CYBER SECURITY
Essential Eight Cyber Security
Australia's cyber security baseline. We implement and manage all eight strategies.
20sec avg answer, 87% first-call fix, E8 aligned, 24+ years experience.
The Essential Eight - Australia's Cyber Security Baseline
The Essential Eight is a set of eight cyber security strategies developed by the Australian Cyber Security Centre (ACSC). Together, they form the most effective baseline for mitigating cyber security incidents - from ransomware and data breaches to phishing and insider threats.
Milnsbridge can implement and manage all eight strategies through a scoped uplift program. Our managed IT plans include the core foundations - patching, EDR, monitoring, and email security - with assessment and staged maturity uplift available as an add-on. Whether you need a baseline assessment, a staged uplift program, or ongoing Essential Eight operations, we handle it end to end.
What the Essential Eight Covers
1. Application Control
Block unauthorised software with ThreatLocker zero-trust allowlisting. Only approved applications can execute.
2. Patch Applications
Critical patches deployed within 48 hours. Automated patching via N-able N-central.
3. Configure M365 Macros
Restrict macro execution to digitally signed, trusted documents only. Block a primary malware delivery vector.
4. User Application Hardening
Browser and Office hardening - Flash blocked, Java restricted, OLE controls, and attack surface reduction.
5. Restrict Admin Privileges
Separate admin accounts, just-in-time elevation, and regular access reviews. No standing admin rights.
6. Patch Operating Systems
Windows and macOS patches within 48 hours for critical vulnerabilities. N-able N-central managed centrally.
7. Multi-Factor Authentication
MFA enforced on all accounts via Duo or Microsoft Entra ID, with phishing-resistant methods prioritised. The MFA platform is scoped separately as an add-on.
8. Regular Backups
Cove Backup with automated daily backups, offsite replication, and immutable storage for ransomware recovery. Cloud backup is a separately priced add-on; daily backup monitoring is included in every plan.
Ongoing Compliance
Continuous monitoring and quarterly reviews to maintain your Essential Eight maturity level as threats evolve.
Which Essential Eight maturity level do you need?
The Essential Eight is not pass/fail. The ACSC measures each of the eight strategies across maturity levels (ML0 to ML3). Your overall posture is usually described as the lowest maturity level you can demonstrate (with evidence) across the eight strategies. That is why the question most businesses should ask is not "Do we have Essential Eight?" but "What maturity are we operating at, and what level do we actually need?"
ML0 - Incomplete
No or inconsistent controls across the eight strategies. Patching is ad hoc, application control is absent, and MFA is not enforced. Most businesses start here before a formal assessment.
ML1 - Baseline
Core controls in place to block opportunistic attacks. Automated patching, basic application whitelisting, and MFA on internet-facing services. The minimum sensible target for most SMBs.
ML2 - Standard
Stronger, validated controls designed to resist targeted attackers. Centralised logging, MFA on all systems, tested backups, and hardened configurations. Common target for businesses handling sensitive data.
ML3 - Advanced
High-assurance controls with continuous monitoring and an assumed breach posture. Validated through regular testing and evidence collection. Typically required for defence supply chain and government programs.
Practical target for most SMBs: ML1 is the minimum sensible baseline, and ML2 is a common target when email compromise, ransomware, and supplier obligations are real risks. ML3 is typically required for defence supply chain, government programs, or environments where a very capable adversary is assumed.
A common gotcha: maturity is evidence-based. It is not enough to have a setting enabled once; you need repeatable operations (policy, monitoring, access reviews, patch compliance, backup testing) that you can demonstrate. In practice, uplift work is usually a mix of technical changes (Entra ID, M365 hardening, EDR, app control, N-able N-central) and process changes (change control, asset and identity hygiene, exception handling). That is why many organisations choose staged uplift: stabilise to ML1 quickly, then harden and formalise to ML2.
| Strategy | ML1 (baseline) | ML2 (strong) | ML3 (advanced) |
|---|---|---|---|
| Application control | Block common unapproved apps | Allowlisting with stronger coverage | Tight control incl. scripts and admin tools |
| Patch applications | Critical apps patched quickly | Broader app coverage and reporting | Tighter SLAs, validation, exception control |
| Configure macros | Block or restrict macros | Signed macros only, controlled sources | Tight controls with monitoring and review |
| User app hardening | Reduce common browser/Office risk | Stronger policies + attack surface reduction | Hardened builds, verified drift control |
| Restrict admin privileges | Separate admin accounts | Reduced standing admin + regular reviews | Just-in-time, strong PAM and auditing |
| Patch operating systems | Critical OS patches rapidly | Broader OS coverage + compliance reporting | Tight change control and assurance evidence |
| Multi-factor authentication | MFA for key remote/admin access | MFA widely enforced (incl. cloud apps) | Phishing-resistant methods prioritised |
| Regular backups | Daily backups + restore test basics | Better coverage, monitoring, and testing | Immutable/offline options + stronger recovery assurance |
How Milnsbridge helps: Our managed IT plans include the core foundations. We offer Essential Eight assessment and staged maturity uplift as a separately scoped engagement. Start with an evidence-based maturity assessment, then uplift in phases so you can reach (and maintain) the target level without disrupting the business.
Source: ACSC Essential Eight Maturity Model
WHO NEEDS IT
Is Essential Eight Right for Your Business?
Defence Supply Chain
DISP membership requires Essential Eight alignment. Mandatory for businesses handling defence-related information.
Government Contractors
Australian government agencies increasingly require Essential Eight compliance from suppliers and contractors.
Any Business Serious About Security
Even without regulatory requirements, Essential Eight is the most practical framework for reducing cyber risk in any Australian business.
How We Help
Essential Eight Assessment
Evidence-based assessment with maturity scoring and a prioritised uplift roadmap.
Uplift Program
Staged implementation from 90-day stabilisation to target maturity over 6-12 months.
ThreatLocker (App Control)
Zero-trust application control - the most effective single strategy in the Essential Eight.
WHY MILNSBRIDGE
Trusted by Sydney Businesses Since 2002
FAQ
Essential Eight - Common Questions
What is the Essential Eight?
The Essential Eight is a set of eight cyber security mitigation strategies published by the Australian Cyber Security Centre (ACSC). It provides a prioritised baseline for organisations to protect against common cyber threats including ransomware, phishing, and credential theft. The eight strategies cover application control, patching, Microsoft Office macro settings, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups.
What are the Essential Eight maturity levels?
The ACSC defines four maturity levels (ML0 to ML3). ML0 means the strategy is not implemented or has significant gaps. ML1 is a basic implementation that addresses the most common threats. ML2 targets more sophisticated adversaries. ML3 provides the highest level of protection against the most advanced threats. Most Sydney SMBs aim for ML1 or ML2 as a practical starting point.
Is Essential Eight compliance mandatory?
Essential Eight is mandatory for Australian federal government entities. For private sector businesses, it is not legally required but is widely recognised as best practice and increasingly expected by insurers, auditors, and clients in regulated industries such as defence, finance, and healthcare. Milnsbridge can assist with Essential Eight assessment and phased uplift programs.
How does Milnsbridge help with Essential Eight?
Milnsbridge offers two services: an Essential Eight assessment that establishes your current maturity baseline with a prioritised roadmap, and an uplift program that implements the recommended controls in staged phases with quarterly progress reporting. Both are scoped separately from managed IT plans.
What does "Essential Eight aligned" mean on your managed IT plans?
It means our standard managed IT controls (patching, endpoint protection, email security, backup monitoring) broadly map to Essential Eight strategies. It does not mean your organisation automatically meets an Essential Eight maturity level. Achieving a formal maturity level requires assessment, evidence, and ongoing operation, which is what the assessment and uplift services deliver.
How long does Essential Eight uplift take?
It depends on your starting position, target maturity level, and environment complexity. A typical uplift from ML0 to ML1 takes 3 to 6 months. ML1 to ML2 typically takes 6 to 12 months. Milnsbridge delivers uplift in staged phases with clear milestones so progress is measurable and you are not locked into a single large project.

