
Essential 8 Audit: What Auditors Check and How to Prepare

Essential 8 audit guide for Australian businesses: what assessors check at ML1, ML2, and ML3, the evidence they require, common failures, and how to prepare faster.

By Vikram Kukreja

TL;DR: An Essential 8 audit assesses whether your organisation's technical controls meet the Australian Signals Directorate's requirements at your target maturity level. Assessors review documentation, test controls directly in your environment, and interview staff. The most common failures are patch timing gaps, incomplete MFA coverage, and backups that have never been tested for restoration.


What is an Essential 8 audit?

An Essential 8 audit is a formal evaluation of how your organisation has implemented the eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). Assessors follow the ACSC Essential Eight Assessment Process Guide, which defines exactly how each control must be tested at ML1, ML2, and ML3.

The purpose is independent verification. Having a policy that says you implement application control is not the same as an assessor confirming it is technically in place and configured to the ACSC standard. Government contracts, procurement requirements, and cyber insurance policies typically require the latter.

An Essential 8 audit differs from a self-assessment. A self-assessment is your organisation measuring its own compliance against the ACSC guidance, either manually or using an automated platform such as CYBERWHITE's free Essential 8 maturity assessment. An external audit validates those findings independently. Both are useful. Only an external audit provides the assurance level that procurement teams and boards typically accept.


Who conducts Essential 8 audits in Australia?

For Australian Federal Government entities, IRAP (Information Security Registered Assessors Program) assessors are the required path under the Protective Security Policy Framework. IRAP assessors are accredited by the ACSC and are listed on the cyber.gov.au register.

For private sector organisations, the ACSC does not mandate IRAP assessors. Any qualified cybersecurity consultant with solid knowledge of the ACSC's assessment methodology can conduct a valid assessment. Quality varies across providers, and the depth of technical testing is the main differentiator.

Many organisations run an automated gap assessment before engaging an external assessor. This approach reduces the time the assessor spends on discovery and typically cuts the overall engagement cost, because the gap list is already documented and triaged.


What auditors check at each maturity level

For each of the eight strategies, the ACSC specifies what must be implemented and verified at each maturity level. Assessors do not check whether a policy exists. They check whether controls are technically active.

At ML1, key checks include: patches for vulnerabilities in internet-facing services applied within two weeks of release, or within 48 hours if an exploit exists; patches on other applications applied within one month; MFA enabled for all remote access and all administrator accounts; application control blocking execution in user-writable locations for the required file types; and backups tested for restoration within the past three months.

At ML2, the standard lifts across every strategy. Patch timing requirements extend to a broader asset scope. MFA must cover all users accessing internet-facing services, not only administrators. Application control extends to servers as well as workstations. Backups must be disconnected from the internet and from production systems. Event logging requirements become more prescriptive.

At ML3, phishing-resistant MFA is required for all users, using methods such as hardware security keys, certificate-based authentication (smart cards), or Windows Hello for Business. A full organisational application control allowlist is mandatory. Privileged activities must be performed from dedicated privileged access workstations.

For a detailed walkthrough of requirements by level, see the Essential 8 maturity levels guide.


The four types of evidence assessors require

ACSC-aligned assessors gather evidence in four ways, and documentation alone is not enough to satisfy any control at any maturity level.

Documentation review: policies, procedures, and configuration records. This establishes intent but must be backed by technical evidence.

Technical testing: running checks directly against your environment. For patch management, an assessor queries installed software versions and compares them to vendor release dates. For application control, they may attempt to execute a blocked file type from a user-writable location.

Observation: watching staff perform tasks. For backup testing, an assessor may observe a live restoration procedure rather than accept a completion certificate.

Interviews: asking IT administrators how controls work, who is responsible for them, and what happens when an exception is needed. The goal is confirming the organisation actively manages each control, not just that the control was configured once.


Common Essential 8 audit failures

Patch timing is the most frequent failure at ML1 and ML2. Organisations often patch consistently but cannot produce evidence that patches were applied within the required window: two weeks for internet-facing services, or 48 hours when an exploit exists. Assessors rely on automated scan records with timestamps, not manual patch logs or technician notes.
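The window check an assessor applies to patch evidence, written out as an added example (this code is not from the original article or from any assessment tool). It takes constructed patch records of the kind a vulnerability scanner exports, each with the vendor release time and the time the scanner first observed the patched version installed, and classifies each against the windows the maturity model sets for the patch applications strategy: 48 hours for an internet-facing service when an exploit exists, two weeks otherwise, one month for other applications. The record layout, the asset names, the status labels and the reading of "one month" as 30 days are assumptions of the example.

```python
"""Check patch-timing evidence against the Essential Eight windows.

Added example, not from the article: each record carries the vendor
release time and the timestamp at which a scanner first observed the
patched version installed (the evidence assessors accept), and is
classified against the window the maturity model allows.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Windows for the 'patch applications' strategy as the maturity model
# words them: internet-facing (online) services get 48 hours if an
# exploit exists and two weeks otherwise; other applications one month.
# Reading "one month" as 30 days is an assumption of this example.
WINDOW_ONLINE_EXPLOITED = timedelta(hours=48)
WINDOW_ONLINE = timedelta(days=14)
WINDOW_OTHER = timedelta(days=30)

UTC = timezone.utc


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    software: str
    internet_facing: bool        # exposed online service?
    exploit_known: bool          # public exploit existed for the vulnerability?
    released: datetime           # vendor release time (UTC)
    applied: Optional[datetime]  # scanner first saw the patched version; None = not yet


def allowed_window(rec: PatchRecord) -> timedelta:
    """Window the model grants this record."""
    if rec.internet_facing:
        return WINDOW_ONLINE_EXPLOITED if rec.exploit_known else WINDOW_ONLINE
    return WINDOW_OTHER


def evaluate(rec: PatchRecord, as_of: datetime) -> dict:
    """Classify one record: 'late' and 'overdue' are audit failures,
    'open' is an unpatched item still inside its window."""
    window = allowed_window(rec)
    deadline = rec.released + window
    if rec.applied is None:
        status = "overdue" if as_of > deadline else "open"
        elapsed = as_of - rec.released
    else:
        status = "met" if rec.applied <= deadline else "late"
        elapsed = rec.applied - rec.released
    return {
        "asset": rec.asset,
        "software": rec.software,
        "window_hours": window / timedelta(hours=1),
        "elapsed_hours": elapsed / timedelta(hours=1),
        "status": status,
    }


def summarise(records: Iterable[PatchRecord], as_of: datetime) -> dict:
    """Counts per status plus the failing records, in input order."""
    results = [evaluate(r, as_of) for r in records]
    counts = {s: 0 for s in ("met", "late", "overdue", "open")}
    for r in results:
        counts[r["status"]] += 1
    failures = [r for r in results if r["status"] in ("late", "overdue")]
    return {"counts": counts, "failures": failures, "results": results}


# Constructed sample data, not real scan output.
SAMPLE_RECORDS = [
    PatchRecord("mail-01", "mail server update", True, True,
                datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 2, 12, tzinfo=UTC)),
    PatchRecord("vpn-01", "VPN appliance firmware", True, True,
                datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 4, tzinfo=UTC)),
    PatchRecord("web-01", "reverse proxy", True, False,
                datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 10, tzinfo=UTC)),
    PatchRecord("ws-117", "office suite", False, False,
                datetime(2024, 2, 1, tzinfo=UTC), datetime(2024, 3, 5, tzinfo=UTC)),
    PatchRecord("ws-042", "PDF reader", False, False,
                datetime(2024, 3, 20, tzinfo=UTC), None),
    PatchRecord("web-02", "reverse proxy", True, True,
                datetime(2024, 3, 28, tzinfo=UTC), None),
]
AS_OF = datetime(2024, 4, 1, tzinfo=UTC)

if __name__ == "__main__":
    report = summarise(SAMPLE_RECORDS, AS_OF)
    for r in report["results"]:
        print(f'{r["asset"]:8} {r["software"]:24} {r["elapsed_hours"]:7.1f}h '
              f'of {r["window_hours"]:5.0f}h  {r["status"]}')
    print("counts:", report["counts"])
```

The point of keying the check on the scanner's first-observed timestamp rather than a ticket closure date is that it is the same evidence the assessor will pull: a technician's note that a patch "went out on Friday" does not show when the patched version was actually present on the asset. Note the two failure shapes: vpn-01 was patched but 24 hours past its 48-hour window, and web-02 is still unpatched after the window closed.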

Incomplete MFA coverage is the second most common gap. Organisations enable MFA for primary email accounts but leave VPN connections, remote desktop access, cloud management consoles, or contractor accounts outside the MFA policy. All remote access paths must be covered.

Backup restoration testing is consistently overlooked. Having a backup solution running does not satisfy the ACSC requirement. The control requires that backups are tested for restoration. If no restoration test records exist from within the past three months, the backup control fails at ML1.

Application control scope gaps appear frequently at ML2. Organisations implement application control on workstations (satisfying ML1) but do not extend it to servers, which is required at ML2.

User application hardening failures around web browsers are common. The ACSC requires that web browsers do not process Java or web advertisements from the internet, and that users cannot change browser security settings. Many organisations enforce this through policy on corporate devices but miss personal or shared devices used for work.


How to prepare for your Essential 8 audit

The most effective first step is a gap assessment before the formal audit. Running an automated scan against your Microsoft 365 environment identifies which controls are active and which have gaps, mapped directly to ACSC maturity levels. This removes the discovery phase from your external engagement and gives you a clear remediation list.

Once gaps are identified, prioritise by your target maturity level. An ML1 assessment requires all eight strategies to reach their ML1 threshold. Achieving ML2 on five strategies while three remain at ML1 does not result in an ML2 pass; the overall result is ML1. The ACSC's overall maturity level is the lowest level achieved across all eight strategies.
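The weakest-link rule above (and in the FAQ below) is easy to state and easy to get wrong in a spreadsheet, because levels are cumulative within a strategy as well as minimised across strategies. The following is an added example, not code from the article or from any assessment platform: given, for each of the eight strategies, whether the controls at each maturity level passed, it computes the level per strategy, the overall level, which strategies are holding it down, and what must be closed to reach a target. The input shape, the sample results and the function names are assumptions of the example.

```python
"""Per-strategy and overall Essential Eight maturity from assessment results.

Added example, not from the article or any assessment tool. Input is one
mapping per strategy of maturity level -> whether every control at that
level passed. Levels are cumulative in the model, so a strategy is at ML2
only if both its ML1 and ML2 controls pass; the overall level is the
lowest strategy level.
"""
from typing import Dict, Mapping

# The eight mitigation strategies named in the maturity model.
STRATEGIES = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)

LevelResults = Mapping[int, bool]  # {1: passed?, 2: passed?, 3: passed?}


def strategy_level(passed: LevelResults) -> int:
    """Highest level n such that levels 1..n all pass; 0 if ML1 fails.
    Passing ML2-only checks while an ML1 check fails still yields 0."""
    level = 0
    for ml in (1, 2, 3):
        if not passed.get(ml, False):  # an unassessed level counts as failed
            break
        level = ml
    return level


def overall_maturity(results: Mapping[str, LevelResults]) -> dict:
    """Overall level is the minimum across all eight strategies (weakest link)."""
    missing = [s for s in STRATEGIES if s not in results]
    if missing:  # a strategy that was not assessed cannot be assumed to pass
        raise ValueError(f"strategies not assessed: {missing}")
    levels = {s: strategy_level(results[s]) for s in STRATEGIES}
    overall = min(levels.values())
    blockers = [s for s in STRATEGIES if levels[s] == overall]
    return {"levels": levels, "overall": overall, "blockers": blockers}


def gap_to_target(results: Mapping[str, LevelResults], target: int) -> Dict[str, int]:
    """Strategies below `target`, each with the next level that must be closed."""
    return {
        s: strategy_level(results[s]) + 1
        for s in STRATEGIES
        if strategy_level(results[s]) < target
    }


# Constructed sample: five strategies meet ML2, three stop at ML1.
SAMPLE_RESULTS = {
    "application control":                       {1: True, 2: True, 3: False},
    "patch applications":                        {1: True, 2: True, 3: False},
    "configure Microsoft Office macro settings": {1: True, 2: True, 3: False},
    "user application hardening":                {1: True, 2: True, 3: False},
    "restrict administrative privileges":        {1: True, 2: True, 3: False},
    "patch operating systems":                   {1: True, 2: False, 3: False},
    "multi-factor authentication":               {1: True, 2: False, 3: False},
    "regular backups":                           {1: True, 2: False, 3: False},
}

# Same data, but backup restoration was never tested (an ML1 control),
# even though the ML2-specific backup controls pass.
UNTESTED_BACKUPS = {**SAMPLE_RESULTS, "regular backups": {1: False, 2: True, 3: False}}

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_RESULTS), ("untested backups", UNTESTED_BACKUPS)):
        r = overall_maturity(data)
        print(f"{name}: overall ML{r['overall']}, held down by {r['blockers']}")
        print("  to reach ML2, close:", gap_to_target(data, 2))
```

The second sample is the trap the backup section of this page describes: an organisation that has bought a backup product and locked down access to it (ML2 controls) but never run a restoration test (an ML1 control) scores ML0 on that strategy, and therefore ML0 overall, regardless of how the other seven look.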

Before the audit, collect and organise the evidence your assessor will request: patch logs with timestamps relative to vendor release dates; MFA enablement reports showing all accounts and access paths covered; application control policy exports from your endpoint management platform; backup restoration test records with dates; and log retention evidence.

CYBERWHITE produces audit-ready evidence packages mapped to the ACSC control structure, which reduces the discovery phase for your external assessor. See the CYBERWHITE platform features for what the evidence export covers. For subscription costs, see pricing.

If you are also working toward SMB1001 compliance alongside Essential 8, many controls overlap across the frameworks. A combined gap assessment reduces duplication and lets you close two frameworks simultaneously. For a complete overview of the Essential 8 framework itself, see the Essential 8 compliance guide.


Essential 8 audit FAQ

What is the difference between an Essential 8 audit and a self-assessment?

A self-assessment is your organisation evaluating its own controls using the ACSC guidance or an automated platform. An audit is conducted by an external party who independently tests controls and validates evidence. Self-assessments are the right tool for identifying gaps and tracking progress internally. External audits provide the independent verification that procurement teams, contract managers, and cyber insurers require.


Do I need an IRAP assessor for an Essential 8 audit?

IRAP assessors are required for Australian Federal Government agencies under the Protective Security Policy Framework. Private sector organisations are not required to use IRAP assessors. Any qualified cybersecurity consultant with strong familiarity with the ACSC's assessment methodology can conduct a valid private sector assessment. If you are supplying to federal government, confirm the specific requirement in your contract before engaging an assessor.


How long does an Essential 8 audit take?

For a small organisation with automated scanning evidence already prepared, an assessor may complete the engagement in two to three days. For a larger environment without pre-prepared evidence, expect one to two weeks. Organisations that run an automated gap assessment and prepare their evidence package before the formal audit typically spend significantly less time in the external engagement.


How often should an organisation get an Essential 8 audit?

The ACSC does not mandate a specific audit frequency for private sector organisations. Annual assessments are standard for organisations holding government contracts. At ML3, the ACSC requires certain controls, including the application control allowlist, to be reviewed at least annually, which makes an annual audit the practical cadence for ML3-level organisations.


What happens if I fail an Essential 8 audit?

The assessor documents the gaps and records the maturity level actually achieved. You remediate the gaps and arrange a re-assessment. There is no expiry date on the finding; the assessment reflects your posture at the time of assessment. Contracts that require a specific maturity level accept a new assessment report once you have reached it.


Can an organisation be at different maturity levels for different strategies?

Yes, individual strategies can sit at different levels. However, your overall maturity level is determined by the lowest level achieved across all eight strategies. If seven strategies are at ML2 but one remains at ML1, your overall assessed maturity is ML1. This weakest-link rule is the most important structural fact to understand when planning your audit preparation.


Is automated scanning evidence sufficient to pass an audit?

Automated scanning evidence is a useful starting point for assessors, not a substitute for independent testing. Assessors use scan results to guide their own technical checks. Platforms that produce ACSC-aligned evidence packages with timestamps and control-by-control detail reduce the assessor's workload and typically result in a shorter, less expensive engagement.


What is the most common reason organisations fail their first Essential 8 audit?

Patch timing failures are the most frequent cause at both ML1 and ML2. The ACSC requires patches for vulnerabilities in internet-facing services to be applied within two weeks of release, or within 48 hours if an exploit exists. Most organisations patch regularly but cannot produce evidence demonstrating the patches were applied within that specific window. Automated scan records with timestamps are the evidence assessors rely on.


How much does an Essential 8 audit cost in Australia?

Consulting-led Essential 8 audits vary based on environment size, target maturity level, and the depth of technical testing. The ACSC does not publish a fee schedule. CYBERWHITE is a subscription-based platform that helps organisations prepare for audit by identifying and closing gaps before the formal engagement. See pricing for current subscription costs.


Does passing an Essential 8 audit mean my organisation is fully protected?

Essential 8 compliance reduces your exposure to a defined set of attack categories. ML1 addresses opportunistic threats. ML3 addresses well-resourced, targeted attackers. The ACSC does not claim compliance eliminates all cyber risk. It means you have implemented the controls the Australian Signals Directorate considers most impactful for reducing the probability and impact of the most common attack types. See the Essential 8 compliance guide for a full breakdown of what each maturity level covers.

Ready to assess your compliance?

CYBERWHITE helps Australian businesses reach Essential 8 and SMB1001 audit-readiness faster. Start with our free 5-minute assessment.