
The Essential Eight Maturity Model was developed to help organisations mitigate potential cyber security incidents. The Essential Eight provides a roadmap for organisations seeking to reduce their cyber security attack surface by detailing a minimum standard of mitigations organisations can put in place to reduce the risk of a cyber attack and to minimise exposure in the event a cyber attack does occur.


Cyber attacks can impact an organisation in many ways including:

  • Economic Costs: Including loss, damage or theft of organisational, customer and employee data, and disruption of services.

  • Legal Consequences: Including data protection and privacy breaches.

  • Reputational Damage

The Australian Cyber Security Centre recommends all organisations target Maturity Level Three. The varying levels give organisations a pathway enabling them to achieve a recognised level of compliance on their journey to Level Three.

  • Maturity Level One: Partly aligned with the intent of the mitigation strategy.

  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy.

  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy.

The Essential Eight

Application control

Application Control or whitelisting is the practice of specifying a list of approved software applications that are permitted to be present and active on a computer system. Whitelisting is designed to protect computers and networks from potentially harmful applications.

Application Patching Strategies

Most common threats use known vulnerabilities in applications, and a robust application patching strategy mitigates these risks. End of life applications (those not receiving vendor support) should be updated or replaced with supported applications.

Microsoft Office macro settings

Macros allow users to group together multiple commands into a single action to complete tasks automatically. While this can be a convenient way to automate tasks, macros are also used to execute malicious code. Strict controls should be applied to how macros execute.

User application hardening

Web browsers are hardened against common intrusions such as ads, unmanaged extensions, and Flash content. Microsoft Office is hardened against intrusion from plugins, objects and embedded packages.

Restricting administrative privileges

The principle of least privilege is applied. Administrative access is limited to only those users who require it. Administrative credentials are only used when performing administrative functions and have additional controls in place to prevent the exposure of administrative accounts to common attack vectors such as email and web browsing.

Patching Operating Systems

Operating system patching must be implemented to ensure identified security vulnerabilities are not left open for exploitation. End of life operating systems must be updated or replaced with vendor supported alternatives.

Multi-factor authentication

Multi-factor Authentication (MFA) provides an additional layer of security, protecting your accounts from being compromised by requiring two (or more) authentication methods. Examples of MFA include biometrics, software tokens, and hardware tokens, when used in combination with a password.

Daily backups

Important information is backed up in a secured manner, for a sufficient period and with a high enough frequency to minimise the risk of permanent data loss. Restoration processes must be in place and tested regularly to ensure data restoration is reliable.


Chamonix Managed Services works with organisations to:

  • Assess Essential Eight Maturity level

  • Work with your organisation to assess the impact of implementing all controls required to achieve Maturity Level 3

  • Establish a plan to achieve your desired Maturity Level

  • Implement the required technical controls

  • Conduct user training

  • Set up ongoing management of security controls to ensure your organisation maintains compliance.