The ACSC Essential Eight
Eight controls. Four maturity levels. One continuous loop.
The Australian Cyber Security Centre's Essential Eight is the control set almost every serious conversation about Australian SME cybersecurity ends up referencing. This is our plain-English map: what each control does, which maturity level you should be aiming for, and what CCP actually does to get you there and hold you there.
What the Essential Eight is
A prioritised list of eight mitigations that stop most Australian SME attacks.
Published and maintained by the Australian Signals Directorate's ACSC. The eight controls aren't the only things that matter in cybersecurity, but in 2026 they are the lingua franca: insurers score against them, larger clients ask about them, regulators reference them, and every serious cyber-incident post-mortem maps back to one or more of them.
We map our services against this framework deliberately, because it's the one our clients are being asked about.
Go to the source
Authoritative ACSC documentation.
Our pages are a plain-language guide; the canonical definitions live with the ACSC. If you're producing evidence for a regulator, quote from these.
- Essential Eight Maturity Model (ACSC)
The canonical control definitions and ML1/ML2/ML3 requirements.
- Essential Eight Explained (ACSC)
ACSC's own plain-language introduction to the eight mitigation strategies.
- Essential Eight Assessment Process Guide (ACSC)
How the ACSC expects Essential Eight assessments to be conducted, if you are running one formally.
The eight controls
The eight controls: application control, patching applications, Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups.
Application control
Only letting approved programs run on your computers. Everything else is blocked by default.
Patch applications
Keeping your software up to date so it has the latest security fixes.
Configure Microsoft Office macro settings
Stopping the little automation scripts inside Word and Excel from running unless they're from a trusted source.
User application hardening
Turning off features in web browsers and Office that attackers commonly abuse.
Restrict administrative privileges
Making sure only the people who need admin rights have them, and only when they need them.
Patch operating systems
Keeping Windows, macOS, Linux and your server operating systems up to date.
Multi-factor authentication
Requiring something more than a password to log in (a code, a key, an app).
Regular backups
Keeping copies of your important data somewhere safe, and regularly testing that you can actually restore them.
Maturity levels
Essential Eight maturity levels ML0 to ML3: what each covers and which to aim for.
Four levels run from ML0 to ML3. Overall maturity is scored against your weakest control, not averaged. Pick the lowest level that satisfies the people auditing you and the people whose data you hold, plus a small margin.
- ML0
Partial or missing controls, no documented evidence. Where most mid-market Australian businesses sit before they've been assessed properly. ML0 is never a goal; the conversation is always about a realistic path to ML1 or above.
- ML1
Controls that stand up to publicly available adversary tradecraft. Right for businesses that don't hold materially sensitive client information. The baseline most cyber-insurance renewals and standard vendor-security audits now expect.
- ML2
Controls tuned against more capable adversaries, with real isolation of privileged access and proper evidence trails. Right for law, finance, health and regulated services. This is where CCP lives and breathes.
- ML3
Depth, centralised logging of privileged activity, hardware-backed credential protection, continuous validation. Built for defence-adjacent work, classified-information environments, and enterprises large enough to attract a dedicated threat actor.
Which level should you aim for?
Three questions will get you the right answer.
The recommended target for each business profile, in longer form:
- ML1
Your business holds no data that, if breached, would meaningfully harm the people you serve. A breach costs you operationally but doesn't land other people in trouble. Most trades, light retail, logistics, marketing and professional services without privileged client data sit here. Our standard Managed IT Complete stack is designed to hold this level without you having to think about it.
- ML2
You hold information whose exposure would do real harm to your clients, patients, donors or counterparties. Law firms, financial services, accounting, health and allied-health, education, not-for-profits with beneficiary data, conveyancers. This is CCP's native target: our Managed IT Complete plus Compliance stack is built to reach ML2 and hold it.
- ML3
You handle classified or highly sensitive information under a specific obligation: defence supply chain, top-secret work, critical-infrastructure operators. If you're wondering whether ML3 applies, it almost certainly doesn't; the parties who need ML3 have been told so in writing.
- ML0
Not a target, a starting point. If an honest assessment puts you here, the conversation is about a realistic path to ML1, ML2 or ML3, whichever profile above matches your business.
Free self-assessment
Score yourself. Get a branded PDF.
Eight questions, your estimated maturity level, a report you can share.
Short self-assessment you can run yourself. Answer honestly for where you sit today and download a CCP-branded PDF report you can share with your board, broker or auditor. Runs entirely in your browser. No email required, nothing sent to us unless you choose to book a call.
Take the self-assessment
How CCP helps you get there
Assess. Gap-analyse. Plan. Uplift. Review. Repeat.
Maturity isn't a one-shot project. It's a continual-improvement loop: start where you are, close the gaps to the next level, hold the line, then do it again.
- 01
Assess where you actually sit.
A written, honest audit of the environment against the ACSC criteria, control by control. You get a current-state posture rating for each of the eight controls and a single overall maturity level that reflects the weakest among them.
- 02
Run the gap analysis against the next level.
For each control that isn't yet at your target level, we document the specific gap, the work required to close it, the cost, the timeframe, and the business-disruption expectation.
- 03
Build a sequenced plan, with you in the room.
Controls that underpin other controls go first. Controls that need staff cooperation are timed around the business calendar. The plan is written so your board, insurer and auditor can read it without a translator.
- 04
Deliver the uplift with the team that runs your IT.
No handoff from strategy to execution. The same senior-led team that runs your day-to-day environment delivers the uplift projects, absorbing most of the work into existing services.
- 05
Validate, then hold the line, then move up.
Reaching a level is one thing; holding it through staff changes and vendor drift is another. Our Technology Success Program reviews Essential Eight posture quarterly and flags drift before it becomes a downgrade.
Common questions
What business owners actually ask about the Essential Eight.
For questions about a specific control (macros, backups, MFA, etc.), see that control's page.
- Is Essential Eight ML1 enough for my business?
- For most mid-market Australian businesses without specific regulatory obligations, ML1 is a reasonable first target and a fair answer to most insurance questionnaires in 2026. If you're in financial services under APRA, a defence supply chain, an RTO with ASQA obligations, or a mid-tier law firm with corporate-client audits, expect the bar to keep moving toward ML2 over the next 24 months.
- Who actually audits Essential Eight compliance?
- The ACSC does not audit private-sector Essential Eight compliance. Your auditors are effectively: your cyber insurance broker (via the renewal questionnaire), your larger corporate clients (via their vendor-security processes), and increasingly your sector regulator (APRA, ASIC, Law Society, ASQA). Each uses their own scoring, but the Essential Eight is the common language underneath.
- How does the Essential Eight map to our cyber insurance questionnaire?
- It maps closely but imperfectly. Most Australian cyber insurance renewal questionnaires now cover the same concepts (MFA coverage, patch cadence, privileged access, backups, training) and often reference the Essential Eight directly. Your broker will score against their own criteria, but an ML1 business typically clears a renewal questionnaire without flagging red issues. We've filled in enough of these to know which questions and answers actually move the premium and which don't.
- Do we have to do all eight controls, or can we pick?
- The Essential Eight is scored as a package. Your overall maturity is the weakest control, not the average. Being ML2 on seven controls and ML0 on one means you're at ML0 overall. That's deliberate: the controls are designed to work together, and attackers go through the weakest one.
- Can you give us a rough budget and timeline for the ML0 to ML1 move?
- It depends on your starting posture and environment size, but a typical mid-market business we haven't worked with before sits somewhere in the mid-ML0 range on assessment, and reaches ML1 within 90 to 180 days of deliberate work. For clients already on our Managed IT Complete stack, ML1 is usually a posture we maintain by default, not a separate project.
The qualifier
Let's see if we're a fit.
Seven questions, one moment of your time. We'd rather tell you now than three months in.