong implementation. Controls are comprehensive, actively monitored, and tested. Designed to defend against highly capable, persistent adversaries.
What Does Each Level Look Like in Practice?
To make this concrete, here's how the maturity levels apply to a few of the eight controls:
Multi-Factor Authentication
- ML0 — MFA is not in place, or only used on some accounts
- ML1 — MFA is required for internet-facing services (email, cloud apps, remote access)
- ML2 — MFA is required for all users on all systems, including internal systems; phishing-resistant MFA methods are used where possible
- ML3 — Only phishing-resistant MFA (hardware keys or passkeys) is used; MFA is enforced without exceptions
Application Patching
- ML0 — Patches are applied irregularly or only when problems arise
- ML1 — Critical patches are applied within 30 days; internet-facing applications are patched within two weeks
- ML2 — Critical patches applied within two weeks; an asset register tracks what software is in use
- ML3 — Critical patches applied within 48 hours; automated patch management with reporting
Regular Backups
- ML0 — Backups are inconsistent or untested
- ML1 — Backups of important data are performed at least weekly; backups are tested periodically
- ML2 — Backups cover all systems; restoration is tested at least annually; backups are stored offline or in an isolated environment
- ML3 — Backups are comprehensive, tested regularly, and stored in a way that prevents ransomware from reaching them
Why Most Small Businesses Should Target ML1
ML1 is specifically designed to address the most common and most successful attack methods used against Australian organisations. The vast majority of breaches exploit one of a small number of weaknesses: weak or stolen passwords, unpatched software, overly permissive access, or a complete lack of backups.
ML1 closes those gaps. If you consistently implement all eight controls at ML1, you are significantly better protected than most small businesses. You've addressed the low-hanging fruit that automated attack tools and opportunistic criminals rely on.
Many small businesses assess themselves as being at ML1 when they're actually at ML0 for several controls. Honest self-assessment matters. Sporadic or partial implementation doesn't count — ML1 requires that controls are consistently applied, not just sometimes.
When Does ML2 Make Sense?
ML2 requires more investment — in tooling, processes, and ongoing effort. It's appropriate when:
- You operate in a regulated industry such as healthcare, financial services, or aged care
- You hold sensitive personal data at scale — patient records, financial records, or similar
- Your cyber insurance provider requires it (some policies now specify Essential Eight alignment)
- You supply services to government agencies or defence contractors
- You've been targeted before and need stronger defences
For most small businesses outside these categories, ML1 is the right goal. Trying to jump straight to ML2 before ML1 is stable often means neither is implemented well.
Common Mistakes When Self-Assessing Maturity
Self-assessment is useful, but it's easy to overestimate where you are. Common mistakes include:
- Treating partial implementation as complete — if MFA is on for some accounts but not all, that's not ML1 for that control
- Confusing a policy with implementation — having a written policy requiring backups is not the same as having tested backups in place
- Assessing based on intention rather than evidence — "we plan to patch regularly" is ML0, not ML1
- Forgetting about legacy systems or software — an old accounting application that hasn't been updated in two years drops your patching maturity regardless of what else is in place
- Only considering some of the eight controls — all eight controls matter; strong performance on four of them while ignoring the other four doesn't represent overall maturity
How to Find Your Starting Point
The first step is an honest gap assessment — working through each of the eight controls and each of the ML1 requirements to identify what's in place and what's missing. The ACSC publishes free self-assessment tools and guides at cyber.gov.au that walk through this process.
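To show how the self-assessment rules above combine, here is a small gap-check script. It is an added example, not code from this article, from Flagged, or from the ACSC. It encodes the article's simplified criteria for the three controls illustrated earlier (MFA, application patching, regular backups) and applies the assessment rules just described: evidence counts, a written policy does not, partial coverage scores ML0, and overall maturity is the lowest level across the controls assessed. The patching windows (30 days, two weeks, 48 hours, two weeks for internet-facing) are the article's summary figures rather than the full ACSC criteria, the ML3 backup criteria are not modelled because the article states them qualitatively, and all account, software and backup records are constructed sample data.

```python
"""Constructed Essential Eight gap-check helper (added example, not an ACSC tool).

Encodes the article's simplified ML0-ML3 criteria for three controls and applies
its self-assessment rules: evidence beats policy, partial coverage is ML0, and
overall maturity is the lowest level across controls. All thresholds are the
article's summary figures, not the full ACSC criteria.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PHISHING_RESISTANT = {"hardware_key", "passkey"}
CRITICAL_PATCH_WINDOW_DAYS = {1: 30, 2: 14, 3: 2}   # ML1 / ML2 / ML3 (48 h = 2 days)
ML1_INTERNET_FACING_DAYS = 14                       # article: "within two weeks"
WEEKLY = timedelta(days=7)
ANNUAL = timedelta(days=365)


@dataclass
class Account:
    name: str
    internet_facing: bool          # email, cloud apps, remote access
    mfa_method: Optional[str]      # None, "otp", "passkey", "hardware_key"


@dataclass
class Software:
    name: str
    internet_facing: bool
    critical_patch_released: Optional[date]   # None: nothing outstanding
    patch_applied: Optional[date]             # None: still unpatched


@dataclass
class BackupEvidence:
    policy_written: bool           # a policy alone is not implementation
    last_backup: Optional[date]
    last_restore_test: Optional[date]
    offline_copy: bool             # offline or isolated copy exists


def mfa_level(accounts):
    """MFA maturity from per-account evidence (simplified from the article)."""
    if any(a.internet_facing and a.mfa_method is None for a in accounts):
        return 0                   # partial coverage is ML0, not ML1
    if any(a.mfa_method is None for a in accounts):
        return 1                   # internet-facing covered, internal systems not
    if any(a.mfa_method not in PHISHING_RESISTANT for a in accounts):
        return 2
    return 3


def patching_level(software, today):
    """Highest level whose patch window every outstanding critical patch met."""
    level = 3
    for s in software:
        if s.critical_patch_released is None:
            continue
        applied = s.patch_applied or today    # unpatched: the clock is still running
        days = (applied - s.critical_patch_released).days
        for ml in (3, 2, 1):
            if days > CRITICAL_PATCH_WINDOW_DAYS[ml]:
                level = min(level, ml - 1)
        if s.internet_facing and days > ML1_INTERNET_FACING_DAYS:
            level = 0                         # legacy or slow patching drags the control to ML0
    return level


def backup_level(b, today):
    """Backup maturity from evidence of backups and restore tests, capped at ML2."""
    if b.last_backup is None or b.last_restore_test is None:
        return 0                   # written policy without tested backups is ML0
    if today - b.last_backup > WEEKLY:
        return 0                   # ML1 needs at least weekly backups
    if b.offline_copy and today - b.last_restore_test <= ANNUAL:
        return 2                   # article's ML3 backup criteria are qualitative; not modelled
    return 1


def assess(accounts, software, backups, today):
    """Per-control levels plus overall maturity (the weakest control sets it)."""
    levels = {
        "mfa": mfa_level(accounts),
        "patching": patching_level(software, today),
        "backups": backup_level(backups, today),
    }
    levels["overall"] = min(levels.values())
    return levels


# Constructed sample evidence for a fictional small business.
TODAY = date(2024, 6, 30)
ACCOUNTS = [
    Account("owner@example.com", internet_facing=True, mfa_method="otp"),
    Account("bookkeeper@example.com", internet_facing=True, mfa_method=None),  # the gap
    Account("file-server-admin", internet_facing=False, mfa_method=None),
]
SOFTWARE = [
    Software("Mail gateway", True, date(2024, 6, 1), date(2024, 6, 10)),   # 9 days
    Software("Legacy accounting app", False, date(2022, 5, 1), None),      # ~2 years unpatched
]
BACKUPS = BackupEvidence(policy_written=True, last_backup=date(2024, 6, 28),
                         last_restore_test=date(2024, 1, 15), offline_copy=True)

if __name__ == "__main__":
    print(assess(ACCOUNTS, SOFTWARE, BACKUPS, TODAY))
```

Run as-is, the sample business scores ML2 on backups but ML0 on both MFA (one internet-facing account without MFA) and patching (the legacy accounting application), so its overall maturity is ML0. Fixing the two named gaps, and nothing else, lifts it to ML1 overall; that is the prioritisation the gap assessment is meant to surface.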
If you'd prefer a guided assessment, Flagged offers a plain-English review of your current posture against the Essential Eight, with clear prioritisation of what to address first. Most small businesses don't need to tackle everything at once — they need to know which gaps create the most risk and address those first.
The Essential Eight isn't about perfection. It's about systematic, consistent improvement. ML1, properly implemented across all eight controls, is a genuinely strong security baseline — and a realistic goal for any Australian small business willing to make it a priority.
Frequently asked questions
What maturity level should a small business aim for?
Maturity Level 1 is the right starting point for most small businesses. It addresses the most common and most damaging attack vectors — phishing, credential theft, ransomware, and exploitation of unpatched software. Many small businesses aren't even at ML1 consistently, so getting there represents a significant improvement in security posture. Once ML1 is stable and embedded into your operations, you can assess whether ML2 is appropriate based on your industry, the sensitivity of data you hold, and any regulatory or insurance requirements you face.
How is Essential Eight maturity assessed?
Maturity is assessed by evaluating how consistently and completely each of the eight controls is implemented. The ACSC publishes detailed assessment guides for each control and each maturity level, specifying exactly what's required. Formal assessments are typically carried out by a qualified security assessor who reviews your policies, configurations, and technical controls against these criteria. For small businesses, a simpler self-assessment or a review by a trusted IT provider is a practical starting point to identify gaps and prioritise improvements.
Is Maturity Level 3 required for any Australian businesses?
Maturity Level 3 is required for most Australian government agencies under the Australian Government Information Security Manual (ISM), and is expected by many defence contractors under the Defence Industry Security Program (DISP). It's not a regulatory requirement for most private-sector small businesses, though some highly regulated industries — healthcare, financial services, critical infrastructure — may have specific requirements that align with ML2 or ML3 controls. If you're a supplier to government or defence, check your contract obligations carefully.