Essential Eight Assessment: How Australian Businesses Can Check Their Maturity Level
The ASD's Essential Eight is the benchmark cyber security framework for Australian businesses. Here's how to assess your current maturity level — and what to do about it.
If you've heard of the Essential Eight but aren't sure where to start, you're not alone. It's Australia's most widely referenced cyber security framework — but for many small business owners, it can feel like an abstraction: eight controls, four maturity levels, lots of acronyms. What does it actually mean for your business, and how do you work out where you currently stand?
This guide breaks it down in plain language, explains how to assess your current maturity level, and tells you what to prioritise first.
What Is the Essential Eight?
The Essential Eight is a prioritised set of eight security controls developed by the Australian Signals Directorate (ASD) — the government body responsible for cyber security guidance in Australia. It was designed as a practical baseline to help organisations protect themselves against the most common types of cyber attacks.
The eight controls are:
- Application control — only allow approved applications to run on your systems
- Patch applications — keep software up to date, particularly internet-facing and office productivity applications
- Configure Microsoft Office macro settings — restrict macros to prevent a common malware delivery method
- User application hardening — configure browsers and other applications to block common attack techniques
- Restrict administrative privileges — limit who has admin access and to what
- Patch operating systems — keep OS versions current and supported
- Multi-factor authentication (MFA) — require MFA on all accounts, especially privileged and internet-facing ones
- Regular backups — maintain tested, off-network backups of important data and systems
The ASD updates the Essential Eight Maturity Model periodically to reflect the evolving threat landscape, so always assess against the current published version rather than an older checklist. The current version places particular emphasis on MFA and patching as the highest-impact controls for most organisations.
Understanding the Maturity Levels
Each of the eight controls is assessed against four maturity levels:
- Maturity Level Zero (ML0): The control is not implemented, or is implemented in a way that doesn't provide meaningful protection (for example, deployed on some systems but not others). This represents significant exposure.
- Maturity Level One (ML1): The control is implemented well enough to defeat opportunistic attackers using commodity tools and techniques, the kind carried out by automated tools scanning for easy targets.
- Maturity Level Two (ML2): The control is implemented more systematically and defeats adversaries willing to invest more effort against a specific organisation they have chosen as a target.
- Maturity Level Three (ML3): The control is implemented comprehensively and defeats sophisticated, persistent adversaries. This level is relevant mainly for high-value targets such as government agencies and critical infrastructure.
Two rules matter when you score yourself. First, a level is all-or-nothing: a control that meets some but not all of the requirements for ML1 is rated ML0, not "nearly ML1". Second, your overall maturity level is the lowest level you have achieved across all eight controls, so seven controls at ML2 and one at ML0 gives you an overall rating of ML0.
For most Australian small businesses, achieving ML1 across all eight controls is the priority starting point. It significantly reduces your exposure to the vast majority of real-world attacks without requiring enterprise-level resources.
How to Assess Your Current Maturity Level
Step 1: Get the ASD's Assessment Guidance
The ASD publishes detailed assessment guidance for the Essential Eight at cyber.gov.au. This guidance includes specific indicators for each maturity level across all eight controls — it tells you exactly what evidence you need to demonstrate a given maturity level. Download this document before you start your assessment.
Step 2: Work Through Each Control Systematically
For each of the eight controls, ask yourself — and document your answers to — these questions:
- Do we have this control in place at all?
- Does it apply to all relevant systems and users, or only some?
- Is it monitored and enforced, or aspirational?
- When was it last reviewed or tested?
Step 3: Rate Each Control
Based on your answers, assign each control a current maturity level (ML0 through ML3). A level only counts if every requirement for it is met across all relevant systems and users; if the control is only partly deployed or isn't actually enforced, rate it ML0. Be honest: it's far better to know your real position than to overstate your maturity and discover the gap during an incident or an insurance claim review.
Step 4: Identify and Prioritise Gaps
Once you have a complete picture, identify which controls are at ML0 or where you have the largest gaps. Prioritise based on:
- Which controls address your highest-risk scenarios
- Which are quickest to implement (MFA, for example, can often be enabled within days)
- Which are required by your insurer, clients, or regulators
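The following worksheet is an added example, not ASD tooling or code from the original page. It records the Step 2 answers and Step 3 rating for each control, applies ASD's two scoring rules (a level is all-or-nothing, and overall maturity is the lowest level across the eight), and produces the Step 4 prioritised gap list. The ratings are constructed for a fictional business, and the priority weighting that favours MFA and patching is this worksheet's own assumption, not an ASD rule.

```python
"""Essential Eight self-assessment worksheet (added example, not ASD tooling)."""
from dataclasses import dataclass

CONTROLS = (
    "Application control",
    "Patch applications",
    "Configure Microsoft Office macro settings",
    "User application hardening",
    "Restrict administrative privileges",
    "Patch operating systems",
    "Multi-factor authentication",
    "Regular backups",
)

# Controls the article singles out as highest-impact and quickest to implement.
# This weighting is an assumption for the worksheet, not part of the ASD model.
PRIORITY_BOOST = {
    "Multi-factor authentication": 2,
    "Patch applications": 1,
    "Patch operating systems": 1,
}


@dataclass(frozen=True)
class Rating:
    control: str
    claimed_level: int                 # ML0-ML3 as self-reported in Step 3
    covers_all_systems: bool           # Step 2: applies to every relevant system and user?
    enforced: bool                     # Step 2: monitored and enforced, not aspirational?
    required_externally: bool = False  # an insurer, client or regulator asks for it
    evidence: str = ""                 # where the proof lives (report, screenshot, ticket)


def effective_level(r: Rating) -> int:
    """A level counts only when the control is complete and enforced.

    ASD treats each level's requirements as all-or-nothing, so a partially
    deployed or unenforced control does not meet ML1 and is scored ML0.
    """
    if r.control not in CONTROLS:
        raise ValueError(f"unknown control: {r.control}")
    if not 0 <= r.claimed_level <= 3:
        raise ValueError(f"maturity level must be 0-3, got {r.claimed_level}")
    if not (r.covers_all_systems and r.enforced):
        return 0
    return r.claimed_level


def overall_maturity(ratings: list[Rating]) -> int:
    """Overall maturity is the lowest level achieved across all eight controls."""
    rated = {r.control for r in ratings}
    missing = [c for c in CONTROLS if c not in rated]
    if missing:
        raise ValueError(f"unrated controls (treat as ML0 until assessed): {missing}")
    return min(effective_level(r) for r in ratings)


def prioritised_gaps(ratings: list[Rating], target: int = 1) -> list[tuple[str, int, int]]:
    """Return (control, current level, priority score), highest priority first.

    Priority = gap to the target level, plus the quick-win boost, plus one if an
    insurer, client or regulator requires the control. Ties keep ASD's order.
    """
    gaps = []
    for r in ratings:
        lvl = effective_level(r)
        if lvl >= target:
            continue
        score = (target - lvl) + PRIORITY_BOOST.get(r.control, 0) + (1 if r.required_externally else 0)
        gaps.append((r.control, lvl, score))
    return sorted(gaps, key=lambda g: (-g[2], CONTROLS.index(g[0])))


# Constructed sample ratings for a fictional small business.
SAMPLE = [
    Rating("Application control", 0, False, False),
    Rating("Patch applications", 1, True, True, evidence="RMM patch report, 14-day SLA"),
    Rating("Configure Microsoft Office macro settings", 1, True, True),
    Rating("User application hardening", 1, True, False),        # policy written, never enforced
    Rating("Restrict administrative privileges", 1, False, True),  # two staff still work as admins
    Rating("Patch operating systems", 1, True, True),
    Rating("Multi-factor authentication", 2, False, True, required_externally=True),  # not on email
    Rating("Regular backups", 1, True, True, evidence="monthly restore test log"),
]

if __name__ == "__main__":
    print(f"Overall maturity: ML{overall_maturity(SAMPLE)}")
    for control, lvl, score in prioritised_gaps(SAMPLE):
        print(f"  [priority {score}] {control}: currently ML{lvl}")
```

Note how the sample scores: four controls are self-reported at ML1 or ML2 but fail the "all systems" or "enforced" question and so drop to ML0, and a single ML0 control pulls the overall rating to ML0 regardless of the others. MFA lands at the top of the gap list because it is both a quick win and an insurer requirement in this scenario.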
Common Findings for Australian Small Businesses
Based on ACSC data and industry experience, the most common gaps found in Australian small business Essential Eight assessments include:
- MFA not enabled on email and cloud services — often the highest-risk gap
- Outdated software — particularly older versions of Windows, Adobe, and office applications that are no longer receiving security patches
- No tested backup process — backups exist in theory but haven't been restored and verified
- Admin account misuse — staff using administrative accounts for daily work, dramatically increasing the blast radius of any compromise
- No application control — any software can be installed and run, including malware delivered via phishing
Using a Tool to Run Your Assessment
The ASD's formal assessment guidance is comprehensive but can feel daunting for a business owner without an IT background. A number of assessment tools exist to help you work through the Essential Eight in a structured way. The free cyber risk assessment at flagged.com.au covers the core Essential Eight controls and gives you a prioritised report of your gaps — a practical starting point before investing in a formal third-party assessment.
What Comes After the Assessment
An assessment is only valuable if it leads to action. Once you know your maturity level, the next step is a remediation plan — a list of specific changes ranked by priority, with owners and target dates assigned. Start with the controls that are currently at ML0, and focus first on MFA and patching, which the ASD consistently identifies as the highest-impact starting points.
Review your maturity level at least annually, and after any significant change to your IT environment — a new cloud service, a new hire with admin access, or an operating system upgrade can all shift your effective maturity.
Key Takeaways
- The Essential Eight is Australia's leading cyber security framework, developed by the ASD, covering eight prioritised security controls.
- Controls are assessed at four maturity levels — most small businesses should target ML1 across all eight as a starting point.
- A self-assessment can be completed using the ASD's free guidance at cyber.gov.au, supplemented by tools like flagged.com.au.
- The most common gaps in Australian small businesses are MFA, patching, backups, and admin privilege management.
- An assessment is only useful if it results in a prioritised remediation plan with clear ownership and timelines.
Frequently asked questions
Is the Essential Eight mandatory for Australian small businesses?
The Essential Eight is mandatory for non-corporate Commonwealth entities under the Australian Government's Protective Security Policy Framework (PSPF). For private sector businesses and small businesses, it is not legally mandated — but it is strongly recommended by the Australian Signals Directorate (ASD) and the ACSC as a baseline for any organisation that uses internet-connected systems. Many government contracts, cyber insurers, and enterprise customers now expect suppliers and partners to demonstrate Essential Eight alignment.
What are the four Essential Eight maturity levels?
The Essential Eight uses four maturity levels. Maturity Level Zero (ML0) means the controls are not in place, or not in place everywhere they need to be, and the business is at significant risk. Maturity Level One (ML1) addresses the most common, lower-sophistication threats. Maturity Level Two (ML2) addresses more targeted attacks and requires a more systematic approach to patching, MFA, and access controls. Maturity Level Three (ML3) addresses advanced adversaries and requires tighter patching timeframes, comprehensive application control, and centralised logging and monitoring. Your overall rating is the lowest level you reach on any single control. Most small businesses should target ML1 across all eight as a starting point.
How long does an Essential Eight assessment take for a small business?
For a small business with relatively simple IT infrastructure, an initial self-assessment against the Essential Eight can be completed in two to four hours using the ASD's assessment guidance and a structured checklist. A more formal assessment conducted by a qualified security professional will take longer and provide greater confidence in the results. Either way, the assessment itself is far less important than what you do with the findings — addressing gaps systematically is where the real value lies.