Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) Essential Eight Maturity Model
Intro
The Australian Signals Directorate (ASD) has crafted prioritized measures to mitigate cyber threats known as the Strategies to Mitigate Cyber Security Incidents, aiding organizations in safeguarding against various cyber risks. Among these, the most impactful are termed the Essential Eight.
The Essential Eight is designed to protect organisations' internet-connected IT networks. It can be applied to enterprise mobility and operational technology networks, but it was not designed specifically for them; where those environments face their own distinct cyber threats, other mitigation strategies may be more suitable.
The Essential Eight Maturity Model, initially introduced in June 2017 and subject to regular updates, facilitates the adoption of the Essential Eight framework. Drawing from ASD’s expertise in cyber threat intelligence, incident response, penetration testing, and assisting organizations in implementation, this model provides a structured approach to enhance cyber resilience.
About the Assessment
Essential Eight Maturity Model
Assessments against the Essential Eight use the Essential Eight Maturity Model, which defines three maturity levels (Maturity Level One to Maturity Level Three). Each level is designed to counter progressively more sophisticated tradecraft (tools, tactics, techniques and procedures) and targeting. The model also defines Maturity Level Zero, which applies when the requirements of Maturity Level One are not met.
While the methodology for conducting assessments may vary depending on system size and complexity, there are fundamental principles applicable to all assessments. Consequently, assessors should integrate the guidance provided in this publication, while exercising their own judgment and expertise.
More Information
When determining the effectiveness of compensating controls, assessors must ensure that any implemented compensating measures offer a level of protection equivalent to the recommendations outlined in the Essential Eight. This approach aids in achieving and maintaining a consistent level of protection against specific tradecraft and targeting, thereby enhancing overall cybersecurity resilience.
During an assessment, assessors must collect and examine credible evidence to substantiate their conclusions regarding the efficacy of controls. The quality of evidence utilized to assess control effectiveness typically varies depending on the chosen approach. Therefore, assessors should aim to obtain and utilize the highest quality evidence available, whenever feasible, throughout the assessment process.