Understanding the Essential Eight Framework
The Essential Eight (E8) is a cybersecurity baseline developed by the Australian Cyber Security Centre (ACSC), designed to help organisations defend against common cyber threats such as ransomware, phishing, and unauthorised access. Since its inception in 2017, the E8 has evolved into a widely adopted framework due to its practicality, cost-effectiveness, and adaptability across industries.
The framework focuses on eight mitigation strategies that, when implemented effectively and together, significantly uplift an organisation’s cyber resilience. Each strategy has defined maturity levels (0–3), enabling organisations to assess their current posture and progressively strengthen their defences.
The eight strategies are:
- Application Control – Restricts unapproved software to prevent malicious code from executing.
- Patch Applications – Ensures timely updates to applications to close known vulnerabilities.
- Configure Microsoft Office Macro Settings – Blocks internet-sourced macros and allows only verified internal ones.
- User Application Hardening – Disables unnecessary features in applications to limit attack surfaces.
- Restrict Administrative Privileges – Limits access to administrative functions based on need and validates usage regularly.
- Patch Operating Systems – Keeps systems updated with security patches, especially those exposed to external networks.
- Multi-factor Authentication (MFA) – Enforces strong authentication mechanisms for remote and privileged access.
- Regular Backups – Maintains frequent, tested backups of essential data to enable rapid recovery.
Key Updates (November 2023)
The November 2023 update introduced several important refinements to strengthen protection against modern attack techniques and improve the speed and accountability of cybersecurity responses.
Patching Enhancements
- Critical patches must now be applied within 48 hours, across both applications and operating systems.
- Internet-facing applications must be patched within two weeks, a shorter timeframe than previously required.
- Non-internet-facing systems can be patched monthly, while vulnerability scans are required at set intervals based on maturity level.
- Firmware and drivers are now included at higher maturity levels, with mandatory patching of critical updates.
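As an added illustration (not from the source article or from MyCISO), the following Python checker maps each outstanding patch to the window described above and flags anything past its deadline. It assumes the "monthly" window is 30 days, treats a critical rating as overriding the exposure-based window, ignores maturity-level variations, and uses constructed host names and patch identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Patching windows as summarised in the November 2023 update.
SLA_CRITICAL = timedelta(hours=48)         # critical: applications and operating systems
SLA_INTERNET_FACING = timedelta(weeks=2)   # internet-facing applications
SLA_INTERNAL = timedelta(days=30)          # "monthly" approximated as 30 days (assumption)

@dataclass
class Finding:
    host: str
    patch_id: str                     # vendor patch identifier (constructed sample values below)
    released: datetime                # when the vendor released the patch
    critical: bool                    # rated critical by the vendor or ACSC
    internet_facing: bool             # asset exposure category
    applied: Optional[datetime] = None

def sla_for(f: Finding) -> timedelta:
    """Pick the tightest applicable window: a critical rating overrides exposure."""
    if f.critical:
        return SLA_CRITICAL
    return SLA_INTERNET_FACING if f.internet_facing else SLA_INTERNAL

def deadline(f: Finding) -> datetime:
    return f.released + sla_for(f)

def status(f: Finding, now: datetime) -> str:
    """Return 'ok', 'overdue' (still unpatched past deadline) or 'late' (patched after deadline)."""
    due = deadline(f)
    if f.applied is None:
        return "overdue" if now > due else "ok"
    return "late" if f.applied > due else "ok"

def breaches(findings, now: datetime):
    """List (host, patch_id, status) for every finding that does not meet its window."""
    return [(f.host, f.patch_id, status(f, now)) for f in findings if status(f, now) != "ok"]

# Constructed sample inventory; the clock is fixed so the results are reproducible.
UTC = timezone.utc
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=UTC)
SAMPLE = [
    Finding("web-01", "PATCH-0001", datetime(2024, 2, 27, tzinfo=UTC), critical=True, internet_facing=True),
    Finding("web-02", "PATCH-0002", datetime(2024, 2, 10, tzinfo=UTC), critical=False, internet_facing=True),
    Finding("db-01", "PATCH-0003", datetime(2024, 2, 10, tzinfo=UTC), critical=False, internet_facing=False),
    Finding("web-01", "PATCH-0004", datetime(2024, 2, 1, tzinfo=UTC), critical=True, internet_facing=True,
            applied=datetime(2024, 2, 5, tzinfo=UTC)),
]

if __name__ == "__main__":
    for host, patch_id, state in breaches(SAMPLE, NOW):
        print(f"{host} {patch_id} {state}")
```

In the sample, the internal server's patch is still within its 30-day window, while the two internet-facing hosts show one overdue critical patch, one overdue fortnightly patch, and one critical patch applied late.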
MFA Strengthened
- A minimum standard for MFA now includes both “something you know” (e.g., password) and “something you have” (e.g., authenticator app or hardware token).
- Customer portals containing sensitive data must enforce MFA with no exceptions.
- Higher maturity levels require phishing-resistant MFA and secure login methods like smart cards or security keys.
Administrative Controls Expanded
- Privileged access must undergo formal approval, periodic revalidation, and limited internet access.
- Break-glass (emergency) accounts are subject to stricter controls, including unique, unpredictable credentials with enforced time limitations.
- Secure administration practices such as using hardened admin workstations and memory isolation techniques are required at higher maturity levels.
Application Control and Hardening
- Application control rules must be reviewed at least annually, and blocklists must follow recommended vendor guidelines.
- Internet Explorer 11 must be disabled or removed entirely.
- PowerShell and command-line interface usage must be logged with detailed transcription and execution histories at higher maturity levels.
- Where vendor and ACSC hardening guidance differs, the stricter option must be applied.
Macro Configuration
- Logging of macro usage is no longer mandatory at higher maturity levels.
- Only digitally signed macros using secure version 3 certificates are permitted at the highest maturity level.
Backup and Recovery
- Backup strategies must now be aligned to the criticality of data and systems.
- Organisations are required to test the integrity and restorability of backups regularly.
Logging and Incident Readiness
- Centralised logging of key systems is now required at mid to high maturity levels.
- Incident response plans must be in place and reviewed regularly, with clear reporting obligations internally and externally.
Target Audience
The Essential Eight framework applies to a wide range of sectors and organisational sizes. It is especially relevant for:
- Government departments looking to meet compliance requirements and secure sensitive data.
- Private enterprises that want to implement practical, high-impact cybersecurity controls.
- CISOs and IT leaders aiming to drive cybersecurity maturity through structured, measurable action.
- Service providers and consultants helping clients benchmark and improve their security posture.
The 2023 updates also make the framework more suitable for organisations with high-value data, complex networks, or regulatory scrutiny.
Additional Resources: How MyCISO Can Help
Implementing and maintaining compliance with the updated Essential Eight can be resource-intensive. MyCISO supports organisations with tools, insights, and guided pathways to accelerate and sustain E8 adoption.
1. Advisories and Alerts
MyCISO keeps your team informed of the latest vulnerabilities, threat patterns, and recommended responses—aligned with the E8 strategies and their updated timeframes.
2. Training Programs
Through the Security Culture module, MyCISO delivers end-user awareness training that reinforces key E8 principles including phishing resistance, secure credential handling, macro control, and privileged account governance.
3. Tools and Templates
MyCISO offers pre-built templates for policy creation, administrative access approval workflows, patching schedules, backup verification processes, and incident response planning.
4. Guidelines and Implementation Support
The platform includes guided assessments that help organisations measure and improve against the E8 maturity levels. Dashboards and reporting tools make it easy to demonstrate compliance to leadership and auditors.
Benefits of Adoption
Adopting the Essential Eight framework—especially with the 2023 enhancements—delivers wide-ranging benefits:
- Reduced risk of cyber attacks, especially ransomware, phishing, and credential theft.
- Improved visibility and control over systems, applications, and user privileges.
- Faster recovery from data loss or system breaches through rigorous backup and testing.
- Stronger compliance posture for regulatory obligations and security audits.
- Greater executive confidence in the organisation’s ability to protect sensitive assets.
Importantly, the maturity model allows for a phased approach, enabling organisations to prioritise based on available resources and risk exposure.