What Is the ASD Essential Eight? A Plain English Guide for Australian Businesses
Short answer: the Essential Eight is a set of eight baseline cyber security strategies from the Australian Signals Directorate (ASD), published through its Australian Cyber Security Centre (ACSC). Implemented together, they protect organisations against the most common cyber attacks. It is the de facto security baseline in Australia.
If you do only one structured thing for your cyber security this year, working toward the Essential Eight is the highest value place to start.
The eight strategies
They group into three goals: stop attacks, limit the damage, and recover.
Prevent malware from running
1. Application control. Allow only approved applications to run, so malicious software cannot execute.
2. Patch applications. Keep apps such as browsers, Office, and PDF readers up to date to close known holes.
3. Configure Microsoft Office macro settings. Block untrusted macros, a very common attack path.
4. User application hardening. Turn off risky features like Java, ads, and unneeded browser add-ons.
Limit the extent of attacks
5. Restrict administrative privileges. Give admin rights only to those who genuinely need them, and control how they are used.
6. Patch operating systems. Keep Windows and other systems current.
7. Multi-factor authentication (MFA). Require a second factor beyond a password. One of the single most effective controls available.
Recover when something goes wrong
8. Regular backups. Back up important data and configurations, and test that you can actually restore them.
Maturity levels: 0 to 3
The Essential Eight is measured across maturity levels, so you can target a level that matches your risk:
- Level 0: notable weaknesses in your posture.
- Level 1: protects against common, opportunistic attacks.
- Level 2: protects against more capable attackers who invest more effort.
- Level 3: protects against adaptive, well-resourced attackers.
Most SMBs should aim for Level 1 across all eight first, then climb as their risk and obligations grow.
Who needs the Essential Eight?
It is mandatory for many Australian federal government entities, but its reach goes much wider:
- Suppliers and contractors are increasingly asked to demonstrate Essential Eight alignment to win work.
- Cyber insurers and larger clients use it as a yardstick for whether you take security seriously.
- For any SMB, it is simply a practical, prioritised checklist that blocks the attacks that actually happen.
How to get started
- Assess where you are. Honestly score yourself against each of the eight, at the maturity level you are targeting.
- Prioritise the gaps. MFA, backups, and patching usually give the fastest risk reduction for the least effort.
- Build a roadmap. Sequence the work so you reach Level 1 across all eight before chasing higher levels.
- Maintain it. The Essential Eight is ongoing, not a one-off project. Patching and backups never stop.
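The four steps above, worked through as a small self-assessment helper. This is an added example, not code from the original post and not an ASD tool. It uses the eight strategy names as listed on this page, orders the gaps with the quick wins named above (MFA, backups, then patching) first, and treats an organisation's overall level as the lowest level reached across all eight, which is this example's reading of the advice to reach Level 1 across all eight before climbing. The sample scores are constructed for a hypothetical SMB.

```python
"""Essential Eight self-assessment helper (added example, not an ASD tool)."""
from dataclasses import dataclass

# The eight strategies, in the order the page lists them.
ESSENTIAL_EIGHT = (
    "Application control",
    "Patch applications",
    "Configure Microsoft Office macro settings",
    "User application hardening",
    "Restrict administrative privileges",
    "Patch operating systems",
    "Multi-factor authentication",
    "Regular backups",
)

# Quick wins from the "Prioritise the gaps" step: MFA, backups, patching.
# The exact order within that group is this example's assumption.
QUICK_WINS = (
    "Multi-factor authentication",
    "Regular backups",
    "Patch operating systems",
    "Patch applications",
)

MAX_LEVEL = 3

# Constructed sample: a hypothetical SMB's honest self-assessment (0-3 each).
SAMPLE_SCORES = {
    "Application control": 0,
    "Patch applications": 1,
    "Configure Microsoft Office macro settings": 1,
    "User application hardening": 0,
    "Restrict administrative privileges": 1,
    "Patch operating systems": 0,
    "Multi-factor authentication": 0,
    "Regular backups": 1,
}


@dataclass(frozen=True)
class Gap:
    strategy: str
    current: int
    target: int

    @property
    def shortfall(self) -> int:
        return self.target - self.current


def validate_scores(scores: dict) -> None:
    """Every strategy must be scored exactly once, with a level from 0 to 3."""
    missing = set(ESSENTIAL_EIGHT) - set(scores)
    if missing:
        raise ValueError(f"unscored strategies: {sorted(missing)}")
    unknown = set(scores) - set(ESSENTIAL_EIGHT)
    if unknown:
        raise ValueError(f"not an Essential Eight strategy: {sorted(unknown)}")
    for name, level in scores.items():
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: level must be an integer 0..{MAX_LEVEL}")


def overall_level(scores: dict) -> int:
    """Step 1: the level you have actually reached across all eight (the lowest)."""
    validate_scores(scores)
    return min(scores.values())


def next_target(scores: dict) -> int:
    """Step 3: climb one level at a time, never past Level 3."""
    return min(overall_level(scores) + 1, MAX_LEVEL)


def gaps_to_target(scores: dict, target: int) -> list:
    """Step 2: strategies below the target, quick wins first, then biggest shortfall."""
    validate_scores(scores)
    if not 1 <= target <= MAX_LEVEL:
        raise ValueError("target must be 1, 2 or 3")
    gaps = [Gap(n, scores[n], target) for n in ESSENTIAL_EIGHT if scores[n] < target]

    def priority(g: Gap):
        quick = QUICK_WINS.index(g.strategy) if g.strategy in QUICK_WINS else len(QUICK_WINS)
        return (quick, -g.shortfall, ESSENTIAL_EIGHT.index(g.strategy))

    return sorted(gaps, key=priority)


def roadmap(scores: dict) -> list:
    """Steps 1-3 together: an ordered list of 'strategy: current -> target' lines."""
    target = next_target(scores)
    return [f"{g.strategy}: Level {g.current} -> Level {g.target}" for g in gaps_to_target(scores, target)]


if __name__ == "__main__":
    print(f"Overall maturity: Level {overall_level(SAMPLE_SCORES)}")
    print(f"Next target: Level {next_target(SAMPLE_SCORES)}")
    for line in roadmap(SAMPLE_SCORES):
        print(" -", line)
```

Step 4, maintenance, is the part no script captures: re-run the assessment on a schedule, because a patched, backed-up and MFA-protected estate drifts the moment it is left alone.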
Common misconceptions
- "It is only for government." No. It is the practical baseline for any Australian organisation.
- "We have antivirus, so we are covered." Antivirus is not on the list. The Essential Eight targets how attacks actually succeed.
- "It is all or nothing." No. Even partial progress, especially MFA and backups, meaningfully reduces risk.
Frequently asked questions
Is the Essential Eight a certification? No. There is no formal certificate. It is a maturity model you assess and improve against, often with an independent review for credibility.
How is it different from ISO 27001 or NIST CSF? The Essential Eight is a focused, technical baseline. ISO 27001 and NIST CSF are broader management frameworks. They complement each other, and the Essential Eight is a great first step.
How long does it take to reach Level 1? For a typical SMB, a few months, depending on your starting point and how much of the groundwork (MFA, patching, backups) is already in place.
Get an honest Essential Eight assessment
Cyber Legion assesses Australian SMBs against the Essential Eight, then builds and helps you execute a prioritised uplift plan. For a clear picture of where you stand, get in touch.
