Free Readiness Assessment
Gauge your cyber security maturity across all eight ASD mitigation strategies. Answer 24 questions, get an instant domain-by-domain score and download a branded PDF you can share with executives, boards or auditors.
24 questions across all eight Essential Eight strategies, plus a quick environment context block.
Questions calibrated to the evidence criteria the ACSC and auditors assess for each strategy.
Score breakdown, top gaps and a prioritised action plan — ready to share with leadership or auditors.
A few details to tailor your Essential Eight roadmap. Required fields are marked *.
Application control
Allow-lists for approved executables, libraries, scripts and installers.
Only approved applications and code should run — this prevents malware and unauthorised software execution.
New software should be approved through a controlled, auditable process rather than through broad exceptions.
Blocked executions should be logged, reviewed and used to tune allow-lists — not ignored.

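Reviewing block events rather than ignoring them, as the last point asks, is mostly a triage problem: the same file blocked on many hosts tells a different story from one unsigned download on one workstation. The script below is an added example, not code from the assessment page or from any application-control product. It parses a constructed pipe-delimited event format (real tools have their own schemas), groups enforced blocks by file hash, labels each group for review based on its signing publisher, and separately lists hosts that only logged in audit mode and therefore are not actually enforcing the allow-list. The publisher names, hashes and hostnames are constructed sample data.

```python
"""Triage application-control block events for allow-list review.

Added example, not code from the assessment page or from any vendor product.
The pipe-delimited event line is a constructed format chosen for readability;
real tools (AppLocker, WDAC, third-party agents) have their own schemas.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: ts|host|user|path|publisher|sha256(truncated)|outcome
# "UNSIGNED" marks a file with no code signature; "audit" means the host logged
# the event but did not enforce (audit-only policy).
SAMPLE_LOG = r"""
2024-05-01T08:01:12Z|WS-0142|jsmith|C:\Users\jsmith\Downloads\setup.exe|UNSIGNED|3f1ac9e2b7d04a15|blocked
2024-05-01T08:04:55Z|WS-0142|jsmith|C:\Users\jsmith\Downloads\setup.exe|UNSIGNED|3f1ac9e2b7d04a15|blocked
2024-05-01T09:15:03Z|WS-0077|akhan|C:\Program Files\Vendor\tool.exe|Vendor Pty Ltd|8b2de4f10c93a7b6|blocked
2024-05-01T09:16:40Z|WS-0081|lwong|C:\Program Files\Vendor\tool.exe|Vendor Pty Ltd|8b2de4f10c93a7b6|blocked
2024-05-01T10:02:19Z|WS-0077|akhan|C:\Program Files\Vendor\tool.exe|Vendor Pty Ltd|8b2de4f10c93a7b6|blocked
2024-05-02T11:30:00Z|SRV-DB01|svc_backup|C:\Temp\helper.dll|Contoso Pty Ltd|c7e011aa5d6f2e38|blocked
2024-05-02T12:00:00Z|WS-0099|bnguyen|C:\Users\bnguyen\AppData\Local\Temp\x.ps1|UNSIGNED|d4d4aa9b1c0e7f52|audit
"""

# Assumed: publishers already trusted by a signed-publisher rule in the allow-list.
APPROVED_PUBLISHERS = {"Contoso Pty Ltd"}


@dataclass(frozen=True)
class BlockEvent:
    ts: str
    host: str
    user: str
    path: str
    publisher: str
    sha256: str
    outcome: str


def parse_events(text: str) -> list[BlockEvent]:
    """Parse the constructed pipe-delimited format, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 7:
            continue
        events.append(BlockEvent(*fields))
    return events


def disposition(publisher: str, approved: set[str]) -> str:
    """Review label for a blocked file, derived from its signing publisher."""
    if publisher == "UNSIGNED":
        return "investigate: unsigned binary, do not allow-list without analysis"
    if publisher in approved:
        return "rule gap: approved publisher was blocked, check rule scope"
    return "business review: new publisher, confirm legitimate need"


def summarise_blocks(events: list[BlockEvent], approved: set[str]) -> dict:
    """Group enforced blocks by file hash so reviewers see spread across hosts, not just volume."""
    groups = defaultdict(lambda: {"hosts": set(), "users": set(), "count": 0})
    for ev in events:
        if ev.outcome != "blocked":  # audit-only events are handled by enforcement_gaps()
            continue
        g = groups[ev.sha256]
        g["count"] += 1
        g["hosts"].add(ev.host)
        g["users"].add(ev.user)
        g["path"] = ev.path
        g["publisher"] = ev.publisher
    return {
        sha: {
            "path": g["path"],
            "publisher": g["publisher"],
            "count": g["count"],
            "hosts": sorted(g["hosts"]),
            "users": sorted(g["users"]),
            "disposition": disposition(g["publisher"], approved),
        }
        for sha, g in groups.items()
    }


def enforcement_gaps(events: list[BlockEvent]) -> set[str]:
    """Hosts that reported audit-only events: the control is logging there but not enforcing."""
    return {ev.host for ev in events if ev.outcome == "audit"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    rows = summarise_blocks(evs, APPROVED_PUBLISHERS)
    for sha, row in sorted(rows.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sha}  x{row['count']}  hosts={len(row['hosts'])}  {row['publisher']}")
        print(f"    {row['path']}\n    -> {row['disposition']}")
    gaps = enforcement_gaps(evs)
    if gaps:
        print("Audit-only hosts (not enforcing):", ", ".join(sorted(gaps)))
```

The grouping key is the file hash rather than the path, so a renamed copy of the same binary still lands in one review row; the audit-only list is the evidence behind the assessment's point that a control deployed inconsistently protects nothing on the hosts where it is not enforced.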
Patch applications
Timely patching of internet-facing and high-risk applications.
High-risk applications must be patched quickly to reduce exposure to known exploits.
You must know what applications exist and which ones present the highest risk before you can patch them consistently.
Patch compliance evidence must be repeatable, consistent and easy to produce for auditors.

Configure Microsoft Office macro settings
Block or tightly control macros from the Internet.
Macros are a common attack vector — blocking Internet-sourced macros by default is a baseline control.
Controls that are not consistently deployed provide no protection for unmanaged or unpatched devices.
Exceptions to macro controls should be rare, formally approved and periodically reviewed.

User application hardening
Disable risky browser features and block executable downloads.
Reducing the browser attack surface limits the options available for drive-by and watering-hole attacks.
Blocking executable downloads for standard users removes a common malware delivery path.
Hardening controls can drift — periodic verification ensures they remain effective.

Restrict administrative privileges
Least privilege, JIT access and segmented admin accounts.
Limiting standing administrative access reduces the blast radius of credential compromise.
Regular access reviews ensure only authorised users retain administrative access over time.
Separating admin from day-to-day activity reduces the risk of credential theft through phishing or malware.

Patch operating systems
Meet SLAs for OS patches with centralised visibility.
Operating systems must be patched within defined timeframes to reduce exploit risk from known vulnerabilities.
Controlled rollout reduces the operational risk of a faulty patch affecting the entire fleet simultaneously.
Audit-ready OS patching evidence should be easy to produce on demand.

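Both the application-patching and OS-patching sections ask for the same artefact: repeatable, on-demand evidence of whether patches landed inside their SLA. The script below is an added example, not code from the assessment page or from any patch-management product, and serves both sections. It evaluates a constructed inventory of patch records against assumed SLA windows (48 hours where the asset is internet-facing or an exploit is known, 14 days otherwise; substitute your own policy values), classifies each record as on time, late, overdue or still open, and produces a per-kind compliance percentage plus a gap list ordered by days late. Asset names and patch identifiers are placeholders.

```python
"""Compute patch SLA compliance evidence from an asset inventory.

Added example, not code from the assessment page. The SLA windows, asset
names and patch identifiers are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy windows (not taken from the page): tighten or loosen to match your policy.
SLA = {
    "critical": timedelta(hours=48),  # internet-facing asset or exploit known
    "standard": timedelta(days=14),
}


def ts(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    kind: str                      # "os" or "app"
    internet_facing: bool
    patch_id: str                  # placeholder identifier
    exploit_known: bool
    released: datetime
    applied: Optional[datetime]    # None = not yet applied


# Constructed inventory; the comments state the expected classification as of AS_OF.
AS_OF = ts("2024-05-20T00:00")
RECORDS = [
    PatchRecord("WEB-01", "app", True, "PATCH-EXAMPLE-1", True, ts("2024-05-01T00:00"), ts("2024-05-02T10:00")),   # on time
    PatchRecord("WEB-01", "os", True, "PATCH-EXAMPLE-2", False, ts("2024-05-01T00:00"), ts("2024-05-04T00:00")),   # late by 1 day
    PatchRecord("WS-0142", "os", False, "PATCH-EXAMPLE-3", False, ts("2024-05-01T00:00"), ts("2024-05-10T00:00")), # on time
    PatchRecord("WS-0081", "app", False, "PATCH-EXAMPLE-4", False, ts("2024-05-01T00:00"), ts("2024-05-08T00:00")), # on time
    PatchRecord("WS-0077", "app", False, "PATCH-EXAMPLE-5", True, ts("2024-05-01T00:00"), None),                   # overdue
    PatchRecord("SRV-DB01", "os", False, "PATCH-EXAMPLE-6", False, ts("2024-05-15T00:00"), None),                  # open, in window
]


def tier(r: PatchRecord) -> str:
    return "critical" if (r.internet_facing or r.exploit_known) else "standard"


def evaluate(r: PatchRecord, as_of: datetime) -> dict:
    """Classify one record against its SLA; lateness is measured from the due date."""
    due = r.released + SLA[tier(r)]
    if r.applied is None:
        status = "overdue" if as_of > due else "open"
        lateness = as_of - due if status == "overdue" else timedelta(0)
    else:
        status = "on_time" if r.applied <= due else "late"
        lateness = r.applied - due if status == "late" else timedelta(0)
    return {"asset": r.asset, "kind": r.kind, "patch_id": r.patch_id, "tier": tier(r),
            "due": due, "status": status,
            "days_late": round(lateness.total_seconds() / 86400, 1)}


def compliance_report(records: list[PatchRecord], as_of: datetime) -> dict:
    """Per-kind compliance over records whose SLA can already be judged, plus an ordered gap list."""
    rows = [evaluate(r, as_of) for r in records]
    by_kind = {}
    for kind in ("os", "app"):
        measured = [x for x in rows if x["kind"] == kind and x["status"] != "open"]
        on_time = [x for x in measured if x["status"] == "on_time"]
        pct = round(100 * len(on_time) / len(measured), 1) if measured else None
        by_kind[kind] = {"measured": len(measured), "on_time": len(on_time), "pct": pct}
    gaps = sorted((x for x in rows if x["status"] in ("late", "overdue")),
                  key=lambda x: -x["days_late"])
    return {"as_of": as_of.isoformat(), "by_kind": by_kind, "gaps": gaps}


if __name__ == "__main__":
    report = compliance_report(RECORDS, AS_OF)
    print("As of", report["as_of"])
    for kind, v in report["by_kind"].items():
        print(f"  {kind}: {v['on_time']}/{v['measured']} on time ({v['pct']}%)")
    for g in report["gaps"]:
        print(f"  GAP {g['asset']} {g['patch_id']} [{g['tier']}] {g['status']} by {g['days_late']} days")
```

Pinning the report to an explicit as-of date is what makes the evidence repeatable: re-running it for a past audit date reproduces the same numbers, and records still inside their window are reported as open rather than silently counted as compliant.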
Multi-factor authentication
MFA for remote, privileged and sensitive access.
MFA is mandatory for high-risk access paths — the ACSC considers this non-negotiable.
Stronger MFA methods significantly reduce the risk of credential phishing and MFA fatigue attacks.
Emergency access must exist for resilience, but it must be tightly controlled and alerted on.

Regular backups
Tested, immutable backups with defined RTO and RPO.
Backups must cover critical services comprehensively to support timely recovery.
Immutable backups protect against ransomware and insider threats modifying or deleting backup data.
Backups that have never been tested cannot be relied upon for actual recovery.

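The three backup points above (coverage, immutability, testing) are each checkable from records most backup platforms already keep. The script below is an added example, not code from the assessment page or from any backup product: for a constructed list of services with assumed RPO targets, it checks whether the last successful backup is younger than the RPO, whether that backup sits on an immutable tier, and whether a critical service has a restore test within an assumed 90-day policy window that met its RTO. Service names, job records and thresholds are all constructed.

```python
"""Check backup coverage against RPO, immutability and restore-test evidence.

Added example, not code from the assessment page. Services, job records and
the policy thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


AS_OF = ts("2024-05-20T09:00")
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # assumed policy value


@dataclass(frozen=True)
class Service:
    name: str
    critical: bool
    rpo: timedelta                 # maximum tolerable age of the last good backup


@dataclass(frozen=True)
class BackupJob:
    service: str
    finished: datetime
    success: bool
    immutable: bool                # written to a locked / immutable storage tier


@dataclass(frozen=True)
class RestoreTest:
    service: str
    performed: datetime
    met_rto: bool


# Constructed sample data
SERVICES = [
    Service("erp-db", True, timedelta(hours=4)),
    Service("file-share", True, timedelta(hours=24)),
    Service("intranet", True, timedelta(hours=24)),
    Service("dev-wiki", False, timedelta(days=7)),
]
JOBS = [
    BackupJob("erp-db", ts("2024-05-20T06:00"), True, True),
    BackupJob("file-share", ts("2024-05-19T23:30"), True, False),  # recent, but mutable tier
    BackupJob("intranet", ts("2024-05-18T02:00"), True, True),     # last good copy is >24h old
    BackupJob("intranet", ts("2024-05-19T02:00"), False, True),    # failed job does not count
    # dev-wiki has no jobs at all
]
TESTS = [
    RestoreTest("erp-db", ts("2024-04-01T00:00"), True),
    RestoreTest("file-share", ts("2023-11-01T00:00"), True),       # outside the 90-day window
]


def assess(service: Service, jobs: list[BackupJob], tests: list[RestoreTest], as_of: datetime) -> list[str]:
    """Return the list of findings for one service; an empty list means all checks passed."""
    findings = []
    good = [j for j in jobs if j.service == service.name and j.success]
    if not good:
        findings.append("no successful backup on record")
    else:
        latest = max(good, key=lambda j: j.finished)
        if as_of - latest.finished > service.rpo:
            findings.append("RPO breached: last good backup older than allowed")
        if not latest.immutable:
            findings.append("latest backup not on an immutable tier")
    recent = [t for t in tests
              if t.service == service.name and as_of - t.performed <= MAX_RESTORE_TEST_AGE]
    if service.critical and not recent:
        findings.append("no restore test within policy window")
    elif recent and not all(t.met_rto for t in recent):
        findings.append("restore test missed RTO")
    return findings


def backup_report(services, jobs, tests, as_of) -> dict:
    return {s.name: assess(s, jobs, tests, as_of) for s in services}


if __name__ == "__main__":
    for name, findings in backup_report(SERVICES, JOBS, TESTS, AS_OF).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Only successful jobs feed the RPO check, so a chain of failed nightly runs surfaces as an ageing last-good copy rather than as apparent coverage, and an untested critical service is a finding even when its backups are fresh and immutable.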