The ASD Essential Eight for Australian SMEs: a practical 2026 guide
May 4, 2026
The Australian Signals Directorate's Essential Eight is the country's de facto baseline cybersecurity maturity standard. It defines eight technical controls that mitigate the most common cyber attacks against Australian organisations, with three maturity levels from "starting point" to "advanced." For Australian SMEs, hitting Maturity Level 1 across all eight controls typically requires moderate investment and addresses the bulk of practical cyber risk. Maturity Level 1 is also increasingly the threshold at which cyber insurance becomes available at reasonable rates and government and large enterprise contracts become winnable.
Key facts
- The Essential Eight is published by the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) and is freely available at cyber.gov.au.
- Three maturity levels: ML1 (mitigates adversaries with basic capabilities), ML2 (mitigates adversaries with moderate capabilities), ML3 (mitigates state-sponsored adversaries).
- ML1 is the baseline expectation for most Australian SMEs in 2026.
- The eight controls: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups.
- Federal government non-corporate Commonwealth entities are required to implement Maturity Level 2 as a minimum.
- Most Australian cyber insurers and large enterprise customers reference Essential Eight in their vendor due diligence processes.
What is the Essential Eight?
The Essential Eight is a set of eight prioritised mitigation strategies developed by the ASD's Australian Cyber Security Centre. The strategies were originally distilled from the Top 35 Strategies to Mitigate Cyber Security Incidents and represent the controls ASD considers most effective against common cyber attack patterns.
The Essential Eight was originally published in 2017 and has been refined multiple times since, including the introduction of the Maturity Model in 2018 and significant revisions through 2022 and 2023 to address contemporary threats. The current version focuses on Microsoft Windows-based environments, though most controls have direct equivalents in Mac, Linux, and cloud-native contexts.
The eight controls cover three categories: prevent malicious code execution (application control, patch applications, configure macros, user application hardening), limit the extent of incidents (restrict admin privileges, patch operating systems, MFA), and recover data and system availability (regular backups). Together, they address the most common entry points and lateral movement techniques used in real-world attacks.
What are the eight controls?
Each of the eight controls has specific Maturity Level requirements. The summary below covers what ML1 looks like for an Australian SME.
1. Application control. Block executable files, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets from running on workstations and servers. ML1 typically uses Microsoft AppLocker, Windows Defender Application Control, or third-party tools like AirLock or ThreatLocker.
2. Patch applications. Identify missing patches and update applications, particularly internet-facing ones, within strict timeframes. ML1 requires patching exploitable vulnerabilities in internet-facing applications within two weeks (or 48 hours if exploit code exists), and other applications within one month.
3. Configure Microsoft Office macro settings. Block macros from the internet, validate macros only from trusted locations, and disable macros for users that don't need them. Macro-based attacks remain a significant vector, particularly for Australian SMEs where Microsoft Office is ubiquitous.
4. User application hardening. Web browsers are configured to block ads, Java, Flash (now legacy), and other unnecessary features that introduce risk. Microsoft Office is configured to block OLE packages and similar high-risk content. PDF readers are configured to block JavaScript.
5. Restrict administrative privileges. Privileged accounts are limited to specific tasks, kept separate from everyday user accounts, and protected with strong authentication. Domain admins shouldn't browse the web or read email. Standard users shouldn't have local admin rights on their workstations.
6. Patch operating systems. Same approach as patching applications: identify, test, and apply OS patches within strict timeframes based on severity and exploit availability. For SMEs, Microsoft Intune or Windows Autopatch handles this for managed Windows fleets.
7. Multi-factor authentication. MFA on remote access (VPN, RDP), privileged accounts, important data repositories, and external services accessing sensitive data. ML1 expects MFA on the obvious accounts; ML2 and ML3 expand the scope.
8. Regular backups. Backups of important data, software, and configuration settings; backups stored offline, online, or remotely; backups tested for integrity and accessibility. Recovery testing is the bit most SMEs skip and most regret skipping.
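The ML1 patching windows in control 2 (two weeks for internet-facing applications, 48 hours if exploit code exists, one month for everything else) are easy to state and easy to lose track of across a fleet. The script below, added here as an illustration and not taken from ASD or 4iT, turns those windows into a deadline per patch and classifies each one as compliant, late, open or overdue. The inventory is constructed sample data, and "one month" is taken as 30 days, which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PatchRecord:
    app: str
    released: datetime                  # when the vendor published the fix
    internet_facing: bool               # exposed to the internet (VPN gateway, web portal, ...)
    exploit_public: bool                # working exploit code is known to exist
    applied: Optional[datetime] = None  # when the patch was installed, if at all

def ml1_deadline(rec: PatchRecord) -> datetime:
    """Latest acceptable install time under the ML1 application-patching windows."""
    if rec.internet_facing:
        window = timedelta(hours=48) if rec.exploit_public else timedelta(days=14)
    else:
        window = timedelta(days=30)     # "one month", taken as 30 days (assumption)
    return rec.released + window

def patch_status(rec: PatchRecord, now: datetime) -> str:
    """open/overdue for unapplied patches, compliant/late for applied ones."""
    deadline = ml1_deadline(rec)
    if rec.applied is None:
        return "open" if now <= deadline else "overdue"
    return "compliant" if rec.applied <= deadline else "late"

def assess(records, now: datetime) -> dict:
    return {r.app: patch_status(r, now) for r in records}

# Constructed sample inventory (not real data); NOW is fixed so the result is reproducible.
NOW = datetime(2026, 5, 4, 9, 0)
SAMPLE = [
    PatchRecord("vpn-gateway", datetime(2026, 5, 1, 9, 0), True, True),                   # 48h window passed
    PatchRecord("web-portal", datetime(2026, 4, 28), True, False, datetime(2026, 5, 3)),    # inside 14 days
    PatchRecord("accounting", datetime(2026, 3, 20), False, False, datetime(2026, 4, 25)),  # 30-day window missed
    PatchRecord("pdf-reader", datetime(2026, 4, 20), False, True),                         # not internet-facing: 30 days
]

if __name__ == "__main__":
    for app, status in assess(SAMPLE, NOW).items():
        print(f"{app:12} {status}")
```

Note that the pdf-reader entry stays on the 30-day window even though exploit code exists, because the 48-hour rule described above applies only to internet-facing applications.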
Why does Maturity Level 1 matter for SMEs?
Three reasons.
It's the practical security floor. An SME at ML1 has addressed the bulk of common cyber attacks. The remaining gap to ML2 and ML3 is mostly diminishing returns for typical SME threat models. ML1 is enough to make your business a substantially harder target than the unhardened SME next door.
Cyber insurance and customer contracts. Most Australian cyber insurers map their underwriting questions to Essential Eight controls. Hitting ML1 typically unlocks reasonable cyber cover at standard premiums; below ML1, cover gets expensive or unavailable. Government and large enterprise customers increasingly require ML1 or ML2 attestation in vendor due diligence.
Regulatory alignment. The Essential Eight aligns with the "reasonable steps" expectation under the Privacy Act's APP 11. An SME implementing ML1 has documented evidence of technical and organisational measures meeting current security standards, which materially helps if the OAIC investigates after a breach.
What does it actually cost an SME to hit Maturity Level 1?
For most Australian SMEs already on Microsoft 365, the cost is moderate. The bulk of ML1 controls are achievable using tools the organisation already pays for: Microsoft Intune for endpoint management, Microsoft Defender for application control, Microsoft Entra for MFA, Microsoft 365 backup for SaaS data backup. The investment is mostly configuration and process, not new license fees.
For SMEs with mature M365 Business Premium or E3/E5 subscriptions, achieving ML1 typically takes 2-4 months of configuration work, mostly focused on application control rollout, macro policy, OS patching cadence, and user application hardening. Costs are mostly internal time or partner advisory fees, with some hardware refresh for older Windows fleets that don't support modern controls.
For SMEs not yet on M365 Business Premium or with older or third-party stacks, the investment is higher: M365 license uplift (around AU$30 per user per month for Business Premium), implementation work, and potentially new tools for areas the existing stack doesn't cover.
How do you actually implement Essential Eight?
Three phases over 3-6 months for a typical SME.
Phase 1: Assess and prioritise (weeks 1-2). Document current state against each of the eight controls. Identify the largest gaps. ASD provides a free Essential Eight Maturity Model document with detailed criteria. Many SMEs find that MFA, patching, and backup are partially in place; application control, macro settings, and admin privilege restrictions are typically the bigger gaps.
Phase 2: Implement quick wins (weeks 3-8). Roll out MFA where it's missing, document patching cadence, configure Microsoft Office macro policy, restrict local admin rights on user workstations. These are high-value controls that don't require new tools or major workflow changes.
Phase 3: Implement structural changes (weeks 9-24). Application control rollout (most disruptive, needs careful change management), backup architecture upgrade for ML1 compliance (immutable backup target, restore testing), user application hardening across browsers and PDF readers. These changes affect daily workflows and need staged rollout.
Ongoing: Maintain and measure. Quarterly review of patching compliance, monthly review of application control exceptions, biannual restore testing, annual maturity reassessment. Essential Eight isn't a project that finishes; it's a baseline that needs maintenance.
Frequently asked questions
What is the ASD Essential Eight?
The Essential Eight is a set of eight prioritised cybersecurity mitigation strategies developed by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). The eight controls cover application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. The framework includes three maturity levels from ML1 (basic) to ML3 (advanced).
Is Essential Eight mandatory for Australian businesses?
Federal government non-corporate Commonwealth entities are required to implement Maturity Level 2 as a minimum. For private sector businesses, Essential Eight is not legally mandatory, but it is the de facto baseline referenced in cyber insurance underwriting, government and large enterprise vendor due diligence, and "reasonable steps" assessments under the Privacy Act's APP 11.
What is the cost of implementing Essential Eight Maturity Level 1?
For an Australian SME already on Microsoft 365 Business Premium or higher, achieving ML1 typically costs minimal additional license fees but requires 2-4 months of configuration and process work, with some hardware refresh for older Windows fleets. For SMEs not yet on suitable M365 plans, the cost is higher (license uplift plus implementation), typically AU$15,000-50,000 for a 30-50 person SME end-to-end.
Should an SME aim for Maturity Level 1, 2, or 3?
For most Australian SMEs, ML1 is the right target. ML2 is reasonable for SMEs handling sensitive data, government contracts, or operating in regulated industries. ML3 is largely an enterprise concern (defence contractors, critical infrastructure, large financial services) and generally over-engineered for typical SME threat models. Cyber insurance preferential rates often kick in at ML2.
How does Essential Eight compare to ISO 27001 or NIST CSF?
Essential Eight is narrower and more prescriptive than ISO 27001 or NIST CSF. ISO 27001 is a comprehensive information security management system standard with formal certification; NIST CSF is a US framework with broader risk management focus. Essential Eight focuses specifically on technical controls against common attacks. For Australian SMEs, Essential Eight is typically the practical starting point; ISO 27001 makes sense when customers or contracts require it.
If you'd like a hand running an Essential Eight maturity assessment, building a practical roadmap to Maturity Level 1, or implementing the technical controls (application control, patching cadence, MFA, immutable backups), we can run an Essential Eight readiness review tailored to where your SME sits today.
About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including Essential Eight assessments, MFA and patch management, application control, and compliance for SMEs servicing government or regulated clients, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.