ACSC ESSENTIAL 8 GUIDE
Essential 8 Compliance: Your 2026 Guide for Australian Businesses
The Australian Cyber Security Centre's Essential 8 is the country's baseline cybersecurity framework. This page explains what compliance actually requires, the three maturity levels, the eight mitigation strategies in plain English, and how Australian businesses become audit-ready faster.
Australian Owned and Operated. ABN 31 598 198 475. DSI SMB1001 Licensed Commercial Holder.
What is Essential 8 compliance?
Essential 8 compliance means your organisation has implemented and can continually demonstrate the eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) at a specified Maturity Level. The framework is the official cybersecurity baseline for the Australian Federal Government and is widely adopted across state government, critical infrastructure, and the private sector.
The eight strategies were chosen by the ACSC because, together, they mitigate the majority of cyber attack techniques observed in the Australian threat landscape. They are deliberately focused on technical, measurable controls rather than broad policy statements, which makes Essential 8 unusually practical compared to many international frameworks.
Compliance is not a single yes-or-no flag. Each of the eight strategies is assessed at one of three Maturity Levels (ML1, ML2, or ML3), and your overall maturity is determined by the lowest-performing strategy. This means achieving Essential 8 compliance is less about ticking a single box and more about raising every strategy to the same level.
For Australian businesses, Essential 8 compliance signals that you take cybersecurity seriously to government customers, enterprise buyers, insurers, and regulators. Increasingly, it is becoming a prerequisite for winning government contracts and for maintaining cyber insurance coverage.
Who needs to be Essential 8 compliant?
Mandatory
All Australian Federal Government non-corporate Commonwealth entities must achieve Maturity Level 2 or higher across all eight strategies. Many federal contractors are required to demonstrate the same level to win or renew contracts.
Strongly Recommended
State and territory government agencies. Australian businesses bidding on government contracts. Critical infrastructure operators under the SOCI Act. Organisations holding cyber insurance.
Practical for Most SMBs
Any Australian business that wants a defensible cybersecurity posture, that sells into government or enterprise, or that needs to satisfy customer security questionnaires. Most Australian SMBs target Maturity Level 1 as their starting point.
MSPs and Consultants
Managed Service Providers delivering security services to Australian SMBs find Essential 8 a natural offering because they already manage their clients' Microsoft 365 and Azure environments where most of the controls live.
The eight mitigation strategies you must implement
Each strategy addresses a distinct category of attack technique. The order below reflects the ACSC's grouping of the eight strategies.
1. Application control
Restricts which executables, libraries, scripts, and installers can run on workstations and servers. The goal is to stop malicious or unauthorised software from executing in the first place. At ML1 this usually means whitelisting approved applications on user devices. At ML2 the same control extends to all workstations and servers with cryptographic verification. At ML3 it covers all endpoints with stringent driver and script blocking.
2. Patch applications
Keeps internet-facing applications, office productivity suites, web browsers, email clients, and PDF software up to date. Most successful cyber attacks exploit vulnerabilities for which a patch has been available for months. ML1 requires patching within 48 hours for critical vulnerabilities on internet-facing services and within two weeks for others. ML2 and ML3 tighten these windows considerably and add vulnerability scanning requirements.
3. Configure Microsoft Office macro settings
Disables macros for users who do not need them and restricts the macros that are allowed to run to those that are digitally signed by a trusted publisher. Office macros remain a common phishing payload, so reducing the attack surface here pays off immediately. ML1 disables macros by default with user opt-in. ML2 only allows trusted macros to execute. ML3 disables macros entirely for users who do not have a business need.
4. User application hardening
Configures web browsers, email clients, office applications, and PDF readers to block risky features such as Flash, advertisements from untrusted sources, Java in the browser, and embedded objects. This reduces the surface that drive-by attacks can land on. ML1 disables the most common risky features in browsers and Office. ML2 and ML3 extend the scope to email clients, PDF readers, and Microsoft Office macros embedded in untrusted documents.
5. Restrict administrative privileges
Limits who has elevated access, requires separate accounts for administrative work, and ensures administrative accounts cannot browse the web or read external email. Compromised admin accounts give attackers a near-total foothold, so this control has outsized impact. ML1 requires identifying admin accounts and preventing them from being used for general productivity tasks. ML2 adds privileged-access workstations. ML3 adds Just-In-Time admin access with approval workflows.
6. Patch operating systems
Same logic as patch applications, but for the operating systems themselves across servers and end-user devices. ML1 mandates patching critical vulnerabilities within 48 hours on internet-facing services and within one month elsewhere. ML2 tightens those windows and adds operating-system vulnerability scanning. ML3 requires automated patch deployment with verification.
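As an added illustration (not code from this page or from CYBERWHITE), the following Python checks a constructed list of vulnerability findings against the ML1 patching windows stated above for strategies 2 and 6. It assumes "one month" means 30 days and that each finding carries "critical" and "internet-facing" flags.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    asset: str
    kind: str                     # "app" (strategy 2) or "os" (strategy 6)
    critical: bool
    internet_facing: bool
    discovered: datetime
    patched: Optional[datetime]   # None means still unpatched


def ml1_window(f: Finding) -> timedelta:
    """ML1 window as stated on the page: 48 h for critical vulnerabilities on
    internet-facing services; otherwise two weeks for applications and
    one month (assumed here to be 30 days) for operating systems."""
    if f.critical and f.internet_facing:
        return timedelta(hours=48)
    return timedelta(days=14) if f.kind == "app" else timedelta(days=30)


def evaluate(findings: List[Finding], now: datetime) -> Dict[str, List[str]]:
    """Bucket each asset: 'within_window' (patched in time, or unpatched but not yet
    due), 'late' (patched after the deadline) or 'overdue' (unpatched and past due)."""
    result: Dict[str, List[str]] = {"within_window": [], "late": [], "overdue": []}
    for f in findings:
        deadline = f.discovered + ml1_window(f)
        if f.patched is None:
            bucket = "overdue" if now > deadline else "within_window"
        else:
            bucket = "late" if f.patched > deadline else "within_window"
        result[bucket].append(f.asset)
    return result


def ml1_patching_met(findings: List[Finding], now: datetime) -> bool:
    """Strategies 2 and 6 are only at ML1 when nothing is late or overdue."""
    r = evaluate(findings, now)
    return not r["late"] and not r["overdue"]


# Constructed sample findings (not real assets) assessed at a fixed point in time.
NOW = datetime(2026, 3, 10, 9, 0)
SAMPLE = [
    Finding("web-01", "app", True, True, datetime(2026, 3, 8, 10, 0), datetime(2026, 3, 9, 8, 0)),
    Finding("web-02", "app", True, True, datetime(2026, 3, 6, 10, 0), None),
    Finding("ws-07", "app", False, False, datetime(2026, 2, 1), datetime(2026, 2, 20)),
    Finding("srv-03", "os", False, False, datetime(2026, 2, 20), None),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW), ml1_patching_met(SAMPLE, NOW))
```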
7. Multi-factor authentication
Requires a second factor (something you have, something you are) beyond a password before granting access. It is the single most effective control against credential theft. ML1 requires MFA for privileged users and remote users. ML2 extends MFA to all users authenticating to important data repositories. ML3 requires phishing-resistant MFA (FIDO2 hardware keys or equivalent) across every authentication event.
8. Regular backups
Performs automated, tested backups of important data and configuration settings, with retention periods that allow recovery from ransomware that may go undetected for weeks. ML1 requires daily backups with restoration tested annually. ML2 adds quarterly restoration testing and protections that prevent unprivileged users from modifying or deleting backups. ML3 adds immutable backups and tighter recovery-time objectives.
The three Maturity Levels explained
Each strategy is assessed independently against one of three Maturity Levels. Your overall maturity is determined by the lowest-performing strategy.
ML1
Foundational
Defends against general opportunistic threats using commodity tradecraft. Appropriate for most Australian SMBs as a starting baseline. Achievable in 60 to 120 days for a typical Microsoft 365 environment.
ML2
Intermediate
Defends against more capable threats using publicly available tools and techniques. Required for Federal Government non-corporate entities. Typical target for businesses bidding on government contracts. Adds 90 to 180 days beyond ML1 for most organisations.
ML3
Advanced
Defends against capable, well-resourced, targeted attackers including nation-state actors. Typically reserved for high-value Federal contractors, Defence Industry Security Program members, and critical infrastructure operators. Requires significant investment in tooling and operational discipline.
How long does Essential 8 compliance take?
Timelines vary based on your starting position, the size of your environment, and whether you take a consulting-led, in-house, or platform-led approach. The following ranges reflect what we see across Australian SMBs.
ML1
60 to 120 days
Faster if your Microsoft 365 environment is already reasonably configured.
ML2
+90 to 180 days
Beyond ML1. Adds privileged access workstations and tighter patching windows.
ML3
+6 to 12 months
Beyond ML2. Significant operational and tooling investment required.
Automated platforms compress these timelines by handling continuous discovery, prioritisation by attack-pattern severity, and one-click remediation applied directly through Microsoft Graph. Customers using CYBERWHITE typically reach ML1 in roughly half the time of a consulting-led implementation.
How CYBERWHITE accelerates Essential 8 compliance
CYBERWHITE is an Australian-built compliance platform purpose-built for Essential 8, SMB1001, SOC 2, and NIST AI RMF. We focus on the controls Australian SMBs and MSPs actually need to satisfy.
Automated scanning across all eight strategies
Our compliance agent connects to your Microsoft 365 tenant with read-only least-privilege scopes and assesses your environment against every Essential 8 control at ML1 and ML2. No more spreadsheets, no more guesswork.
149 AutoFix actions for one-click remediation
Where a control gap can be closed via Microsoft Graph, AutoFix can deploy the change with your approval. Snapshot, execute, verify, and roll back if needed. You retain full control of what gets deployed in your environment.
CARS algorithm prioritises what to fix first
Our patent-pending CyberWhite Adaptive Risk Scoring algorithm ranks every gap by attack-pattern severity weighted to your environment. You always know what to fix next, not just what is broken.
Audit-ready evidence on demand
Every scan, every remediation, every approval is logged. Export an audit pack in minutes when an assessor, customer, or insurer asks for evidence. No more scrambling at the last minute.
Frequently asked questions
Is Essential 8 mandatory in Australia?
Essential 8 is mandatory for all Australian Federal Government non-corporate Commonwealth entities at Maturity Level 2 or higher. State governments often require it for contractors. For private sector businesses it is not legally mandatory but is strongly recommended by the Australian Cyber Security Centre and is frequently required by enterprise customers and insurers.
How long does Essential 8 compliance take to implement?
Most Australian businesses reach Maturity Level 1 within 60 to 120 days, depending on the size of their environment and how mature their existing security controls are. Reaching Maturity Level 2 typically adds another 90 to 180 days. Automated platforms such as CYBERWHITE compress this timeline by handling discovery, prioritisation, and one-click remediation across Microsoft 365 and Azure.
What is the difference between Essential 8 ML1, ML2, and ML3?
The Maturity Levels represent the sophistication of attackers your environment can resist. ML1 defends against general opportunistic threats. ML2 defends against more capable threats that use general tools and techniques. ML3 defends against capable, well-resourced, targeted attackers including nation-states. Most SMBs target ML1 or ML2; ML3 is generally reserved for high-value government contractors.
How much does Essential 8 compliance cost?
Costs vary widely based on the scope of your environment and whether you do the work in-house, with a consultant, or with an automated platform. Consulting-led implementations typically range from AUD 25,000 to AUD 150,000+ for an SMB. Platform-led approaches such as CYBERWHITE start at a fraction of that, with monthly subscriptions that include ongoing scanning, prioritised remediation, and audit-ready evidence collection.
Can MSPs deliver Essential 8 compliance to their clients?
Yes. Managed Service Providers are one of the most efficient channels for delivering Essential 8 because they already manage their clients' Microsoft 365 and Azure environments. CYBERWHITE provides a dedicated MSP platform for delivering Essential 8 at scale across multiple client tenants.
What is the difference between Essential 8 and ISO 27001?
Essential 8 is a focused set of eight specific technical mitigation strategies developed by the Australian Cyber Security Centre. ISO 27001 is an international information security management standard covering organisational policies, risk processes, and controls across a much broader scope. Essential 8 is more technically prescriptive; ISO 27001 is more management-system focused. Many businesses pursue both.
Does Essential 8 cover cloud workloads?
Yes. The eight strategies apply equally to cloud and on-premises systems. CYBERWHITE focuses on Microsoft 365 and Azure environments because they represent where most Australian SMBs run their workloads, and where most Essential 8 misconfigurations are concentrated.
Is Essential 8 enough to satisfy SOC 2 requirements?
Essential 8 covers many of the technical controls that SOC 2 auditors look for, but SOC 2 also requires organisational policies, vendor management, change management, and ongoing monitoring evidence that go beyond Essential 8. Many CYBERWHITE customers use Essential 8 as their starting baseline and then layer SOC 2 readiness on top.
How is Essential 8 different from SMB1001?
SMB1001 is the Australian DSI framework specifically built for small and medium businesses. It is simpler and more accessible than Essential 8 and is graduated across four levels. Many Australian SMBs start with SMB1001 and then progress to Essential 8 maturity once their basic security hygiene is in place. CYBERWHITE supports both, with native automated assessment for each.
Where can I assess my current Essential 8 maturity?
You can run a free Essential 8 maturity assessment on the CYBERWHITE platform that examines your Microsoft 365 environment and returns a maturity score across all eight strategies plus a prioritised gap-closure plan.