The Essential Eight

The Essential Eight is always evolving

Historically, the Essential Eight was designed only for Microsoft Windows-based systems, not for cloud services or other environments.

Over time separate guidance has been issued for other environments such as Linux.

The Essential Eight does not require certification (unlike, for example, ISO 27001), but it may be assessed by a regulatory or contracting authority. Examples include the DISO cyber audit vetting team reviewing your Essential Eight strategy and implementation, or the Department of Premier and Cabinet requesting an audit before your business tenders for or delivers an eServices contract.

The Essential Eight is not the be-all and end-all.
It is eight of the 37 Strategies to Mitigate Cyber Security Incidents, each mapped to ISM controls. It is a strong baseline to start from, not a complete security program.

The Essential Eight has three maturity levels, plus Maturity Level Zero for organisations that do not meet Level One.
A general (but not definitive) guide to the three levels:
Maturity Level 1 - suitable for the majority of SMEs
Maturity Level 2 - suitable for enterprises (for example 200-300 users)
Maturity Level 3 - suitable for critical infrastructure


ML3 is important because it aligns with recent legislation, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.

When deciding which maturity level a business should target, remember that only a single overall rating is applied: the overall level is the lowest level reached across the eight strategies. If you meet ML2 in seven of the eight strategies but only ML1 in the eighth, you are assessed as ML1.