Essential Eight · Brisbane · Melbourne · Sydney · Australia-Wide
Most Australian mid-market organisations on Microsoft 365 E5 are already at ML1 across most controls — and within 12–16 weeks of evidenced ML2. We assess where you actually sit, design the shortest path to ML2, and capture audit-ready evidence at every milestone.
Most consultancies will tell you Essential Eight ML2 is a 6-month programme. For organisations on Microsoft 365 E5, that's usually wrong. Here's why.
Standard pitch: typical timeline 6+ months.
M365-native reality: typical timeline 12–16 weeks.
The exception: organisations on M365 E3, with substantial legacy estate, or with very low current maturity (ML0 across most controls) may genuinely need longer. We assess honestly before scoping.
Three Australian pressures converging in 2026 — and a framework that addresses all three.
Australian cyber insurers are tightening requirements rapidly. Essential Eight ML2 evidence is now a common condition of coverage or premium reduction for mid-market policies. Self-attestation isn't sufficient — insurers want assessor-grade evidence packs that hold up under post-incident scrutiny.
Federal, state, and government-adjacent procurement panels increasingly require Essential Eight maturity as a prerequisite — not just for direct contracts, but for supply chain due diligence. SOCI Act obligations for critical infrastructure operators reference Essential Eight explicitly.
Large enterprise customers running supply chain risk programmes are asking suppliers for documented Essential Eight maturity. Without evidence, you're either disqualified or stuck in remediation conversations that delay contracts by months.
Each control addresses a specific adversary technique. Together they form a layered defence that dramatically reduces the likelihood of successful compromise. We deliver all eight to ML2 — configured to ASD intent, evidenced against ASD criteria.
Prevents unapproved or malicious executables from running. Deployed via WDAC or AppLocker through Intune with ring-based rollout and a documented exception governance process for line-of-business applications.
Internet-facing and end-user applications patched within ASD timeframes. Managed through Defender Vulnerability Management and Intune with fortnightly scanning cadence and asset lifecycle oversight.
Blocks or restricts Office macros to prevent the most common malware delivery vector. Enforced via Intune ADMX profiles with Defender ASR rules blocking macro-driven child processes and centralised telemetry.
Reduces the attack surface of browsers, Office, and PDF software through configuration hardening aligned to ACSC and vendor guidance. Deployed via Intune with compliance reporting and drift monitoring.
Privileged accounts limited via Entra PIM with just-in-time elevation, approval workflows, and Windows LAPS for local admin rotation. All privileged events logged centrally with annual revalidation.
OS vulnerabilities remediated within ASD timeframes using Windows Update for Business and Defender Vulnerability Management. Includes legacy endpoint lifecycle for devices outside standard patch cadence.
MFA enforced for all users accessing internet-facing services and important data. Phishing-resistant methods (FIDO2, Windows Hello) for privileged accounts. Conditional Access policies managed via Entra ID P2.
Business-critical data, software, and configuration restorable following an incident. Includes M365 backup tooling selection (third-party, required for ML2), immutable retention, restore testing, and a documented, tabletop-tested DRP.
One control consistently requires external tooling for ML2: Regular Backups. Microsoft 365 backup is not included in E5 — third-party tools (Veeam, AvePoint, HYCU, Keepit) are required. We help you select, configure, and evidence the right one without unnecessary spend.
Essential Eight is the right framework for Australian organisations in one of these situations:
Insurers are asking for Essential Eight ML2 evidence as a condition of coverage or premium reduction. Self-attestation isn't sufficient anymore. We deliver assessor-grade evidence packs that hold up under insurer due diligence.
Federal, state, or defence-adjacent procurement requires Essential Eight maturity from suppliers. SOCI Act obligations reference it explicitly for critical infrastructure operators. Without it, you're disqualified at the questionnaire stage.
Large enterprise customers running third-party risk management programmes are asking suppliers for documented Essential Eight maturity. ISO 27001 is increasingly expected as well, but Essential Eight is often the specific evidence procurement teams need to tick the box.
Essential Eight and ISO 27001 controls overlap substantially. Combined engagements typically reduce total cost by 30–40% versus running them sequentially. Common for organisations that need both an Australian cyber baseline and an international security certification.
Delivered across Australia
We work with organisations in Brisbane, Melbourne, Sydney, Canberra, Perth and across regional Australia. Because Essential Eight uplift is delivered inside your existing Microsoft 365 environment, geography isn't a constraint — most of the work happens remotely, with on-site workshops where it genuinely adds value.
Both built on the same methodology — scoped to where you are and what you need.
Assessment: structured current-state assessment against ASD ML1, ML2, and ML3 criteria, with a prioritised remediation roadmap. Delivered in 2–3 weeks. Fixed-price from $8k–$18k depending on scope.
ML2 uplift: end-to-end delivery from current state to evidenced ML2 across all eight controls. Fixed-price from $22k–$120k depending on scope. 12–16 weeks for most M365 E5 organisations.
Already at ML2 and looking to sustain or reach ML3? Talk to us about ongoing assurance retainers.
Every control follows the same four-phase delivery. Phases overlap across milestones to maintain momentum, but no control is claimed complete until its evidence is assessor-ready.
Assess: tenant configuration review, asset inventory, and current maturity rated against ASD criteria. Prioritised remediation roadmap with effort estimates.
Design: each control designed to ASD intent. Pilot rings defined, exception workflows built, rollback plans documented. Steering committee sign-off before production changes.
Implement: controls deployed in audit mode first, monitored, exceptions triaged, then expanded in tranches before full enforcement. No big-bang changes that break operations.
Evidence: evidence captured at the point of change, never reconstructed later. Each milestone pack indexed against ASD criteria, QA reviewed, and signed off before milestone payment.
Every Essential Eight engagement tracks all 8 controls in a live SharePoint list — current maturity level, target, remediation status, and the M365 evidence source for each control.
Essential Eight Maturity Assessment Tracker
Answered plainly. If you have a question not covered here, the fastest way to get a real answer is a 30-minute call.
12–16 weeks for most Australian mid-market organisations on M365 E5. Shorter for focused engagements. Longer for E3 environments, substantial legacy estate, or very low current maturity. We assess honestly before scoping.
Assessment: $8k–$18k fixed-price (2–3 weeks). ML2 uplift: $22k–$120k fixed-price depending on company size and scope. Combined with ISO 27001: 30–40% cheaper than running them separately.
For M365 E5: 80–85% of ML2 is achievable with native tooling. The main external requirement is third-party M365 backup tooling (Veeam, AvePoint, HYCU, Keepit) for the Regular Backups control. For E3, additional licensing or tooling may be needed.
ML2 for most mid-market organisations — the level cyber insurers and procurement panels expect. ML3 for high-risk, government, or defence-adjacent environments. ML1 is rarely sufficient for procurement or insurance purposes.
Mandatory for non-corporate Commonwealth entities under the PSPF. For private sector: not legislatively mandated, but increasingly required by insurers, referenced in SOCI Act obligations, and expected by enterprise/government customers in due diligence.
Yes. Every evidence pack is assembled against ASD's published ML2 requirements with a criteria-mapping index. QA reviewed for completeness and defensibility. Designed to survive IRAP reviews, cyber insurance audits, and customer due diligence.
ML1 (Maturity Level 1) means controls are partially implemented with limited alignment to ASD intent — generally insufficient for cyber insurance or government procurement. ML2 is the ASD-recommended baseline: controls are implemented, tested, and evidenced against specific criteria. ML3 is ML2 with stronger requirements around multi-factor authentication, privileged access, and application control — appropriate for high-risk environments, Commonwealth entities, and defence-adjacent organisations. Most mid-market clients target ML2 as the structured first objective.
Essential Eight pairs naturally with ISO 27001 for international procurement coverage, or with DISP/IRAP for defence-adjacent work.
A free 30-minute call will give you a clear picture of your current maturity position, the most important gaps to close first, and what a realistic uplift programme looks like. If you're closer to ML2 than your last assessment suggested, we'll tell you.