Essential Eight Maturity Model: A Practical Implementation Guide
The Australian Cyber Security Centre's Essential Eight is a prioritised list of mitigation strategies that organisations should implement to protect against cyber threats. Unlike broad frameworks like NIST CSF, the Essential Eight is prescriptive — it tells you exactly what to do and defines maturity levels for each strategy.
The 8 Strategies
Prevent Malware Delivery and Execution
- Application Control — restrict execution to an approved set of applications
- Patch Applications — patch applications within defined timeframes based on criticality
- Configure Microsoft Office Macro Settings — block macros from the internet, only allow vetted macros
Limit the Extent of Cyber Security Incidents
- User Application Hardening — disable unneeded features in web browsers, Office, PDF readers
- Restrict Administrative Privileges — limit admin access to those who need it, validate regularly
- Patch Operating Systems — patch OS within defined timeframes
Recover Data and System Availability
- Multi-Factor Authentication — MFA for all users, especially for privileged and remote access
- Regular Backups — backup critical data and test restoration
Maturity Levels
Each strategy has 4 maturity levels:
- ML0 — Not implemented or poorly implemented
- ML1 — Partly aligned with the intent of the mitigation strategy
- ML2 — Mostly aligned with the intent of the mitigation strategy
- ML3 — Fully aligned with the intent of the mitigation strategy
Assessing Your Maturity
For each strategy, evaluate your current implementation against the ACSC's published criteria. For example, Application Control at ML2 requires:
- Application control on workstations AND internet-facing servers
- Restriction of executables, libraries, scripts, installers, compiled HTML, and HTML applications
- Microsoft's recommended blocklist implemented
- Rulesets validated annually
Building Your Roadmap
- Assess current state — use Netallion's Essential Eight assessment to benchmark against ML criteria
- Identify the gaps — each strategy will have a current ML and a target ML
- Prioritise by impact — strategies that prevent initial compromise (application control, patching) typically deliver the highest ROI
- Implement incrementally — move from ML1 to ML2 across all strategies before pursuing ML3 in any single strategy
- Evidence everything — upload configurations, scan results, and policy documents as compliance evidence
Start your Essential Eight assessment at grc.netallion.app.