Important Updates to the Essential Eight Maturity Model

The ACSC released a significant update to the Essential Eight Maturity Model earlier this week.  Details of the revised Maturity Model can be found here: Essential Eight Maturity Model |

The Essential Eight Maturity Model is designed to provide prioritised guidance on mitigations organisations can employ to protect themselves against various cyber security threats. Some of the common threats that the Essential Eight Maturity Model aims to increase an organisations protection against include: 

  • Identity Theft / Compromised Identity 
  • Execution of Malware (including ransomware) 
  • Exfiltration of data (theft of organisation and/or customer data) 

There have been substantial changes to the guidance provided around each of the maturity levels. With a number of new controls being introduced to align with maturity level 1 and 2 that were previously guided for level 3 of beyond. There is also a substantial uplift across all levels in areas previously not included in the Essential Eight Maturity Model, examples of these include: 

  • Centralised logging 
  • Vulnerability scanning 
  • Action on blocked events 

These changes represent a substantial increase in recommended baseline cyber security posture with all levels of the Essential Eight Maturity Model as published by the Australian Cyber Security Centre. Previous guidance for best practice within this framework has now been revised and many organisations at Level 3 maturity in some pillars for the previous maturity model may now find themselves at maturity zero in those same pillars. 

The Essential Eight Maturity Model is an evolving framework which we expect to see continue to see develop over time as cyber threats and technological landscape continues to shift. 

The ACSC Essential Eight Maturity Models’ 8 Pillars



Application Control 

Prevents unapproved applications (such as malware) from executing 

Patch Applications 

Prevent the exploitation of known security vulnerabilities in applications 

Configure Microsoft Office Macro Settings 

Prevent the execution of malicious code within the Microsoft Office Suite 

User Application Hardening 

Prevent the delivery and execution of malicious code through applications such as web browsers 

Restrict Administrative Privileges 

Minimise the risk of theft of administrative credentials and the vectors through which this theft could occur 

Patch Operating Systems 

Prevent the exploitation of known security vulnerabilities in operating systems 

Multi-factor Authentication 

Stronger user authentication makes it harder for adversaries to access sensitive information and systems 


Ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).  

If you would like to find out how your business aligns with the updated guidance and what your Essential Eight Maturity Level is under this new guidance, please contact our team.