TL;DR: To pass Essential 8 Maturity Level One (ML1), an Australian SMB must satisfy every one of the eight mitigation strategies, not just most of them. The hardest parts for SMBs are usually the patch timeframes (two weeks for applications and operating systems, 48 hours for internet-facing exploits), MFA coverage, and proving backups actually restore. This is a control-by-control checklist of what "compliant" really means at ML1, based on the current ACSC Essential Eight Maturity Model.
What Maturity Level One actually means
ML1 is the lowest of the three Essential Eight maturity levels, but it is not a soft target. According to the ACSC (cyber.gov.au), ML1 is designed to mitigate threats from adversaries using commodity, widely available tools and techniques. To claim ML1, you must meet every requirement in all eight strategies. A single missed control means you are not at ML1, you are below it.
The Essential Eight is assessed as a whole. The ACSC recommends implementing all eight strategies together because they reinforce each other. Doing five of eight well does not earn you a partial pass. For an overview of how the framework fits together, see our Essential 8 compliance guide.
The eight strategies fall into three groups: preventing malware delivery and execution, limiting the extent of incidents, and recovering data. Below is each one at ML1, what counts as compliant, and the common SMB failure.
Patch applications
ML1 requires you to patch security vulnerabilities in applications quickly, with the speed depending on exposure. Per the ACSC, patches, updates or vendor mitigations for security vulnerabilities in internet-facing services must be applied within two weeks of release, or within 48 hours if an exploit exists. For other applications, including office productivity suites, web browsers, email clients, PDF software and security products, the timeframe is one month.
ML1 also requires a vulnerability scanner with an up-to-date vulnerability database, run at least daily to identify missing patches in internet-facing services, and at least fortnightly for other applications. Applications that are no longer supported by the vendor must be removed.
Common SMB failure: assuming Windows Update covers everything. It does not. Third-party apps such as Adobe Reader, Chrome extensions and line-of-business tools need their own patching cadence, and most SMBs have no scanner running at all.
Patch operating systems
ML1 requires operating systems to be patched on the same risk-based timeline as applications. The ACSC requires patches for internet-facing services to be applied within two weeks, or 48 hours where an exploit exists. Operating systems of workstations, servers and network devices must be patched within one month of release.
A vulnerability scanner must run at least daily for internet-facing operating systems and at least fortnightly for workstations, servers and network devices. Operating systems that are no longer vendor-supported must be replaced.
Common SMB failure: an unsupported Windows Server quietly running in a cupboard, or network devices such as firewalls and routers that nobody has firmware-patched since install. Both fail ML1 outright.
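The timeframes from the two patching sections above can be turned into a deadline check over a scanner export. This is an added example, not ACSC or CYBERWHITE code; the `Finding` record, the sample assets, the status names and the treatment of "one month" as 30 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Timeframes as stated on this page for ML1.
EXPLOIT_WINDOW = timedelta(hours=48)          # internet-facing, exploit exists
INTERNET_FACING_WINDOW = timedelta(weeks=2)   # internet-facing, no known exploit
OTHER_WINDOW = timedelta(days=30)             # assumption: "one month" = 30 days

@dataclass
class Finding:                       # hypothetical record from a scanner export
    asset: str
    internet_facing: bool
    exploit_exists: bool
    vendor_supported: bool
    patch_released: datetime
    patch_applied: Optional[datetime] = None   # None = patch still missing

def deadline(f: Finding) -> datetime:
    """Latest time the patch may be applied under the timeframes above."""
    if f.internet_facing:
        window = EXPLOIT_WINDOW if f.exploit_exists else INTERNET_FACING_WINDOW
    else:
        window = OTHER_WINDOW
    return f.patch_released + window

def assess(f: Finding, now: datetime) -> str:
    """Return PASS, OPEN (missing but inside the window), LATE, OVERDUE or UNSUPPORTED."""
    if not f.vendor_supported:
        return "UNSUPPORTED"         # must be removed or replaced, patched or not
    due = deadline(f)
    if f.patch_applied is not None:
        return "PASS" if f.patch_applied <= due else "LATE"
    return "OPEN" if now <= due else "OVERDUE"

def patching_met(findings, now: datetime) -> bool:
    """All-or-nothing: one miss means the strategy is not met."""
    return all(assess(f, now) in ("PASS", "OPEN") for f in findings)

# Constructed sample inventory (not real assets).
NOW = datetime(2024, 6, 20, 9, 0)
SAMPLE = [
    Finding("vpn-gateway", True, True, True, datetime(2024, 6, 17, 9, 0)),
    Finding("web-portal", True, False, True, datetime(2024, 6, 10), datetime(2024, 6, 18)),
    Finding("pdf-reader", False, False, True, datetime(2024, 6, 1)),
    Finding("old-file-server", False, False, False, datetime(2024, 5, 1), datetime(2024, 5, 2)),
    Finding("mail-relay", True, True, True, datetime(2024, 6, 1), datetime(2024, 6, 4)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.asset:16} {assess(f, NOW):12} due {deadline(f):%Y-%m-%d %H:%M}")
    print("ML1 patching met:", patching_met(SAMPLE, NOW))
```

Feeding it each daily or fortnightly scan keeps a running record of which findings were closed inside their window, which is the evidence an assessor will ask for.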
Multi-factor authentication
ML1 requires MFA for the accounts and services most exposed to attackers. The ACSC requires MFA for users authenticating to their organisation's internet-facing services, MFA for users authenticating to third-party internet-facing services that process, store or communicate the organisation's sensitive data, and MFA (where available) for users of third-party services that process non-sensitive data.
At ML1 a range of MFA methods is acceptable, so the priority is simply having MFA switched on for the in-scope accounts. SMS codes can technically satisfy ML1 but are discouraged because they are not phishing-resistant, and phishing-resistant MFA (such as passkeys or Windows Hello for Business) becomes mandatory at ML2 and above. For most Australian SMBs on Microsoft 365, ML1 means enabling MFA across every staff and admin account in Entra ID and not exempting people for convenience.
Common SMB failure: MFA enabled for some staff but not all, or admins exempted "for convenience." Both fail ML1. You can test your current state quickly with our Essential 8 maturity self-assessment.
Restrict administrative privileges
ML1 requires you to control who holds admin rights and to separate admin activity from everyday use. The ACSC requires that requests for privileged access to systems and applications are validated when first requested. Privileged accounts (except those explicitly authorised) must be prevented from accessing the internet, email and web services. Privileged users must use separate privileged and unprivileged operating environments, and unprivileged accounts must not be able to log on to privileged environments.
Common SMB failure: every staff member is a local administrator on their laptop, or the owner uses one Microsoft 365 account that is both a Global Administrator and their daily email account. Both break ML1.
Application control
ML1 requires application control in the most commonly abused locations on workstations. The ACSC requires application control to be implemented on workstations, applied to user profiles and temporary folders used by the operating system, web browsers and email clients. This stops executables, software libraries, scripts, installers and other code from running where malware typically lands.
Common SMB failure: treating antivirus as application control. They are different controls. ML1 application control is an allow-listing concept restricting execution in user-writable folders, which on Windows is typically delivered through Windows Defender Application Control or AppLocker.
Restrict Microsoft Office macros
ML1 requires you to block internet-sourced macros and lock the settings. The ACSC requires that Microsoft Office macros are blocked in files that originate from the internet, that Microsoft Office macro antivirus scanning is enabled, and that users cannot change Microsoft Office macro security settings.
Common SMB failure: macros are left fully enabled because "the accounts team needs them." ML1 does not require disabling all macros, only blocking those from the internet and preventing users from weakening the settings. Microsoft 365 supports this through Group Policy or cloud policy.
User application hardening
ML1 requires hardening web browsers against common attack vectors. The ACSC requires that web browsers do not process Java from the internet, do not process web advertisements from the internet, that Internet Explorer 11 is disabled or removed, and that web browser security settings cannot be changed by users.
Common SMB failure: Internet Explorer 11 still present on older machines, or no ad-blocking or content controls applied at the browser level. These are easy to overlook but explicitly tested at ML1.
Regular backups
ML1 requires backups that are performed regularly, retained, and proven to restore. The ACSC requires that backups of important data, software and configuration settings are performed and retained in line with business continuity requirements. Restoration of systems, software and important data from backups must be tested when initially implemented, and when infrastructure changes. Unprivileged accounts must not be able to access, modify or delete backups belonging to other accounts, or their own backups beyond the retention period.
Common SMB failure: backups run, but nobody has ever tested a restore, so a real ransomware event finds them unrecoverable. ML1 explicitly requires restoration testing, not just that backups exist.
How to use this checklist
Work through all eight strategies and mark each as met or not met against the wording above. Because ML1 is pass-or-fail across the full set, prioritise the gaps that fail you outright: unsupported software, missing MFA, shared admin accounts, and untested backups. CYBERWHITE offers a self-guided plus automated Essential 8 assessment that maps your Microsoft 365 tenant against these requirements, with one-click AutoFix via Microsoft Graph for many of the configurable controls, and CARS adaptive risk scoring to prioritise the gaps that matter most.
Frequently asked questions
What is the Essential 8 ML1 checklist?
It is a control-by-control list of every requirement an organisation must meet to reach Maturity Level One across all eight ACSC mitigation strategies: patch applications, patch operating systems, MFA, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups.
How many controls do you need to pass ML1?
All of them. ML1 is assessed across all eight strategies, and you must meet every requirement within each strategy. Meeting most controls does not earn a partial maturity level under the ACSC model.
What are the ML1 patch timeframes?
Per the ACSC, internet-facing services must be patched within two weeks, or within 48 hours if an exploit exists. Other applications and the operating systems of workstations, servers and network devices must be patched within one month.
Does ML1 require MFA for everyone?
ML1 requires MFA for users of internet-facing services and for third-party services handling your sensitive data, with MFA used where available for other third-party services. A range of methods is acceptable at ML1, though SMS is discouraged. Phishing-resistant MFA is only mandatory from ML2 upward.
Is antivirus the same as application control?
No. Antivirus detects known malicious files. ML1 application control restricts which executables and scripts can run in user-writable locations such as user profiles and temporary folders. They are separate controls, and ML1 requires application control specifically.
Can a small business reach ML1 on Microsoft 365 alone?
Largely yes, for the configurable controls. Microsoft 365 and Entra ID support MFA, macro restrictions, browser hardening and admin separation. Application control and patching of third-party and on-premises software usually need additional tooling and process.
How often do backups need testing at ML1?
The ACSC requires restoration from backups to be tested when the backup capability is first implemented and whenever there are infrastructure changes. Backups that are never test-restored do not satisfy ML1.
What is the most common reason SMBs fail ML1?
The most frequent failures are unsupported operating systems or applications still in use, MFA gaps, every user holding local admin rights, and backups that have never been test-restored.
How do I check my current Essential 8 maturity level?
Run a structured assessment against the ACSC requirements. You can use the CYBERWHITE Essential 8 maturity self-assessment to map your Microsoft 365 environment and see exactly which ML1 controls you currently pass.
Is ML1 enough for an Australian government contract?
It depends on the contract. Some require ML1 as a baseline, while others specify Maturity Level Two or higher. Confirm the required level in the tender or contract terms, then assess against that specific level rather than assuming ML1 is sufficient.