Frameworks
5 min

Essential Eight Maturity Model: A Practical Implementation Guide

Australia's Essential Eight defines 8 mitigation strategies across 4 maturity levels. Here is how to assess your current maturity and build a roadmap to ML3.

Netallion Team·April 28, 2026

Essential Eight Maturity Model: A Practical Implementation Guide

The Australian Cyber Security Centre's Essential Eight is a prioritised list of mitigation strategies that organisations should implement to protect against cyber threats. Unlike broad frameworks like NIST CSF, the Essential Eight is prescriptive — it tells you exactly what to do and defines maturity levels for each strategy.

The 8 Strategies

Prevent Malware Delivery and Execution

  1. Application Control — restrict execution to an approved set of applications
  2. Patch Applications — patch applications within defined timeframes based on criticality
  3. Configure Microsoft Office Macro Settings — block macros from the internet, only allow vetted macros

Limit the Extent of Cyber Security Incidents

  1. User Application Hardening — disable unneeded features in web browsers, Office, PDF readers
  2. Restrict Administrative Privileges — limit admin access to those who need it, validate regularly
  3. Patch Operating Systems — patch OS within defined timeframes

Recover Data and System Availability

  1. Multi-Factor Authentication — MFA for all users, especially for privileged and remote access
  2. Regular Backups — backup critical data and test restoration

Maturity Levels

Each strategy has 4 maturity levels:

  • ML0 — Not implemented or poorly implemented
  • ML1 — Partly aligned with the intent of the mitigation strategy
  • ML2 — Mostly aligned with the intent of the mitigation strategy
  • ML3 — Fully aligned with the intent of the mitigation strategy
Most organisations should target ML2 as a minimum, with critical infrastructure aiming for ML3.

Assessing Your Maturity

For each strategy, evaluate your current implementation against the ACSC's published criteria. For example, Application Control at ML2 requires:

  • Application control on workstations AND internet-facing servers
  • Restriction of executables, libraries, scripts, installers, compiled HTML, and HTML applications
  • Microsoft's recommended blocklist implemented
  • Rulesets validated annually

Building Your Roadmap

  1. Assess current state — use Netallion's Essential Eight assessment to benchmark against ML criteria
  2. Identify the gaps — each strategy will have a current ML and a target ML
  3. Prioritise by impact — strategies that prevent initial compromise (application control, patching) typically deliver the highest ROI
  4. Implement incrementally — move from ML1 to ML2 across all strategies before pursuing ML3 in any single strategy
  5. Evidence everything — upload configurations, scan results, and policy documents as compliance evidence
Netallion provides 18 Essential Eight controls mapped to ML2-ML3 criteria across all 8 strategies.

Start your Essential Eight assessment at grc.netallion.app.

Essential Eight
ACSC
Australia
Cybersecurity
Maturity Model

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.