Essential Eight Uplift

Assess your current maturity, implement high-impact controls in Microsoft 365, and capture audit-ready evidence in SharePoint — aligned to ISO 27001 and the ISM.


Why the Essential Eight matters

The Australian Cyber Security Centre (ACSC) recommends the Essential Eight to mitigate common cyber threats, including ransomware. Government and many regulated industries expect uplift to defined maturity levels. We align Essential Eight with your ISMS (ISO 27001) and ISM requirements so you get one coherent program — not competing frameworks.

Mandatory & expected

Increasingly required in public sector and supplier contracts.

Aligned to ISO & ISM

Maps cleanly to Annex A controls and ISM hardening.

Reduces breach risk

Targets the highest-impact mitigations for real-world attacks.

The Eight Strategies (Explained Simply)

Each strategy addresses a specific attack path — together they form layered defence.

1. Application control

Only approved software runs. Example: Staff can use Office; unknown apps are blocked.

2. Patch applications

Keep browsers/Adobe/Zoom updated. Example: Auto-updates enforced and tracked weekly.

3. Configure macros

Allow only trusted, signed macros. Example: Finance macros approved; others blocked.

4. User hardening

Disable risky browser/PDF features. Example: Block scripts/pop-ups in Edge/Chrome.

5. Restrict admin

Least privilege & just-in-time access. Example: Break-glass accounts only for emergencies.

6. Multi-factor auth

More than a password. Example: M365 and VPN require MFA for everyone.

7. Patch operating systems

Keep Windows/macOS/servers current. Example: Devices >14 days overdue are blocked.

8. Regular backups

Secure, offline, tested restores. Example: Immutable daily copies, monthly restore tests.

Together these controls prevent malware from running, limit its blast radius, and ensure you can recover quickly.

Understanding the three maturity levels

ACSC measures how consistently the strategies are applied — from basic protection to proactive resilience.

ML1 — Baseline

Stops opportunistic attacks; controls exist but may be inconsistent.

  • Basic patching & antivirus in place
  • Limited application control
  • Backups run, not always tested

ML2 — Sustainable

Standardised controls across the business; detects common attacks.

  • Automated patching & compliance checks
  • MFA & application control enforced for all
  • Backups regularly tested

ML3 — Resilient

Resists targeted attacks; integrated monitoring and continuous improvement.

  • Real-time detection & response
  • Immutable/off-site backups
  • Just-in-time admin + SIEM visibility

Most organisations aim for ML2. ML3 is typically required for government/defence systems.

Deliverables

Current → Target maturity

Evidence-based assessment against ML0–ML3, gap analysis, and a risk-prioritised roadmap.

  • Maturity scorecard per strategy
  • Quick wins & dependency map
  • Executive summary pack

Control implementation

Pragmatic uplift mapped to Microsoft 365, Azure and endpoints — Intune baselines, Defender hardening, application control and admin reduction.

  • Intune: compliance, encryption, baselines
  • Defender: ASR rules, EDR, vulnerability management
  • Application control (WDAC/AppLocker)

Audit-ready evidence

Repeatable test scripts, exports and screenshots stored in SharePoint with retention & versioning — easy to hand to auditors or IRAP assessors.

  • PowerShell/Graph exports on cadence
  • Monitoring & exception registers
  • Before/after artefact packs

Aligned to ISO 27001 and the ISM

Essential Eight strengthens your ISMS and ISM compliance. We map each strategy to Annex A controls and ISM hardening so uplift benefits multiple frameworks without extra effort.

How we work

1) Assess

Benchmark with live tenant data; confirm scope, risks and quick wins.

2) Implement & automate

Harden controls and automate evidence capture inside Microsoft 365.

3) Validate

Run repeatable tests; prepare artefacts for ISO/ISM or IRAP reviews.

Ready to lift your Essential Eight maturity?

Assess → Implement → Validate — with audit-ready evidence.
