ASD Essential Eight readiness checklist (free)

Use this free ASD Essential Eight readiness checklist to gauge your cyber security maturity across all eight mitigation strategies. Select Yes / Partial / No for each item — we’ll calculate your score by domain and generate a PDF you can use in risk discussions, audit prep and uplift planning.

What this covers

All eight ASD Essential Eight strategies: Application Control, patching, macros, user application hardening, admin privileges, OS patching, MFA and backups — mapped to practical, evidence-ready questions.

How scoring works

Select Yes = 2, Partial = 1, No = 0 for each item. We calculate an overall readiness score plus a domain-by-domain breakdown.

Free PDF output

Download a free, branded PDF readiness report with a score dial, domain bars, top gaps and detailed responses. Your details are sent via a secure AWS endpoint and used only to share the report and relevant security, privacy and AI governance updates.


Application Control

Allow-lists for approved executables, libraries, scripts and MSI.

Only approved applications and code should be allowed to run to prevent malware and unauthorised software.
Examples:
  • Microsoft Defender Application Control (WDAC) or AppLocker policies enforcing allow-listing.
  • Coverage includes executables, DLLs, scripts (PowerShell, JS, VBS) and installers (MSI).
  • Policies applied to both workstations and servers where feasible.
Allow new software through controlled, auditable approval rather than broad exceptions.
Examples:
  • Rules allowing signed code from approved publishers.
  • Formal change/exception approval process for new applications.
  • Testing and promotion workflow from audit to enforced mode.
Blocked executions should be logged, reviewed and used to refine allow-lists.
Examples:
  • Centralised collection of AppLocker/WDAC events in Sentinel or SIEM.
  • Documented review cadence (e.g., weekly during rollout, monthly ongoing).
  • Evidence of tuning actions taken based on logs.

Patch Applications

Timely patching of Internet-facing and high-risk apps.

High-risk applications must be patched quickly to reduce exposure to exploits.
Examples:
  • Defined patch SLAs (e.g., critical within 48 hours).
  • Automated patching via Intune, Defender, or third-party tools.
  • Reports showing compliance for browsers, PDF readers and email clients.
You must know what applications exist and which ones present the highest risk.
Examples:
  • Application inventory including version, owner and business criticality.
  • Risk classification highlighting internet-facing or privileged apps.
  • Process for onboarding and retiring applications.
Patch compliance evidence must be repeatable and audit-ready.
Examples:
  • Monthly exported patch compliance reports stored in SharePoint.
  • Dashboards from Intune or Defender showing patch status.
  • Retention aligned to audit and regulatory requirements.

Configure MS Office Macros

Block or tightly control macros from the Internet.

Macros are a common attack vector and should be blocked by default.
Examples:
  • Office policy blocking macros from files downloaded from the Internet.
  • Only signed macros or trusted locations allowed.
  • Configuration aligned to ACSC macro guidance.
Macro controls must be consistently applied across the fleet.
Examples:
  • Intune or GPO policies enforcing macro settings.
  • Evidence of deployment to all applicable device groups.
  • Testing results confirming expected behaviour.
Exceptions should be rare, approved and regularly reviewed.
Examples:
  • Formal exception request and approval workflow.
  • Time-bound exceptions with automatic expiry.
  • Logging and periodic review of active macro exceptions.

User Application Hardening

Disable risky features (e.g., Flash/Java, ads, web trackers).

Reduce attack surface by disabling unnecessary or legacy browser features.
Examples:
  • Policies disabling Flash and legacy plugins.
  • Ad/tracker restrictions or enhanced browser security settings.
  • Configuration aligned to ACSC hardening guidance.
Prevent users from easily running malicious code from the Internet.
Examples:
  • Browser or OS controls blocking executable downloads.
  • SmartScreen or equivalent enforcement.
  • Exceptions limited to approved use cases.
Auditors expect proof that hardening controls remain in place.
Examples:
  • Screenshots or reports showing active hardening settings.
  • Verification checks performed quarterly or after major changes.
  • Evidence stored with linked policy references.

Restrict Admin Privileges

Least privilege, approvals, and JIT/JEA patterns.

Limit standing administrative privileges to reduce the impact of compromise.
Examples:
  • Use of Azure AD PIM or equivalent for just-in-time admin access.
  • Removal of permanent admin rights for standard users.
  • Approval and logging of privileged access activations.
Regular reviews ensure only authorised users retain admin access.
Examples:
  • Quarterly access review records for admin groups.
  • Evidence of removals or adjustments following reviews.
  • Sign-off by system or risk owners.
Separate admin activities from day-to-day user activity.
Examples:
  • Dedicated admin accounts with no email or web browsing.
  • Privileged Access Workstations (PAWs) or hardened admin devices.
  • Policy prohibiting admin account misuse.

Patch Operating Systems

Meet SLAs for OS patches with centralised visibility.

Operating systems must be patched quickly to reduce exploit risk.
Examples:
  • Documented OS patch SLAs aligned to ACSC guidance.
  • Patch compliance reports showing SLA adherence.
  • Tracked and approved exceptions.
Controlled rollout reduces operational risk from patching.
Examples:
  • Defined pilot, broad and critical update rings.
  • Rollback procedures for failed updates.
  • Evidence of testing updates before full deployment.
OS patching evidence should be easy to produce for audits.
Examples:
  • Dashboards showing patch compliance by device group.
  • Exported reports stored monthly in SharePoint.
  • Retention aligned to audit requirements.

Multi-Factor Authentication

MFA for remote, privileged and sensitive access.

MFA is mandatory for high-risk access paths.
Examples:
  • MFA enforced for VPN, remote access and cloud admin roles.
  • Conditional Access policies covering sensitive applications.
  • Exceptions documented and risk-approved.
Stronger MFA methods significantly reduce credential phishing risk.
Examples:
  • Use of FIDO2 security keys or passkeys.
  • Number matching or app-based MFA enabled.
  • SMS restricted or phased out where possible.
Emergency access must exist but be tightly controlled and monitored.
Examples:
  • Documented break-glass accounts with strong passwords.
  • Regular testing of break-glass access.
  • Alerts and monitoring on break-glass usage.

Regular Backups

Tested, immutable/tamper-evident backups and restores.

Backups must support timely recovery of critical business services.
Examples:
  • List of critical systems and SaaS included in backups.
  • Defined RTO and RPO for each critical service.
  • Alignment with business impact analysis.
Protect backups from ransomware and unauthorised modification.
Examples:
  • Immutable or object-locked backups configured.
  • Separation of duties between backup admins and system admins.
  • Evidence of configuration and access controls.
Backups are only effective if they can be restored successfully.
Examples:
  • Scheduled restore tests for critical systems.
  • Test results documented with screenshots or logs.
  • Issues tracked and remediated.