The Essential Eight is a set of prioritized cybersecurity mitigation strategies published by the Australian Cyber Security Centre (ACSC). Originally developed for Australian federal agencies, the Essential Eight has since become widely adopted by private-sector organizations as a practical, technically focused baseline to defend against common threats, especially ransomware, malware, and unauthorized access.
This article explains the eight strategies in detail, their three-level maturity model, how they map to global frameworks such as ISO 27001, SOC 2, and NIST CSF, and practical considerations for implementation and assessment.
What is the Essential Eight?
The Essential Eight is a prescriptive framework consisting of eight core security strategies that make it significantly more difficult for attackers to compromise systems. These controls emphasize technical implementation and are designed to be applied progressively, based on an organization’s risk exposure, resources, and operational maturity.
Unlike broader governance frameworks, the Essential Eight is narrowly focused on defensive controls that reduce the impact of real-world attacks. Each strategy can be implemented at one of three maturity levels, with higher levels offering stronger and more consistent protection.
Background and Purpose
The Essential Eight was derived from the ACSC’s broader list of Strategies to Mitigate Cyber Security Incidents. These eight were selected based on their demonstrated effectiveness in preventing or limiting common threat vectors. While not a formal compliance standard, implementation is mandatory for Australian federal government agencies under the Information Security Manual (ISM) and strongly recommended for other public and private organizations seeking to establish a resilient security baseline.
The Eight Mitigation Strategies
| # | Strategy | Description |
|---|---|---|
| 1 | Application Control | Only allow approved applications to run on systems. Helps prevent execution of malicious or unapproved software. |
| 2 | Patch Applications | Apply security patches for applications (e.g., Microsoft Office, web browsers, Java) within 2 weeks, or sooner if a vulnerability is actively exploited. |
| 3 | Configure Microsoft Office Macros | Block macros from the internet and limit macro execution to only those with a legitimate business need. |
| 4 | User Application Hardening | Disable features that aren't commonly required (e.g., Flash, ads, Java in browsers) to reduce the attack surface. |
| 5 | Restrict Administrative Privileges | Restrict admin access to systems based on job requirements and review access regularly. |
| 6 | Patch Operating Systems | Apply OS security patches within 2 weeks, or sooner if vulnerabilities are actively exploited. |
| 7 | Multi-Factor Authentication (MFA) | Enforce MFA for all remote access, privileged accounts, and sensitive systems. |
| 8 | Regular Backups | Perform daily backups, store them securely offline, and test restoration regularly. |
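Strategies 2 and 6 share the same rule: a security patch is due within 2 weeks of release, or sooner when the vulnerability is actively exploited. The following added example (not from the ACSC or this article) turns that rule into a compliance check over a patch inventory; the inventory is constructed, and the shorter window for exploited vulnerabilities (`EXPLOITED_WINDOW`, 2 days) is an assumed value because the page gives no figure for "sooner".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Patch windows from the page: 2 weeks normally, sooner if actively exploited.
STANDARD_WINDOW = timedelta(days=14)
EXPLOITED_WINDOW = timedelta(days=2)   # assumption; the page only says "sooner"


@dataclass
class PatchRecord:
    asset: str
    kind: str                  # "application" (strategy 2) or "os" (strategy 6)
    released: date             # vendor release date of the security patch
    installed: Optional[date]  # None while the patch is still outstanding
    actively_exploited: bool


def deadline(rec: PatchRecord) -> date:
    """Date by which the patch must be installed under the Essential Eight window."""
    window = EXPLOITED_WINDOW if rec.actively_exploited else STANDARD_WINDOW
    return rec.released + window


def is_compliant(rec: PatchRecord, today: date) -> bool:
    """Compliant if installed by the deadline, or still pending inside the window."""
    if rec.installed is not None:
        return rec.installed <= deadline(rec)
    return today <= deadline(rec)


def overdue(records: List[PatchRecord], today: date) -> List[PatchRecord]:
    """Assets that missed their deadline, earliest deadline (most overdue) first."""
    late = [r for r in records if not is_compliant(r, today)]
    return sorted(late, key=deadline)


# Constructed sample inventory (not real assets or patches).
AS_OF = date(2024, 3, 15)
SAMPLE = [
    PatchRecord("ws-01 browser", "application", date(2024, 3, 1), date(2024, 3, 10), False),
    PatchRecord("ws-02 office", "application", date(2024, 3, 1), None, True),
    PatchRecord("srv-01 os", "os", date(2024, 3, 4), date(2024, 3, 20), False),
    PatchRecord("srv-02 os", "os", date(2024, 3, 12), None, False),
]

if __name__ == "__main__":
    for rec in overdue(SAMPLE, AS_OF):
        print(f"{rec.asset}: deadline {deadline(rec)} missed")
```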
Mapping the Essential Eight to Common Frameworks
Although the Essential Eight originates from Australian guidance, it aligns conceptually with internationally recognized standards. This mapping is provided for illustrative purposes to show how implementing the Essential Eight can support broader security and governance efforts across other frameworks.
| Essential Eight Strategy | ISO 27001:2022 Control | NIST CSF Function & Category | SOC 2 Trust Services Criteria |
|---|---|---|---|
| 1. Application Control | A.8.9 – Security of software in operational systems (conceptual mapping; optional: A.5.1/A.5.2 for policy enforcement) | PR.IP-1, PR.DS-6 (PR.DS-6 relates to protecting data; PR.IP-2 could also be relevant for asset management) | CC6.6, CC7.1 (logical access and change management) |
| 2. Patch Applications | A.8.8 – Management of technical vulnerabilities (covers patching applications; conceptual mapping) | PR.IP-12, DE.CM-8 (DE.CM-8 monitors unauthorized changes; PR.IP-12 covers patch management) | CC7.1, CC7.2 (change management/system operations) |
| 3. Configure Office Macros | A.8.10 – Secure configuration (applies to macro security; ensures safe configuration of software) | PR.IP-1, PR.DS-7 (PR.DS-7 relevant if macro security protects data integrity) | CC7.1, CC6.6 |
| 4. User Application Hardening | A.8.9 – Security of software in operational systems (hardening operational software; optional A.8.10 if configuration hardening is included) | PR.IP-1, PR.DS-6 | CC7.1 |
| 5. Restrict Admin Privileges | A.5.15 – Access rights (managing access; optional: A.9.2 user access management) | PR.AC-4, PR.AC-6 | CC6.1, CC6.2 |
| 6. Patch Operating Systems | A.8.8 – Management of technical vulnerabilities | PR.IP-12, DE.CM-8 | CC7.1, CC7.2 |
| 7. Multi-Factor Authentication | A.5.17 – Authentication information (optional: A.9.4 for system access control) | PR.AC-7 | CC6.3, CC6.7 |
| 8. Regular Backups | A.8.13 – Information backup (optional: A.17.1 for continuity management) | PR.IP-4, PR.PT-5 | CC7.2 |
Maturity Model: Levels 1 to 3
Each Essential Eight strategy or control is measured against three Maturity Levels, which represent increasing strength of defense:
Level 1 – Provides basic protections against opportunistic or unsophisticated attacks
Level 2 – Defends against moderate adversaries with more advanced tools or techniques
Level 3 – Protects against highly targeted and persistent threats
For example, a Multi-Factor Authentication implementation might progress from requiring MFA for all remote access (Level 1) to requiring MFA for all remote access and privileged accounts (Level 2), and finally to requiring MFA for all users accessing sensitive or critical data and systems (Level 3).
ACSC strongly recommends organizations implement all eight controls at the same maturity level for consistency. Partial implementation across levels may lead to gaps and exploitable weaknesses.
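Because the levels are cumulative and the ACSC advises keeping all eight strategies at the same level, an organisation's effective maturity is that of its weakest control. The added example below (not ACSC material) scores each control as the highest level whose requirements are all met, then reports the overall level and the controls lagging a target; the assessment data is constructed, with the MFA rows following the progression described above and the other controls purely illustrative.

```python
from typing import Dict, List

LEVELS = (1, 2, 3)   # Essential Eight Maturity Levels, cumulative

# Constructed assessment (not real results). Each control maps a level to the
# requirements checked at that level and whether each one is currently met.
ASSESSMENT: Dict[str, Dict[int, List[bool]]] = {
    "Multi-Factor Authentication": {
        1: [True],          # MFA for all remote access
        2: [True],          # ... plus privileged accounts
        3: [False],         # ... plus all users of sensitive/critical systems
    },
    "Regular Backups": {
        1: [True, True],    # daily backups taken; stored securely offline
        2: [False],         # restoration tested regularly (illustrative)
        3: [False],
    },
    "Application Control": {1: [True], 2: [True], 3: [True]},
}


def control_level(checks: Dict[int, List[bool]]) -> int:
    """Highest level reached counting up from Level 1; stops at the first gap.

    A level with no recorded requirements counts as unmet, so an unassessed
    level never inflates the score.
    """
    achieved = 0
    for level in LEVELS:
        reqs = checks.get(level, [])
        if not reqs or not all(reqs):
            break
        achieved = level
    return achieved


def overall_level(assessment: Dict[str, Dict[int, List[bool]]]) -> int:
    """Organisation-wide maturity is the weakest control's level."""
    return min(control_level(c) for c in assessment.values())


def gaps(assessment: Dict[str, Dict[int, List[bool]]], target: int) -> Dict[str, int]:
    """Controls below the target level, with the level each actually reaches."""
    return {name: control_level(c) for name, c in assessment.items()
            if control_level(c) < target}


if __name__ == "__main__":
    print("Overall maturity:", overall_level(ASSESSMENT))
    print("Gaps against Level 2:", gaps(ASSESSMENT, 2))
```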
Why the Essential Eight Matters
Even for organizations outside Australia, the Essential Eight offers clear, actionable practices to improve cyber hygiene. Implementing these controls helps:
Reduce the likelihood and impact of ransomware and malware attacks
Strengthen endpoint, access, and application security
Increase incident preparedness and recovery readiness
Align with global compliance frameworks like ISO 27001, NIST CSF, and SOC 2
Many of the strategies are also foundational for achieving maturity in areas such as patch management, access control, asset hardening, and business continuity.
Common Implementation Challenges
Organizations often run into the following pitfalls when starting with the Essential Eight:
Incomplete patch coverage across all applications and systems.
Microsoft Office macros left enabled by default for large groups of users.
MFA only enforced on a subset of applications.
Admin rights not regularly reviewed or overly granted.
Backups performed but not tested, or stored insecurely.
Lack of organizational buy-in or dedicated resources.
Difficulty aligning all eight strategies to the same maturity level.
Regular internal reviews and realistic maturity targets help overcome these obstacles.
Implementation Guidance from ACSC
To successfully implement the Essential Eight:
Start by targeting Maturity Level One for all eight controls.
Prioritize implementation based on a risk assessment of your most critical systems and data.
Ensure controls are implemented consistently across systems.
Gradually scale to higher maturity levels as your capability and risk posture evolve.
Use the Essential Eight Maturity Model to assess readiness and gaps.