Essential 8··13 min read

How an Essential 8 Assessment Works: Process, Evidence and Timelines

How the Essential 8 assessment process works: self-assessment vs third-party, the evidence assessors expect, common gaps, and how long each stage takes.

By Vikram Kukreja

TL;DR

An Essential 8 assessment measures how well your organisation has implemented the ASD's eight cybersecurity mitigation strategies at ML1, ML2, or ML3. Any business can run a self-assessment using the ACSC's publicly available methodology. Government contractors and non-corporate Commonwealth entities typically need third-party verification. The gap between your current state and your target maturity level is what the assessment reveals.

Want a starting point before you work through the process below? The free Essential 8 assessment tool gives you an indicative, self-rated maturity score across all eight strategies in a few minutes. It is not an official assessment result, but it shows you which strategies to focus on first, and the process below turns that into an evidence-backed position.

What an Essential 8 assessment measures

An Essential 8 assessment is not a pass/fail exam against a single standard. It is a structured gap analysis: where are you now against ML1, ML2, or ML3 requirements across eight specific mitigation strategies?

The ASD/ACSC publishes the full assessment methodology in the Essential Eight Assessment Process Guide, available at cyber.gov.au. [1] That document defines what evidence assessors look for, how controls are tested, and what constitutes compliance at each level.

Every assessment covers all eight mitigation strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication
  8. Regular Backups

Each strategy is assessed independently at your declared target maturity level. Falling short on one strategy reduces your overall assessed level for that control, regardless of how well the other seven are implemented.

Self-assessment vs. third-party assessment: which one you need

Self-assessment is the right starting point for most Australian SMBs. The ACSC's methodology is public, and organisations can work through each control themselves, collect evidence, and score their current position against the Essential Eight Maturity Model. [2]

Third-party assessment carries more weight with government procurement teams. For non-corporate Commonwealth entities, PSPF Policy 10 requires independent assessment in place of a self-declared result. [3] Government contractors should check whether the specific tender or agency receiving their compliance claim requires third-party evidence.

If you are a private business pursuing a government contract, confirm with your customer whether they accept a self-assessment report or require an assessor's letter before investing in a formal engagement.

What the maturity levels require from an assessment perspective

The ACSC's maturity model defines three levels of implementation rigour, each building on the one below. [2] Understanding what each level demands helps you scope the assessment correctly before you start.

ML1 addresses opportunistic threats. An ML1 assessment checks that baseline controls are in place: MFA on email and internet-facing remote access, standard application control on workstations, patching within ACSC timeframes for internet-facing services, and restricted administrative privileges. Evidence requirements at ML1 are relatively straightforward.

ML2 raises requirements across the board. Patching windows tighten. MFA must cover more user groups and access methods. Application control extends to a wider set of execution paths. Event logs must be collected, protected, and monitored. Evidence at ML2 includes configuration exports, group policy screenshots, and logs proving that patch timelines are met.

ML3 closes the attack paths that sophisticated adversaries exploit. MFA must be phishing-resistant. Application control must block user-writable paths. Privileged access management is considerably more prescriptive. Evidence at ML3 must align across testing results, configuration documentation, and policy records.

For most Australian SMBs approaching Essential 8 compliance for the first time, ML1 is the realistic first target. The ACSC recommends ML2 as the appropriate baseline for organisations facing more than opportunistic threats. [2]

What evidence the assessment requires

Preparing evidence before the assessment begins cuts assessment time significantly. Many organisations discover their biggest gap at this stage is documentation, not the controls themselves.

Here is what assessors typically look for, strategy by strategy:

  • Application Control: Configuration exports showing which applications are permitted on workstations. At ML2 and above, a hash-based or publisher-based allowlist.
  • Patch Applications: A current software inventory and patch reports showing remediation dates alongside vulnerability publication dates. The ACSC specifies timeframes by severity level. [1]
  • Macro Settings: Group Policy Objects or Intune policies showing macro configuration, with evidence those settings are enforced across the estate.
  • User Application Hardening: Browser settings exported via MDM or GPO, showing that web advertisements and Java are blocked or restricted on workstations.
  • Restrict Administrative Privileges: A register of accounts holding admin rights, with evidence that privileged accounts are not used for email or web browsing.
  • Patch Operating Systems: OS versions and patch levels across the environment, with remediation dates.
  • Multi-Factor Authentication: Enrolment reports and authentication logs showing MFA coverage and the authentication method types in use.
  • Regular Backups: Backup schedules, retention logs, and documented tested restoration results with dates.

How long an Essential 8 assessment takes

The assessment itself and the remediation work are two separate timelines. A common mistake is treating them as one.

A self-assessment at ML1 for a small to medium business with a prepared IT team can be completed in a few days. Working through all eight strategies, collecting evidence, and scoring gaps takes longer if documentation is scattered or controls are only partially implemented.

A third-party assessment by an external firm typically runs two to four weeks for a mid-sized organisation. This includes a scoping call, document collection, configuration testing across a representative set of systems, and report writing. Timelines vary depending on how prepared the organisation is when the engagement starts.

The remediation phase is separate entirely. Closing the gaps an assessment reveals takes longer than the assessment itself. Australian SMBs new to Essential 8 often spend several weeks to a few months on implementation work before they can confidently claim ML1. Reaching ML2 adds more time, particularly if phishing-resistant MFA needs to be rolled out or application control needs to extend to new execution paths.

CYBERWHITE's compliance scanner connects to your Microsoft 365 tenant and produces a gap report mapped against Essential 8 controls and maturity levels. You can move from tenant connection to baseline gap report within the same working day. The AutoFix engine then lets you deploy approved remediation changes through Intune and Microsoft Graph, with your sign-off required before anything is deployed.

Common gaps that derail first-time assessments

Assessors across Australian SMBs see the same issues appear repeatedly. Knowing these in advance lets you close them before the formal review.

Patching timelines not documented. Many organisations patch regularly but have no record showing when the patch was applied relative to when the vulnerability was published. Without those dates, you cannot demonstrate compliance with ACSC patching timeframes.

MFA applied inconsistently. ML1 requires MFA on internet-facing remote access and email. ML2 extends this to all users and all access methods. A common finding is that MFA was enabled in Microsoft 365 but not enforced for legacy authentication protocols, leaving an exploitable path open.

Privileged accounts used for daily tasks. This is one of the most frequently cited ML1 failures. IT staff using domain admin accounts for email and web browsing fails the Restrict Administrative Privileges control.

Backups not tested. The ACSC does not require backups to exist. It requires backups to be tested. At ML1, restoration must be verified. At ML2, disconnected or immutable backup copies are required. Organisations often have working backups but no evidence of a tested restoration event.

Macro settings enforced by individual configuration, not policy. Disabling macros on one Office installation is not the same as enforcing the setting via GPO or Intune. Assessors check for policy-based enforcement across the estate, not one-off configuration changes.

How to prepare for your first Essential 8 gap assessment

Running a successful assessment comes down to three steps: inventory your systems, collect your evidence, and identify gaps before an assessor does.

Start with a full inventory of devices, user accounts, and software. You cannot assess what you cannot see. This inventory defines the scope document that tells an assessor which systems are in-scope.

Then work through the Essential 8 ML1 checklist control by control and collect the evidence listed above. If gaps emerge, decide whether to remediate first or proceed to assessment with an acknowledged gap list.

Finally, clarify what your target audience accepts. If you are self-assessing to understand your own risk, proceed when evidence is ready. If you are presenting results to a government customer, confirm whether they require a third-party report before engaging an external assessor.

What happens after the assessment?

An assessment report is a point-in-time snapshot. Controls drift as staff change, new systems are added, and new vulnerabilities are published. Organisations that treat the assessment as a one-time event typically find themselves non-compliant within 12 months without ongoing monitoring.

The ACSC recommends reassessment when any of the following occur: a significant change to the IT environment, a new software or system deployment, a security incident, or at minimum annually. [1] For government contractors, reassessment cadence may be specified in the contract itself.

For more on what the different maturity levels require on an ongoing basis, see our guide to Essential 8 maturity levels. To compare CYBERWHITE options for your organisation size, see pricing.

FAQ

What is an Essential 8 assessment?

An Essential 8 assessment is a structured evaluation of how well an organisation has implemented the ASD's eight cybersecurity mitigation strategies at ML1, ML2, or ML3. It covers application control, patch applications, macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Organisations can self-assess or engage a third-party assessor.

Do I need a third-party assessor?

Not for a self-assessment. The ACSC makes the assessment methodology publicly available and any organisation can evaluate themselves against the Essential Eight Maturity Model. Third-party assessments are required for non-corporate Commonwealth entities under the PSPF and are often expected by government procurement teams for contractors claiming compliance.

Which maturity level should I target?

The ACSC recommends ML2 as the baseline for most Australian organisations. Government contractors should confirm the specific level required in the contract. Non-corporate Commonwealth entities are required to reach ML2 under PSPF Policy 10. Organisations new to Essential 8 typically start with an ML1 gap analysis first.

How long does the assessment take?

A self-assessment at ML1 can take a few days for a small team with good documentation already in place. A third-party assessment typically runs two to four weeks for a mid-sized organisation. The time to remediate gaps and reach your target maturity level is separate and usually considerably longer.

What evidence do I need to collect?

Evidence varies by control but typically includes configuration exports, group policy settings, software inventory lists, patch reports showing remediation dates, MFA enrolment records, backup logs with tested restoration dates, and privilege access registers. The ACSC's Essential Eight Assessment Process Guide details the specific artefacts expected at each maturity level.

Is Essential 8 mandatory for Australian businesses?

Essential 8 is mandated for non-corporate Commonwealth entities under the PSPF. It is not a legal requirement for private businesses. However, many government procurement processes and enterprise contracts require suppliers to demonstrate a minimum maturity level, making it effectively mandatory for businesses pursuing those contracts.


Sources

[1] ASD/ACSC, "Essential Eight Assessment Process Guide" (August 2023), cyber.gov.au

[2] ASD/ACSC, "Essential Eight Maturity Model", cyber.gov.au

[3] Australian Government, "Protective Security Policy Framework (PSPF) Policy 10", protectivesecurity.gov.au

Related reading

Ready to assess your compliance?

CYBERWHITE helps Australian businesses reach Essential 8 and SMB1001 audit-readiness faster. Start with our free 5-minute assessment.