AU · ACSC MANDATE

Essential Eight, end-to-end.

Eight mitigations, four maturity levels, one auditor with a checklist. We cover every control, evidence ask, and report your assessor expects — without you having to read the 90-page guide.

At a glance

  • Owner · ACSC (AU Signals Directorate)
  • Version · 2025.4
  • Controls · 8 mitigations · ~120 sub-checks
  • Levels · ML0 · ML1 · ML2 · ML3
  • Cybereen status · Live coverage

WHAT IT IS

Australia's cyber baseline.

A practical floor for cyber hygiene — recommended for every AU organisation, mandated for federal entities, and increasingly expected by APRA, ASIC, and state regulators.

The Essential Eight is a set of eight prioritised mitigation strategies published by the Australian Cyber Security Centre (ACSC). Each addresses a real, common attack path — phishing, ransomware, lateral movement, data theft — and the bundle was deliberately chosen because, implemented together, it stops the majority of intrusions AU businesses actually see.

Maturity is reported on a 0–3 scale. ML0 means a strategy is absent or ad-hoc; ML3 means it's tuned to active adversaries. The level your auditor expects depends on who you are: a small not-for-profit can rest at ML1, an APRA-regulated lender will be pushed to ML2 or ML3.

The honest version: The mitigations themselves aren't hard. What kills teams is keeping evidence current across all eight, every month, in a format an auditor will accept. That's the gap Cybereen closes.
THE MATURITY LADDER

Four rungs. Pick the one your auditor expects.

The ACSC defines four maturity levels for each of the eight mitigations. Cybereen reports your level per strategy and overall — and shows you the exact next move to climb a rung.

ML0

Not started.

The strategy isn't implemented, or you can't prove it is. Common starting point for orgs new to cyber compliance.

  • No documented evidence
  • Ad-hoc / inherited tools
  • Audit risk: high
ML1

Baseline.

Mitigates opportunistic attackers using publicly-known techniques. Reasonable floor for small AU orgs.

  • Basic tooling in place
  • Mostly point-in-time evidence
  • Suits small non-regulated orgs
ML3

Adversary-aware.

Mitigates well-resourced adversaries who tailor their tradecraft. Required for highest-risk federal and critical-infrastructure entities.

  • Active threat modelling
  • Adversarial testing
  • SOC 24/7 expected
THE EIGHT

The eight mitigations.

What each strategy covers, and where Cybereen asks you for evidence or hands you a policy template.

01
Application Control

Only approved apps run. Blocks malware delivered through unknown executables.

Allowlist export · Approval policy
02
Patch Applications

Patch internet-facing apps within 48 hours of a critical CVE.

Patch SLA · Patch register
03
Configure MS Office Macros

Block macros from the internet, allow only signed macros for trusted users.

Macro config policy
04
User Application Hardening

Disable web ads, Java in browsers, untrusted Office add-ins by policy.

Hardening policy · GPO export
05
Restrict Admin Privileges

Time-bound, just-in-time admin access. Reviewed quarterly.

Access policy · Review log
06
Patch Operating Systems

Critical OS patches within 48 hours. Internet-facing OSes treated separately.

Patch SLA · Patch register
07
Multi-Factor Authentication

MFA for all users, all internet-facing services, and privileged access.

MFA policy · Enrolment log
08
Regular Backups

Daily, tested, offline / immutable. Restore exercise quarterly.

Backup policy · Restore proof

  • Policy — we provide the template, you sign it
  • Evidence — we ask you to upload or sign off
  • Integrations to read state directly — on the roadmap

INSIDE CYBEREEN

Eight strategies. One radar.

Your current maturity, your target, and the criteria still to close — on one screen, exportable to PDF, sharable to your auditor as a live link.

  • Radar by strategy — current vs target maturity, per mitigation.
  • Criteria progress bars — every sub-check, completed vs remaining.
  • One-click PDF — board-ready, dated, audit-trail attached.
  • Auditor live link — read-only, time-boxed, revocable.
  • Cross-framework reuse — your E8 evidence pre-fills ISO 27001 + NIST CSF.

[Screenshot: Cybereen Essential Eight report — current vs target maturity radar plus per-strategy criteria progress bars]

COMMON AU MISTAKES

Three places AU teams trip on E8.

Patterns we see weekly. Each has a one-line fix.

Mistake 01

Reporting an overall ML number.

"We're ML2" is meaningless to an auditor — your maturity is per-strategy. Backups can be ML3 while admin privs are ML0, and the auditor only cares about the weakest one.

Fix: Report per-strategy maturity. Cybereen does this by default.
Mistake 02

Treating policies as evidence.

A signed policy that says "we patch in 48 hours" is not evidence you patched in 48 hours. Auditors increasingly want the artefact, not the intent.

Fix: Pair every policy with three months of running evidence.
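
One way to test a patch register against the 48-hour window and the three-month evidence period described in Mistake 02. This is an added example, not Cybereen's code or an ACSC tool; the register fields, the placeholder CVE labels, the assessment date and the choice to start the clock at the recorded publication time are assumptions.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=48)   # the 48-hour window this page quotes for critical patches
EVIDENCE_MONTHS = 3         # "three months of running evidence"

# Constructed patch register. Field names and CVE placeholders are assumptions.
REGISTER = [
    {"asset": "web-01", "cve": "CVE-PLACEHOLDER-A",
     "published": "2025-03-03T09:00", "patched": "2025-03-04T15:30"},
    {"asset": "vpn-01", "cve": "CVE-PLACEHOLDER-B",
     "published": "2025-04-10T02:00", "patched": "2025-04-13T08:00"},
    {"asset": "web-02", "cve": "CVE-PLACEHOLDER-C",
     "published": "2025-04-22T11:00", "patched": None},
]
AS_OF = datetime(2025, 5, 31)  # constructed assessment date


def evidence_window(as_of, months=EVIDENCE_MONTHS):
    """Calendar months (YYYY-MM) ending with as_of's month, oldest first."""
    keys, year, month = [], as_of.year, as_of.month
    for _ in range(months):
        keys.append(f"{year:04d}-{month:02d}")
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)
    return sorted(keys)


def audit_register(register, as_of, sla=SLA):
    """Return SLA breaches and months in the window with no register entries."""
    window = evidence_window(as_of)
    breaches, covered = [], set()
    for row in register:
        published = datetime.fromisoformat(row["published"])
        month = published.strftime("%Y-%m")
        if month not in window:
            continue
        covered.add(month)
        # An unpatched item keeps accruing time until the assessment date.
        closed = datetime.fromisoformat(row["patched"]) if row["patched"] else as_of
        elapsed = closed - published
        if elapsed > sla:
            breaches.append({"asset": row["asset"], "cve": row["cve"],
                             "hours": elapsed.total_seconds() / 3600,
                             "open": row["patched"] is None})
    # An empty month is flagged: the register alone cannot tell
    # "nothing to patch" from "nothing recorded".
    missing = [m for m in window if m not in covered]
    return {"breaches": breaches, "missing_months": missing,
            "defensible": not breaches and not missing}
```

On the constructed register, the signed 48-hour policy would sit beside one late patch, one item still open, and a month with no entries at all.
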
Mistake 03

Skipping the restore test.

You have backups. Have you actually restored one this quarter, end-to-end, with timing logged? If not, you're at ML0 for Mitigation 08 — no matter how many TB you back up nightly.

Fix: Schedule the test. Cybereen books the calendar reminder.
ESSENTIAL EIGHT FAQ

Questions auditors ask before signing.

If yours isn't here, the trial form has a free-text field — answers go in the next page revision.

Is the Essential Eight mandatory for my organisation?
For Australian federal Non-Corporate Commonwealth Entities — yes, to a specified maturity level. For private orgs it's strongly recommended; for APRA-regulated entities and ASX-listed companies it's increasingly expected as part of cyber due diligence. Even if you're not strictly mandated, most AU auditors will ask about it.
How long does Cybereen take to reach ML2?
Most teams starting from ML0–ML1 reach a defensible ML2 in three weeks of focused effort using Cybereen — provided you have admin access to your identity provider, endpoint manager, and backup system. Reaching ML3 is months of work; we won't pretend otherwise.
Which auditors accept Cybereen's reports?
The Essential Eight is a self-assessment standard — there is no central certification body. The reports Cybereen produces are accepted as inputs by every major AU audit firm we've worked with, including the Big 4 and the AU mid-tier. They'll always do their own testing on top, but the evidence trail and audit log we maintain has stood up to that scrutiny consistently.
What if I'm already at ML2 — what do I get?
Cybereen keeps you there. Maintenance is the unglamorous part of compliance — patches lapse, MFA gets bypassed for "just this once", admin accounts proliferate after a merger. Continuous monitoring catches drift before your next audit cycle does.
Does Cybereen replace my MDM / EDR / backup tool?
No. Cybereen is the management system, not the operational tool. The MFA, EDR, patching, and backup platforms you already run stay where they are. We record the state of each control, score your maturity, and produce the audit-ready report. Direct integrations to read state from those tools are on the roadmap — today, evidence is uploaded or attested. The audit trail stays human.
How does Essential Eight relate to ISO 27001 or NIST CSF?
They overlap heavily. The same evidence you produce for MFA, patching, and backups feeds straight into ISO 27001 Annex A controls and NIST CSF Protect/Recover functions. Cybereen's cross-framework reuse means you answer once and we map it everywhere — typically saving ~3× on evidence collection.

Get your first ML map in 60 minutes.

Connect your identity provider and endpoint manager — Cybereen produces your per-strategy maturity scorecard while you grab a coffee. Free trial, no card.
